Code reuse attacks have been a threat to software security for over two decades. Instead of injecting their own malicious code, attackers exploit existing program components. These attacks typically rely on so-called memory corruption vulnerabilities, such as buffer overflows or use-after-free errors in C or C++ software. "Such vulnerabilities can be found in web servers, browsers, or VPN systems, among other places. If an attack is successful, attackers can, for example, extract sensitive data, install malware, or take complete control of systems," explains CISPA researcher Apostolos Chatzianagnostou.
PLaTypus Restricts Abitrary Transition Between Libraries
To make code-reuse attacks more difficult, modern processors are increasingly relying on hardware-based protection mechanisms such as Intel CET or ARM Branch Target Identification (BTI). These are designed to prevent attackers from redirecting a program's control flow to unintended code sections via manipulated indirect calls or return addresses. "Protection mechanisms like CET or BTI are expected to become standard in modern systems in the coming years. However, we have found that they still leave an important attack vector open: attackers can still arbitrarily jump between functions across different libraries," explains Apostolos Chatzianagnostou.
The additional hardening layer PLaTypus addresses this specific issue. It ensures that indirect transitions remain within the same program library as much as possible. Transitions between different libraries are only permitted via explicitly designated mechanisms, specifically the PLT stubs. These are small pieces of code that Linux systems use to dispatch calls to shared library functions at runtime. This is intended to prevent attackers from using compromised function pointers to jump to arbitrary functions in other libraries. "Our central motivation was simple: if a module does not explicitly require access to a function, it should not be able to jump to it indirectly either," explains Chatzianagnostou.
Practical Rather than Theoretical
Unlike many academic security approaches, PLaTypus deliberately takes a practical approach. Instead of replacing existing protection mechanisms, the mitigation complements existing security features and leverages already established mechanisms of modern operating systems. This keeps the additional runtime overhead low and makes integration into existing software more realistic.
According to the researchers, PLaTypus reduces the number of indirectly accessible functions between libraries by more than 98 percent. In tests with applications such as Nginx or Redis, the approach also caused less than 0.5 percent in additional runtime overhead. "Our prototype is currently implemented for Intel architecture, but the approach could also work in ARM systems," says Chatzianagnostou.
From Research to Real-World Toolchains
PLaTypus is still a research prototype. However, the researchers are already in dialogue with the LLVM community to explore possible paths for integration into the standard LLVM toolchain. Since PLaTypus is a compiler-based mitigation built on top of LLVM, such integration would be an important step toward practical deployment. "The path from academic security approaches to real development tools is complex and only possible through close collaboration with the community, in our case, the LLVM developers. I would be delighted if we could realize this in a joint project," explains Chatzianagnostou.
