Modern and powerful security technology that protects against hacking attempts is used to a very limited extent – despite having been available to developers for more than a decade. Researchers at Umeå University can now reveal why the technology fails to take hold. “At the same time, we present an automated solution that makes it easy to adopt the technology,” says Sabine Houy, doctoral student at the Department of Computing Science, who is now defending her thesis.

In common operating systems such as Windows, Android and iOS, as well as in browsers like Chrome and Edge, there is a built‑in security mechanism – Control Flow Integrity, CFI. It prevents attackers from hijacking software by exploiting bugs or memory errors, particularly in programmes written in languages such as C and C++.

"Attackers can use such flaws to redirect the programme flow and execute malicious code,” explains Sabine Houy, doctoral student at the Department of Computing Science, Umeå University.

Despite the technology being well established and technically mature, its use is surprisingly low.

“Less than one per cent of software packages in major Linux distributions use CFI. Even Android has only enabled the technology for selected components, which is remarkable. CFI provides robust guardrails and has been available for over a decade."

Automated solution to a complex problem
In her research, Houy investigated why this is the case. When she and her colleagues attempted to enable CFI in OpenJDK – the open‑source version of Java – they quickly encountered extensive problems. The software refused to compile, crashed, or behaved unpredictably.

“Solving the issues required extensive manual work to understand why the security tool clashed with the way the software was built,” says Sabine Houy.

She argues that the problem is not that CFI does not work.

“It is that real‑world software is complex and often violates the assumptions that CFI relies on,” says Sabine Houy.

Directly crucial for security in critical systems
To address this, Houy now introduces a tool that automatically detects and repairs these compatibility issues, called CFIghter.

“In tests on real software projects, our solution succeeded in enabling CFI where manual attempts would have been both time‑consuming and technically difficult.”

The results have immediate relevance for software security in critical environments. Operating systems, browsers and industrial control systems all use programming languages that CFI can protect. Automated tools can help companies implement security measures at scale – something that is becoming increasingly important as cyberattacks grow more sophisticated.

“Developers want to use security technologies, but the threshold becomes too high when the tools do not work out of the box. This provides a smart and safe solution that reduces the burden,” says Sabine Houy.

CFI will not eliminate all security risks. “But by making it more accessible, one can significantly raise the bar for attackers exploiting memory vulnerabilities in critical software systems,” concludes Sabine Houy.

Prominent research
Sabine Houy has worked with both theoretical and practical aspects of CFI. In her master’s thesis, she also worked on security aspects of cryptocurrency ledgers. Sabine Houy is part of the prominent research group Software Engineering and Security at Umeå University, led by Professor Alexandre Bartel at the Department of Computing Science. He has recently received several prestigious international awards, and he also teaches the highly popular course in Computer Security.

Sabine Houy defends her thesis, "Control Flow Integrity in Practice: Retrospectives, Realities, and Automated Enforcement," on Tuesday, 17 February.