Bibliographic Details
Main Authors: Houy, Sabine, Kreyssig, Bruno, Bartel, Alexandre
Format: Preprint
Published: 2025
Subjects: Software Engineering
Online Access: https://arxiv.org/abs/2512.22701
contents Compiler-based Control-Flow Integrity (CFI) offers strong forward-edge protection but remains challenging to deploy in large C/C++ software due to visibility mismatches, type inconsistencies, and unintended behavioral failures. We present CFIghter, the first fully automated system that enables strict, type-based CFI in real-world projects by detecting, classifying, and repairing unintended policy violations exposed by the test suite. CFIghter integrates whole-program analysis with guided runtime monitoring and iteratively applies the minimal necessary adjustments to CFI enforcement only where required, stopping once all tests pass or remaining failures are deemed unresolvable. We evaluate CFIghter on four GNU projects. It resolves all visibility-related build errors and automatically repairs 95.8% of unintended CFI violations in the large, multi-library util-linux codebase, while retaining strict enforcement at over 89% of indirect control-flow sites. Across all subjects, CFIghter preserves strict type-based CFI for the majority of the codebase without requiring manual source-code changes, relying only on automatically generated visibility adjustments and localized enforcement scopes where necessary. These results show that automated compatibility repair makes strict compiler CFI practically deployable in mature, modular C software.
id arxiv_https___arxiv_org_abs_2512_22701
institution arXiv
record_format arxiv
title CFIghter: Automated Control-Flow Integrity Enablement and Evaluation for Legacy C/C++ Systems
topic Software Engineering