
Precise Forward-Edge CFI in LLVM

Supervisor(s): Philipp Zieris, Julian Horsch
Status: open
Topic: Others
Type of Thesis: Master's thesis
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching


Announcement: Master’s Thesis


The vast majority of today's security-relevant vulnerabilities arise from the broad use of unsafe programming languages such as C and C++. These languages do not enforce strong type safety or memory safety, trading them for efficiency and flexibility, which makes them attractive for software development, especially for low-level embedded systems. However, the lack of such safety features frequently allows programming errors to leave code pointers (function pointers, return addresses, vtable pointers) exposed to corruption at run-time. Code-reuse attacks exploit these corruptible code pointers to divert a program's control-flow and induce malicious behaviour without injecting any new code.

To defend against code-reuse attacks, programs can be equipped with Control-Flow Integrity (CFI) mechanisms that detect deviations from the program's intended Control-Flow Graph (CFG). Jump-oriented programming (JOP), a dominant form of code-reuse attack, targets the forward edges of the CFG by altering the code pointers used in indirect function calls (as opposed to return-oriented programming, which targets the backward edges formed by return addresses). Consequently, forward-edge CFI has to detect a maliciously altered function pointer at the moment it is used in an indirect call, i.e. before control is transferred.

Task Description

In previous work, forward-edge CFI mechanisms identified the valid targets of an indirect function call by evaluating the signature of the called function and restricting the call to functions with the same signature. This identification is simple and fast, but lacks precision, as many functions may share the same signature: every address-taken function of a matching type remains a valid target, even if the pointer at a given call site can never legitimately hold its address. For this thesis, we want to overcome the imprecision of signature-based forward-edge CFI by leveraging static points-to analysis to identify the targets of each indirect function call more precisely, i.e. to restrict a call site to the set of functions the pointer may actually point to. The goal of this thesis is to introduce such an analysis into the existing LLVM CFI mechanism and to evaluate the gain in precision and the impact on performance.
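The following C program is an added illustration of the precision gap described above; it is not code from the announcement, from LLVM or from Fraunhofer AISEC. It models the two policies as explicit allow-lists checked before an indirect call: the signature-based set contains every address-taken function of type `int(int)`, while the points-to set is an assumed analysis result for one call site (`run_op`), whose pointer is only ever assigned in `set_op`. The struct layout, the function names, the "sensitive" function `wipe` and the simulated overflow are all constructed for the example; a real attacker would obtain the target address through an information leak rather than from the program itself.

```c
/* Added example: a runtime model of signature-based vs. points-to based
 * forward-edge CFI. Not LLVM code; names, layout and the points-to result
 * are assumptions chosen for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int (*op_t)(int);

/* Four address-taken functions sharing the signature int(int). */
static int inc(int x)  { return x + 1; }
static int dbl(int x)  { return 2 * x; }
static int neg(int x)  { return -x; }
static int wipe(int x) { return x * 0; }   /* stands in for a sensitive function */

/* ctx.op only ever receives inc or dbl through set_op(); neg and wipe are
 * reached through a separate table used at a different call site. */
struct ctx { char name[8]; op_t op; };

static void set_op(struct ctx *c, bool doubling) { c->op = doubling ? dbl : inc; }
static const op_t admin_table[] = { neg, wipe };
static int run_admin(size_t i, int x) { return admin_table[i](x); }

/* Signature-based policy (what clang's -fsanitize=cfi-icall enforces):
 * every address-taken function of type int(int) is a valid target. */
static const op_t sig_set[] = { inc, dbl, neg, wipe };
/* Points-to policy: assumed result of a static analysis for the call site
 * in run_op(), which only sees the two stores in set_op(). */
static const op_t pts_set[] = { inc, dbl };

enum policy { POLICY_SIGNATURE, POLICY_POINTS_TO };

static bool in_set(const op_t *set, size_t n, op_t t) {
    for (size_t i = 0; i < n; i++)
        if (set[i] == t) return true;
    return false;
}

/* The instrumented indirect call: refuse (return false) instead of
 * transferring control when the target is outside the policy's set. */
static bool run_op(enum policy p, const struct ctx *c, int arg, int *out) {
    bool ok = (p == POLICY_SIGNATURE)
        ? in_set(sig_set, sizeof sig_set / sizeof sig_set[0], c->op)
        : in_set(pts_set, sizeof pts_set / sizeof pts_set[0], c->op);
    if (!ok) return false;
    *out = c->op(arg);
    return true;
}

/* Model of a memory-safety bug: a copy into ctx.name that is not checked
 * against the field's size runs into the adjacent function pointer. The
 * struct is written byte-wise so the corruption stays inside the object. */
static void overflow_name(struct ctx *c, const unsigned char *payload, size_t len) {
    unsigned char *dst = (unsigned char *)c + offsetof(struct ctx, name);
    for (size_t i = 0; i < len; i++) dst[i] = payload[i];  /* no bounds check on purpose */
}

/* True if a pointer corrupted to `target` is still accepted by policy p. */
static bool attack_survives(enum policy p, op_t target) {
    struct ctx c;
    memset(&c, 0, sizeof c);
    set_op(&c, false);                                   /* legitimate: inc */
    unsigned char payload[sizeof c.name + sizeof target]; /* constructed attacker input */
    memset(payload, 'A', sizeof c.name);
    memcpy(payload + sizeof c.name, &target, sizeof target);
    overflow_name(&c, payload, sizeof payload);
    int r;
    return run_op(p, &c, 1, &r);
}

/* A legitimate use of the call site must pass under both policies. */
static int legit_result(enum policy p) {
    struct ctx c;
    memset(&c, 0, sizeof c);
    set_op(&c, true);                                    /* legitimate: dbl */
    int r;
    return run_op(p, &c, 21, &r) ? r : -1;
}

int main(void) {
    printf("legitimate call under points-to CFI: %d\n", legit_result(POLICY_POINTS_TO));
    printf("pointer corrupted to wipe, signature CFI: %s\n",
           attack_survives(POLICY_SIGNATURE, wipe) ? "allowed (false negative)" : "blocked");
    printf("pointer corrupted to wipe, points-to CFI: %s\n",
           attack_survives(POLICY_POINTS_TO, wipe) ? "allowed" : "blocked");
    return 0;
}
```

The signature-based check lets the corrupted call through because `wipe` has the right type and is address-taken elsewhere in the program; the points-to set rejects it because no store to this pointer ever involves `wipe`. In a real build the equivalent of `sig_set` is not a table but a type-identity bit set consulted at each indirect call site, which is what `clang -fsanitize=cfi-icall` emits (it requires `-flto` and `-fvisibility=hidden` so that the whole program's address-taken functions are known at link time); the thesis would replace the type-based set with one derived from the points-to analysis.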

Requirements

• Ability to work independently and accurately
• Good C/C++ programming skills
• Familiar with Linux and compiler toolchains
• High interest in compiler programming and software security


Philipp Zieris

Phone: +49 89 3229986-183

Julian Horsch

Phone: +49 89 3229986-118

Fraunhofer Institute for Applied and Integrated Security (AISEC), Lichtenbergstr. 11, 85748 Garching (near Munich), Germany http://www.aisec.fraunhofer.de