[ Thanks to Britta for this link. ]
“Since most attacks are accompanied by system calls,
the CFGs limit themselves to these calls and document the
legitimate pattern for each application. If a program deviates from
the pattern, the kernel ends the process.”
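
The mechanism the quote describes, as an added example that is not part of the original post or the quoted article: a user-space Python model that learns a per-application graph of permitted system-call transitions and returns a "kill" decision at the first deviation. Representing the pattern as adjacent-call transitions is an assumption, as are the function names, the syscall traces and the hypothetical file-serving program.

```python
# Added illustration: a user-space model of syscall-pattern enforcement.
# The graph representation, program and traces are constructed assumptions.
from typing import Dict, Iterable, Optional, Sequence, Set, Tuple

START = "<start>"  # synthetic node that precedes a process's first call


def learn_graph(traces: Iterable[Sequence[str]]) -> Dict[str, Set[str]]:
    """Build the allowed-transition graph from known-good traces."""
    graph: Dict[str, Set[str]] = {}
    for trace in traces:
        prev = START
        for call in trace:
            graph.setdefault(prev, set()).add(call)
            prev = call
        graph.setdefault(prev, set())  # the last call may have no successor
    return graph


def first_violation(graph: Dict[str, Set[str]],
                    trace: Sequence[str]) -> Optional[Tuple[int, str, str]]:
    """Return (index, previous_call, offending_call) for the first
    transition that is not in the graph, or None if the trace conforms."""
    prev = START
    for i, call in enumerate(trace):
        if call not in graph.get(prev, set()):
            return (i, prev, call)
        prev = call
    return None


def enforce(graph: Dict[str, Set[str]], trace: Sequence[str]) -> str:
    """Model the decision from the quote: deviate and the process ends."""
    return "kill" if first_violation(graph, trace) is not None else "allow"


# Constructed known-good behaviour of a hypothetical file-serving program.
GOOD_TRACES = [
    ["openat", "read", "write", "close", "exit_group"],
    ["openat", "read", "read", "write", "close", "exit_group"],
]
GRAPH = learn_graph(GOOD_TRACES)

# Constructed deviating trace: execve was never observed after read.
DEVIANT = ["openat", "read", "execve"]

if __name__ == "__main__":
    print(enforce(GRAPH, GOOD_TRACES[0]))
    print(first_violation(GRAPH, DEVIANT), enforce(GRAPH, DEVIANT))
```

This model only constrains adjacent pairs of calls and ignores their arguments, so it is coarser than a full record of an application's pattern.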