Practical control flow integrity and randomization for binary executables

Chao Zhang, Tao Wei, Zhaofeng Chen, Lei Duan, László Szekeres, Stephen McCamant, Dawn Song, Wei Zou

Research output: Chapter in Book/Report/Conference proceedingConference contribution

404 Scopus citations


Control Flow Integrity (CFI) provides a strong protection against modern control-flow hijacking attacks. However, performance and compatibility issues limit its adoption. We propose a new practical and realistic protection method called CCFIR (Compact Control Flow Integrity and Randomization), which addresses the main barriers to CFI adoption. CCFIR collects all legal targets of indirect control-transfer instructions, puts them into a dedicated "Springboard section" in a random order, and then limits indirect transfers to flow only to them. Using the Springboard section for targets, CCFIR can validate a target more simply and faster than traditional CFI, and provide support for on-site target-randomization as well as better compatibility. Based on these approaches, CCFIR can stop control-flow hijacking attacks including ROP and return-into-libc. Results show that ROP gadgets are all eliminated. We observe that with the wide deployment of ASLR, Windows/x86 PE executables contain enough information in relocation tables which CCFIR can use to find all legal instructions and jump targets reliably, without source code or symbol information. We evaluate our prototype implementation on common web browsers and the SPEC CPU2000 suite: CCFIR protects large applications such as GCC and Firefox completely automatically, and has low performance overhead of about 3.6%/8.6% (average/max) using SPECint2000. Experiments on real-world exploits also show that CCFIR-hardened versions of IE6, Firefox 3.6 and other applications are protected effectively.

Original languageEnglish (US)
Title of host publicationProceedings - 2013 IEEE Symposium on Security and Privacy, SP 2013
Number of pages15
StatePublished - 2013
Event34th IEEE Symposium on Security and Privacy, SP 2013 - San Francisco, CA, United States
Duration: May 19 2013May 22 2013

Publication series

NameProceedings - IEEE Symposium on Security and Privacy
ISSN (Print)1081-6011


Other34th IEEE Symposium on Security and Privacy, SP 2013
Country/TerritoryUnited States
CitySan Francisco, CA


Dive into the research topics of 'Practical control flow integrity and randomization for binary executables'. Together they form a unique fingerprint.

Cite this