Integrating Static Analyses for High-Precision Control-Flow Integrity

Memory corruptions are still one of the most prevalent and severe security vulnerabilities in today's programs. For this reason, several techniques for mitigating software vulnerabilities exist and are used in production systems. An important mitigation involves the prevention of invalid control flow transfers. Attackers often corrupt function pointers to subvert a forward-edge in a program's call graph. Forward-edges can be protected using Control-Flow Integrity (CFI), for which practical implementations already exist. However, current CFI implementations are often imprecise, allowing more control flow transfers than necessary. This often leaves sufficient leeway for an attacker to successfully exploit a program. This paper presents High-Precision CFI (HPCFI), a concept and implementation for precise forward-edge CFI protection of indirect calls in C and C++ programs using a combination of type analysis and static data-flow analysis for determining valid forward-edges. HPCFI is implemented as LLVM compiler passes that perform a precise type analysis and utilize the Static Value-Flow (SVF) framework to conduct a static data-flowanalysis. The combination of type analysis and static data-flow analysis offers higher precision than conventional heuristic-based approaches. Our evaluation, using all compatible benchmarks from SPEC CPU 2017, demonstrates that HPCFI can be effectively applied to large projects with an average performance overhead of only 1.3%, while improving the precision of established CFI mechanisms, such as Clang CFI, by up to 99% and 40% on average.