A Practical Guideline and Taxonomy to LLVM's Control Flow Integrity Article Swipe

PDF

Sabine Houy , Bruno Kreyssig , Timothée Riom , Alexandre Bartel , Patrick McDaniel ·

YOU? · · 2025 · Open Access · · DOI: https://doi.org/10.48550/arxiv.2508.15386

Memory corruption vulnerabilities remain one of the most severe threats to software security. They often allow attackers to achieve arbitrary code execution by redirecting a vulnerable program's control flow. While Control Flow Integrity (CFI) has gained traction to mitigate this exploitation path, developers are not provided with any direction on how to apply CFI to real-world software. In this work, we establish a taxonomy mapping LLVM's forward-edge CFI variants to memory corruption vulnerability classes, offering actionable guidance for developers seeking to deploy CFI incrementally in existing codebases. Based on the Top 10 Known Exploited Vulnerabilities (KEV) list, we identify four high-impact vulnerability categories and select one representative CVE for each. We evaluate LLVM's CFI against each CVE and explain why CFI blocks exploitation in two cases while failing in the other two, illustrating its potential and current limitations. Our findings support informed deployment decisions and provide a foundation for improving the practical use of CFI in production systems.

Related Topics

Concepts

No concepts available.

Metadata

Type: preprint
Language: en
Landing Page: http://arxiv.org/abs/2508.15386
PDF: https://arxiv.org/pdf/2508.15386
OA Status: green
OpenAlex ID: https://openalex.org/W4416050920

All OpenAlex metadata

Raw OpenAlex JSON

OpenAlex ID: https://openalex.org/W4416050920

Canonical identifier for this work in OpenAlex
DOI: https://doi.org/10.48550/arxiv.2508.15386

Digital Object Identifier
Title: A Practical Guideline and Taxonomy to LLVM's Control Flow Integrity

Work title
Type: preprint

OpenAlex work type
Language: en

Primary language
Publication year: 2025

Year of publication
Publication date: 2025-08-21

Full publication date if available
Authors: Sabine Houy, Bruno Kreyssig, Timothée Riom, Alexandre Bartel, Patrick McDaniel

