Branch Landing: Bloom Filter-Based Source Authorization for Forward-Edge CFI on RISC-V
You Wu, Peter Beerel

TL;DR
Branch Landing introduces a Bloom filter-based forward-edge CFI framework for RISC-V, enabling precise source authorization with minimal runtime overhead and flexible policy configurations.
Contribution
It proposes a novel Bloom filter-based mechanism with ISA extensions for efficient, configurable source authorization in forward-edge CFI on RISC-V.
Findings
Achieves average runtime overheads of 0.210% and 0.421% for two policies.
Code size increases by less than 1%.
CFG-derived policy reduces equivalence class size by 32.5%.
Abstract
Jump-Oriented Programming (JOP) attacks exploit indirect control transfers to bypass backward-edge defenses, yet existing forward-edge CFI mechanisms lack precise source-domain authorization: type-based CFI admits all same-signature callers, while tag-based hardware CFI is limited by fixed-width register storage that caps the number of simultaneously authorized sources. We propose Branch Landing (BRL), a landing-based forward-edge CFI framework for RISC-V that replaces fixed-capacity checks with Bloom filter membership queries. Two lightweight ISA extensions, bld and brl, propagate a source Section Identifier (SID) through a dedicated BRState register and validate it at each landing site with fixed-probe latency that is independent of the number of authorized sources under a chosen filter configuration. Section granularity is configurable, supporting policies from type-based to…
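As an added illustration (not the paper's code or artifact), a small Python model of the landing check the abstract describes: a source section records its SID through a modelled bld, the landing site's brl admits only SIDs that are members of its Bloom filter, and each query costs exactly k probes regardless of how many sources are authorized. The filter width, probe count and hash construction are assumptions; the model also reports the filter's false-positive rate, which is the precision cost a defender weighs when choosing a configuration.

```python
import hashlib
import math

class BloomFilter:
    """Fixed-width bit vector with k probe positions per SID (assumed construction)."""
    def __init__(self, m_bits: int, k: int):
        self.m, self.k, self.bits, self.probes = m_bits, k, 0, 0

    def _positions(self, sid: int):
        # k positions from a digest of (probe index, SID); the paper's hash is not on the page
        for i in range(self.k):
            h = hashlib.sha256(f"{i}:{sid}".encode()).digest()
            yield int.from_bytes(h[:4], "little") % self.m

    def add(self, sid: int) -> None:
        for p in self._positions(sid):
            self.bits |= 1 << p

    def query(self, sid: int) -> bool:
        # exactly k probes every time: cost does not grow with the number of added SIDs
        self.probes += self.k
        return all((self.bits >> p) & 1 for p in self._positions(sid))

class BranchLandingModel:
    """Source side executes bld(SID); the landing site executes brl() against its filter."""
    def __init__(self):
        self.brstate = None  # BRState register: holds the SID set by the most recent bld

    def bld(self, sid: int) -> None:
        self.brstate = sid

    def brl(self, landing_filter: BloomFilter) -> bool:
        sid, self.brstate = self.brstate, None  # consume the state so it cannot be reused
        return sid is not None and landing_filter.query(sid)

def build_landing_filter(authorized_sids, m_bits=256, k=3) -> BloomFilter:
    bf = BloomFilter(m_bits, k)
    for sid in authorized_sids:
        bf.add(sid)
    return bf

def expected_false_positive_rate(m_bits: int, k: int, n: int) -> float:
    """Standard Bloom filter estimate: an unauthorized SID is admitted with about this probability."""
    return (1.0 - math.exp(-k * n / m_bits)) ** k

def measured_false_positive_rate(bf: BloomFilter, authorized_sids, trials: int) -> float:
    """Constructed unauthorized SIDs: how often the landing check wrongly admits one."""
    machine = BranchLandingModel()
    unauthorized = [s for s in range(10_000, 10_000 + trials) if s not in authorized_sids]
    admitted = 0
    for sid in unauthorized:
        machine.bld(sid)
        admitted += machine.brl(bf)
    return admitted / len(unauthorized)
```

Widening m_bits lowers the false-positive rate at the cost of storage, while raising the number of authorized sources n raises it; the probe count k stays fixed either way.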
