@MISC{Niu_per-inputcontrol-flow, author = {Ben Niu}, title = {Per-Input Control-Flow Integrity}, year = {} }
Abstract
Control-Flow Integrity (CFI) is an effective approach to mitigating control-flow hijacking attacks. Conventional CFI techniques statically extract a control-flow graph (CFG) from a program and instrument the program to enforce that CFG. The statically generated CFG includes all edges for all possible inputs; however, for a concrete input, the CFG may include many unnecessary edges. We present Per-Input Control-Flow Integrity (PICFI or piCFI), which is a new CFI technique that can enforce a CFG computed for each concrete input. piCFI starts executing a program with the empty CFG and lets the program itself lazily add edges to the enforced CFG if such edges are required for the concrete input. The edge addition is performed by piCFI-inserted instrumentation code. To prevent attackers from arbitrarily adding edges, piCFI uses a statically computed all-input CFG to constrain what edges can be added at runtime. To minimize performance overhead, operations for adding edges are designed to be idempotent, so they can be patched to no-ops after their first execution. As our evaluation shows, piCFI provides better security than conventional fine-grained CFI with comparable performance overhead.
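The policy the abstract describes, as an added toy model (not code from the paper or its implementation): the static all-input CFG, the per-input enforced CFG that starts empty, the idempotent edge-add operation, and the call-site check. The call-site names, target names and the "one input activates only the edges it needs" scenario are constructed for illustration.

```python
"""Toy model of per-input CFI (piCFI) as sketched in the abstract above."""

# Constructed static all-input CFG: for each indirect call site, every
# target the static analysis must allow when all inputs are considered.
STATIC_CFG = {
    "site_dispatch": {"handle_text", "handle_image", "handle_admin"},
    "site_callback": {"on_done", "on_error"},
}

class PerInputCFI:
    def __init__(self, static_cfg):
        self.static_cfg = static_cfg
        self.enforced = {site: set() for site in static_cfg}  # empty at start
        self.activation_count = 0  # how many add-edge ops really executed

    def add_edge(self, site, target):
        """Instrumentation the program itself runs when an edge becomes needed
        for the current input. Edges outside the all-input CFG are refused, so
        a hijacked program cannot add arbitrary targets. The operation is
        idempotent: a repeat returns False and changes nothing, which is what
        allows the real instruction sequence to be patched to a no-op."""
        if target not in self.static_cfg.get(site, ()):
            raise PermissionError(f"{site} -> {target} not in all-input CFG")
        if target in self.enforced[site]:
            return False
        self.enforced[site].add(target)
        self.activation_count += 1
        return True

    def check_call(self, site, target):
        """Check placed before the indirect call: only edges added for this
        concrete input pass, even if the static CFG would permit more."""
        return target in self.enforced.get(site, ())

def run_text_input():
    """Constructed run: the input only ever needs the text handler."""
    cfi = PerInputCFI(STATIC_CFG)
    first = cfi.add_edge("site_dispatch", "handle_text")    # True: edge added
    again = cfi.add_edge("site_dispatch", "handle_text")    # False: no-op
    legit = cfi.check_call("site_dispatch", "handle_text")  # True
    # A corrupted pointer aimed at a target this input never needed:
    conventional = "handle_admin" in STATIC_CFG["site_dispatch"]  # True
    per_input = cfi.check_call("site_dispatch", "handle_admin")   # False
    return first, again, legit, conventional, per_input, cfi.activation_count

def edge_outside_static_cfg_rejected():
    """The add-edge operation refuses edges the all-input CFG never had."""
    try:
        PerInputCFI(STATIC_CFG).add_edge("site_callback", "handle_admin")
    except PermissionError:
        return True
    return False
```

The `conventional` versus `per_input` results show the security difference the abstract claims: fine-grained static CFI accepts the unused but statically valid target, while the per-input CFG rejects it.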