yvt / Stella2

Light-weight desktop client for instant messaging services (abandoned)
GNU General Public License v3.0
47 stars 7 forks

Enable Control Flow Guard #16

Open yvt opened 4 years ago

yvt commented 4 years ago

Control Flow Guard is a forward-edge control-flow integrity mechanism supported by Windows.

https://docs.microsoft.com/en-us/windows/win32/secbp/control-flow-guard:

Control Flow Guard (CFG) is a highly-optimized platform security feature that was created to combat memory corruption vulnerabilities.

https://docs.microsoft.com/en-us/cpp/build/reference/guard-enable-control-flow-guard?view=vs-2019:

A common attack on software takes advantage of bugs in handling extreme or unexpected inputs. Carefully crafted input to the application may overwrite a location that contains a pointer to executable code. This can be used to redirect control flow to code controlled by the attacker. The CFG runtime checks do not fix the data corruption bugs in your executable. They instead make it more difficult for an attacker to use them to execute arbitrary code. CFG is a mitigation tool that prevents calls to locations other than function entry points in your code.

According to [Burow2017], the execution time overhead measured with the SPEC CPU2006 benchmarks ranges from -0.3% to 10.8%, with a geometric mean of 2.3%.

[Burow2017] Burow, Nathan, et al. "Control-flow integrity: Precision, security, and performance." ACM Computing Surveys (CSUR) 50.1 (2017): 1-33.

The compiler implementation of CFGuard comprises two parts: the first part is to emit metadata indicating valid entry points, and the second part is to insert runtime checks before indirect call instructions. In LLVM, the first part has been there for quite a long time, but the patch adding the second part was merged only in 2019. The support for CFGuard in Rust was introduced in https://github.com/rust-lang/rust/pull/68180.

The option for enabling CFGuard is currently feature-gated by -Z control_flow_guard, whose tracking issue can be found at https://github.com/rust-lang/rust/issues/68793.

ajpaverd commented 4 years ago

The -C control-flow-guard option has now been stabilized and is available in Rust 1.47.
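The following is an added example, not part of this issue thread or the Stella2 project: it turns the flag on for the MSVC target through `.cargo/config.toml`, builds, and then checks that the produced PE image actually advertises CFG, since a binary built without the characteristic is never enforced by the Windows loader. It assumes Rust 1.47 or later (the stable `-C` spelling), a "Developer PowerShell for VS" session so that `dumpbin` is on `PATH`, and that no `.cargo/config.toml` already exists in the crate.

```powershell
# Added example (not from the Stella2 project): enable Control Flow Guard for
# the x86_64-pc-windows-msvc target and verify the built .exe carries it.
# Assumptions: Rust >= 1.47, dumpbin available (Developer PowerShell for VS),
# and no pre-existing .cargo/config.toml (this script overwrites it).
$ErrorActionPreference = "Stop"

$config = @'
[target.x86_64-pc-windows-msvc]
# Emits the valid-entry-point metadata and inserts a check before every
# indirect call. Pre-1.47 nightlies used "-Z", "control_flow_guard" instead.
rustflags = ["-C", "control-flow-guard"]
'@
New-Item -ItemType Directory -Force -Path .cargo | Out-Null
Set-Content -Path .cargo\config.toml -Value $config

cargo build --release --target x86_64-pc-windows-msvc

# The loader only enforces CFG for images whose DLL characteristics include
# "Control Flow Guard" and whose load config carries a guard function table.
$exes = Get-ChildItem target\x86_64-pc-windows-msvc\release\*.exe
foreach ($exe in $exes) {
    $headers = dumpbin /headers $exe.FullName
    $loadcfg = dumpbin /loadconfig $exe.FullName
    $hasFlag  = ($headers -match 'Control Flow Guard').Count -gt 0
    $hasTable = ($loadcfg -match 'Guard CF function table').Count -gt 0
    if ($hasFlag -and $hasTable) {
        Write-Host "CFG enabled: $($exe.Name)"
    } else {
        Write-Host "CFG missing: $($exe.Name) (flag=$hasFlag, table=$hasTable)"
        exit 1
    }
}
```

Only crates compiled with the flag get the runtime checks; dependencies shipped as prebuilt objects (including the precompiled standard library unless it is rebuilt with the same flags) contribute entry-point metadata only as far as the linker sees it.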