We present the design, implementation, and evaluation of FineIBT: a CFI enforcement mechanism that improves the precision of hardware-assisted CFI solutions, such as Intel IBT and ARM BTI, by instrumenting program code to reduce the valid/allowed targets of indirect forward-edge transfers. We study the design of FineIBT on the x86-64 architecture, and implement and evaluate it on Linux and the LLVM toolchain. We designed FineIBT's instrumentation to be compact, incurring low runtime and memory overheads, and generic, so as to support a plethora of different CFI policies. Our prototype implementation incurs negligible runtime slowdowns ($\approx$0%-1.94% in SPEC CPU2017 and $\approx$0%-1.92% in real-world applications), outperforming Clang-CFI. Lastly, we investigate the effectiveness/security and compatibility of FineIBT using the ConFIRM CFI benchmarking suite, demonstrating that our nimble instrumentation provides complete coverage in the presence of modern software features, while supporting a wide range of CFI policies (coarse- vs. fine- vs. finer-grain) with the same, predictable performance.
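As an added illustration (not code from the paper), the following C model shows what the precision gain described above means in practice: under hardware IBT alone every function that starts with a landing pad is a valid indirect-call target, whereas a caller-supplied prototype hash checked at the callee, in the style of FineIBT, restricts the set to type-compatible functions. The function names, prototypes and FNV-1a hashing are constructed assumptions; the paper's actual instrumentation sequence is not given in this abstract.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed software model (not the paper's instrumentation): a landing-pad
 * flag plus a per-prototype hash, as a compiler would assign to each function. */
typedef struct {
    const char *name;
    int has_endbr;       /* 1 if the function starts with an ENDBR landing pad */
    uint32_t type_hash;  /* hash of the function's prototype */
} target_t;

/* FNV-1a over the prototype string stands in for a compiler-assigned type id. */
static uint32_t proto_hash(const char *proto) {
    uint32_t h = 2166136261u;
    for (; *proto; proto++) { h ^= (uint8_t)*proto; h *= 16777619u; }
    return h;
}

/* Coarse-grained check (hardware IBT alone): any landing pad is a valid target. */
static int ibt_allows(const target_t *t) { return t->has_endbr; }

/* Finer check (FineIBT-style): the call site carries the hash of the prototype
 * it expects, and the callee is accepted only if its own hash matches. */
static int fineibt_allows(const target_t *t, uint32_t caller_hash) {
    return t->has_endbr && t->type_hash == caller_hash;
}

/* Count how many functions of a constructed program a call site of the given
 * prototype may reach under each policy. "helper" is never address-taken,
 * so the compiler gives it no landing pad at all. */
static int reachable(const char *call_site_proto, int fine_grained) {
    const struct { const char *name; int endbr; const char *proto; } fns[] = {
        { "add",     1, "int(int,int)" },
        { "log_msg", 1, "void(const char*)" },
        { "helper",  0, "int(int,int)" },
    };
    uint32_t want = proto_hash(call_site_proto);
    int n = 0;
    for (size_t i = 0; i < sizeof fns / sizeof fns[0]; i++) {
        target_t t = { fns[i].name, fns[i].endbr, proto_hash(fns[i].proto) };
        n += fine_grained ? fineibt_allows(&t, want) : ibt_allows(&t);
    }
    return n;
}

int main(void) {
    printf("call site int(int,int): IBT allows %d targets, FineIBT-style allows %d\n",
           reachable("int(int,int)", 0), reachable("int(int,int)", 1));
    return 0;
}
```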