Open this publication in new window or tab >>2026 (English)Doctoral thesis, comprehensive summary (Other academic)
Kontrollflödesintegritet i praktiken : retrospektiv, verklighet och automatiserad tillämpning
Abstract [en]
Control Flow Integrity (CFI) is a well-established mitigation against control-flow hijacking attacks arising from memory corruption vulnerabilities. Over the past two decades, numerous CFI mechanisms have been proposed and integrated into modern compilers and software ecosystems. Despite this progress, CFI remains difficult to adopt in practice, and deployment decisions, compatibility constraints, and engineering overhead strongly influence its real-world security impact.
This dissertation investigates Control Flow Integrity from the perspective of practical adoption and deployability. Rather than treating CFI as a purely theoretical protection, it examines how CFI is selected, integrated, and maintained in real-world software systems, and why these steps often fall short of idealized designs. The dissertation is structured around four complementary studies that together trace the path from measurement to guidance, to deployment experience, and finally to automated enforcement.
The first study presents a large-scale empirical analysis of deployed binaries to assess the current state of LLVM-CFI adoption across major software platforms. It shows that while CFI deployment is increasing in some ecosystems, it remains uneven and limited, leaving substantial portions of the attack surface unprotected. The second study addresses the lack of practical guidance for developers by introducing a systematic taxonomy that maps LLVM-CFI variants to common classes of memory corruption vulnerabilities. This taxonomy provides actionable recommendations to support incremental, informed adoption of CFI in existing codebases.
The third study examines the practical challenges of deploying CFI in a complex, production-grade runtime. Through a detailed case study of integrating LLVM-CFI into a modern Java Virtual Machine, it demonstrates that compatibility issues, manual exclusions, and maintenance effort are central obstacles to effective enforcement, even when strong CFI mechanisms are available. These findings highlight the gap between CFI as designed and CFI as deployed.
Building on these insights, the dissertation introduces an automated framework for CFI policy generation and enforcement. By reducing manual effort and mitigating compatibility barriers, this approach enables more consistent and scalable CFI deployment across large and evolving software systems.
Overall, the dissertation shows that the effectiveness of Control Flow Integrity in practice is shaped less by the availability of CFI mechanisms than by the feasibility of adopting them. By combining empirical measurement, practical guidance, deployment experience, and automation, this work contributes toward a more realistic and actionable understanding of CFI and provides concrete support for improving its deployment in real-world software systems.
Place, publisher, year, edition, pages
Umeå: Umeå University, 2026. p. 40
Keywords
control flow integrity, security, software security, program analysis, system security
National Category
Security, Privacy and Cryptography
Research subject
Computer Science
Identifiers
urn:nbn:se:umu:diva-248700 (URN)978-91-8070-888-3 (ISBN)978-91-8070-889-0 (ISBN)
Public defence
2026-02-17, Hörsal UB.A.230 - Lindellhallen 3, Lindellplatsen 1, 907 32 Umeå, Umeå, 13:00 (English)
Opponent
Supervisors
Funder
Wallenberg AI, Autonomous Systems and Software Program (WASP), 570011241
2026-01-272026-01-192026-01-20Bibliographically approved