SCADS: Separated control- and data-stacks

Abstract

Despite the fact that protection mechanisms like Stack-Guard, ASLR and NX are widespread, the development on new defense strategies against stack-based buffer overflows has not yet come to an end. In this paper, we present a compiler-level protection called SCADS: Separated Control-and Data-Stacks. In our approach, we protect return addresses and saved frame pointers on a separate stack, called the Control-Stack (CS). In common computer programs, a single user mode stack is used to store control information next to data buffers. By separating control information from the Data-Stack (DS), we protect sensitive pointers of a program’s control flow from being overwritten by buffer overflows. As we make control flow information simply unreachable for buffer overflows, many exploits are stopped at an early stage of progression with only little performance overhead. To substantiate the practicability of our approach, we provide SCADS as an open source patch for the LLVM compiler infrastructure for AMD64 hosts.