CME-113

Control Flow Integrity (CFI / Shadow Call Stack)

Description

Hardware- or compiler-enforced control flow integrity that validates that indirect branch targets match their expected types, blocking ROP/JOP chains. On ARM64, the shadow call stack protects return addresses by keeping them on a separate stack.

CVSS Vector Impacts

Metric: Attack Complexity (AC)
Transition: L → H
Rationale: ROP/JOP gadget chains are detected and blocked at runtime

CWE Relationships

Verification

Check kernel config for CFI or Shadow Call Stack

$ grep CONFIG_CFI_CLANG /boot/config-$(uname -r)
# Expected: CONFIG_CFI_CLANG=y
Platform: linux

$ grep CONFIG_SHADOW_CALL_STACK /boot/config-$(uname -r)
# Expected: CONFIG_SHADOW_CALL_STACK=y
Platform: linux
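
The two checks above combined into one script, as an added example that is not part of the original entry: it falls back to /proc/config.gz when /boot/config-$(uname -r) is missing and tells an option that is explicitly off apart from one that is absent from the config. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: report CFI / Shadow Call Stack state from a kernel config.

# Print the config text: the file given as $1, else the running kernel's
# /boot config, else /proc/config.gz (present only with CONFIG_IKCONFIG_PROC).
read_kconfig() {
    if [ -n "${1:-}" ]; then
        cat "$1"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    elif [ -r /proc/config.gz ]; then
        gzip -dc /proc/config.gz
    else
        return 1
    fi
}

# kconfig_state OPTION [FILE]: prints enabled, disabled, absent or unknown.
# "absent" = the symbol is not in the config at all (older kernel, other
# architecture, or unmet Kconfig dependencies); "unknown" = no config found.
kconfig_state() {
    cfg=$(read_kconfig "${2:-}") || { echo unknown; return 0; }
    if printf '%s\n' "$cfg" | grep -Fqx "$1=y"; then
        echo enabled
    elif printf '%s\n' "$cfg" | grep -Fqx "# $1 is not set"; then
        echo disabled
    else
        echo absent
    fi
}

# cfi_summary [FILE]: one line for each option this entry checks.
cfi_summary() {
    for opt in CONFIG_CFI_CLANG CONFIG_SHADOW_CALL_STACK; do
        printf '%s: %s\n' "$opt" "$(kconfig_state "$opt" "${1:-}")"
    done
}

# Constructed sample config (not from a real system): CFI on, SCS off.
write_sample_config() {
    printf '%s\n' 'CONFIG_ARM64=y' 'CONFIG_CFI_CLANG=y' \
        '# CONFIG_SHADOW_CALL_STACK is not set' > "$1"
}

sample=$(mktemp)
write_sample_config "$sample"
cfi_summary "$sample"
rm -f "$sample"
```

Calling `cfi_summary` with no argument checks the running kernel instead of the sample file.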