v0.11

New release based on a development version of LLVM 22. This release switches prebuilts to use the integrated LFI rewriter for x86-64 and aarch64. The lfi-rewrite and lfi-postlink tools are no longer necessary for compilation. This release also uses a new experimental implementation of bundling for LLVM 22, as bundling was removed from LLVM after release 21.

Target triples are now place lfi in the architecture field as a sub-architecture (aarch64_lfi and x86_64_lfi) rather than using the vendor field.

v0.10

The LFI implementation has been distributed across several repositories in https://github.com/lfi-project. This release includes prebuilts for the LFI compiler (Clang/LLVM, LFI sysroot), tools (lfi-rewrite, lfi-verify, lfi-run), and libraries (liblfi.so, liblfi.a).

Tools and libraries are in ARCH-lfi-tools.tar.gz. Compiler toolchain in ARCH-lfi-clang.tar.gz. Native compilers are provided for benchmarking (using the same runtime libraries+compiler version as the LFI version).

The aarch64 toolchains ending with host-x86_64 are aarch64 cross compilers that run on a x86-64 host machine.

v0.8

Full Changelog: v0.7...v0.8

v0.7

Full Changelog: v0.6...v0.7

v0.6

Full Changelog: v0.5...v0.6

v0.5

What's Changed

Full Changelog: v0.4...v0.5

Native toolchains are also provided for benchmarking purposes.

v0.4

Full Changelog: v0.3...v0.4

v0.3

This release adds initial native support for x86-64 (amd64). The x86-64 sandboxing scheme uses 16-byte bundles and rewrites jumps/loads/stores to safe equivalents via two reserved registers. More details will be forthcoming. A static verifier for x86-64 is not yet available, so currently only the compiler toolchains and lfi-run tool are available. The Clang toolchain for x86-64 requires a modification to LLVM, so prebuilt versions of the patched Clang and LLD are available in llvm/bin in the archive.

The performance of the ARM64 verifier has also been improved and now verifies typical binaries at a throughput of 500 MiB/s on an M2 CPU.

v0.2

New in this release:

• lfi-run has been rewritten to use liblfi and has been significantly improved.
• The runtime call table is now stored in x25, which will facilitate future improvements.
• The verifier is now significantly smaller and faster (200 MiB/s).
• Experimental support for running on x86-64 via Dynarmic in lfi-run. This effort will likely not be continued in the near future, but remains experimental due to being incomplete (you may encounter issues).

Several further improvements are in-progress: optimized integration with WebAssembly (including a WASI runtime), even faster verification, and native x86-64 support.

v0.1

Version 0.1 of LFI. This release includes prebuilt toolchains for both Clang and GCC in lfi-toolchain-arm64.tar.gz, and a prebuilt version of liblfi in liblfi-prebuilt.tar.gz. A GCC cross-compiler is also included that can run on x86-64 hosts in lfi-toolchain-amd64.tar.gz (does not include lfi-run).

The Clang toolchain expects you to have an externally installed version of Clang and LLD.

The GCC toolchain contains all necessary binaries within the toolchain (gcc, g++, binutils, etc.).