Despite the fact that protection mechanisms like Stack-Guard, ASLR and NX are widespread, the development on new defense strategies against stack-based buffer overflows has not yet come to an end. In this paper, we present a compiler-level protection called SCADS: Separated Control-and Data-Stacks. In our approach, we protect return addresses and saved frame pointers on a separate stack, called the Control-Stack (CS). In common computer programs, a single user mode stack is used to store control information next to data buffers. By separating control information from the Data-Stack (DS), we protect sensitive pointers of a program’s control flow from being overwritten by buffer overflows. As we make control flow information simply unreachable for buffer overflows, many exploits are stopped at an early stage of progression with only little performance overhead. To substantiate the practicability of our approach, we provide SCADS as an open source patch for the LLVM compiler infrastructure for AMD64 hosts.
CITATION STYLE
Kugler, C., & Müller, T. (2015). SCADS: Separated control- and data-stacks. In Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST (Vol. 152, pp. 323–340). Springer Verlag. https://doi.org/10.1007/978-3-319-23829-6_23
Mendeley helps you to discover research relevant for your work.