- The paper introduces a scalable forward-edge CFI framework on RISC-V by replacing fixed-capacity checks with Bloom filter membership queries for source authorization.
- It details two lightweight ISA extensions, bld and brl, that propagate and verify source identifiers with constant-time checks and minimal performance overhead.
- The evaluation on 81 BEEBS benchmarks shows performance overheads as low as 0.210% and a 32.5% reduction in equivalence class size compared to prior CFI methods.
Branch Landing: Bloom Filter-Based Source Authorization for Forward-Edge CFI on RISC-V
Introduction and Motivations
Forward-edge control-flow integrity (CFI) remains a critical defense against code-reuse attacks, notably Jump-Oriented Programming (JOP) and related exploitation strategies that leverage indirect control transfers to bypass backward-edge protections such as shadow stacks. While existing type-based CFI mechanisms (e.g., FineIBT, LLVM-CFI) and tag-based hardware CFI (e.g., Bratter) provide varying degrees of source authorization, each exhibits fundamental limitations: type-based CFI collapses all callers of the same type into a single equivalence class, admitting significant over-permissiveness; tag-based hardware CFI is constrained by fixed storage (e.g., a small number of per-target tag slots), structurally preventing it from scaling to programs with large authorized-caller sets.
Branch Landing (BRL) introduces a forward-edge CFI framework for RISC-V that directly addresses these gaps. The framework replaces fixed-capacity equality or tag checks with a scalable, set-based source authorization via Bloom filter membership queries. This design shift is realized through two lightweight ISA extensions, bld and brl, that propagate and validate source Section Identifiers (SIDs) through a dedicated architectural register. The mechanism is general: it instantiates both type-based and CFG-derived policies, achieving fine-grained control using a common enforcement substrate regardless of policy granularity.
Figure 1: Comparison of type-based CFI, tag-based hardware CFI, and Branch Landing. Bloom filter membership enables scalable source authorization with fixed verification latency.
Design and Mechanism Details
BRL differentiates itself by executing fixed-probe Bloom filter membership checks at landing sites, allowing an arbitrary number of authorized sources without introducing register or code-size bottlenecks. The ISA extensions are as follows:
- bld (Branch Landing Descriptor): Inserts a source SID into the BRState architectural register before any indirect branch.
- brl (Branch Landing Verification): At the landing site, checks if the previously propagated SID is in the authorized set, represented by a Bloom filter with configurable false positive probability.
Key properties:
- Scalability: Bloom filter encoding decouples authorized-source cardinality from hardware resource constraints, with membership queries executing in constant time for any filter configuration.
- Policy-agnostic substrate: The same hardware mechanism supports multiple CFI granularity settings (function-level/type-based to basic-block/CFG-derived).
- Minimal performance and code-size overhead: Per-target Bloom-filtered authorization metadata is compact. The single-use model for BRState prevents replay attacks and ensures clean semantics for both security and hardware implementation.
Evaluation and Empirical Results
The implementation targets the LLVM RISC-V backend and is evaluated on the BEEBS suite, covering 81 benchmarks. Two configurations are considered for empirical characterization:
- BRL-Func: Function-level SIDs, mirroring type-based CFI.
- BRL-CFG: Basic-block-level SIDs with CFG-derived authorization sets.
Key results:
Implications and Theoretical Impact
Branch Landing achieves scalable, constant-latency, and highly configurable source-domain authorization with minimal hardware extension. Its use of probabilistic Bloom filters sidesteps core architectural limitations of prior CFI designs:
- Mandatory minimal metadata footprint: Unlike tag-slot CFI approaches, BRL metadata size scales with the actual number of authorized sources, not the worst-case caller set.
- Introduction of tunable security–performance tradeoffs: By configuring Bloom filter parameters and granularity of SID assignment at compile time, enforcement precision and runtime/space overheads can be balanced according to application and threat model requirements.
- Generalization to a variety of policy abstractions: The policy-agnostic infrastructure can adopt field-sensitive or origin-sensitive policy analyses (e.g., ECCut, HPCFI) to further reduce equivalence classes or integrate with pointer analysis to disallow attack surfaces exposed by coarse-grained equivalence class assignments.
The mechanism is robust against memory corruption adversaries within realistic system threat models but, like all current CFI approaches, does not guard against microarchitectural side channels or data-only attacks. The design is compatible with out-of-order processors provided that BRState single-use semantics are maintained via reorder buffer or equivalent state management.
Practical Considerations and Future Directions
The evaluation of BRL demonstrates its feasibility and impact in deeply resource-constrained environments (such as embedded systems). Future hardware pipelines could optimize Bloom filter lookup paths and descriptor caching to further minimize enforcement latency. Integration with more precise policy analyses promises further reductions in equivalence classes and residual exploitable surface. Extending the core concept to backward-edge CFI (returns) or multi-layer interposition (e.g., software fault isolation) is plausible due to the generality of the propagation-and-verify model.
Speculatively, as hardware CFI adoption progresses in heterogeneous RISC-V SoCs and more complex operating system stacks, BRL's tunable, low-overhead source authorization model is likely to influence both custom extensions and standardized ISA proposals. It also opens research questions regarding the composability of hardware-enforced control-flow policies and the systematic analysis of probabilistic security primitives under adversarial workloads.
Conclusion
Branch Landing presents a source-domain CFI enforcement scheme for RISC-V that leverages Bloom filter membership to attain high-precision, scalable, and efficient forward-edge authorization. With lightweight ISA support, configurable SIDs, and policy-agnostic enforcement, BRL delivers performance and code-size overheads substantially below state-of-the-art hardware CFI mechanisms while simultaneously reducing authorized equivalence classes and closing critical attack vectors exposed by type- and tag-based models. The mechanism is a promising direction for architectural security in both embedded and general-purpose RISC-V environments (2604.23331).