Control-flow Integrity (CFI) attempts to validate the control-flow of a process. This is achieved by analyzing the application and building up a Control-flow Graph (CFG) representing the intended program behavior¹⁾²⁾.

One important addition of CFI is the so-called „shadow stack“. Next to the existing stack of an application, another one is introduced for verification purposes. Return addresses are added to both stacks upon function calls. When executing a return instruction, the top elements of both stacks is compared. In case they are equal, execution continues. But if they differ, a manipulation of the control-flow is detected.

Major compilers such as GCC and LLVM support CFI. Naturally, applications need to be recompiled if CFI is added later on. Also note that the performance impact of a purely software-based solution should not be neglected³⁾.

Following example demonstrates the usage of CFI in combination with the LLVM-powered Clang compiler⁴⁾.

cfi/clang.c

// clang -fvisibility=hidden -flto -fno-sanitize-trap=all -fsanitize=cfi-icall clang.c
#include <stdio.h>
 
void admin_stuff();
void user_stuff();
 
int main()
{
    void (*fp[])() = {&admin_stuff, &user_stuff};
    int choice;
    printf("Enter choice:\n0) Admin\n1) User\n");
    scanf("%d", &choice);
    (*fp[choice])();
    return 0;
}
 
void admin_stuff()
{
    printf("admin stuff\n");
}
 
void user_stuff()
{
    printf("user stuff\n");
}

Entering valid values for the array of function pointers causes the program to behave just as expected.

$ ./a.out 
Enter choice:
0) Admin
1) User
0
admin stuff

$ ./a.out
Enter choice:
0) Admin
1) User
1
user stuff

However, entering and invalid value and trying to execute an arbitrary memory region causes the execution to abort.

$ ./a.out
Enter choice:
0) Admin
1) User
123
clang.c:13:5: runtime error: control flow integrity check for type 'void ()' failed during indirect function call
0x0000000003e8: note: (unknown) defined here

Control-flow Enforcement Technology (CET)⁵⁾ is a hardware-supported implementation of CFI suggested by Intel.

With CET, a shadow stack tracks function calls. Upon a call instruction, the return address is also pushed to the shadow stack. When returning from the function call, the return addresses are popped from both stacks and compared. In case of different values, an exception is raised. Additionally, targets of jmp and indirect call instructions are marked. An error occurs if these instructions are executed for a target that is not marked.

As of January 2018 the CET specification is only available as a preview and there are no processors supporting it on a hardware level. CET support is added to version 8 of GCC⁶⁾.