AD5025: EnableControlFlowIntegrityMachO¶

Summary¶

Property	Value
ID	AD5025
Name	EnableControlFlowIntegrityMachO
Category	Security
Severity	Note
Applies to	Mach-O (macOS, iOS)

Description¶

Mach-O binaries compiled with Clang should enable Control Flow Integrity (CFI) to prevent control flow hijacking attacks.

How It Works¶

The rule checks for CFI indicators:

CFI-related symbols
Type metadata for call validation
LTO usage (required for CFI)

Why This Matters¶

CFI provides fine-grained protection against control flow hijacking, complementing Apple's existing security features.

CFI on Apple Platforms¶

Feature	Status
ARM PAC	Hardware (M1+, A12+)
CFI	Software (Clang)
Combined	Strongest protection

CFI Check Types¶

Check	Protects
cfi-vcall	Virtual calls
cfi-icall	Indirect calls
cfi-nvcall	Non-virtual member calls
cfi-cast	Type casts

LTO Requirement¶

# CFI requires LTO
clang -flto -fsanitize=cfi -fvisibility=hidden program.c

Visibility Requirement¶

// Default hidden visibility recommended for CFI
__attribute__((visibility("default"))) void public_api();
// Other functions default to hidden

Performance¶

Configuration	Overhead
CFI alone	1-5%
CFI + PAC	2-6%

Resolution¶

Enable CFI with LTO:

clang -flto -fsanitize=cfi -fvisibility=hidden -o program program.c

CMake Configuration¶

if(APPLE AND CMAKE_CXX_COMPILER_ID STREQUAL "Clang")
    target_compile_options(myapp PRIVATE
        -flto -fsanitize=cfi -fvisibility=hidden)
    target_link_options(myapp PRIVATE
        -flto -fsanitize=cfi)
endif()