Control-flow integrity

Attackers seek to inject code into a program to make use of its privileges or to extract data from its memory space.

LLVM/Clang provides a "CFI" option that protects the forward edge by checking for errors in virtual tables and type casts.

Google has shipped Android with the Linux kernel compiled by Clang with link-time optimization (LTO) and CFI since 2018.

Intel Control-flow Enforcement Technology (CET) detects compromises to control-flow integrity with a shadow stack (SS) and indirect branch tracking (IBT).

The kernel must map a region of memory for the shadow stack that is not writable by user-space programs except through special instructions.

On processors not supporting CET indirect branch tracking, ENDBRANCH instructions are interpreted as NOPs and have no effect.

Control Flow Guard (CFG) makes it more difficult for an attacker to exploit a use-after-free by replacing an object's contents and then using an indirect function call to execute a payload.

For all protected indirect function calls, the _guard_check_icall function is called, which performs the following steps:

There are several generic techniques for bypassing CFG:

eXtended Flow Guard (XFG) has not been officially released yet, but is available in the Windows Insider preview and was publicly presented at Bluehat Shanghai in 2019.
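As an added illustration (not code from this page or from Microsoft's CFG implementation), the following C model shows the shape of a forward-edge check such as _guard_check_icall: legitimate indirect-call targets are registered in a table at startup, every guarded call is checked against it, and a function pointer that has been redirected at a data buffer, as in the use-after-free scenario above, is refused. The table, the function names and the -1 return value are assumptions; a real implementation consults a compiler-emitted bitmap of valid targets and terminates the process on failure.

```c
#include <stdint.h>

/* Hypothetical software model of a forward-edge CFI check. Real CFG
 * uses a compiler-generated bitmap of valid call targets; here a small
 * table of registered addresses plays that role (assumption). */
#define MAX_TARGETS 8
static uintptr_t valid_targets[MAX_TARGETS];
static int n_targets;

typedef int (*handler_t)(int);

/* Register a legitimate indirect-call target (done once at startup). */
int cfi_register_target(handler_t fn) {
    if (n_targets >= MAX_TARGETS) return 0;
    valid_targets[n_targets++] = (uintptr_t)fn;
    return 1;
}

/* Analogue of _guard_check_icall: 1 if the target is registered, else 0. */
int cfi_check_icall(uintptr_t target) {
    for (int i = 0; i < n_targets; i++)
        if (valid_targets[i] == target) return 1;
    return 0;
}

struct object { handler_t handler; int value; };

/* Guarded indirect call: refuse to dispatch to an unregistered address.
 * Returns -1 when the check fails (a real implementation aborts instead). */
int dispatch(const struct object *obj) {
    if (!cfi_check_icall((uintptr_t)obj->handler)) return -1;
    return obj->handler(obj->value);
}

int double_it(int x) { return 2 * x; }
int add_one(int x) { return x + 1; }

/* Constructed scenario: the object's slot has been refilled so that its
 * handler field points at a data buffer instead of a registered function. */
static unsigned char data_buffer[16];

int demo_corrupted_dispatch(void) {
    struct object obj = { (handler_t)(uintptr_t)data_buffer, 5 };
    return dispatch(&obj);   /* -1: the check rejects the bogus target */
}

int demo_valid_dispatch(void) {
    cfi_register_target(double_it);
    cfi_register_target(add_one);
    struct object obj = { double_it, 21 };
    return dispatch(&obj);   /* 42: registered target, call proceeds */
}
```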