CFI
Control flow return integrity
Preventing corruption of return addresses by separating the stack into two:
- Safe stack
  - Return address
  - Non-array local variables
- Unsafe stack
  - Arrays that can be indexed
Indirect function call checking (LLVM Clang): -fsanitize=cfi-icall
Intel Tiger Lake and onwards
Safe Stack
Detecting corruption of return addresses
- Store a copy of the return address at call.
- Check the actual return address matches the copy at return.
- This can be supported in hardware.
Shadow stack
Detecting corruption of return addresses on Intel CPUs
A shadow stack is a mechanism for protecting a procedure's stored return address.
ASLR
Address Space Layout Randomization is a probability-based approach.
The executable must be a PIE (Position Independent Executable) in randomized
Bypassing ASLR via Position-Independent ROP