-control_flow_integrity [Professional Edition only] [V1.06 or later]


This option generates code for the detection of illegal indirect function calls.

[Specification format]

-control_flow_integrity

 

- Interpretation when omitted

  Code for the detection of illegal indirect function calls is not generated.

[Detailed description]

- This option generates code for the detection of illegal indirect function calls.
  When this option is specified, code for the following processing is generated for the C source program.

  (1) Immediately before each indirect function call, the __control_flow_integrity checking function is called with the address of the indirect call target as its argument.

  (2) Within the checking function, the address given as the argument is checked against a list of the addresses of functions which may be indirectly called (hereafter referred to as the function list). If the list does not include the address, the call is regarded as an illegal indirect function call and the __control_flow_chk_fail function is called.

  The property that changes to the program's flow of control, such as indirect function calls, only go to legitimate targets is referred to as control flow integrity (CFI), and CFI techniques are used to verify it.

- The checking function is defined as follows and is provided as a library function.
  Calling the checking function directly, in the same way as a normal function, is prohibited.

- The compiler automatically extracts the information on the functions which may be indirectly called from the C source program. The linker consolidates that information when creating the function list. For the linker to create a function list, the -CFI link option must be specified.
  For details, refer to section 2.5.3 Link options.

- The __control_flow_chk_fail function contains the processing which is to be executed when an illegal indirect function call is detected. The user must define this function.
  Note the following when defining the __control_flow_chk_fail function.

  - Specify void as the type of the return value and of the parameter, and allocate the function in the far area.

  - Do not define the function as static.

  - Calling the __control_flow_chk_fail function directly, in the same way as a normal function, is prohibited.

  - Code for detecting illegal indirect function calls is not generated within the __control_flow_chk_fail function itself.

  - The __control_flow_chk_fail function must not return execution to the checking function; for example, terminate the program by calling abort().
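The following is an added, host-runnable C model of the mechanism described above; it is not code from the compiler manual or from the CC-RL library. The function list, the checking function (cfi_check, standing in for __control_flow_integrity) and the fail handler (cfi_chk_fail, standing in for __control_flow_chk_fail) are all hand-written assumptions here: in the real toolchain the compiler extracts the address-taken functions, the linker builds the list under -CFI, and the library supplies the check. Two simplifications are deliberate so the behaviour can be observed from a test: the fail handler counts detections instead of calling abort(), and the list is constructed by hand, so passing func2's address to the wrapper does not add it to the list the way taking its address in real source would.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef void (*fn_t)(void);

int glb = 0;

/* Counts detected illegal indirect calls. The real __control_flow_chk_fail
   must not return to the checker (e.g. it calls abort()); this model records
   the event instead so a test can assert on it. */
static int cfi_failures = 0;

void func1(void) { ++glb; }   /* address-taken below: on the function list */
void func2(void) { --glb; }   /* never address-taken in the modelled program: not on the list */

/* Hypothetical function list, built by hand here. In the real scheme this is
   the linker-consolidated set of functions that may be called indirectly. */
static const fn_t function_list[] = { func1 };

/* Hypothetical stand-in for __control_flow_chk_fail. */
static void cfi_chk_fail(void)
{
    ++cfi_failures;
}

/* Hypothetical stand-in for __control_flow_integrity: the target address is
   accepted only if it appears in the function list. */
static bool cfi_check(fn_t target)
{
    for (size_t i = 0; i < sizeof function_list / sizeof function_list[0]; i++) {
        if (function_list[i] == target)
            return true;
    }
    cfi_chk_fail();
    return false;
}

/* Models the instrumented indirect call: the compiler emits the check
   immediately before the call through the pointer. Returns whether the
   call was performed. */
bool cfi_indirect_call(fn_t target)
{
    if (!cfi_check(target))
        return false;   /* illegal target: the call is never made */
    target();
    return true;
}

int cfi_failure_count(void)
{
    return cfi_failures;
}

int main(void)
{
    fn_t pf = func1;                 /* legitimate pointer value */
    cfi_indirect_call(pf);           /* accepted: glb becomes 1 */

    pf = func2;                      /* a value the list does not contain, as a corrupted pointer would hold */
    cfi_indirect_call(pf);           /* rejected: glb stays 1, one failure recorded */

    printf("glb=%d failures=%d\n", glb, cfi_failure_count());
    return 0;
}
```

The point worth carrying over to real firmware is the last bullet above: once the check fails, control must not come back, because everything after the check in the caller was compiled on the assumption that the target was legitimate.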

[Example]

-

<C source code>

#include <stdlib.h>
 
int glb;
 
void __control_flow_chk_fail(void)
{
    abort();
}
 
void func1(void) // Added to the function list.
{
    ++glb;
}
 
void func2(void) // Not added to the function list.
{
    --glb;
}
 
void (*pf)(void) = func1;
 
void main(void)
{
    pf(); // Indirect call of the function func1.
    func2();
}

-

<Output code>

When -cpu=S2 -S -control_flow_integrity is specified for compilation

 

___control_flow_chk_fail:
    .STACK ___control_flow_chk_fail = 4
    br !!_abort
_func1:
    .STACK _func1 = 4
    incw !LOWW(_glb)
    ret
_func2:
    .STACK _func2 = 4
    decw !LOWW(_glb)
    ret
_main:
    .STACK _main = 8
    subw sp, #0x04
    movw de, !LOWW(_pf)
    movw ax, de
    movw [sp+0x02], ax
    mov a, !LOWW(_pf+0x00002)
    mov [sp+0x00], a
    call !!___control_flow_integrity ; Call the checking function.
    mov a, [sp+0x00]
    mov cs, a
    movw ax, [sp+0x02]
    movw hl, ax
    call hl ; Indirect call of the function func1.
    call $!_func2 ; Direct call of the function func2.
    addw sp, #0x04
    ret
    .SECTION .bss,BSS
    .ALIGN 2
_glb:
    .DS (2)
    .SECTION .data,DATA
    .ALIGN 2
_pf:
    .DB2 LOWW(_func1)
    .DB LOW(HIGHW(_func1))
    .DB 0x00