List of authors in order
Landing page: https://arxiv.org/abs/2508.15386

Publisher landing page
PDF URL: https://arxiv.org/pdf/2508.15386

Direct link to full text PDF
Open access: Yes

Whether a free full text is available
OA status: green

Open access status per OpenAlex
OA URL: https://arxiv.org/pdf/2508.15386

Direct OA link when available
Cited by: 0

Total citation count in OpenAlex

Full payload

id	https://openalex.org/W4416050920
doi	https://doi.org/10.48550/arxiv.2508.15386
ids.doi	https://doi.org/10.48550/arxiv.2508.15386
ids.openalex	https://openalex.org/W4416050920
fwci
type	preprint
title	A Practical Guideline and Taxonomy to LLVM's Control Flow Integrity
biblio.issue
biblio.volume
biblio.last_page
biblio.first_page
is_xpac	False
apc_list
apc_paid
language	en
locations[0].id	pmh:oai:arXiv.org:2508.15386
locations[0].is_oa	True
locations[0].source.id	https://openalex.org/S4306400194
locations[0].source.issn
locations[0].source.type	repository
locations[0].source.is_oa	True
locations[0].source.issn_l
locations[0].source.is_core	False
locations[0].source.is_in_doaj	False
locations[0].source.display_name	arXiv (Cornell University)
locations[0].source.host_organization	https://openalex.org/I205783295
locations[0].source.host_organization_name	Cornell University
locations[0].source.host_organization_lineage	https://openalex.org/I205783295
locations[0].license
locations[0].pdf_url	https://arxiv.org/pdf/2508.15386
locations[0].version	submittedVersion
locations[0].raw_type	text
locations[0].license_id
locations[0].is_accepted	False
locations[0].is_published	False
locations[0].raw_source_name
locations[0].landing_page_url	http://arxiv.org/abs/2508.15386
locations[1].id	doi:10.48550/arxiv.2508.15386
locations[1].is_oa	True
locations[1].source.id	https://openalex.org/S4306400194
locations[1].source.issn
locations[1].source.type	repository
locations[1].source.is_oa	True
locations[1].source.issn_l
locations[1].source.is_core	False
locations[1].source.is_in_doaj	False
locations[1].source.display_name	arXiv (Cornell University)
locations[1].source.host_organization	https://openalex.org/I205783295
locations[1].source.host_organization_name	Cornell University
locations[1].source.host_organization_lineage	https://openalex.org/I205783295
locations[1].license
locations[1].pdf_url
locations[1].version
locations[1].raw_type	article
locations[1].license_id
locations[1].is_accepted	False
locations[1].is_published
locations[1].raw_source_name
locations[1].landing_page_url	https://doi.org/10.48550/arxiv.2508.15386
indexed_in	arxiv, datacite
authorships[0].author.id	https://openalex.org/A5091965804
authorships[0].author.orcid	https://orcid.org/0000-0002-7679-0796
authorships[0].author.display_name	Sabine Houy
authorships[0].author_position	first
authorships[0].raw_author_name	Houy, Sabine
authorships[0].is_corresponding	False
authorships[1].author.id	https://openalex.org/A5099127829
authorships[1].author.orcid
authorships[1].author.display_name	Bruno Kreyssig
authorships[1].author_position	middle
authorships[1].raw_author_name	Kreyssig, Bruno
authorships[1].is_corresponding	False
authorships[2].author.id	https://openalex.org/A5006466540
authorships[2].author.orcid	https://orcid.org/0000-0001-7486-0538
authorships[2].author.display_name	Timothée Riom
authorships[2].author_position	middle
authorships[2].raw_author_name	Riom, Timothee
authorships[2].is_corresponding	False
authorships[3].author.id	https://openalex.org/A5019300625
authorships[3].author.orcid	https://orcid.org/0000-0003-1383-0372
authorships[3].author.display_name	Alexandre Bartel
authorships[3].author_position	middle
authorships[3].raw_author_name	Bartel, Alexandre
authorships[3].is_corresponding	False
authorships[4].author.id	https://openalex.org/A5055368149
authorships[4].author.orcid	https://orcid.org/0000-0003-2091-7484
authorships[4].author.display_name	Patrick McDaniel
authorships[4].author_position	last
authorships[4].raw_author_name	McDaniel, Patrick
authorships[4].is_corresponding	False
has_content.pdf	True
has_content.grobid_xml	True
is_paratext	False
open_access.is_oa	True
open_access.oa_url	https://arxiv.org/pdf/2508.15386
open_access.oa_status	green
open_access.any_repository_has_fulltext	False
created_date	2025-10-10T00:00:00
display_name	A Practical Guideline and Taxonomy to LLVM's Control Flow Integrity
has_fulltext	True
is_retracted	False
updated_date	2025-11-28T10:50:22.618217
primary_topic
cited_by_count	0
locations_count	2
best_oa_location.id	pmh:oai:arXiv.org:2508.15386
best_oa_location.is_oa	True
best_oa_location.source.id	https://openalex.org/S4306400194
best_oa_location.source.issn
best_oa_location.source.type	repository
best_oa_location.source.is_oa	True
best_oa_location.source.issn_l
best_oa_location.source.is_core	False
best_oa_location.source.is_in_doaj	False
best_oa_location.source.display_name	arXiv (Cornell University)
best_oa_location.source.host_organization	https://openalex.org/I205783295
best_oa_location.source.host_organization_name	Cornell University
best_oa_location.source.host_organization_lineage	https://openalex.org/I205783295
best_oa_location.license
best_oa_location.pdf_url	https://arxiv.org/pdf/2508.15386
best_oa_location.version	submittedVersion
best_oa_location.raw_type	text
best_oa_location.license_id
best_oa_location.is_accepted	False
best_oa_location.is_published	False
best_oa_location.raw_source_name
best_oa_location.landing_page_url	http://arxiv.org/abs/2508.15386
primary_location.id	pmh:oai:arXiv.org:2508.15386
primary_location.is_oa	True
