1====================== 2Control Flow Integrity 3====================== 4 5.. toctree:: 6 :hidden: 7 8 ControlFlowIntegrityDesign 9 10.. contents:: 11 :local: 12 13Introduction 14============ 15 16Clang includes an implementation of a number of control flow integrity (CFI) 17schemes, which are designed to abort the program upon detecting certain forms 18of undefined behavior that can potentially allow attackers to subvert the 19program's control flow. These schemes have been optimized for performance, 20allowing developers to enable them in release builds. 21 22To enable Clang's available CFI schemes, use the flag ``-fsanitize=cfi``. 23You can also enable a subset of available :ref:`schemes <cfi-schemes>`. 24As currently implemented, all schemes rely on link-time optimization (LTO); 25so it is required to specify ``-flto``, and the linker used must support LTO, 26for example via the `gold plugin`_. 27To allow the checks to be implemented efficiently, the program must 28be structured such that certain object files are compiled with CFI enabled, 29and are statically linked into the program. This may preclude the use of 30shared libraries in some cases. 31 32.. _gold plugin: http://llvm.org/docs/GoldPlugin.html 33 34.. _cfi-schemes: 35 36Available schemes 37================= 38 39Available schemes are: 40 41 - ``-fsanitize=cfi-cast-strict``: Enables :ref:`strict cast checks 42 <cfi-strictness>`. 43 - ``-fsanitize=cfi-derived-cast``: Base-to-derived cast to the wrong 44 dynamic type. 45 - ``-fsanitize=cfi-unrelated-cast``: Cast from ``void*`` or another 46 unrelated type to the wrong dynamic type. 47 - ``-fsanitize=cfi-nvcall``: Non-virtual call via an object whose vptr is of 48 the wrong dynamic type. 49 - ``-fsanitize=cfi-vcall``: Virtual call via an object whose vptr is of the 50 wrong dynamic type. 51 - ``-fsanitize=cfi-icall``: Indirect call of a function with wrong dynamic 52 type. 53 54You can use ``-fsanitize=cfi`` to enable all the schemes and use 55``-fno-sanitize`` flag to narrow down the set of schemes as desired. 56For example, you can build your program with 57``-fsanitize=cfi -fno-sanitize=cfi-nvcall,cfi-icall`` 58to use all schemes except for non-virtual member function call and indirect call 59checking. 60 61Remember that you have to provide ``-flto`` if at least one CFI scheme is 62enabled. 63 64 65Forward-Edge CFI for Virtual Calls 66================================== 67 68This scheme checks that virtual calls take place using a vptr of the correct 69dynamic type; that is, the dynamic type of the called object must be a 70derived class of the static type of the object used to make the call. 71This CFI scheme can be enabled on its own using ``-fsanitize=cfi-vcall``. 72 73For this scheme to work, all translation units containing the definition 74of a virtual member function (whether inline or not), other than members 75of :ref:`blacklisted <cfi-blacklist>` types, must be compiled with 76``-fsanitize=cfi-vcall`` enabled and be statically linked into the program. 77 78Performance 79----------- 80 81A performance overhead of less than 1% has been measured by running the 82Dromaeo benchmark suite against an instrumented version of the Chromium 83web browser. Another good performance benchmark for this mechanism is the 84virtual-call-heavy SPEC 2006 xalancbmk. 85 86Note that this scheme has not yet been optimized for binary size; an increase 87of up to 15% has been observed for Chromium. 88 89Bad Cast Checking 90================= 91 92This scheme checks that pointer casts are made to an object of the correct 93dynamic type; that is, the dynamic type of the object must be a derived class 94of the pointee type of the cast. The checks are currently only introduced 95where the class being casted to is a polymorphic class. 96 97Bad casts are not in themselves control flow integrity violations, but they 98can also create security vulnerabilities, and the implementation uses many 99of the same mechanisms. 100 101There are two types of bad cast that may be forbidden: bad casts 102from a base class to a derived class (which can be checked with 103``-fsanitize=cfi-derived-cast``), and bad casts from a pointer of 104type ``void*`` or another unrelated type (which can be checked with 105``-fsanitize=cfi-unrelated-cast``). 106 107The difference between these two types of casts is that the first is defined 108by the C++ standard to produce an undefined value, while the second is not 109in itself undefined behavior (it is well defined to cast the pointer back 110to its original type). 111 112If a program as a matter of policy forbids the second type of cast, that 113restriction can normally be enforced. However it may in some cases be necessary 114for a function to perform a forbidden cast to conform with an external API 115(e.g. the ``allocate`` member function of a standard library allocator). Such 116functions may be :ref:`blacklisted <cfi-blacklist>`. 117 118For this scheme to work, all translation units containing the definition 119of a virtual member function (whether inline or not), other than members 120of :ref:`blacklisted <cfi-blacklist>` types, must be compiled with 121``-fsanitize=cfi-derived-cast`` or ``-fsanitize=cfi-unrelated-cast`` enabled 122and be statically linked into the program. 