Herein is innovative control flow integrity (CFI) based on code generation techniques that instrument data protection for access control of subroutines invoked across module boundaries. This approach is counterintuitive because, even though code is stored separately from data, access control to the data is used to provide access control to the code. In an embodiment, an instrumentation computer generates, at the beginning of a subroutine that is implemented in machine instructions, a prologue that contains: a first instruction of the subroutine that indicates that the first instruction is a target of a control flow branch and a second instruction of the subroutine that verifies that a memory address is accessible. Generated in the machine instructions are instruction(s) that, when executed by a processor, cause the memory address to have limited accessibility. Some code generation may be performed at the start of runtime by a loader or a dynamic linker.