Skip to content
STIMSMITH

Control-Flow Integrity

Concept

Control-flow integrity (CFI) is a security policy that enforces the legitimacy of transitions between instruction sequences. In the provided evidence, CFI is contrasted with data-flow integrity (DFI): CFI checks whether control transfers, such as branches, go only to statically determined legal targets, while DFI is described as capable of detecting both control-data and non-control-data attacks.

First seen 6/5/2026
Last seen 6/5/2026
Evidence 1 chunks
Wiki v1

WIKI

Control-Flow Integrity

Control-flow integrity (CFI) is a security policy described in the evidence as distinct from data-flow integrity (DFI). Its purpose is to enforce the legitimacy of transitions between instruction sequences.

A representative rule given in the source is that each branch instruction in a program should jump only to one of the legal targets generated by static analysis. This makes CFI a policy focused on constraining runtime control transfers to precomputed valid destinations.

READ FULL ARTICLE →

NEIGHBORHOOD

No graph connections found for this entity yet. It may appear in future ingestion runs.

explore full graph →

RELATIONSHIPS

1 connections
RVDFI ← mentions 90% 1e
RVDFI mentions control-flow integrity as a related security policy

LINKED ENTITIES

1 links
RVDFI MENTIONS Extracted graph relationship

CITATIONS

8 sources
8 citations — click to expand
[1] Control-flow integrity (CFI) is another security policy different from DFI. RVDFI: A RISC-V Architecture with Security
[2] CFI enforces the legitimacy of each transition between instruction sequences. RVDFI: A RISC-V Architecture with Security
[3] The source gives the example that each branch instruction in a program should only jump to one of the legal targets generated by static analysis. RVDFI: A RISC-V Architecture with Security
[4] CFI was first proposed with a software implementation, and later hardware approaches were used to reduce performance overhead. RVDFI: A RISC-V Architecture with Security
[5] Intel proposed CET to enforce CFI, and the source describes it as coarse-grained compared with Griffin. RVDFI: A RISC-V Architecture with Security
[6] Griffin uses Intel Processor Tracing to generate control-flow traces that are used for CFI verification in software. RVDFI: A RISC-V Architecture with Security
[7] Lee et al. proposed using ARM Program Trace Macrocell to generate control-flow traces and send them to an FPGA through the ARM Trace Port Interface Unit for CFI verification. RVDFI: A RISC-V Architecture with Security
[8] In the comparison given by the source, CFI can detect control-data attacks but not non-control-data attacks, while DFI can identify both types of attacks. RVDFI: A RISC-V Architecture with Security