Systems code is mostly written in C/C++ and has memory safety bugs that attackers can exploit, primarily to divert control flow and thus compromise the system. The currently deployed defense mechanisms against this attack (e.g., ASLR, DEP, stack cookies) are incomplete, while stronger defense mechanisms (e.g., CFI) have limited guarantees and often high overhead. We introduce code-pointer integrity (CPI), a new design point that guarantees the integrity of all code pointers in a program (e.g., function pointers, saved return addresses) and thereby prevents all control-flow hijack attacks, including return-oriented programming (ROP). We also introduce code-pointer separation (CPS), a relaxation of CPI, with significantly lower performance overhead, but still stronger guarantees than CFI solutions. CPI and CPS offer substantially better security-to-overhead ratios than the state of the art, they are practical (we protect a complete FreeBSD system and over 100 packages like apache and postgresql), effective (prevent all attacks in the RIPE benchmark), and efficient: on SPEC CPU2006, CPS averages 1.2% overhead for C and 1.9% for C/C++, while CPI’s overhead is 2.9% for C and 8.4% for C/C++. A prototype implementation of CPI and CPS is available.
