Biblio

The authors present dynamic reencryption of return addresses to mitigate their leakage. The authors' method enforces programs to save return addresses as encrypted and renew the encryption states with fresh keys before or after vulnerable operations. When a function returns, it should restore the return address from its encryption using the most recent key not to cause a crash. Under the protection of their method, return addresses and keys may leak, but the disclosed bits become garbage because keys govern all return addresses through encryption, while changing before control-flow proceeds into a vulnerable region. As a result, it becomes probabilistically infeasible to build exploits for intercepting control-flow by using leaked return addresses or keys. They implemented the proposed method as an extension of the LLVM compiler that inserts reencryption code where necessary. They also have confirmed its effectiveness against information leak attacks carried out in the early stage of blind return-oriented programming (BROP). The performance overhead ranges below 11.6% for processor-intensive programs and 4.12% or less for web servers.