SACK: Systematic Generation of Function Substitution Attacks Against Control-Flow Integrity

Zhechang Zhang

Network and Distributed System Security (NDSS) Symposium 2026 · Day 2 · Systems Security

This talk presents **SACK**, the first systematic framework for automatically constructing **function substitution attacks** against programs protected by **fully precise static Control-Flow Integrity (CFI)**. While CFI has been the principal defense against control-flow hijacking for over a decade, SACK demonstrates that even the strongest possible static CFI -- where every allowed target must be triggered by some benign input -- can be systematically bypassed by substituting one legitimate target for another within the allowed set.

AI review

A genuinely important contribution to offensive security research. SACK systematically demonstrates that fully precise static CFI -- the gold standard defense against control-flow hijacking -- is fundamentally insufficient against function substitution attacks. Hundreds of attacks across seven applications, five end-to-end exploits including a V8 command execution, and a framework that uses LLMs to automate security oracle construction for $0.60 each. This is real exploitation research with deep implications for memory safety defenses.
