Code-Pointer Integrity

Volodymyr Kuznetsov and George Candea


Systems code is often written in low-level languages like C/C++, which offer many benefits but also delegate memory management to programmers. This invites memory safety bugs that attackers can exploit to divert control flow and compromise the system. Deployed defense mechanisms (e.g., ASLR, DEP) are incomplete, and stronger defense mechanisms (e.g., CFI) often have high overhead and limited guarantees.

We introduce code-pointer integrity (CPI), a new design point that guarantees the integrity of all code pointers in a program (e.g., function pointers, saved return addresses) and thereby prevents all control-flow hijack attacks, including return-oriented programming. We also introduce code-pointer separation (CPS), a relaxation of CPI with better performance properties. CPI and CPS offer substantially better security-to-overhead ratios than the state of the art, they are practical (we protect a complete FreeBSD system and over 100 packages like apache and postgresql), effective (prevent all attacks in the RIPE benchmark), and efficient: on SPEC CPU2006, CPS averages 1.2% overhead for C and 1.9% for C/C++, while CPI’s overhead is 2.9% for C and 8.4% for C/C++.

A prototype implementation of CPI and CPS can be obtained from

(This is joint work with L. Szekeres, M. Payer, R. Sekar, and D. Song)


George Candea ( is an Associate Professor of Computer Science at EPFL. He got his BS ('97) and MEng ('98) from MIT and his PhD from Stanford ('05), all in Computer Science. He co-founded Aster Data Systems (now Teradata Aster) and served as its CTO and then Chief Scientist.

Volodymyr Kuznetsov ( is a PhD student at EPFL in George's group, working on systems, security, and program analysis & verification. He received his BS ('07) and MS ('09) in Applied Physics and Mathematics from the Moscow Institute of Physics and Technology.

Time and Place

Thursday, October 9, 4:15pm
Gates 463A