primary_location.source.id	https://openalex.org/S4306400194
primary_location.source.issn
primary_location.source.type	repository
primary_location.source.is_oa	True
primary_location.source.issn_l
primary_location.source.is_core	False
primary_location.source.is_in_doaj	False
primary_location.source.display_name	arXiv (Cornell University)
primary_location.source.host_organization	https://openalex.org/I205783295
primary_location.source.host_organization_name	Cornell University
primary_location.source.host_organization_lineage	https://openalex.org/I205783295
primary_location.license
primary_location.pdf_url	https://arxiv.org/pdf/2508.15386
primary_location.version	submittedVersion
primary_location.raw_type	text
primary_location.license_id
primary_location.is_accepted	False
primary_location.is_published	False
primary_location.raw_source_name
primary_location.landing_page_url	http://arxiv.org/abs/2508.15386
publication_date	2025-08-21
publication_year	2025
referenced_works_count	0
abstract_inverted_index.a	24, 62, 146
abstract_inverted_index.10	91
abstract_inverted_index.In	57
abstract_inverted_index.We	110
abstract_inverted_index.by	22
abstract_inverted_index.in	84, 123, 128, 155
abstract_inverted_index.of	5, 153
abstract_inverted_index.on	49, 88
abstract_inverted_index.to	10, 17, 37, 51, 54, 69, 80
abstract_inverted_index.we	60, 97
abstract_inverted_index.CFI	53, 67, 82, 113, 120, 154
abstract_inverted_index.CVE	107, 116
abstract_inverted_index.Our	138
abstract_inverted_index.Top	90
abstract_inverted_index.and	103, 117, 135, 144
abstract_inverted_index.any	47
abstract_inverted_index.are	43
abstract_inverted_index.for	77, 108, 148
abstract_inverted_index.has	34
abstract_inverted_index.how	50
abstract_inverted_index.its	133
abstract_inverted_index.not	44
abstract_inverted_index.one	4, 105
abstract_inverted_index.the	6, 89, 129, 150
abstract_inverted_index.two	124
abstract_inverted_index.use	152
abstract_inverted_index.why	119
abstract_inverted_index.Flow	31
abstract_inverted_index.They	13
abstract_inverted_index.code	20
abstract_inverted_index.each	115
abstract_inverted_index.four	99
abstract_inverted_index.most	7
abstract_inverted_index.this	39, 58
abstract_inverted_index.two,	131
abstract_inverted_index.with	46
abstract_inverted_index.(CFI)	33
abstract_inverted_index.(KEV)	95
abstract_inverted_index.Based	87
abstract_inverted_index.Known	92
abstract_inverted_index.While	29
abstract_inverted_index.allow	15
abstract_inverted_index.apply	52
abstract_inverted_index.cases	125
abstract_inverted_index.each.	109
abstract_inverted_index.flow.	28
abstract_inverted_index.list,	96
abstract_inverted_index.often	14
abstract_inverted_index.other	130
abstract_inverted_index.path,	41
abstract_inverted_index.while	126
abstract_inverted_index.work,	59
abstract_inverted_index.LLVM's	65, 112
abstract_inverted_index.Memory	0
abstract_inverted_index.blocks	121
abstract_inverted_index.deploy	81
abstract_inverted_index.gained	35
abstract_inverted_index.memory	70
abstract_inverted_index.remain	3
abstract_inverted_index.select	104
abstract_inverted_index.severe	8
abstract_inverted_index.Control	30
abstract_inverted_index.achieve	18
abstract_inverted_index.against	114
abstract_inverted_index.control	27
abstract_inverted_index.current	136
abstract_inverted_index.explain	118
abstract_inverted_index.failing	127
abstract_inverted_index.mapping	64
abstract_inverted_index.provide	145
abstract_inverted_index.seeking	79
abstract_inverted_index.support	140
abstract_inverted_index.threats	9
abstract_inverted_index.classes,	73
abstract_inverted_index.evaluate	111
abstract_inverted_index.existing	85
abstract_inverted_index.findings	139
abstract_inverted_index.guidance	76
abstract_inverted_index.identify	98
abstract_inverted_index.informed	141
abstract_inverted_index.mitigate	38
abstract_inverted_index.offering	74
abstract_inverted_index.provided	45
abstract_inverted_index.software	11
abstract_inverted_index.systems.	157
abstract_inverted_index.taxonomy	63
abstract_inverted_index.traction	36
abstract_inverted_index.variants	68
abstract_inverted_index.Exploited	93
abstract_inverted_index.Integrity	32
abstract_inverted_index.arbitrary	19
abstract_inverted_index.attackers	16
abstract_inverted_index.decisions	143
abstract_inverted_index.direction	48
abstract_inverted_index.establish	61
abstract_inverted_index.execution	21
abstract_inverted_index.improving	149
abstract_inverted_index.potential	134
abstract_inverted_index.practical	151
abstract_inverted_index.program's	26
abstract_inverted_index.security.	12
abstract_inverted_index.software.	56
abstract_inverted_index.actionable	75
abstract_inverted_index.categories	102
abstract_inverted_index.codebases.	86
abstract_inverted_index.corruption	1, 71
abstract_inverted_index.deployment	142
abstract_inverted_index.developers	42, 78
abstract_inverted_index.foundation	147
abstract_inverted_index.production	156
abstract_inverted_index.real-world	55
abstract_inverted_index.vulnerable	25
abstract_inverted_index.high-impact	100
abstract_inverted_index.redirecting	23
abstract_inverted_index.exploitation	40, 122
abstract_inverted_index.forward-edge	66
abstract_inverted_index.illustrating	132
abstract_inverted_index.limitations.	137
abstract_inverted_index.incrementally	83
abstract_inverted_index.vulnerability	72, 101
abstract_inverted_index.representative	106
abstract_inverted_index.Vulnerabilities	94
abstract_inverted_index.vulnerabilities	2
cited_by_percentile_year
countries_distinct_count	0
institutions_distinct_count	5
citation_normalized_percentile