Efficient Forward-Edge Control-Flow Integrity for COTS Binaries via Arm BTI
Authors: Tai Yue; Kai Lu; Zhenyu Ning; Pengfei Wang; Lei Zhou; Xu Zhou; Yaohua Wang; Fengwei Zhang; Gen Zhang
Journal: IEEE Transactions on Information Forensics and Security, vol. 20, pp. 7137-7152
Published: 2025-06-16
DOI: 10.1109/TIFS.2025.3580342
URL: https://ieeexplore.ieee.org/document/11037594/
Control-Flow Integrity (CFI) has been widely recognized as an effective technique for mitigating control-flow hijacking attacks. However, many binary-level CFI approaches are weak at safeguarding forward edges, particularly in obfuscated binaries, because binary analysis and heuristic algorithms are imprecise. Moreover, these approaches often incur non-negligible overhead and are challenging to deploy, as they instrument large amounts of code or rely on hardware tracing to enforce CFI policies. This paper introduces Mobius, the first complete implementation of a security-instruction-based, binary-only CFI solution on commercial processors. Mobius leverages the Branch Target Identification (BTI) technology in Armv8.5 to safeguard the forward edges of binaries and shared libraries efficiently. It determines the forward-edge targets without false negatives and carefully instruments bti instructions so that the CFI check is performed efficiently by the hardware. It then mounts a runtime monitor to detect potential attacks. We deploy Mobius on an Alibaba Cloud server with Yitian 710 processors without modifying the kernel or loader. Remarkably, Mobius provides efficient protection for real-world applications, including obfuscated code, with marginal overhead (5.78% on SPEC2006).
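The hardware rule the abstract relies on, as an added example that is not Mobius code: a small Python model of the Armv8.5 BTI landing-pad check. An indirect branch (BLR, or BR through a register) into a guarded page must land on a bti instruction of a compatible kind, otherwise the CPU raises a Branch Target exception; direct branches and RET are never checked, and pages whose GP bit is clear are not checked at all. The instruction encodings and the compatibility table are the architectural ones; the code image, its addresses and the one-flag-per-image treatment of GP are constructed for this demonstration, and PACIASP/PACIBSP are modelled simply as bti c pads (the SCTLR_ELx.BT refinement is left out). The last function shows the property a binary rewriter must satisfy before it can claim "no false negatives": every legitimate forward-edge target carries a pad of the right kind.

```python
# Model of the Armv8.5 BTI landing-pad rule that Mobius relies on for forward edges.
# Added example for this page, not Mobius code: nothing here executes AArch64; the
# functions decide what the CPU would do on an indirect branch into a guarded page.
import struct

# Architectural encodings (HINT space for the landing pads, branch-register group
# for BR/BLR/RET).
BTI     = 0xD503241F  # bti    : a hint only; no indirect branch may land on it
BTI_C   = 0xD503245F  # bti c  : valid target of BLR, and of BR X16 / BR X17
BTI_J   = 0xD503249F  # bti j  : valid target of BR with any register
BTI_JC  = 0xD50324DF  # bti jc : valid target of both
PACIASP = 0xD503233F  # paciasp: modelled as a "bti c" pad (SCTLR_ELx.BT nuance omitted)
PACIBSP = 0xD503237F
NOP     = 0xD503201F
RET     = 0xD65F03C0  # ret (x30): a return, which BTI does not check

# Which landing pads each class of indirect branch may land on.
COMPATIBLE = {
    "blr":  {BTI_C, BTI_JC, PACIASP, PACIBSP},
    "br16": {BTI_C, BTI_J, BTI_JC, PACIASP, PACIBSP},   # BR X16 / BR X17
    "br":   {BTI_J, BTI_JC},
}

def br(rn):  return 0xD61F0000 | (rn << 5)   # BR  Xn
def blr(rn): return 0xD63F0000 | (rn << 5)   # BLR Xn

def classify_branch(insn):
    """('blr' | 'br16' | 'br', rn) for an indirect branch word, else None."""
    rn = (insn >> 5) & 0x1F
    if insn & 0xFFFFFC1F == 0xD63F0000:
        return "blr", rn
    if insn & 0xFFFFFC1F == 0xD61F0000:
        return ("br16" if rn in (16, 17) else "br"), rn
    return None          # direct branches, RET, and everything else

class CodeImage:
    """A contiguous run of 4-byte little-endian instruction words with one GP flag.
    Real hardware keeps GP per page; one flag per image is a simplification."""
    def __init__(self, base, blob, guarded):
        self.base, self.guarded = base, guarded
        self.words = list(struct.unpack("<%dI" % (len(blob) // 4), blob))
    def fetch(self, addr):
        idx, rem = divmod(addr - self.base, 4)
        if rem or not 0 <= idx < len(self.words):
            raise ValueError("address 0x%x outside image or misaligned" % addr)
        return self.words[idx]

def check_branch(img, branch_addr, target_addr):
    """What the CPU does when the instruction at branch_addr transfers control to
    target_addr: 'not_indirect' (BTI does not apply), 'ok', or 'bti_exception'."""
    kind = classify_branch(img.fetch(branch_addr))
    if kind is None:
        return "not_indirect"
    if not img.guarded:                    # GP clear: no enforcement on this page
        return "ok"
    return "ok" if img.fetch(target_addr) in COMPATIBLE[kind[0]] else "bti_exception"

def missing_landing_pads(img, targets, kind):
    """Addresses in `targets` that a branch of class `kind` could NOT reach. A
    rewriter must get an empty list for every legitimate forward-edge target, or
    it has a false negative that crashes the protected program."""
    return [t for t in targets if img.fetch(t) not in COMPATIBLE[kind]]

# Constructed code image: one instrumented function, one jump-table case and
# three indirect branches. Addresses are arbitrary.
BASE = 0x400000
WORDS = [
    BTI_C,    # 0x400000  f:      bti c      <- the only place a call may enter f
    NOP,      # 0x400004          (body)
    NOP,      # 0x400008          (body)     <- attacker-chosen mid-function target
    RET,      # 0x40000c          ret
    BTI_J,    # 0x400010  case1:  bti j      <- jump-table case, not a call target
    RET,      # 0x400014          ret
    blr(1),   # 0x400018          blr x1     <- indirect call, e.g. through a vtable
    br(2),    # 0x40001c          br  x2     <- jump through a switch table
    br(16),   # 0x400020          br  x16    <- PLT-style veneer
]
BLOB = struct.pack("<%dI" % len(WORDS), *WORDS)
IMAGE = CodeImage(BASE, BLOB, guarded=True)
UNGUARDED = CodeImage(BASE, BLOB, guarded=False)   # same bytes, GP bit clear

def demo():
    """Legitimate edges pass; a hijacked pointer into the middle of f, or a call
    onto a jump-only pad, raises a Branch Target exception; with GP clear the
    same hijack goes unnoticed."""
    return {
        "call_entry":       check_branch(IMAGE, 0x400018, 0x400000),
        "call_gadget":      check_branch(IMAGE, 0x400018, 0x400008),
        "call_jumppad":     check_branch(IMAGE, 0x400018, 0x400010),
        "jump_case":        check_branch(IMAGE, 0x40001c, 0x400010),
        "jump_entry":       check_branch(IMAGE, 0x40001c, 0x400000),
        "veneer_entry":     check_branch(IMAGE, 0x400020, 0x400000),
        "ret_ignored":      check_branch(IMAGE, 0x40000c, 0x400008),
        "unguarded_gadget": check_branch(UNGUARDED, 0x400018, 0x400008),
        "unchecked_pads":   missing_landing_pads(IMAGE, [0x400000, 0x400008, 0x400010], "blr"),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-17s %s" % (name, outcome))
```

The "unguarded_gadget" entry is the deployment caveat: BTI only fires on pages mapped with the GP attribute (PROT_BTI on Linux, which the loader normally sets from the GNU_PROPERTY_AARCH64_FEATURE_1_BTI note), so a rewritten COTS binary must also get its code pages guarded or the inserted pads are inert.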
Journal description:
The IEEE Transactions on Information Forensics and Security covers the sciences, technologies, and applications relating to information forensics, information security, biometrics, surveillance, and systems applications that incorporate these features.