FPGate: The Last Building Block For A Practical CFI Solution

We propose and evaluate a new protection mechanism for indirect call and jump instructions in binaries, which we call FPGate. FPGate stops attacks targeting function pointers by limiting indirect transfers to only those targets that are legal in the original program. When deployed together with other existing lightweight protections, FPGate can provide a level of protection comparable to CFI (Control Flow Integrity), stopping almost all control-flow hijacking attacks including ROP. We observe that with the wide deployment of ASLR, Windows/x86 PE executables contain enough information in relocation tables which FPGate can use to find all legal jump targets reliably, without source code or symbol information. FPGate can be applied to a single module at a time, as well as the whole system, and it provides a clearly specified protection scheme so that it can be checked separatley if the whole binary is protected; we provide an example binary with a function pointer vulnerability which shows the protection. We evaluate our prototype implementation on the SPECint2006 suite: FPGate protects applications as large as the 3MB GCC completely automatically, and has an average time overhead below 0.4%.