A Theory of Secure Control Flow

  • Martín Abadi
  • Mihai Budiu
  • Úlfar Erlingsson
  • Jay Ligatti
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3785)


Control-Flow Integrity (CFI) means that the execution of a program dynamically follows only certain paths, in accordance with a static policy. CFI can prevent attacks that, by exploiting buffer overflows and other vulnerabilities, attempt to control program behavior. This paper develops the basic theory that underlies two practical techniques for CFI enforcement, with precise formulations of hypotheses and guarantees.


Data Memory Program Counter Code Memory Label Instruction Attack Step 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Abadi, M.: Protection in programming-language translations. In: Larsen, K.G., Skyum, S., Winskel, G. (eds.) ICALP 1998. LNCS, vol. 1443, pp. 868–883. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  2. 2.
    Abadi, M., Budiu, M., Erlingsson, Ú., Ligatti, J.: Control-flow integrity: Principles, implementations, and applications. In: Proceedings of the ACM Conference on Computer and Communications Security, 2005. A preliminary version appears as Microsoft Research Technical Report MSR-TR-05-18 (February 2005)Google Scholar
  3. 3.
    Abadi, M., Budiu, M., Erlingsson, Ú., Ligatti, J.: Further formal material on CFI and SMAC (2005), available at (Manuscript)
  4. 4.
    Cowan, C., Pu, C., Maier, D., Walpole, J., Bakke, P., Beattie, S., Grier, A., Wagle, P., Zhang, Q., Hinton, H.: StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In: Proceedings of the Usenix Security Symposium, pp. 63–78 (1998)Google Scholar
  5. 5.
    Erlingsson, Ú., Schneider, F.B.: SASI enforcement of security policies: A retrospective. In: Proceedings of the New Security Paradigms Workshop, pp. 87–95 (1999)Google Scholar
  6. 6.
    Hamid, N., Shao, Z., Trifonov, V., Monnier, S., Ni, Z.: A Syntactic Approach to Foundational Proof-Carrying Code. Technical Report YALEU/DCS/TR-1224, Dept. of Computer Science, Yale University (2002)Google Scholar
  7. 7.
    Ligatti, J., Bauer, L., Walker, D.: Edit automata: Enforcement mechanisms for run-time security policies. International Journal of Information Security 4(1-2), 2–16 (2005)CrossRefGoogle Scholar
  8. 8.
    Microsoft Corporation. Changes to functionality in Microsoft Windows XP SP2: Memory protection technologies (2004),
  9. 9.
    Morrisett, G., Walker, D., Crary, K., Glew, N.: From System F to typed assembly language. ACM Transactions on Programming Languages and Systems 21(3), 527–568 (1999)CrossRefGoogle Scholar
  10. 10.
    Necula, G.: Proof-carrying code. In: Proceedings of the 24th ACM Symposium on Principles of Programming Languages, pp. 106–119 (January 1997)Google Scholar
  11. 11.
    PaX Project. The PaX project (2004),
  12. 12.
    Pincus, J., Baker, B.: Beyond stack smashing: Recent advances in exploiting buffer overruns. IEEE Security and Privacy 2(4), 20–27 (2004)CrossRefGoogle Scholar
  13. 13.
    Ruwase, O., Lam, M.S.: A practical dynamic buffer overflow detector. In: Proceedings of Network and Distributed System Security Symposium, pp. 159–169 (2004)Google Scholar
  14. 14.
    Shacham, H., Page, M., Pfaff, B., Goh, E.-J., Modadugu, N., Boneh, D.: On the effectiveness of address-space randomization. In: Proceedings of the ACM Conference on Computer and Communications Security, pp. 298–307 (2004)Google Scholar
  15. 15.
    Srivastava, A., Edwards, A., Vo, H.: Vulcan: Binary transformation in a distributed environment. Technical Report MSR-TR-2001-50, Microsoft Research (2001)Google Scholar
  16. 16.
    Srivastava, A., Eustace, A.: ATOM: A system for building customized program analysis tools. Technical Report WRL Research Report 94/2, Digital Equipment Corporation (1994)Google Scholar
  17. 17.
    Suh, G.E., Lee, J.W., Zhang, D., Devadas, S.: Secure program execution via dynamic information flow tracking. In: Proceedings of the International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 85–96 (2004)Google Scholar
  18. 18.
    Wahbe, R., Lucco, S., Anderson, T.E., Graham, S.L.: Efficient software-based fault isolation. ACM SIGOPS Operating Systems Review 27(5), 203–216 (1993)CrossRefGoogle Scholar
  19. 19.
    Wilander, J., Kamkar, M.: A comparison of publicly available tools for dynamic buffer overflow prevention. In: Proceedings of the Network and Distributed System Security Symposium, pp. 149–162 (2003)Google Scholar
  20. 20.
    Xu, J., Kalbarczyk, Z., Iyer, R.K.: Transparent runtime randomization for security. In: Proceedings of the Symposium on Reliable and Distributed Systems, pp. 260–269 (2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Martín Abadi
    • 1
  • Mihai Budiu
    • 2
  • Úlfar Erlingsson
    • 2
  • Jay Ligatti
    • 3
  1. 1.Computer Science DepartmentUniversity of CaliforniaSanta Cruz
  2. 2.Microsoft ResearchSilicon Valley
  3. 3.Computer Science DepartmentPrinceton University 

Personalised recommendations