Stony Brook University Logo Department of Computer Science Stony Brook Search Button
Secure Systems Lab

CFCI: Strong Code Integrity for COTS Binaries

See our ACSAC 2015 paper for an overview of this approach. Note that this paper is an extension built on top of PSI (paper in VEE 2014).


Despite decades of sustained effort, memory corruption attacks continue to be one of the most serious security threats faced today. They are highly sought after by attackers, as they provide ultimate control -- the ability to execute arbitrary low-level code. Attackers have shown time and again their ability to overcome widely deployed countermeasures such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) by crafting ReturnOriented Programming (ROP) attacks. Although Turing-complete ROP attacks have been demonstrated in research papers, real-world ROP payloads have had a more limited objective: that of disabling DEP so that injected native code attacks can be carried out. In this project, we have developed a systematic defense, called Control Flow and Code Integrity (CFCI), that makes injected native code attacks impossible. CFCI achieves this without sacrificing compatibility with existing software, the need to replace system programs suchas the dynamic loader, and without significant performance penalty.


CFCI is alpha software. It is provided for research and evaluation purposes only.


Available soon as a Virtual Box VM shipped under GPL: cfci-vbox-v1.0.tar.gz.


This work was supported in part by an NSF grants CNS-1319137, CNS-0831298, an AFOSR grant FA9550-09-1-0539, and an ONR grant N000140710928.

Home Contact NSI Computer Science Stony Brook University

Copyright © 1999-2013 Secure Systems Laboratory, Stony Brook University. All rights reserved.