{"id":30561850,"url":"https://github.com/software-engineering-and-security/cfi-practical-guideline","last_synced_at":"2026-02-24T08:32:05.360Z","repository":{"id":310653902,"uuid":"1040699611","full_name":"software-engineering-and-security/cfi-practical-guideline","owner":"software-engineering-and-security","description":"SoK: Preventing Real-World Exploits: A Practical Guideline and Taxonomy to LLVM's Control Flow Integrity","archived":false,"fork":false,"pushed_at":"2025-08-19T11:31:54.000Z","size":5,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-10-29T15:39:02.079Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/software-engineering-and-security.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-08-19T11:27:08.000Z","updated_at":"2025-08-19T11:31:57.000Z","dependencies_parsed_at":"2025-08-19T13:32:24.454Z","dependency_job_id":"16946717-008d-4bd3-9fc7-d0fc53c9377e","html_url":"https://github.com/software-engineering-and-security/cfi-practical-guideline","commit_stats":null,"previous_names":["software-engineering-and-security/cfi-practical-guideline"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/software-engineering-and-security/cfi-practical-guideline","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/software-engineering-and-security%2Fcfi-practical-guideline","tags_url":"https://repos.ecosyste.ms/api
/v1/hosts/GitHub/repositories/software-engineering-and-security%2Fcfi-practical-guideline/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/software-engineering-and-security%2Fcfi-practical-guideline/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/software-engineering-and-security%2Fcfi-practical-guideline/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/software-engineering-and-security","download_url":"https://codeload.github.com/software-engineering-and-security/cfi-practical-guideline/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/software-engineering-and-security%2Fcfi-practical-guideline/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29776637,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-24T04:54:30.205Z","status":"ssl_error","status_checked_at":"2026-02-24T04:53:58.628Z","response_time":75,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-08-28T12:40:08.933Z","updated_at":"2026-02-24T08:32:05.329Z","avatar_url":"https://github.com/software-engineering-and-security.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# SoK: Preventing Real-World Exploits: A Practical Guideline and Taxonomy to LLVM's Control Flow Integrity\nAccess 
artifacts via the following [OSF link](https://osf.io/xt3w2/?view_only=fb28e23824bc470eb80970bcfbc6dcb4).\n\n## General\nAll containers were created with podman, but they can also be used with Docker.  \nThe installation instructions for podman can be found [here](https://podman.io/docs/installation) and for Docker [here](https://docs.docker.com/engine/install/) or [here](https://www.docker.com/get-started/).  \n\n----------\n\nFor each CVE there is a separate container, exported as a `.tar` file in the respective CVE folder.  \nThey can be __imported__ and __used__ by:  \n```\n# Restore the container as a new image\npodman import \u003ccontainer\u003e.tar \u003cyour_image\u003e\n\n# Run and enter the container\npodman run -it --name \u003cyour_container_name\u003e --user exploit \u003cyour_image\u003e\n\n# Start and enter the container if it has already been created\npodman start \u003cyour_container_name\u003e\npodman exec -it --user exploit \u003cyour_container_name\u003e /bin/bash\n```\n\nFor __Docker__ the commands are the same; only `podman` needs to be replaced with `docker`.  \n\nHow to trigger the PoCs/exploits with and without CFI is described in the directory of each CVE.