Skip to main content

Rust Binaries

CodeDefender fully supports obfuscation of Rust-compiled binaries. However, certain compiler optimizations and platform targets can interfere with analysis or lifting. This page outlines known challenges and how to resolve them.

Unbounded Jump Tables

Rust’s LLVM backend aggressively optimizes jump tables by removing bounds checks when the compiler can prove exact control flow reachability. While this improves performance, it presents a challenge for CodeDefender’s indirect branch analysis, which requires explicit jump table bounds for safe transformation.

info

🔍 For more technical detail, see our blog post: Technical Challenges of Indirect Control Flow

Why This Matters

If CodeDefender is unable to determine the bounds of a jump table, it will reject the function with the error: BadIndirectBranch. This issue is especially common in Rust because the compiler can often prove exact reachability for each jump‑table target at compile time, allowing it to eliminate the usual bounds checks altogether. (Rust’s safety guarantees give LLVM more precise control‑flow information than it typically gains from C/C++.) While similar situations can occur in C/C++, they are far less frequent.

The Fix

Thanks to this issue we can derive a simple solution to the problem

rustc -C llvm-args='--help-list-hidden' | grep -- 'jump-table'

--aarch64-min-jump-table-entries=<uint> 
--arm-adjust-jump-tables       
--emit-jump-table-sizes-section     
--enable-jump-table-to-switch      
--hexagon-emit-jump-tables     
--jump-table-density=<uint>                   
--jump-table-to-switch-function-size-threshold=<uint>
--jump-table-to-switch-size-threshold=<uint>  
--max-jump-table-size=<uint>  
--min-jump-table-entries=<uint> 
--minimum-jump-tables=<int>                            
--optsize-jump-table-density=<uint> 
--ppc-min-jump-table-entries=<uint> 
--riscv-min-jump-table-entries=<uint>
  1. Create or open .cargo/config.toml
  2. Include the following:
[build]
rustflags = ["-Cllvm-args=max-jump-table-size=0"]

Rust UEFI (x86_64-unknown-uefi)

This Rust build target generates PE files without unwind information, which is expected—UEFI environments don’t require or utilize unwind data. However, many of CodeDefender’s safety guardrails rely on this information to function correctly. Thanks to this post we can solve this easily.

  1. Create or open .cargo/config.toml
  2. Include the following:
[build]
rustflags = ["-Cforce-unwind-tables"]