Control Flow Integrity in Clang / LLVM

Exploit mitigation

Hanno Böck

Exploit Mitigation

Too many bugs and security vulnerabilities.

Let's make it harder to exploit them.

Exploit mitigation for C / memory corruption

Bug types: Buffer overflow, use after free and similar.

Pioneers: Grsecurity / PAX for Linux

Stack canary / cookie

Secret value on the stack that gets checked on return.

If stack overflow overwrites return address it also overwrites canary / cookie.

Nonexecutable memory

Old days: Attackers could jump into data they control and execute it.

Memory page permissions allow marking data pages as non-executable.

Address Space Layout Randomization (ASLR)

Use random memory addresses for code and data.

Protects agsint code reuse: If the attacker doesn't know where the code is he can't jump to it.

Linux distributions slow in adopting ASLR.

Exploits in 2017

Modern exploits are complex: Return-oriented programming, heap spraying, bug chains required.

Exploit mitigation works to a certain degree.


Performance costs are usually low.

There's a cost/benefit issue regarding complexity.

Control Flow Integrity

Control Flow Guard (Microsoft)

RAP (Grsecurity/PAX)

-fsanitize=cfi (Clang/LLVM)

Control Flow Integrity in Clang

[Show example]

Control Flow Integrity in Clang

clang -fsanitize=cfi -fvisibility=hidden -fuse-ld=gold -flto [input file]

Some requirements

clang (not available for gcc)

Gold linker (-fuse-ld=gold)

Link time optimization (-flto)

Function visibility (-fvisibility=hidden)

CFI bug example (curl)

Function pointer type:

typedef size_t (*curl_write_callback)(char *buffer, size_t size, size_t nitems, void *outstream);


size_t tool_write_cb(void *buffer, size_t sz, size_t nmemb, void *userdata)

Source: [1] [2]

CFI usage

Chrome uses Control Flow Integrity and finds lots of bugs with it [1].

Future: Hardened Linux with CFI? (Lots of compatibility issues.)


Next meetup...?

Rust Hack Night, here on Wednesday (26.4.) -

Bornhack - 22.8. - 29.8. -