Forward-edge control-flow integrity
M. Abadi, M. Budiu, Ú. Erlingsson, and J. Ligatti were the first to publish a practical control-flow integrity scheme in 2005.
PaX had RAP, a type-based CFI, privately since at least 2012, and publicly since 2015. The idea of CFI was even mentioned in pax_future.txt from 2003, in its c section.
Windows added CFG in Windows 8.1 and Windows 10 in 2015; although it was removed from the scope of the bug bounty in 2018, it is coming back as XFG since 2019, taking inspiration from PaX’s RAP.
Android has used clang’s CFI for some userland applications since 2017, cross-DSO since 2018, and in kernel-land since 2019.
In the BSD-land, HardenedBSD has non-cross-DSO clang CFI since 2017.
In February 2022, LLVM implemented support for KCFI, which landed in Linux on the 3rd of October 2022:
Unlike the current CFI schemes implemented in LLVM, KCFI does not require LTO, does not alter function references to point to a jump table, and never breaks function address equality. KCFI is intended to be used in low-level code, such as operating system kernels, where the existing schemes can cause undue complications because of the aforementioned properties. However, unlike the existing schemes, KCFI is limited to validating only function pointers and is not compatible with executable-only memory.
This forward-edge control-flow integrity scheme for indirect calls is type-based, and looks like a subset of PaX’s RAP.
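The quoted description of KCFI, a check at each indirect call against a type hash stored with the callee, is easier to follow with a concrete model. The C below is an added illustration, not code from LLVM, Linux or PaX: because standard C cannot place data in front of a function body, it keeps each function's type hash in a small registry keyed by function address, whereas real KCFI stores the hash in the bytes preceding the function entry and the compiler emits the comparison at every indirect call site. All names (type_id, cfi_check, call_int_fn, the registry) are the example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration of type-based forward-edge CFI in the style of KCFI.
 * Real KCFI stores the type hash in the bytes preceding each function's
 * entry and the compiler emits the comparison at every indirect call site.
 * Standard C cannot place data in front of a function body, so this model
 * keeps the hash in a registry keyed by function address instead. */

typedef void (*generic_fn)(void);   /* address-only handle, never called */

/* FNV-1a over a canonical signature string stands in for the type hash. */
static uint32_t type_id(const char *signature)
{
    uint32_t h = 2166136261u;
    for (const char *p = signature; *p; p++) {
        h ^= (unsigned char)*p;
        h *= 16777619u;
    }
    return h;
}

/* One entry plays the role of the tag KCFI places before the function. */
struct cfi_entry { generic_fn fn; uint32_t tag; };
static struct cfi_entry registry[16];
static int nfuncs;

/* What the compiler does at definition time: tag the function's type. */
static void cfi_register(generic_fn fn, const char *signature)
{
    registry[nfuncs].fn = fn;
    registry[nfuncs].tag = type_id(signature);
    nfuncs++;
}

/* Read the tag "in front of" a target; 0 means no tag is known. */
static uint32_t cfi_tag_of(generic_fn fn)
{
    for (int i = 0; i < nfuncs; i++)
        if (registry[i].fn == fn)
            return registry[i].tag;
    return 0;
}

/* The check emitted at an indirect call site: the callee's tag must equal
 * the tag derived from the pointer's static type. Returns 1 to allow. */
static int cfi_check(generic_fn target, const char *expected_signature)
{
    return cfi_tag_of(target) == type_id(expected_signature);
}

static int add_one(int x) { return x + 1; }
static void log_line(const char *s) { printf("log: %s\n", s); }

typedef int (*int_fn)(int);

/* Guarded indirect call through an int (*)(int). *ok reports the verdict;
 * a kernel would trap instead of returning on a mismatch. */
static int call_int_fn(int_fn fp, int arg, int *ok)
{
    *ok = cfi_check((generic_fn)fp, "int(int)");
    return *ok ? fp(arg) : 0;
}

static void setup_registry(void)
{
    static int done;
    if (done) return;
    done = 1;
    cfi_register((generic_fn)add_one, "int(int)");
    cfi_register((generic_fn)log_line, "void(const char *)");
}

/* Legitimate call: tags match, so the call proceeds and returns 42. */
static int cfi_demo_legit(void)
{
    int ok;
    setup_registry();
    int_fn fp = add_one;   /* no jump table: fp == add_one still holds */
    int r = call_int_fn(fp, 41, &ok);
    return ok ? r : -1;
}

/* The pointer's storage now holds the address of a function of a different
 * type (the kind of state a memory-corruption bug can produce); the tag
 * derived from void(const char *) does not match int(int), so the call is
 * refused. Returns 1 when the check rejected it. */
static int cfi_demo_mismatch(void)
{
    int ok;
    setup_registry();
    int_fn fp = (int_fn)(generic_fn)log_line;
    call_int_fn(fp, 41, &ok);
    return ok == 0;
}

int main(void)
{
    printf("legit call result: %d\n", cfi_demo_legit());
    printf("mismatched call refused: %d\n", cfi_demo_mismatch());
    return 0;
}
```

Two properties from the quoted text show up directly in the model: the tag travels with the callee rather than living in a jump table, so taking a function's address still yields its real entry point and address equality is preserved; and only function pointers are validated, since nothing here says anything about return addresses, which is why backward edges need a separate mechanism.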
As of 2022, OpenBSD doesn’t have any forward-edge CFI.
Control Flow Integrity for backward edges is covered in the RETGUARD article.