A Practical Guideline and Taxonomy to LLVM's Control Flow Integrity

TL;DR

This paper provides a practical guideline and taxonomy for applying LLVM's Control Flow Integrity (CFI) to real-world software, analyzing its effectiveness against common memory corruption vulnerabilities.

Contribution

It introduces a taxonomy linking LLVM's CFI variants to vulnerability classes and evaluates CFI's effectiveness on high-impact CVEs, guiding practical deployment.

Findings

CFI blocks exploitation in some high-impact CVEs

CFI has limitations in certain vulnerability scenarios

Provides actionable guidance for incremental CFI deployment

Abstract

Memory corruption vulnerabilities remain one of the most severe threats to software security. They often allow attackers to achieve arbitrary code execution by redirecting a vulnerable program's control flow. While Control Flow Integrity (CFI) has gained traction to mitigate this exploitation path, developers are not provided with any direction on how to apply CFI to real-world software. In this work, we establish a taxonomy mapping LLVM's forward-edge CFI variants to memory corruption vulnerability classes, offering actionable guidance for developers seeking to deploy CFI incrementally in existing codebases. Based on the Top 10 Known Exploited Vulnerabilities (KEV) list, we identify four high-impact vulnerability categories and select one representative CVE for each. We evaluate LLVM's CFI against each CVE and explain why CFI blocks exploitation in two cases while failing in the other two, illustrating its potential and current limitations. Our findings support informed deployment decisions and provide a foundation for improving the practical use of CFI in production systems.