Papers
Topics
Authors
Recent
Search
2000 character limit reached

Branch Landing: Bloom Filter-Based Source Authorization for Forward-Edge CFI on RISC-V

Published 25 Apr 2026 in cs.CR | (2604.23331v1)

Abstract: Jump-Oriented Programming (JOP) attacks exploit indirect control transfers to bypass backward-edge defenses, yet existing forward-edge CFI mechanisms lack precise source-domain authorization: type-based CFI admits all same-signature callers, while tag-based hardware CFI is limited by fixed-width register storage that caps the number of simultaneously authorized sources. We propose Branch Landing (BRL), a landing-based forward-edge CFI framework for RISC-V that replaces fixed-capacity checks with Bloom filter membership queries. Two lightweight ISA extensions, bld and brl, propagate a source Section Identifier (SID) through a dedicated BRState register and validate it at each landing site with fixed-probe latency that is independent of the number of authorized sources under a chosen filter configuration. Section granularity is configurable, supporting policies from type-based to CFG-derived authorization within a single mechanism. We implement Branch Landing in the LLVM RISC-V backend and evaluate it on 81 BEEBS benchmarks under two representative policy configurations: a function-level, type-based policy and a basic-block-level, CFG-derived policy. Under a 3-cycle brl latency model, the two configurations incur average runtime overheads of only 0.210% and 0.421%, with mean code size growth of 0.46% and 0.52% respectively. The CFG-derived policy reduces the average equivalence class size by 32.5% compared to the type-based policy, and all evaluated executions complete without BRL enforcement failures.

Authors (2)

Summary

  • The paper introduces a scalable forward-edge CFI framework on RISC-V by replacing fixed-capacity checks with Bloom filter membership queries for source authorization.
  • It details two lightweight ISA extensions, bld and brl, that propagate and verify source identifiers with constant-time checks and minimal performance overhead.
  • The evaluation on 81 BEEBS benchmarks shows performance overheads as low as 0.210% and a 32.5% reduction in equivalence class size compared to prior CFI methods.

Branch Landing: Bloom Filter-Based Source Authorization for Forward-Edge CFI on RISC-V

Introduction and Motivations

Forward-edge control-flow integrity (CFI) remains a critical defense against code-reuse attacks, notably Jump-Oriented Programming (JOP) and related exploitation strategies that leverage indirect control transfers to bypass backward-edge protections such as shadow stacks. While existing type-based CFI mechanisms (e.g., FineIBT, LLVM-CFI) and tag-based hardware CFI (e.g., Bratter) provide varying degrees of source authorization, each exhibits fundamental limitations: type-based CFI collapses all callers of the same type into a single equivalence class, admitting significant over-permissiveness; tag-based hardware CFI is constrained by fixed storage (e.g., a small number of per-target tag slots), structurally preventing it from scaling to programs with large authorized-caller sets.

Branch Landing (BRL) introduces a forward-edge CFI framework for RISC-V that directly addresses these gaps. The framework replaces fixed-capacity equality or tag checks with a scalable, set-based source authorization via Bloom filter membership queries. This design shift is realized through two lightweight ISA extensions, bld and brl, that propagate and validate source Section Identifiers (SIDs) through a dedicated architectural register. The mechanism is general: it instantiates both type-based and CFG-derived policies, achieving fine-grained control using a common enforcement substrate regardless of policy granularity. Figure 1

Figure 1: Comparison of type-based CFI, tag-based hardware CFI, and Branch Landing. Bloom filter membership enables scalable source authorization with fixed verification latency.

Design and Mechanism Details

BRL differentiates itself by executing fixed-probe Bloom filter membership checks at landing sites, allowing an arbitrary number of authorized sources without introducing register or code-size bottlenecks. The ISA extensions are as follows:

  • bld (Branch Landing Descriptor): Inserts a source SID into the BRState architectural register before any indirect branch.
  • brl (Branch Landing Verification): At the landing site, checks if the previously propagated SID is in the authorized set, represented by a Bloom filter with configurable false positive probability.

