CFI stands for "Control Flow Integrity": a compiler-based mitigation that checks indirect control-flow transfers (such as calls through function pointers) and stops execution when it is redirected to a target the program never intended, which defeats a large class of memory-corruption exploits.
As Sami Tolvanen of the Android security team explained when announcing the feature, kernel code is an attractive target because a bug that gives an attacker write access to memory can be used to overwrite a function pointer, and the next indirect call through that pointer then executes whatever kernel code the attacker chose.
CFI mitigates such attacks by adding checks at indirect call sites that confirm the kernel's control flow still follows the layout the compiler derived from the source: the target of each call must be an address-taken function whose type matches the call site.
This does not stop an attacker who already has a write primitive from changing the pointer. It does, however, greatly shrink the set of targets the corrupted pointer can usefully reach, which makes exploiting such a bug considerably harder in practice.
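To make the check concrete, the following C program is an added illustration, not code from the article or from the Android kernel sources. It models forward-edge CFI in user space: the table `valid_op_targets` stands in for the per-type jump table that LLVM emits, `dispatch` is an instrumented call site, and `struct handler` and `corrupt_handler` are constructed here to play the part of a kernel object and the memory-corruption bug that overwrites the pointer stored in it. The four scenarios show a legitimate call, two hijacks that the check rejects (a function of another type, an address inside data), and the residual case where the attacker substitutes another function of the same type, which is exactly why CFI limits rather than eliminates such attacks.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The signature the subsystem expects from its operation handlers. */
typedef int (*op_fn)(int);

static int op_add_one(int x) { return x + 1; }
static int op_double(int x)  { return x * 2; }

/* A function of a different type; the kind of gadget an attacker would aim for. */
static int dump_secret(const char *who) { return (int)strlen(who); }

/*
 * The legitimate op_fn targets. This constructed table stands in for the
 * per-type jump table LLVM emits: address-taken functions of type int (*)(int).
 */
static const op_fn valid_op_targets[] = { op_add_one, op_double };

/* The CFI check: may a call through an op_fn reach this target? */
static bool cfi_check_op_fn(op_fn target) {
    for (size_t i = 0; i < sizeof valid_op_targets / sizeof valid_op_targets[0]; i++) {
        if (valid_op_targets[i] == target)
            return true;
    }
    return false;
}

/* A kernel-style object that stores a function pointer next to attacker-influenced data. */
struct handler {
    char name[16];  /* an overflow of name would reach fn */
    op_fn fn;
};

#define CFI_VIOLATION (-1)

/* An indirect call site, instrumented the way CFI instruments it. */
static int dispatch(const struct handler *h, int x) {
    if (!cfi_check_op_fn(h->fn)) {
        /* The real kernel panics here; CONFIG_CFI_PERMISSIVE downgrades that to a warning. */
        return CFI_VIOLATION;
    }
    return h->fn(x);
}

/* Models the bug: an attacker's write primitive overwrites the stored pointer bytes.
 * Assumes sizeof(uintptr_t) == sizeof(op_fn), true on 64-bit Linux. */
static void corrupt_handler(struct handler *h, uintptr_t new_target) {
    memcpy(&h->fn, &new_target, sizeof h->fn);
}

/* Scenario 1: untouched object, legitimate call. */
static int scenario_legit(void) {
    struct handler h = { "adder", op_add_one };
    return dispatch(&h, 41);  /* 42 */
}

/* Scenario 2: pointer redirected to a function of another type: rejected. */
static int scenario_type_confusion(void) {
    struct handler h = { "adder", op_add_one };
    corrupt_handler(&h, (uintptr_t)dump_secret);
    return dispatch(&h, 41);  /* CFI_VIOLATION */
}

/* Scenario 3: pointer redirected into attacker-controlled data (injected code): rejected. */
static int scenario_arbitrary_address(void) {
    struct handler h = { "adder", op_add_one };
    corrupt_handler(&h, (uintptr_t)h.name);
    return dispatch(&h, 41);  /* CFI_VIOLATION */
}

/* Scenario 4: pointer redirected to another valid op_fn: type-based CFI cannot tell. */
static int scenario_same_type(void) {
    struct handler h = { "adder", op_add_one };
    corrupt_handler(&h, (uintptr_t)op_double);
    return dispatch(&h, 41);  /* 82: the residual attack surface */
}

int main(void) {
    printf("legit:             %d\n", scenario_legit());
    printf("type confusion:    %d\n", scenario_type_confusion());
    printf("arbitrary address: %d\n", scenario_arbitrary_address());
    printf("same type:         %d\n", scenario_same_type());
    return 0;
}
```

Scenario 4 is the caveat worth remembering: LLVM's scheme keys the jump table on the function's static type, so every address-taken function with the same prototype remains a valid target. Reducing that set (distinct handler types per subsystem, fewer address-taken functions) is what makes the check bite harder.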
Google added LLVM CFI support to the Android common kernels based on Linux 4.9 and 4.14, so any manufacturer whose device kernel derives from the Android common kernel can now enable it.
The Android team recommends that all manufacturers enable kernel CFI on their arm64 devices shipping with Android 9, as an additional layer of protection against kernel vulnerabilities.
In subsequent releases, the team also plans to add LLVM's Shadow Call Stack, which protects function return addresses against the same kind of tampering.