On the Effectiveness of Control-Flow Integrity in Practice - A Systematic Overview

Explore a 20-minute conference talk from USENIX WOOT '24 examining the real-world implementation and effectiveness of Control-Flow Integrity (CFI) protection schemes. Dive into research findings from a comprehensive study analyzing over 77,000 files across 33 Android images and two Windows builds to understand how CFI is currently deployed in practice. Learn about the systematic categorization of actively used CFI solutions and discover concerning gaps in protection, with findings showing up to 94% of binaries and 93% of libraries remaining unprotected on Android systems. Understand the implications of stagnating CFI coverage in Android development and the incomplete protection status in Windows builds, highlighting the significant disconnect between academic research advances and actual system security implementations. Presented by researchers from Technical University of Darmstadt and Hasso Plattner Institute, this analysis reveals critical insights about the current state of memory corruption protection in complex programs.