GRIFFIN: Guardingl

Xinyang Ge, Weidong Cui, Trent Jaeger

Research output: Contribution to journalArticlepeer-review

42 Scopus citations


Researchers are actively exploring techniques to enforce control-flow integrity (CFI), which restricts program execution to a predefined set of targets for each indirect control transfer to prevent code-reuse attacks. While hardware-assisted CFI enforcement may have the potential for advantages in performance and flexibility over software instrumentation, current hardware-assisted defenses are either incomplete (i.e., do not enforce all control transfers) or less efficient in comparison. We find that the recent introduction of hardware features to log complete control-flow traces, such as Intel Processor Trace (PT), provides an opportunity to explore how efficient and flexible a hardware-assisted CFI enforcement system may become. While Intel PT was designed to aid in offline debugging and failure diagnosis, we explore its effectiveness for online CFI enforcement over unmodified binaries by designing a parallelized method for enforcing various types of CFI policies. We have implemented a prototype called GRIFFIN in the Linux 4.2 kernel that enables complete CFI enforcement over a variety of software, including the Firefox browser and its jitted code. Our experiments show that GRIFFIN can enforce fine-grained CFI policies with shadow stack as recommended by researchers at a performance that is comparable to software-only instrumentation techniques. In addition, we find that alternative logging approaches yield significant performance improvements for trace processing, identifying opportunities for further hardware assistance.

Original languageEnglish (US)
Pages (from-to)585-598
Number of pages14
JournalACM SIGPLAN Notices
Issue number4
StatePublished - Apr 4 2017

All Science Journal Classification (ASJC) codes

  • General Computer Science


Dive into the research topics of 'GRIFFIN: Guardingl'. Together they form a unique fingerprint.

Cite this