Branch Landing: Bloom Filter-Based Source Authorization for Forward-Edge CFI on RISC-V

📅 2026-04-25
📈 Citations: 0
Influential: 0
🤖 AI Summary
This work addresses the limitations of existing forward-edge control-flow integrity (CFI) mechanisms, which are either overly permissive in source authorization (type-based CFI admits every caller of the same type) or constrained by fixed-width hardware registers (hardware tagging schemes cap the number of simultaneously authorized sources). To overcome these issues, the authors propose Branch Landing (BRL), the first framework to integrate Bloom filters into RISC-V forward-edge CFI. BRL introduces a lightweight ISA extension (bld/brl) and a dedicated BRState register to verify source Section Identifiers (SIDs) at branch targets with a fixed number of filter probes, so the cost of the check does not grow with the number of authorized sources and no cap on that number is imposed. The design uniformly supports multi-granularity policies ranging from type-based to CFG-derived enforcement, with LLVM backend integration enabling function- and basic-block-level configurations. Evaluation on 81 BEEBS benchmarks shows runtime overhead of only 0.210%–0.421%, code size increase of 0.46%–0.52%, a 32.5% average reduction in equivalence class size, and zero execution failures.

📝 Abstract
Jump-Oriented Programming (JOP) attacks exploit indirect control transfers to bypass backward-edge defenses, yet existing forward-edge CFI mechanisms lack precise source-domain authorization: type-based CFI admits all same-signature callers, while tag-based hardware CFI is limited by fixed-width register storage that caps the number of simultaneously authorized sources. We propose Branch Landing (BRL), a landing-based forward-edge CFI framework for RISC-V that replaces fixed-capacity checks with Bloom filter membership queries. Two lightweight ISA extensions, bld and brl, propagate a source Section Identifier (SID) through a dedicated BRState register and validate it at each landing site with fixed-probe latency that is independent of the number of authorized sources under a chosen filter configuration. Section granularity is configurable, supporting policies from type-based to CFG-derived authorization within a single mechanism. We implement Branch Landing in the LLVM RISC-V backend and evaluate it on 81 BEEBS benchmarks under two representative policy configurations: a function-level, type-based policy and a basic-block-level, CFG-derived policy. Under a 3-cycle brl latency model, the two configurations incur average runtime overheads of only 0.210% and 0.421%, with mean code size growth of 0.46% and 0.52% respectively. The CFG-derived policy reduces the average equivalence class size by 32.5% compared to the type-based policy, and all evaluated executions complete without BRL enforcement failures.
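The abstract describes the mechanism in one sentence: bld loads the source section's SID into BRState before an indirect transfer, and brl at the landing site answers a Bloom filter membership query over that value, so the number of bit probes is fixed no matter how many sources the site admits. The Python model below is an added illustration, not code from the paper or its LLVM backend. The filter width (M_BITS), the probe functions (simple linear probes so results are reproducible, not a real hash), the four-caller program, its CFG, and the two policy tables are all constructed assumptions; they exist only to show how a type-based and a CFG-derived policy differ in equivalence class size on the same landing mechanism, and why a Bloom filter can admit an unauthorized source but never rejects an authorized one.

```python
"""Software model of Branch Landing's bld/brl source check.

Added example, not code from the paper or its LLVM backend. The filter width,
the probe functions, the program layout and the policy tables are constructed
for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

M_BITS = 64    # assumed width of the Bloom filter encoded at each brl landing site
K_PROBES = 3   # assumed number of probes per membership query


def probe_indices(sid: int) -> List[int]:
    """Three deterministic probe positions for a SID.

    Assumption for this model only: linear probes keep the example reproducible;
    real hardware would use proper hash functions.
    """
    return [(7 * sid + 1) % M_BITS,
            (13 * sid + 5) % M_BITS,
            (31 * sid + 11) % M_BITS]


@dataclass
class LandingSite:
    """A brl landing site: its filter bits plus (bookkeeping only) the SIDs it admits."""
    name: str
    bits: int = 0
    authorized: Set[int] = field(default_factory=set)

    def authorize(self, sid: int) -> None:
        """Compile-time step: set the probe bits of an authorized source SID."""
        self.authorized.add(sid)
        for idx in probe_indices(sid):
            self.bits |= 1 << idx

    def brl(self, brstate: Optional[int]) -> bool:
        """Runtime check: every probe bit for BRState must be set.

        Cost is K_PROBES bit tests regardless of len(self.authorized).
        A Bloom filter has no false negatives, so an authorized SID always passes;
        an unauthorized SID passes only on a probe collision (false positive).
        """
        if brstate is None:                      # no preceding bld: not an authorized transfer
            return False
        return all((self.bits >> idx) & 1 for idx in probe_indices(brstate))


class Machine:
    """Minimal core: bld loads BRState before an indirect transfer, brl consumes it."""

    def __init__(self) -> None:
        self.brstate: Optional[int] = None

    def bld(self, sid: int) -> None:
        self.brstate = sid

    def indirect_call(self, target: LandingSite) -> bool:
        ok = target.brl(self.brstate)
        self.brstate = None                      # one-shot: consumed by the landing check
        return ok


# Constructed program: four caller sections, each making an int(int) indirect call.
CALLER_SIDS = {"A": 1, "B": 2, "C": 3, "D": 4}
TARGETS = ["handler_x", "handler_y", "handler_z"]   # all have signature int(int)
# Constructed CFG: which targets each caller's indirect call can actually reach.
CFG_EDGES = {
    "A": {"handler_x"},
    "B": {"handler_x", "handler_y"},
    "C": {"handler_y"},
    "D": {"handler_z"},
}


def build_sites(policy: str) -> Dict[str, LandingSite]:
    """Emit landing sites under one policy.

    'type': type-based, every same-signature caller is authorized at every target.
    'cfg' : CFG-derived, only callers with an edge to the target are authorized.
    """
    sites = {t: LandingSite(t) for t in TARGETS}
    for caller, sid in CALLER_SIDS.items():
        for target in TARGETS:
            if policy == "type" or target in CFG_EDGES[caller]:
                sites[target].authorize(sid)
    return sites


def mean_class_size(sites: Dict[str, LandingSite]) -> float:
    """Equivalence class size = number of sources a landing site admits."""
    return sum(len(s.authorized) for s in sites.values()) / len(sites)


def transfer(sites: Dict[str, LandingSite], caller: str, target: str) -> bool:
    """Run one bld/brl-protected indirect call and report whether brl accepted it."""
    m = Machine()
    m.bld(CALLER_SIDS[caller])
    return m.indirect_call(sites[target])


def false_positive_rate(m: int, k: int, n: int) -> float:
    """Standard Bloom filter estimate of the chance an unauthorized SID passes brl."""
    return (1 - (1 - 1 / m) ** (k * n)) ** k


if __name__ == "__main__":
    for policy in ("type", "cfg"):
        sites = build_sites(policy)
        print(f"{policy}: mean class size {mean_class_size(sites):.2f}")
        print("  A -> handler_x accepted:", transfer(sites, "A", "handler_x"))
        print("  C -> handler_x accepted:", transfer(sites, "C", "handler_x"))
    print("p(false positive) at m=64, k=3, n=4:", round(false_positive_rate(64, 3, 4), 4))
```

Under the constructed CFG the type-based policy admits all four callers at every site (class size 4), while the CFG-derived policy drops the mean to 5/3 on the same bld/brl mechanism; the reduction here is a property of the toy program, not the paper's 32.5% figure. The defender-relevant caveat is the false-positive term: a narrower filter or more authorized sources raises the probability that an unauthorized SID happens to hit only set bits, so filter width is a precision trade-off rather than a correctness one.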
Problem

Control-Flow Integrity, Source Authorization, RISC-V, Jump-Oriented Programming, Forward-Edge CFI
Innovation

Bloom Filter, Forward-Edge CFI, RISC-V, Source Authorization, Control-Flow Integrity