Umeå University's logo

umu.sePublications
Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Twenty years later: evaluating the adoption of control flow integrity
Umeå University, Faculty of Science and Technology, Department of Computing Science.
Umeå University, Faculty of Science and Technology, Department of Computing Science.ORCID iD: 0000-0003-1383-0372
2025 (English)In: ACM Transactions on Software Engineering and Methodology, ISSN 1049-331X, E-ISSN 1557-7392, Vol. 34, no 4, article id 103Article in journal (Refereed) Published
Abstract [en]

Memory corruption vulnerabilities still allow compromising computers through software written in a memory-unsafe language such as C/C++. This highlights that mitigation techniques to prevent such exploitations are not all widely deployed. In this article, we introduce SeeCFI, a tool to detect the presence of a memory corruption mitigation technique called Control Flow Integrity (CFI). We leverage SeeCFI to investigate to what extent the mitigation has been deployed in complex software systems such as Android and specific Linux distributions (Ubuntu and Debian). Our results indicate that the overall adoption of CFI (forward- and backward-edge) is increasing across Android versions (∼30% in Android 13) but remains the same low (1%) throughout different Linux versions. Our tool, SeeCFI, offers the possibility to identify which binaries in a system were compiled using the CFI option. This can be deployed by external security researchers to efficiently decide which binaries to prioritize when fixing vulnerabilities and how to fix them. Therefore, SeeCFI can help to make software systems more secure.

Place, publisher, year, edition, pages
Association for Computing Machinery (ACM), 2025. Vol. 34, no 4, article id 103
Keywords [en]
CFI, memory corruption vulnerabilities, mitigation techniques, software maintenance, static analysis
National Category
Software Engineering Computer Systems
Identifiers
URN: urn:nbn:se:umu:diva-239174DOI: 10.1145/3702982ISI: 001490671100003Scopus ID: 2-s2.0-105005201930OAI: oai:DiVA.org:umu-239174DiVA, id: diva2:1970009
Available from: 2025-06-16 Created: 2025-06-16 Last updated: 2025-06-16Bibliographically approved

Open Access in DiVA

fulltext(5539 kB)22 downloads
File information
File name FULLTEXT01.pdfFile size 5539 kBChecksum SHA-512
72ef45ae2d2df774d91674a3360b00b714a5fd6eda648f86444d7d55b2531df3be128ddfa31f267dd45ffb164667b08023a63b8a09aab57ff2ecbdee77a9734e
Type fulltextMimetype application/pdf

Other links

Publisher's full textScopus

Authority records

Houy, SabineBartel, Alexandre

Search in DiVA

By author/editor
Houy, SabineBartel, Alexandre
By organisation
Department of Computing Science
In the same journal
ACM Transactions on Software Engineering and Methodology
Software EngineeringComputer Systems

Search outside of DiVA

GoogleGoogle Scholar
Total: 27 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

doi
urn-nbn

Altmetric score

doi
urn-nbn
Total: 95 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf