Control Flow Integrity (CFI) is a promising defense technique against
code-reuse attacks. While proposals to use hardware features to support CFI already
exist, there is still a growing demand for architectural CFI support on
commodity hardware. To tackle this problem, in this paper we demonstrate that
the Transactional Synchronization Extensions (TSX) recently introduced by Intel
in the x86-64 instruction set can be used to support CFI.
The main idea of our approach is to map control flow transitions into transactions.
This way, violations of the intended control flow graph trigger transactional
aborts, which constitutes the core of our TSX-based CFI solution. To
prove the feasibility of our technique, we designed and implemented two coarse-grained
CFI proof-of-concept implementations using the new TSX features. In
particular, we show how hardware-supported transactions can be used to enforce
both loose CFI (which does not need to extract the control flow graph in advance)
and strict CFI (which requires pre-computed labels to achieve a better precision).
Both solutions are based on compile-time instrumentation.
We evaluate the effectiveness and overhead of our implementations to demonstrate
that a TSX-based implementation contains useful concepts for architectural
control flow integrity support.
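The following Python model is an added illustration of the idea sketched above (call sites open a transaction, legitimate targets close it, so a transfer that bypasses an instrumented entry never commits); it is not the paper's instrumentation or code. It assumes a simplified abstract machine: a transaction that reaches ordinary code before an `XEND` is treated as aborted, and the strict variant compares a pre-computed label at the callee entry and aborts explicitly on mismatch. The program, the labels `0x11`/`0x22` and the scenario names are constructed for the example.

```python
"""Toy model of transaction-based CFI: loose (no labels) vs strict (labels)."""
from dataclasses import dataclass


class TransactionAbort(Exception):
    """Raised when the modelled transaction aborts instead of committing."""


@dataclass
class Function:
    name: str
    label: int        # pre-computed label, only checked in strict mode
    body: list        # ordinary instructions after the instrumented prologue


def instrument(func, mode):
    """Return func's instruction list with the CFI prologue for `mode`.

    loose:  [XEND, body...]
    strict: [CMP_LABEL label, XEND, body...]
    """
    prologue = []
    if mode == "strict":
        prologue.append(("CMP_LABEL", func.label))
    prologue.append(("XEND", None))
    return prologue + [(op, None) for op in func.body]


def transfer(program, target, offset, expected_label, mode):
    """Model a call site that executed XBEGIN and now transfers control.

    Walks the callee's instructions from `offset` while the transaction is
    open.  Returns "commit" when an instrumented entry ends the transaction.
    """
    for op, arg in program[target][offset:]:
        if op == "CMP_LABEL":
            if mode == "strict" and arg != expected_label:
                raise TransactionAbort(f"label mismatch at {target}")
            continue
        if op == "XEND":
            return "commit"
        # Model assumption: executing ordinary code while the transaction is
        # still open means the transfer bypassed an instrumented entry.
        raise TransactionAbort(f"open transaction reached {op} at {target}+{offset}")
    raise TransactionAbort(f"{target} ended without XEND")


def outcome(program, target, offset, expected_label, mode):
    """Run one transfer and report 'commit' or 'abort'."""
    try:
        return transfer(program, target, offset, expected_label, mode)
    except TransactionAbort:
        return "abort"


def run_scenarios(mode):
    """Three transfers from a call site whose intended callee is `helper`."""
    funcs = [Function("helper", 0x11, ["NOP", "RET"]),
             Function("other", 0x22, ["NOP", "RET"])]
    program = {f.name: instrument(f, mode) for f in funcs}
    intended = 0x11                                  # label the call site expects
    gadget = len(program["helper"]) - 1              # the RET in the middle of helper
    return {
        "direct call": outcome(program, "helper", 0, intended, mode),
        "redirected to other entry": outcome(program, "other", 0, intended, mode),
        "jump into middle": outcome(program, "helper", gadget, intended, mode),
    }


if __name__ == "__main__":
    for mode in ("loose", "strict"):
        print(mode, run_scenarios(mode))
```

Both variants abort the jump into the middle of `helper`, since no `XEND` is reached. Only the strict variant also rejects the transfer to `other`: its entry is instrumented, so loose CFI accepts it, whereas the label check turns it into an explicit abort. That is the precision difference between the two variants, at the cost of computing the labels in advance.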