Key properties:

  • Scalability: Bloom filter encoding decouples authorized-source cardinality from hardware resource constraints, with membership queries executing in constant time for any filter configuration.
  • Policy-agnostic substrate: The same hardware mechanism supports multiple CFI granularity settings (function-level/type-based to basic-block/CFG-derived).
  • Minimal performance and code-size overhead: Per-target Bloom-filtered authorization metadata is compact. The single-use model for BRState prevents replay attacks and ensures clean semantics for both security and hardware implementation.

Evaluation and Empirical Results

The implementation targets the LLVM RISC-V backend and is evaluated on the BEEBS suite, covering 81 benchmarks. Two configurations are considered for empirical characterization:

  • BRL-Func: Function-level SIDs, mirroring type-based CFI.
  • BRL-CFG: Basic-block-level SIDs with CFG-derived authorization sets.

Key results:

  • Performance: Under a 3-cycle brl latency model and 1-cycle bld, mean runtime overheads are 0.210% (BRL-Func) and 0.421% (BRL-CFG), rising only moderately under pessimistic (10-cycle) assumptions to 0.633% and 1.228% respectively. Both configurations outperform prior tag-based CFI (Bratter's 5.99% under comparable enforcement).
  • Code size: Average .textgrowth is 0.46% (BRL-Func) and 0.52% (BRL-CFG), lower than Bratter's CFG-enforcement overhead.
  • Authorization Precision: The CFG-derived policy reduces average equivalence class (EC) size by 32.5% (from 1.96 to 1.32 across all benchmarks).
  • Security: All benchmarks completed with zero BRL enforcement failures; empirical false positive rates for Bloom filter encoding remained negligible in all evaluated cases. Figure 2

    Figure 2: Weighted performance overhead for BRL-Func and BRL-CFG with brl latencies of 3, 5, and 10 cycles.

Implications and Theoretical Impact

Branch Landing achieves scalable, constant-latency, and highly configurable source-domain authorization with minimal hardware extension. Its use of probabilistic Bloom filters sidesteps core architectural limitations of prior CFI designs:

  • Mandatory minimal metadata footprint: Unlike tag-slot CFI approaches, BRL metadata size scales with the actual number of authorized sources, not the worst-case caller set.
  • Introduction of tunable security–performance tradeoffs: By configuring Bloom filter parameters and granularity of SID assignment at compile time, enforcement precision and runtime/space overheads can be balanced according to application and threat model requirements.
  • Generalization to a variety of policy abstractions: The policy-agnostic infrastructure can adopt field-sensitive or origin-sensitive policy analyses (e.g., ECCut, HPCFI) to further reduce equivalence classes or integrate with pointer analysis to disallow attack surfaces exposed by coarse-grained equivalence class assignments.

The mechanism is robust against memory corruption adversaries within realistic system threat models but, like all current CFI approaches, does not guard against microarchitectural side channels or data-only attacks. The design is compatible with out-of-order processors provided that BRState single-use semantics are maintained via reorder buffer or equivalent state management.

Practical Considerations and Future Directions

The evaluation of BRL demonstrates its feasibility and impact in deeply resource-constrained environments (such as embedded systems). Future hardware pipelines could optimize Bloom filter lookup paths and descriptor caching to further minimize enforcement latency. Integration with more precise policy analyses promises further reductions in equivalence classes and residual exploitable surface. Extending the core concept to backward-edge CFI (returns) or multi-layer interposition (e.g., software fault isolation) is plausible due to the generality of the propagation-and-verify model.

Speculatively, as hardware CFI adoption progresses in heterogeneous RISC-V SoCs and more complex operating system stacks, BRL's tunable, low-overhead source authorization model is likely to influence both custom extensions and standardized ISA proposals. It also opens research questions regarding the composability of hardware-enforced control-flow policies and the systematic analysis of probabilistic security primitives under adversarial workloads.

Conclusion

Branch Landing presents a source-domain CFI enforcement scheme for RISC-V that leverages Bloom filter membership to attain high-precision, scalable, and efficient forward-edge authorization. With lightweight ISA support, configurable SIDs, and policy-agnostic enforcement, BRL delivers performance and code-size overheads substantially below state-of-the-art hardware CFI mechanisms while simultaneously reducing authorized equivalence classes and closing critical attack vectors exposed by type- and tag-based models. The mechanism is a promising direction for architectural security in both embedded and general-purpose RISC-V environments (2604.23331).

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 1 tweet with 0 likes about this paper.