University of Minnesota
Program Analysis for Security

Control-Flow Integrity (CFI)

Martín Abadi, Mihai Budiu, Úlfar Erlingsson, and Jay Ligatti. “Control-flow integrity”. In ACM Conference on Computer and Communications Security (CCS), pages 340–353, Alexandria, VA, USA, November 2005.
[ACM]

Lucas Davi, Alexandra Dmitrienko, Manuel Egele, Thomas Fischer, Thorsten Holz, Ralf Hund, Stefan Nürnberger, and Ahmad-Reza Sadeghi. “MoCFI: A framework to mitigate control-flow attacks on smartphones”. In Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, February 2012.
[Conference]

Question: The 2005 CFI paper (the first reading) argues that for the most security, the set of IDs used to identify jump targets should be as diverse as possible, so that control-flow integrity checks are as restrictive as possible. But they also argue (in the last paragraph of Section 3.4) that even a coarse-grained policy with just one or two IDs can still provide "satisfactory" security. Can you tell how many IDs were used in the implemented version of their system described in Section 4?
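To make the trade-off in the question concrete, here is a small software model of ID-based CFI. It is an added illustration, not code from the 2005 paper or from the course: each indirect-call target carries a label (the ID), and the call site compares the label found at its destination with the ID it expects before transferring control. The two tables, the handler functions and the ID values are constructed for this example. With distinct IDs per target (the fine-grained policy) a call site can reach exactly one function; with a single shared ID (the coarse policy) the same check still rejects any address that carries no label at all, but lets the call site reach every labeled target.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed model of label-based CFI (not the paper's implementation).
 * In the real scheme the ID is emitted as data at the jump target and the
 * check is inlined before each indirect call; here a table stands in for
 * the labels so the model runs as ordinary C. */

typedef int (*handler_t)(int);

struct labeled_target {
    handler_t fn;
    uint32_t  id;    /* ID that the instrumentation placed at this target */
};

static int double_it(int x)  { return 2 * x; }
static int square_it(int x)  { return x * x; }
static int negate_it(int x)  { return -x; }
static int not_a_target(int x) { return x; } /* never labeled: not a legal destination */

#define NTARGETS 3

/* Fine-grained policy: every target gets its own ID (constructed values). */
static const struct labeled_target fine_grained[NTARGETS] = {
    { double_it, 0x1001 },
    { square_it, 0x1002 },
    { negate_it, 0x1003 },
};

/* Coarse policy: one ID shared by all legitimate targets. */
static const struct labeled_target coarse_grained[NTARGETS] = {
    { double_it, 0xC0FE },
    { square_it, 0xC0FE },
    { negate_it, 0xC0FE },
};

/* Read the label at a destination; 0 means "no label here at all". */
static uint32_t label_at(const struct labeled_target *tbl, size_t n, handler_t fn)
{
    for (size_t i = 0; i < n; i++)
        if (tbl[i].fn == fn)
            return tbl[i].id;
    return 0;
}

/* Guarded indirect call. Returns 1 and stores the result when the label at
 * the destination matches the ID the call site expects; returns 0 and makes
 * no call otherwise (the point where real CFI would abort the program). */
static int checked_call(const struct labeled_target *tbl, size_t n,
                        handler_t fn, uint32_t expected_id, int arg, int *out)
{
    uint32_t id = label_at(tbl, n, fn);
    if (id == 0 || id != expected_id)
        return 0;
    *out = fn(arg);
    return 1;
}

/* How many of the labeled targets can a call site expecting `expected_id`
 * actually reach under the given policy? 1 = fine-grained, NTARGETS = coarse. */
static int reachable_targets(const struct labeled_target *tbl, size_t n, uint32_t expected_id)
{
    int count = 0, out;
    for (size_t i = 0; i < n; i++)
        if (checked_call(tbl, n, tbl[i].fn, expected_id, 7, &out))
            count++;
    return count;
}

int main(void)
{
    int out = 0;
    printf("fine-grained: call site for double_it reaches %d target(s)\n",
           reachable_targets(fine_grained, NTARGETS, 0x1001));
    printf("coarse:       call site for double_it reaches %d target(s)\n",
           reachable_targets(coarse_grained, NTARGETS, 0xC0FE));
    printf("unlabeled destination allowed under coarse policy? %d\n",
           checked_call(coarse_grained, NTARGETS, not_a_target, 0xC0FE, 7, &out));
    return 0;
}
```

The last line of output is what Section 3.4's argument rests on: even with a single ID, a corrupted function pointer can only land on an address that was deliberately labeled as a valid target, never in the middle of an instruction stream or on an unlabeled function.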

Optional

Bin Zeng, Gang Tan, and Greg Morrisett. “Combining control-flow integrity and static analysis for efficient and validated data sandboxing”. In ACM Conference on Computer and Communications Security (CCS), pages 29–40, Chicago, IL, USA, October 2011.
[ACM]

This paper effectively shows how to build SFI (software-based fault isolation) on top of CFI. Among other things, it shows how the more precise control-flow information that CFI provides, compared to vanilla SFI, enables more optimizations of the sandboxing checks.

Zhi Wang and Xuxian Jiang. “HyperSafe: A lightweight approach to provide lifetime hypervisor control-flow integrity”. In IEEE Symposium on Security and Privacy “Oakland”, pages 380–395, Oakland, CA, USA, May 2010.
[IEEE]

This paper shows how to provide CFI protection to software running on bare metal: the authors target hypervisors, though the same techniques could be applied to an OS kernel as well.