Control flow integrity (CFI) and software fault isolation (SFI) secure software against control flow hijacking attacks by confining its flows to a whitelist of permissible control flow edges. The CFI and SFI approaches are appropriate for some types of software attacks, for example, return-oriented programming (ROP) and other code-reuse attacks (CRAs). Attacks in these families exploit dataflow vulnerabilities, e.g., buffer overflows, to corrupt code pointers and thereby redirect control to attacker-chosen program subroutines. By validating each impending control flow target at runtime before it is reached, CFI and SFI (hereinafter CFI/SFI) guards can prevent these attacks.
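The following is an added illustration, not code from the original text, of the guard described above: a forward-edge CFI check at an indirect call site that validates the code pointer against a whitelist of permitted targets before control is transferred. The handler routines, the whitelist and the "corrupted" pointer are constructed for the example; in a real CFI toolchain the whitelist would be derived by static analysis of the program rather than hard-coded.

```c
#include <stdio.h>
#include <stddef.h>

/* Added example: a minimal forward-edge CFI guard. The whitelist of
 * permitted targets below is constructed for illustration. */

typedef int (*handler_fn)(int);

/* Legitimate targets of the dispatch site. */
static int handle_add(int x)    { return x + 1; }
static int handle_double(int x) { return x * 2; }

/* A routine that is NOT a permitted target of this call site; a corrupted
 * code pointer aimed here must be rejected by the guard. */
static int privileged_routine(int x) { return -x; }

/* Whitelist of control flow edges permitted at this indirect call site
 * (constructed; a CFI toolchain would compute it from program analysis). */
static const handler_fn allowed_targets[] = { handle_add, handle_double };
#define N_ALLOWED (sizeof allowed_targets / sizeof allowed_targets[0])

/* CFI guard: returns 1 if target is a whitelisted edge, 0 otherwise. */
int cfi_check_target(handler_fn target) {
    for (size_t i = 0; i < N_ALLOWED; i++)
        if (allowed_targets[i] == target)
            return 1;
    return 0;
}

/* Guarded indirect call: the target is validated before control reaches it.
 * Returns the handler's result; on a rejected edge sets *blocked and returns -1
 * instead of transferring control. */
int guarded_dispatch(handler_fn target, int arg, int *blocked) {
    if (!cfi_check_target(target)) {
        *blocked = 1;
        return -1;
    }
    *blocked = 0;
    return target(arg);
}

int main(void) {
    int blocked;

    /* Normal flow: a whitelisted target is reached. */
    printf("handle_add(41) -> %d\n", guarded_dispatch(handle_add, 41, &blocked));

    /* Simulated corruption: the code pointer now names a routine that is not
     * a permitted target of this call site, so the guard refuses the edge. */
    handler_fn corrupted = privileged_routine;
    int r = guarded_dispatch(corrupted, 41, &blocked);
    printf("corrupted pointer: blocked=%d result=%d\n", blocked, r);
    return 0;
}
```

The guard compares the pointer against an explicit edge set rather than checking whether it points into executable memory at all, which is what distinguishes CFI from a plain non-executable-memory check: a pointer redirected to a valid but unintended subroutine is still rejected.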
There remain types of software to which the CFI/SFI technologies are difficult to apply using existing processes. Such limitations stem from many source-aware CFI algorithms' need for the full source code of the entire software ecosystem, e.g., even for the operating system (OS) kernel, device drivers, and the complete runtime system, in order to analyze application control flows. In addition, there can be difficulty in analyzing complex flows, such as those of GUI-interactive, event-driven, and component-based software applications.
Also, application code that is to be protected by CFI/SFI can be located within an untrusted or a trusted logical application area. Application code that exists within trusted logical application areas, such as system libraries and other OS modules, typically cannot be modified, and sometimes cannot even be examined, by the CFI/SFI process, since it is part of the protected runtime system.