AD3043: EnableKernelCFI¶
Summary¶
| Property | Value |
|---|---|
| ID | AD3043 |
| Name | EnableKernelCFI |
| Category | Security |
| Severity | Note |
| Applies to | ELF (Linux/Unix) |
Description¶
KCFI (kernel CFI) is a lightweight forward-edge Control Flow Integrity scheme designed for kernel and embedded environments. Unlike regular LTO-based CFI (-fsanitize=cfi), KCFI:
- Does not require Link-Time Optimization (LTO) - Works with separate compilation, so objects and modules can be built and loaded independently
- Preserves function pointer equality - The address of a function is the same in every translation unit, so pointers compare equal across them
- Does not use jump tables - Indirect calls go straight to the target, which keeps overhead low and the implementation simple
- Validates indirect calls - The compiler stores a 32-bit hash of each address-taken function's prototype immediately before the function; before every indirect call it compares that hash with the one expected for the pointer's static type, and a mismatch executes a trap (ud2 on x86, brk on arm64)
KCFI is the scheme the Linux kernel (since 6.1, where it replaced the LTO-based CFI) and Android kernels use for kernel-level control-flow protection.
How to Fix¶
Clang¶
Compile with the -fsanitize=kcfi flag (Clang 16 or later). No LTO step and no runtime library are required, but every object whose functions may be reached through a function pointer must be built with the flag: the call-site check reads the type hash stored in front of the callee, and a callee built without KCFI has no hash there, so the call traps.
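The following program is an added example (not part of the rule's tooling or of any kernel code) that serves both the description of the type-hash check above and this build step. It re-implements the KCFI comparison in plain C so the decision is visible with any compiler, and it also contains a real indirect call that Clang instruments when the file is built with -fsanitize=kcfi. The FNV-1a hash and the names kcfi_type_id, kcfi_target and kcfi_call_handler are illustrative assumptions; Clang derives its real type id from the mangled function type.

```c
/*
 * Added example, not from the rule or the kernel: what a KCFI check computes.
 *
 * With -fsanitize=kcfi, Clang stores a 32-bit hash of each address-taken
 * function's prototype immediately before the function's entry point, and at
 * every indirect call it loads the word in front of the callee and compares
 * it with the hash expected for the pointer's static type. A mismatch traps
 * (ud2 on x86, brk on arm64).
 *
 *   clang -fsanitize=kcfi -o kcfi_demo kcfi_demo.c
 *   ./kcfi_demo           # well-typed indirect call returns 42
 *   ./kcfi_demo confuse   # type-confused indirect call: SIGILL under KCFI
 *
 * kcfi_call_handler() mirrors the compiler's comparison in plain C. The
 * FNV-1a hash is a stand-in (assumption) for Clang's real type id.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KCFI_TRAP (-1)   /* where the compiler would emit ud2/brk */

typedef int (*handler_fn)(int);
typedef void (*generic_fn)(void);

/* Stand-in type id: FNV-1a over the Itanium-mangled function type,
 * e.g. "FiiE" for int(int) and "FvvE" for void(void). */
static uint32_t kcfi_type_id(const char *mangled_type)
{
    uint32_t h = 0x811c9dc5u;
    for (; *mangled_type != '\0'; mangled_type++) {
        h ^= (unsigned char)*mangled_type;
        h *= 0x01000193u;
    }
    return h;
}

/* Emulates the layout of a KCFI-built function: the id precedes the code. */
struct kcfi_target {
    uint32_t type_id;
    generic_fn entry;
};

static struct kcfi_target kcfi_wrap(generic_fn fn, const char *mangled_type)
{
    struct kcfi_target t;
    t.type_id = kcfi_type_id(mangled_type);
    t.entry = fn;
    return t;
}

static int double_it(int x) { return 2 * x; }
static void cleanup(void) { puts("cleanup ran (must never happen via handler_fn)"); }

/* Emulated call-site check for a call through a handler_fn pointer: stores
 * the callee's result and returns 0 when the id embedded at the target is
 * the id of int(int); otherwise returns KCFI_TRAP without calling anything. */
static int kcfi_call_handler(struct kcfi_target t, int arg, int *out)
{
    uint32_t expected = kcfi_type_id("FiiE");
    if (t.type_id != expected)
        return KCFI_TRAP;
    *out = ((handler_fn)t.entry)(arg);
    return 0;
}

static int demo_well_typed(void)
{
    int out = 0;
    struct kcfi_target good = kcfi_wrap((generic_fn)double_it, "FiiE");
    return kcfi_call_handler(good, 21, &out) == 0 ? out : KCFI_TRAP;
}

static int demo_type_confused(void)
{
    int out = 0;
    struct kcfi_target bad = kcfi_wrap((generic_fn)cleanup, "FvvE");
    return kcfi_call_handler(bad, 21, &out);   /* KCFI_TRAP; cleanup() never runs */
}

/* The real instrumented call: with -fsanitize=kcfi the compiler inserts the
 * same comparison before "fn(arg)", reading the id in front of the callee. */
__attribute__((noinline)) static int real_indirect_call(handler_fn fn, int arg)
{
    return fn(arg);
}

int main(int argc, char **argv)
{
    handler_fn volatile fp = double_it;   /* volatile keeps the call indirect */

    printf("emulated well-typed call: %d\n", demo_well_typed());
    printf("emulated type-confused call: %s\n",
           demo_type_confused() == KCFI_TRAP ? "trapped" : "allowed");
    printf("real indirect call: %d\n", real_indirect_call(fp, 21));

    if (argc > 1 && strcmp(argv[1], "confuse") == 0) {
        /* Same mistake as the emulation: void(void) called as int(int).
         * Under -fsanitize=kcfi the generated check traps with SIGILL;
         * without KCFI this is silent undefined behaviour. */
        fp = (handler_fn)cleanup;
        printf("real type-confused call: %d\n", real_indirect_call(fp, 21));
    }
    return 0;
}
```

Every indirect call in this program targets a function defined in the same file, which is what makes it safe to run as a userspace KCFI build: calling a libc function through a pointer from KCFI-compiled code would read a hash that is not there and trap, the same caveat that applies to kernel modules built without the flag.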
GCC¶
GCC does not ship -fsanitize=kcfi in the releases this rule targets; work to add KCFI to GCC exists outside those releases, and a KCFI kernel build today uses Clang. For kernel builds, enable CONFIG_CFI_CLANG in the kernel configuration and build with an LLVM toolchain (make LLVM=1); the option is only offered when the architecture supports it and the compiler accepts -fsanitize=kcfi.
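A kernel .config fragment for a KCFI build, added here as an illustration rather than taken from any project's configuration. It assumes a kernel tree for an architecture that offers CONFIG_CFI_CLANG (x86_64 and arm64 do) and an LLVM toolchain:

```kconfig
# Added example: kernel configuration fragment for a KCFI build.
# Build with: make LLVM=1 olddefconfig && make LLVM=1
CONFIG_CFI_CLANG=y
# Leave permissive mode off in production. When it is enabled a failed
# check only logs a warning and execution continues; with it unset a
# control-flow violation is fatal (kernel oops).
# CONFIG_CFI_PERMISSIVE is not set
```

The same two settings can be applied to an existing configuration with scripts/config -e CFI_CLANG -d CFI_PERMISSIVE before running make LLVM=1 olddefconfig. Permissive mode is useful while bringing up out-of-tree modules, since it reports every mismatch instead of stopping at the first one, but it provides no protection and should not reach a shipped kernel.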
When to Use KCFI vs CFI¶
| Feature | KCFI | CFI |
|---|---|---|
| Requires LTO | No | Yes (-flto) |
| Check mechanism | Type hash stored before each function, compared at the call site | Call target checked against a per-type jump table built at link time |
| Use case | Kernel/embedded | Userspace applications |
| Overhead | Lower: one load and compare per indirect call, no extra indirection | Higher: indirect calls go through jump tables and need whole-program analysis |
| Precision | Per prototype hash | Per type, with whole-program knowledge of valid targets |
| Function pointer equality | Preserved | May break |
Applicability¶
This rule applies to:
- Linux kernel modules and images
- Embedded firmware
- Bare-metal binaries
- Statically linked system binaries
This rule does not apply to:
- Regular userspace applications (use AD3036 EnableControlFlowIntegrity instead)
- Shared libraries
- Dynamically linked executables
References¶
Related Rules¶
- AD3036: EnableControlFlowIntegrity - Standard CFI for userspace
- AD3019: EnableLTO - Required for standard CFI