123 124Non-Virtual Member Function Call Checking 125========================================= 126 127This scheme checks that non-virtual calls take place using an object of 128the correct dynamic type; that is, the dynamic type of the called object 129must be a derived class of the static type of the object used to make the 130call. The checks are currently only introduced where the object is of a 131polymorphic class type. This CFI scheme can be enabled on its own using 132``-fsanitize=cfi-nvcall``. 133 134For this scheme to work, all translation units containing the definition 135of a virtual member function (whether inline or not), other than members 136of :ref:`blacklisted <cfi-blacklist>` types, must be compiled with 137``-fsanitize=cfi-nvcall`` enabled and be statically linked into the program. 138 139.. _cfi-strictness: 140 141Strictness 142---------- 143 144If a class has a single non-virtual base and does not introduce or override 145virtual member functions or fields other than an implicitly defined virtual 146destructor, it will have the same layout and virtual function semantics as 147its base. By default, casts to such classes are checked as if they were made 148to the least derived such class. 149 150Casting an instance of a base class to such a derived class is technically 151undefined behavior, but it is a relatively common hack for introducing 152member functions on class instances with specific properties that works under 153most compilers and should not have security implications, so we allow it by 154default. It can be disabled with ``-fsanitize=cfi-cast-strict``. 155 156Indirect Function Call Checking 157=============================== 158 159This scheme checks that function calls take place using a function of the 160correct dynamic type; that is, the dynamic type of the function must match 161the static type used at the call. This CFI scheme can be enabled on its own 162using ``-fsanitize=cfi-icall``. 163 164For this scheme to work, each indirect function call in the program, other 165than calls in :ref:`blacklisted <cfi-blacklist>` functions, must call a 166function which was either compiled with ``-fsanitize=cfi-icall`` enabled, 167or whose address was taken by a function in a translation unit compiled with 168``-fsanitize=cfi-icall``. 169 170If a function in a translation unit compiled with ``-fsanitize=cfi-icall`` 171takes the address of a function not compiled with ``-fsanitize=cfi-icall``, 172that address may differ from the address taken by a function in a translation 173unit not compiled with ``-fsanitize=cfi-icall``. This is technically a 174violation of the C and C++ standards, but it should not affect most programs. 175 176Each translation unit compiled with ``-fsanitize=cfi-icall`` must be 177statically linked into the program or shared library, and calls across 178shared library boundaries are handled as if the callee was not compiled with 179``-fsanitize=cfi-icall``. 180 181This scheme is currently only supported on the x86 and x86_64 architectures. 182 183``-fsanitize=cfi-icall`` and ``-fsanitize=function`` 184---------------------------------------------------- 185 186This tool is similar to ``-fsanitize=function`` in that both tools check 187the types of function calls. However, the two tools occupy different points 188on the design space; ``-fsanitize=function`` is a developer tool designed 189to find bugs in local development builds, whereas ``-fsanitize=cfi-icall`` 190is a security hardening mechanism designed to be deployed in release builds. 191 192``-fsanitize=function`` has a higher space and time overhead due to a more 193complex type check at indirect call sites, as well as a need for run-time 194type information (RTTI), which may make it unsuitable for deployment. Because 195of the need for RTTI, ``-fsanitize=function`` can only be used with C++ 196programs, whereas ``-fsanitize=cfi-icall`` can protect both C and C++ programs. 197 198On the other hand, ``-fsanitize=function`` conforms more closely with the C++ 199standard and user expectations around interaction with shared libraries; 200the identity of function pointers is maintained, and calls across shared 201library boundaries are no different from calls within a single program or 202shared library. 203 204.. _cfi-blacklist: 205 206Blacklist 207========= 208 209A :doc:`SanitizerSpecialCaseList` can be used to relax CFI checks for certain 210source files, functions and types using the ``src``, ``fun`` and ``type`` 211entity types. 212 213In addition, if a type has a ``uuid`` attribute and the blacklist contains 214the type entry ``attr:uuid``, CFI checks are suppressed for that type. This 215allows all COM types to be easily blacklisted, which is useful as COM types 216are typically defined outside of the linked program. 217 218.. code-block:: bash 219 220 # Suppress checking for code in a file. 221 src:bad_file.cpp 222 src:bad_header.h 223 # Ignore all functions with names containing MyFooBar. 224 fun:*MyFooBar* 225 # Ignore all types in the standard library. 226 type:std::* 227 # Ignore all types with a uuid attribute. 228 type:attr:uuid 229 230Design 231====== 232 233Please refer to the :doc:`design document<ControlFlowIntegrityDesign>`. 234 235Publications 236============ 237 238`Control-Flow Integrity: Principles, Implementations, and Applications <http://research.microsoft.com/pubs/64250/ccs05.pdf>`_. 239Martin Abadi, Mihai Budiu, Úlfar Erlingsson, Jay Ligatti. 240 241`Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM <http://www.pcc.me.uk/~peter/acad/usenix14.pdf>`_. 242Caroline Tice, Tom Roeder, Peter Collingbourne, Stephen Checkoway, 243Úlfar Erlingsson, Luis Lozano, Geoff Pike. 244