\n\n\n## Using the different CVEs\n### Heap-based Buffer Overflow - CVE-2021-3156\nSudo before 1.9.5p2 contains an off-by-one error that can result in a **heap-based buffer overflow**, which allows privilege escalation to root via \"sudoedit -s\" and a command-line argument that ends with a single backslash character [[NVD](https://nvd.nist.gov/vuln/detail/cve-2021-3156)].  \nInstall the build dependencies: `sudo apt-get install clang lld make`  \n#### __Reproduction steps:__\n#### 1. Getting sudo\n##### i. Download the source code\n`git clone https://github.com/sudo-project/sudo.git`  \n`cd sudo`  \n`git checkout tags/SUDO_1_8_21p2`\n\n##### ii. Building sudo\n`./configure CC=clang`  \n`make`\n##### iii. Configuring sudo for execution\n`./conf_sudo \u003cabsolute/path/to/sudo/directory\u003e`\n\n#### 2. The exploit\n##### i. Getting the exploit\n`git clone https://github.com/CptGibbon/CVE-2021-3156`  \n`cd CVE-2021-3156`  \n##### ii. Adjusting the exploit to run the local (not the system) sudo\n`sed -i 's#/usr/bin/sudoedit#/home/exploit/sudo/src/.libs/sudoedit#g' exploit.c`  \n`make`\n##### iii. Executing the exploit\n`./exploit`  \nExpected output (root shell): `# `\n\n#### 3. The exploit with CFI\n##### i. Building with CFI (replace __cfi-icall__ with the CFI variant to test)\n```text\n./configure CC=clang CXX=clang++ \\\n\tCFLAGS='-flto -fvisibility=hidden -fsanitize=cfi-icall -fno-sanitize-trap=cfi-icall' \\\n\tCXXFLAGS='-flto -fvisibility=hidden -fsanitize=cfi-icall -fno-sanitize-trap=cfi-icall' \\\n\tLDFLAGS='-flto -fvisibility=hidden -fsanitize=cfi-icall -fuse-ld=lld -fno-sanitize-trap=cfi-icall'\n```\n`make`  \nConfigure the new sudo so it can be executed:  \n`../conf_sudo /home/exploit/cfi_icall/`  \n##### ii. Preparing the exploit\n`make \u003ccfi-variant\u003e`\n##### iii. Running the exploit for a specific CFI variant\n`./\u003ccfi-variant\u003e_exploit`\n\n\n----------\n\n
### Stack-based Buffer Overflow - CVE-2023-49992\nEspeak-ng 1.52-dev was discovered to contain a **Stack Buffer Overflow** via the function RemoveEnding at `dictionary.c` [[NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-49992), [Official issue](https://github.com/espeak-ng/espeak-ng/issues/1827)].\n\n#### __Reproduction steps:__\n#### 1. Get source code and build ([*Official build instructions*](https://github.com/espeak-ng/espeak-ng/blob/master/docs/building.md#building-1))\n##### i. Download source code\n`git clone https://github.com/espeak-ng/espeak-ng.git`  \n##### ii. Install dependencies\n```text\nsudo apt-get install \\\n\tmake autoconf automake libtool pkg-config \\\n\tgcc g++ clang \\\n\tlibsonic-dev ronn kramdown \\\n\tlibpcaudio-dev\n```\n##### iii. Modify source code\nIn **./src/libespeak-ng/wavegen.c** change `int samplerate = 0;` to `extern int samplerate;`  \n##### iv. Build\n`./autogen.sh`  \n`CC=clang CFLAGS=-Wextra ./configure --prefix=/usr`  \n`make`\n\n#### 2. The PoC\n##### i. Download the PoC\n`git clone https://github.com/SEU-SSL/Poc.git`\n##### ii. Running the PoC\n`export ESPEAK_DATA_PATH=/home/exploit/espeak-ng/espeak-ng-data`\n\n```text\n/home/exploit/check_espeak-ng/src/espeak-ng \\\n\t-f /home/exploit/Poc/espeak-ng/id_000000,sig_08,src_003156+002428,op_splice,rep_32 \\\n\t-w /dev/null\n```\n\nThe expected output without protection is: `Floating point exception (core dumped)` [[source](https://www.clouddefense.ai/cve/2023/CVE-2023-49994)]\n\n#### 3. With CFI protection\nReplace `cfi-icall` in the flags with the CFI variant to test.  \n\n```text\nCC=clang CXX=clang++ \\\nCFLAGS=\"-Wextra -fsanitize=cfi-icall -fvisibility=hidden -flto=thin -fno-sanitize-trap=cfi-icall\" \\\nCXXFLAGS=\"-fsanitize=cfi-icall -fvisibility=hidden -flto=thin -fno-sanitize-trap=cfi-icall\" \\\nLDFLAGS=\"-flto -fvisibility=hidden -fsanitize=cfi-icall -fuse-ld=lld -Wl,--allow-multiple-definition -fno-sanitize-trap=cfi-icall\" \\\n./configure --prefix=/usr\n```\n\n```text\nESPEAK_DATA_PATH=/home/exploit/cfi_icall/espeak-ng-data \\\n/home/exploit/cfi_icall/src/espeak-ng \\\n-f /home/exploit/Poc/espeak-ng/id_000000,sig_08,src_003156+002428,op_splice,rep_32 \\\n-w /dev/null\n```\n\n----------\n\n
### Type Confusion - CVE-2024-34391\nlibxmljs is vulnerable to a __type confusion__ vulnerability when parsing a specially crafted XML while invoking a function on the result of `attrs()` that was called on a parsed node. This vulnerability might lead to denial of service (on both 32-bit systems and 64-bit systems), data leak, infinite loop and remote code execution (on 32-bit systems with the `XML_PARSE_HUGE` flag enabled) [[NVD](https://nvd.nist.gov/vuln/detail/CVE-2024-34391)].  \n\n#### 1. Building the source\nBuild with `npm run build`. The `configure` script used (from `package.json`) is:\n```\n\"configure\": \"cd vendor/libxml2.config \u0026\u0026 cmake configure ../libxml2 \u0026\u0026 cd ../..\"\n```\n\nAdd the following line to `vendor/libxml2.config/config.h`:\n```\n#define LIBXML_EXPR_ENABLED 1\n```\nChange the `build` script in `package.json` from\n```\n\"build\": \"node-gyp rebuild -j max\"\n```\nto\n```\n\"build\": \"node-gyp rebuild -j max \u0026\u0026 npm run tsc\"\n```\n#### 2. Compiling with CFI\n```\nCC=clang CXX=clang++ CFLAGS=\"-flto -fvisibility=hidden -fsanitize=cfi-nvcall -fno-sanitize-trap=cfi-nvcall\" CXXFLAGS=\"-flto -fvisibility=hidden -fsanitize=cfi-nvcall -fno-sanitize-trap=cfi-nvcall\" LDFLAGS=\"-flto -fvisibility=hidden -fsanitize=cfi-nvcall -fuse-ld=lld -fno-sanitize-trap=cfi-nvcall\" npm run build\n```\n\n`mv build/Release/obj.target/xmljs.node build/Release/`  \n\n#### 3. Executing the PoC\n`./node/out/Release/node exploit.js`  \nExpected output: `Segmentation fault (core dumped)`\n\n----------\n\n
### Use-After-Free - CVE-2022-3666\nA vulnerability, which was classified as critical, has been found in **Axiomatic Bento4**. Affected by this issue is the function `AP4_LinearReader::Advance` of the file `Ap4LinearReader.cpp` of the component `mp42ts`. The manipulation leads to **use after free**. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-212006 is the identifier assigned to this vulnerability [[NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-3666)].  \n\n#### 1. Getting the source code and building Bento4\n```\ngit clone https://github.com/axiomatic-systems/Bento4\ncd Bento4\nmkdir check_build \u0026\u0026 cd check_build\ncmake ../ -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_BUILD_TYPE=Release\nmake -j\n```\n#### 2. Getting the PoC\n`wget https://github.com/axiomatic-systems/Bento4/files/9744391/mp42ts_poc.zip`  \n`unzip mp42ts_poc.zip`\n##### i. Running the PoC\n`/home/exploit/Bento4/check_build/mp42ts /home/exploit/mp42ts_poc /dev/null`  \nExpected output:\n```\nfree(): double free detected in tcache 2\nAborted (core dumped)\n```\n\n#### 3. Compiling the code with CFI\n`sudo apt-get install llvm-10-tools`\n```\ncmake ../ \\\n  -DCMAKE_C_COMPILER=clang \\\n  -DCMAKE_CXX_COMPILER=clang++ \\\n  -DCMAKE_C_FLAGS=\"-fsanitize=cfi-icall -fvisibility=hidden -flto=thin\" \\\n  -DCMAKE_CXX_FLAGS=\"-fsanitize=cfi-icall -fvisibility=hidden -flto=thin\" \\\n  -DCMAKE_EXE_LINKER_FLAGS=\"-flto -fvisibility=hidden -fsanitize=cfi-icall -fuse-ld=lld\" \\\n  -DCMAKE_BUILD_TYPE=Release\n```\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsoftware-engineering-and-security%2Fcfi-practical-guideline","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsoftware-engineering-and-security%2Fcfi-practical-guideline","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsoftware-engineering-and-security%2Fcfi-practical-guideline/lists"}