
Analyzing Attacker Capabilities from Valid Call Sites under Control Flow Integrity

Supervisor(s): Fabian Kilger
Status: finished
Topic: Others
Author: Thibaud Lucien Labat
Submission: 2025-04-15
Type of Thesis: Master's thesis

Description

Memory corruption vulnerabilities remain commonly exploited in C/C++ programs, and Control Flow Integrity (CFI) has emerged as a promising defense mechanism against control-flow hijacking attacks. However, existing CFI security evaluation metrics focus on counting the reduction in the number of valid targets for indirect branches, without assessing the actual exploitability of the remaining targets. We address this gap by developing metrics that measure the security of CFI policies based on the attacker capabilities gained through function-level gadgets. Using symbolic execution, we identify and analyze gadgets that enable critical capabilities such as arbitrary memory writes and argument-controlled calls to dangerous libc functions. Our approach focuses on already deployed CFI policies (Intel CET-IBT, ARM BTI, Microsoft CFG, and Clang CFI) and evaluates them across a real-world benchmark of 15 Linux applications. The coarsest policy (Intel CET-IBT) leaves all indirect call sites vulnerable to at least one dangerous libc function call and provides access to an average of 108 write-what-where and 79 arbitrary write gadgets per call site. In contrast, the most restrictive policy (Clang Intra-Module CFI) reduces the average reachability of dangerous functions to just 13.4% of call sites and decreases the average number of reachable memory write gadgets by 98.5%. Overall, the results show significant differences in protection effectiveness across CFI policies, with type-based approaches providing substantially better security than coarse-grained alternatives. We demonstrate that traditional metrics underestimate the attack surface, and that they correlate weakly with our newly defined capability-based metrics. These findings demonstrate the need to transition from target-counting metrics to capability-based ones when evaluating the practical security benefits of CFI policies.
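To illustrate the difference between a target-counting metric and the capability-based metrics described above, the following added example (not code from the thesis) models two simplified policies over a constructed program: a coarse policy in the spirit of CET-IBT, where every address-taken function is a valid target, and a type-based policy in the spirit of Clang CFI, where a target must match the call site's function type. The function names, signatures and capability labels are invented for the illustration; real gadget capabilities would come from symbolic execution of the binary.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class Func:
    name: str
    sig: str                        # function type, as used by type-based CFI
    address_taken: bool             # valid indirect target under coarse policies
    caps: frozenset = frozenset()   # capabilities the gadget grants (constructed labels)

# Constructed sample program: four address-taken functions, one that is not,
# and three indirect call sites identified by the function type they expect.
FUNCS = [
    Func("log_cb",   "void(const char*)",  True),
    Func("copy_cb",  "void(void*,size_t)", True, frozenset({"www"})),       # write-what-where
    Func("store_cb", "void(void*,size_t)", True, frozenset({"awrite"})),    # arbitrary write
    Func("run_cmd",  "int(const char*)",   True, frozenset({"dangerous"})), # reaches a dangerous libc call
    Func("helper",   "int(int)",           False),
]
SITES = {"site_a": "void(const char*)", "site_b": "void(void*,size_t)", "site_c": "int(const char*)"}

def coarse_policy(site_sig, funcs):
    """CET-IBT-like: any address-taken function is a valid target, regardless of type."""
    return [f for f in funcs if f.address_taken]

def type_policy(site_sig, funcs):
    """Clang-CFI-like: only address-taken functions whose type matches the call site."""
    return [f for f in funcs if f.address_taken and f.sig == site_sig]

def target_count_metric(policy, sites=SITES, funcs=FUNCS):
    """Traditional metric: average number of valid targets per indirect call site."""
    return mean(len(policy(sig, funcs)) for sig in sites.values())

def capability_metrics(policy, sites=SITES, funcs=FUNCS):
    """Capability-based metrics: fraction of sites reaching a dangerous function,
    and average number of memory-write gadgets reachable per site."""
    reach_dangerous, write_gadgets = [], []
    for sig in sites.values():
        targets = policy(sig, funcs)
        reach_dangerous.append(int(any("dangerous" in f.caps for f in targets)))
        write_gadgets.append(sum(1 for f in targets if f.caps & {"www", "awrite"}))
    return {"dangerous_site_fraction": mean(reach_dangerous),
            "avg_write_gadgets": mean(write_gadgets)}

if __name__ == "__main__":
    for name, policy in (("coarse", coarse_policy), ("type-based", type_policy)):
        print(name, target_count_metric(policy), capability_metrics(policy))
```

On this sample the target count drops from 4 to about 1.3 per site, but the capability view shows what that buys: every site reaches the dangerous function under the coarse policy, while only one of three does under the type-based policy.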