Code Pointer Masking: Hardening Applications against Code Injection Attacks

  • Pieter Philippaerts
  • Yves Younan
  • Stijn Muylle
  • Frank Piessens
  • Sven Lachmund
  • Thomas Walter
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6739)


In this paper we present an efficient countermeasure against code injection attacks. Our countermeasure does not rely on secret values such as stack canaries and protects against attacks that are not addressed by state-of-the-art countermeasures of similar performance. By enforcing the correct semantics of code pointers, we thwart attacks that modify code pointers to divert the application's control flow. We have implemented a prototype of our solution in a C compiler for Linux. The evaluation shows that the overhead of using our countermeasure is small and the security benefits are substantial.


Keywords (added by machine, not by the authors): Function Pointer, Return Address, Library Function, Spec Benchmark, Code Pointer





Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Pieter Philippaerts (1)
  • Yves Younan (1)
  • Stijn Muylle (1)
  • Frank Piessens (1)
  • Sven Lachmund (2)
  • Thomas Walter (2)
  1. DistriNet Research Group, Belgium
  2. DOCOMO Euro-Labs, Germany
