Drop-In Control Flow Hijacking Prevention through Dynamic Library Interception

A longstanding issue in computer security is preventing an attacker from gaining arbitrary execution rights from the exploitation of common programming mistakes, which result in opening unintentional breaches in the behavior of executable code. In particular, buffer overflows on the stack and the possibility for an attacker to manipulate format strings in formatted I/O functions still represent, according to the classification provided by the SANS institute, the third and 23rd most significant threats to the security of a system, respectively. We provide a drop-in countermeasure intercepting calls to dynamic libraries, to prevent both stack-based buffer overflows and uncontrolled format strings from providing a viable entry point for an attacker, while keeping the average performance overhead below 4% for I/O intensive applications and within 2% for CPU bound ones. We tested our approach on a large benchmark suite on a common Linux distribution, without making any modifications.