Control-flow integrity
M. Abadi, M. Budiu, Ú. Erlingsson, and J. Ligatti were the first to publish a practical control-flow integrity scheme, in 2005.
PaX has had RAP, a type-based, forward- and backward-edge CFI scheme that stays effective against arbitrary read/write primitives, privately since at least 2012 and publicly since 2015. The idea of CFI was even mentioned in pax_future.txt from 2003, in its c section.
Windows added CFG in Windows 8.1 and Windows 10 in 2015, and even though Microsoft removed it from the scope of its bug bounty in 2018, it is coming back as XFG since 2019, taking inspiration from PaX's RAP.
Android has used clang's CFI for some userland applications since 2017, cross-DSO since 2018, and in kernel-land since 2019.
In BSD-land, HardenedBSD has had non-cross-DSO clang CFI since 2017.
In 2018, Apple launched the Apple A12 with Pointer Authentication, protecting return addresses, function pointers, … enabled by default on all iPhones.
In October 2019, Android added support for shadow-stack in kernel-land.
Microsoft's Windows 10 19H1 (version 1903) has had support for hardware-assisted shadow stacks via Intel CET since at least March 2020, and Microsoft has made it available in Visual Studio 2019 via the /cetcompat compiler flag.
Ubuntu has been compiling binaries with -fcf-protection since Ubuntu 20.04 (Focal Fossa), released in April 2020, and support for kernel-land on Linux landed in 5.18, in 2022.
In September 2020, Android 11 was released, with tagged pointers support.
In February 2022, LLVM implemented support for KCFI, which landed in Linux on 3 October 2022:
Unlike the current CFI schemes implemented in LLVM, KCFI does not require LTO, does not alter function references to point to a jump table, and never breaks function address equality. KCFI is intended to be used in low-level code, such as operating system kernels, where the existing schemes can cause undue complications because of the aforementioned properties. However, unlike the existing schemes, KCFI is limited to validating only function pointers and is not compatible with executable-only memory.
This forward-edge control-flow integrity scheme for indirect calls is type-based, and looks like a subset of PaX's RAP.
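To make the type-based forward-edge check concrete, here is an added software sketch (not code from the page, LLVM, or PaX) of what KCFI-style instrumentation does: every function carries a hash of its type, and each indirect call site compares the target's hash with the hash of the type it expects before transferring control. The textual signatures, the FNV-1a hash, and the lookup table standing in for the compiler-emitted preamble are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t cfi_hash_t;

/* FNV-1a over a textual signature stands in for the compiler's type hash
   (constructed here; KCFI hashes the mangled function type). */
static cfi_hash_t cfi_type_hash(const char *sig) {
    cfi_hash_t h = 2166136261u;
    for (; *sig; sig++) { h ^= (unsigned char)*sig; h *= 16777619u; }
    return h;
}

/* Emulated preamble: real KCFI stores the hash just before each function's
   entry point; here a table maps entry address to the hash of its type. */
struct cfi_entry { void (*fn)(void); cfi_hash_t hash; };
static struct cfi_entry cfi_table[8];
static int cfi_count;

static void cfi_register(void (*fn)(void), const char *sig) {
    if (cfi_count >= 8) return;
    cfi_table[cfi_count].fn = fn;
    cfi_table[cfi_count++].hash = cfi_type_hash(sig);
}

/* Call-site check: the target's recorded hash must equal the hash of the
   type the caller expects. Addresses with no preamble (gadgets) fail too. */
static int cfi_check(void (*fn)(void), const char *expected_sig) {
    cfi_hash_t want = cfi_type_hash(expected_sig);
    for (int i = 0; i < cfi_count; i++)
        if (cfi_table[i].fn == fn) return cfi_table[i].hash == want;
    return 0;
}

static int add_one(int x) { return x + 1; }      /* type int(int)   */
static void do_shutdown(void) { puts("bye"); }   /* type void(void) */

static void cfi_init(void) {
    cfi_register((void (*)(void))add_one, "int(int)");
    cfi_register(do_shutdown, "void(void)");
}

/* Guarded indirect call through an int(int) pointer: returns the handler's
   result, or -1 with *allowed = 0 when the type check rejects the target. */
static int call_int_handler(int (*h)(int), int arg, int *allowed) {
    *allowed = cfi_check((void (*)(void))h, "int(int)");
    return *allowed ? h(arg) : -1;
}
```

After cfi_init(), call_int_handler(add_one, 41, &ok) returns 42 with ok set to 1, while the same call through a pointer that has been redirected to do_shutdown (a void(void) function) returns -1 with ok set to 0, which is the class of type confusion the scheme catches while leaving function address equality untouched.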
In February 2023, Deepak Gupta from Rivos sent a series of patches to make use of RISC-V Zisslpcfi (a subset of the Zicsr extension) on Linux. The scheme is based on the now-classic shadow-stack/landing-pad duo, but with hardware support for function signatures.
In his CanSecWest talk, De Raadt said, completely ignoring the state of the art (PaX's RAP (2015), Apple's PAC (2017), FineIBT (2021), …):
There isn’t a simple complete solution to block ROP.
He added, completely ignoring that all iPhones released after 2018 have forward- and backward-edge CFI by default, that Ubuntu makes use of Intel CET by default, and Android, …:
Shadow stacks and branch-target instructions aren’t really deployed yet
As of 2023, OpenBSD doesn't have any form of CFI besides RETGUARD.