OnePlus phones are quite popular among tinkerers, primarily because of the company's developer-friendly attitude and, of course, its painless bootloader unlocking policy. The company itself isn't afraid to experiment, and modders fully embrace the same school of thought. For example, OnePlus phones were among the first non-Pixel devices to support Energy Aware Scheduling (EAS), courtesy of XDA's rich aftermarket development community. This is a big reason why third-party kernels are always welcome here at XDA: they can be customized to introduce new performance features as well as security measures.

XDA Recognized Developer Freak07, better known as the maintainer of the Kirisakura kernel, has now introduced a nifty security feature to the OnePlus 8 Pro through his custom kernel. The mechanism is called Control Flow Integrity (CFI). It is designed as a runtime hardening feature, but it could also be classified as a bug-finding tool, which makes it quite distinctive.


Improving security by fixing exploitable code is a very important aspect of kernel development. This is done, amongst other ways, through the monthly Android security updates.

However, as we all know, these updates aren't rolled out as regularly by all OEMs as we would like them to be. Additionally, the Android kernel consists of thousands and thousands of lines of code that are out of tree. Due to the complexity and size of the Android kernel, as well as the sheer diversity of the Android ecosystem, it's difficult to fix every single exploit. Instead of fixing every single line of exploitable code, it's beneficial to make the system more resilient against attacks by rendering the existing security bugs non-exploitable. This technique is called hardening.

That's where Control Flow Integrity (CFI) comes into play. CFI is a security mechanism that disallows changes to the original control flow graph of a compiled binary. Due to existing memory protections that make code injection more difficult, a common attack vector is to overwrite a function pointer stored in memory.
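As an added illustration (not code from the Kirisakura kernel or from Clang's CFI implementation), the following C program models the forward-edge check that kernel CFI performs: an indirect call through a function pointer is only allowed if the pointer still points at a function of the expected signature. The target table, the check routine, the `struct op` object and the deliberately mistyped `helper` pointer standing in for a corrupted one are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

typedef int (*handler_fn)(int);          /* signature being protected */
static int add_one(int x)   { return x + 1; }
static int times_two(int x) { return x * 2; }
static void helper(void)    { }          /* wrong signature: never a legal target */

/* Hypothetical software model of the per-signature target set that Clang's
 * forward-edge CFI (CONFIG_CFI_CLANG) builds at link time: an indirect call
 * through a handler_fn may only land on one of these addresses. */
static const handler_fn valid_handlers[] = { add_one, times_two };

/* Returns 1 if target is in the legal set for handler_fn, else 0. */
int cfi_check_handler(handler_fn target)
{
    size_t n = sizeof valid_handlers / sizeof valid_handlers[0];
    for (size_t i = 0; i < n; i++)
        if (valid_handlers[i] == target)
            return 1;
    return 0;
}

/* Checked indirect call: the check runs before control is transferred.
 * Returns 1 and stores the result when allowed, 0 when the pointer is not a
 * legal target (an enforcing kernel panics; CONFIG_CFI_PERMISSIVE only logs). */
int checked_call(handler_fn target, int arg, int *result)
{
    if (!cfi_check_handler(target))
        return 0;
    *result = target(arg);
    return 1;
}

/* Object whose function pointer sits in writable memory, the kind of field a
 * memory-corruption bug could overwrite. */
struct op { handler_fn fn; int arg; };

int dispatch(const struct op *o, int *result) { return checked_call(o->fn, o->arg, result); }

int main(void)
{
    int r = 0, ok;
    struct op good = { times_two, 3 };
    struct op bad  = { (handler_fn)helper, 3 };  /* constructed corrupted pointer */
    ok = dispatch(&good, &r);
    printf("good: allowed=%d result=%d\n", ok, r);
    printf("bad:  allowed=%d\n", dispatch(&bad, &r));
    return 0;
}
```

The real implementation performs the equivalent comparison with compiler-generated jump tables rather than a lookup loop, but the property enforced is the same.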

Here is a technical explanation by Freak07 that explains a bit more about Control Flow Integrity:

The only Android smartphone models (that we know of) that officially support CFI are the Google Pixel 3 and Pixel 4 family. The developer tells us that his kernel is among the few custom kernels to have fully working Kernel-CFI. There is another kernel on the OnePlus 7 Pro forum that supports Kernel-CFI as well as Freak07's own Kirisakura kernel for the ASUS ROG Phone II, but his kernel release for the OnePlus 8 Pro is the first custom kernel for a device with Linux kernel version 4.19 to have CFI enforced.

Kirisakura kernel for the OnePlus 8 Pro — XDA Download and Discussion Thread

Google strongly recommends the usage of Kernel-CFI if the device is running Android 9 Pie or higher. With OEMs sometimes being months behind the most recent security update and our phones becoming more and more connected to our lives, holding valuable private data, security features that focus on hardening the system are indeed a welcome addition to our personal smartphones. There are other kernel security features that are as important if not more important than Kernel-CFI, though, so don't take CFI as a magic bullet that protects from all flaws.