Code reuse attacks have been a threat to software security for over two decades. Instead of injecting their own malicious code, attackers exploit existing program components. These attacks typically rely on so-called memory corruption vulnerabilities, such as buffer overflows or use-after-free errors in C or C++ software. “Such vulnerabilities can be found in web servers, browsers, or VPN systems, among other places. If an attack is successful, attackers can, for example, extract sensitive data, install malware, or take complete control of systems,” explains CISPA researcher Apostolos Chatzianagnostou.
What? New hardening layer “PLaTypus” against code-reuse attacks
Who? Developed by CISPA researchers Apostolos Chatzianagnostou and Marcos Bajo from the team of CISPA-Faculty Prof. Dr. Christian Rossow
Based on? Extends hardware-based protection mechanisms such as Intel CET and ARM BTI
Problem? Existing protection mechanisms still allow transitions between different program libraries
Solution? PLaTypus restricts indirect control-flow transfers to the same library; cross-library transitions are only permitted through intended interfaces
Security impact? Reduces indirectly reachable functions across library boundaries by more than 98 percent
Practical relevance? Less than 0.5 percent runtime overhead in tests with Nginx and Redis
Status? Research prototype for Intel systems; discussions with the LLVM community about possible integration into real-world toolchains are ongoing
PLaTypus Restricts Abitrary Transition Between Libraries
To make code-reuse attacks more difficult, modern processors are increasingly relying on hardware-based protection mechanisms such as Intel CET or ARM Branch Target Identification (BTI). These are designed to prevent attackers from redirecting a program’s control flow to unintended code sections via manipulated indirect calls or return addresses. “Protection mechanisms like CET or BTI are expected to become standard in modern systems in the coming years. However, we have found that they still leave an important attack vector open: attackers can still arbitrarily jump between functions across different libraries,” explains Apostolos Chatzianagnostou.
The additional hardening layer PLaTypus addresses this specific issue. It ensures that indirect transitions remain within the same program library as much as possible. Transitions between different libraries are only permitted via explicitly designated mechanisms, specifically the PLT stubs. These are small pieces of code that Linux systems use to dispatch calls to shared library functions at runtime. This is intended to prevent attackers from using compromised function pointers to jump to arbitrary functions in other libraries. “Our central motivation was simple: if a module does not explicitly require access to a function, it should not be able to jump to it indirectly either,” explains Chatzianagnostou.
Practical Rather than Theoretical
Unlike many academic security approaches, PLaTypus deliberately takes a practical approach. Instead of replacing existing protection mechanisms, the mitigation complements existing security features and leverages already established mechanisms of modern operating systems. This keeps the additional runtime overhead low and makes integration into existing software more realistic.
According to the researchers, PLaTypus reduces the number of indirectly accessible functions between libraries by more than 98 percent. In tests with applications such as Nginx or Redis, the approach also caused less than 0.5 percent in additional runtime overhead. “Our prototype is currently implemented for Intel architecture, but the approach could also work in ARM systems,” says Chatzianagnostou.
From Research to Real-World Toolchains
PLaTypus is still a research prototype. However, the researchers are already in dialogue with the LLVM community to explore possible paths for integration into the standard LLVM toolchain. Since PLaTypus is a compiler-based mitigation built on top of LLVM, such integration would be an important step toward practical deployment. “The path from academic security approaches to real development tools is complex and only possible through close collaboration with the community, in our case, the LLVM developers. I would be delighted if we could realize this in a joint project,” explains Chatzianagnostou.
The paper “PLaTypus: Restricting Cross-Module Transitions to Mitigate Code-Reuse Attacks” is currently being presented at the IEEE Security & Privacy Symposium 2026 in San Francisco and will be presented in August at Black Hat in Mandalay Bay, Las Vegas.
