Why Control Flow Integrity is More Important Than Ever

Assaf Harel, Karamba Security Chief Scientist | September 26th, 2019

With billions of resource-limited, connected vehicles and devices set to hit the market in the coming years, there is a clear and present need for CFI that can be seamlessly embedded into these devices without performance drag, false positives, or delays in go-to-market.

In a connected world driven by data, the incentives for hackers grow larger by the day. The sheer volume of new malware produced daily is staggering, and as billions of Internet of Things devices and connected vehicles hit the market in the coming years, the threat environment will only become more toxic.

Consider the age-old risk equation of attack probability and potential impact. If an attack has the potential to be devastating but is extremely unlikely, or if it has a high likelihood but the expected damage is limited in scope, then the attack is considered lower risk and is given less priority.

This formula is of growing importance due to threats such as remote code execution and memory corruption, which not only cause significant damage but are also becoming more common as the amount of code in today’s consumer products continues to soar.


CFI is a key cybersecurity measure to apply on the connected ECU because it stops Remote Code Execution (RCE), the most dangerous form of cyberattack. RCE attacks allow a malicious actor to compromise the program and bend it to their will. In the case of a connected vehicle, this could potentially mean a hacker would be capable of seizing control and remotely operating a vehicle, putting property and lives at risk. According to an American Consumer Watchdog report from July 2019, a fleet-wide hack of connected vehicles during rush hour in a major city could potentially “result in approximately 3,000 fatalities, the same death tolls as the 9/11 attack.”

As host protection is introduced into modern connected vehicles, CFI protects the software control flow by upholding the “known good” functions validated by the developer and analyzing the software at runtime to ensure that the control flow is not diverted in memory. When installed in the ECU, Karamba CFI detects control transfers that don’t match the whitelisted policy and stops the process. CFI can also run additional analysis tests and report the incident to the product user.
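To make the whitelist idea concrete, here is an added example (not Karamba's code) of a minimal forward-edge CFI check in C: a build-time policy lists the only functions an indirect call may land on, and a runtime check refuses to transfer control anywhere else. The handler names, the policy table and the "corrupted pointer" scenario are all constructed for illustration.

```c
/* Added example, not Karamba's implementation: a build-time whitelist of
 * "known good" indirect-call targets, enforced by a runtime check before
 * every indirect call. Handler names and the policy table are constructed. */
#include <stddef.h>
#include <stdio.h>

typedef int (*handler_t)(int);

/* Two handlers the developer validated as legitimate indirect-call targets. */
static int handle_speed(int v) { return v * 2; }
static int handle_brake(int v) { return v - 1; }
/* A function that must never be reached through an indirect call. */
static int privileged_reflash(int v) { (void)v; return -1; }

/* Build-time policy: the only addresses an indirect call may land on. */
static const handler_t cfi_policy[] = { handle_speed, handle_brake };

/* Runtime check: is the target one of the whitelisted entry points? */
int cfi_target_allowed(handler_t target) {
    for (size_t i = 0; i < sizeof cfi_policy / sizeof cfi_policy[0]; i++)
        if (cfi_policy[i] == target) return 1;
    return 0;
}

/* Checked indirect call: calls the target and returns 1 when allowed;
 * returns 0 without calling the target when the flow was diverted. */
int cfi_checked_call(handler_t target, int arg, int *result) {
    if (!cfi_target_allowed(target)) {
        /* Prevention happens before the diverted target runs; then report. */
        fprintf(stderr, "CFI violation: indirect call blocked\n");
        return 0;
    }
    *result = target(arg);
    return 1;
}

/* Legitimate path: the pointer still points at a whitelisted handler. */
int demo_legitimate(void) {
    int r = 0;
    return cfi_checked_call(handle_speed, 10, &r) ? r : -1;  /* 20 */
}

/* Diverted path: a corrupted pointer now names a non-whitelisted function. */
int demo_diverted(void) {
    int r = 0;
    handler_t corrupted = privileged_reflash;  /* constructed corruption */
    return cfi_checked_call(corrupted, 10, &r);  /* 0: blocked */
}
```

A production CFI scheme derives the policy from the whole program at build time and checks it far more cheaply than a linear table scan; this example only shows the decision the check makes.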

The effectiveness of CFI makes it something of a no-brainer for cybersecurity, but there are still hurdles to mass adoption of this software integrity measure.

A key consideration in any embedded environment, such as a vehicle ECU, is the resource constraints of embedded devices. Most CFI solutions available today have more than a 5% impact on CPU utilization and memory size, which can negatively affect overall system performance. Through 3 years of continuous improvements and optimization accrued over the course of 30 projects on various OS and hardware platforms, Karamba can demonstrate today the best performance for a CFI-based Host IDPS, one that is accepted by the top automotive OEMs.

When looking at a host-based IDPS, the P (prevention) is critical. Prevention can only be offered when the technology supports a zero-false-positive model. And while statistical analysis of logs adds detection capabilities, it has to be kept separate from the prevention functions that block the attack as it is detected. Another key consideration is the ease of integration into the ECU architecture. No new hardware can be expected for a Host IDPS, and the process of adding the solution must be transparent for developers and validation teams alike. The manpower demands of this integration must be kept low, as its ability to stop attacks usually comes second to SOP commitments.

Karamba Carwall is ideally suited to answer the CFI-based Host IDPS requirements introduced today by major OEMs. It provides a comprehensive solution to each of these concerns. Karamba CFI has zero false positives and less than a 5% impact on memory size and space on disk, meaning that it won’t slow down devices or block whitelisted commands. Karamba CFI can be seamlessly instrumented into the code during the build phase, and it works deterministically throughout the lifetime of the device with no need for user operation or updates.

In other words, when embedded on IoT devices, from ECUs to routers to smart refrigerators, Karamba CFI creates self-defending devices that deterministically prevent attempts to hijack the control flow and execute arbitrary code.

For more than a decade, CFI has been touted as a potential game-changer when it comes to embedded cybersecurity. With billions of resource-limited, connected devices and vehicles set to hit the market in the coming years, there is a clear and present need for CFI that can be seamlessly embedded into these devices without performance drag, false positives, or delays in go-to-market.
