2026-05-18

PLaTypus: Restricting Cross-Module Transitions to Mitigate Code-Reuse Attacks

Summary

Numerous techniques have been proposed to thwart code reuse attacks, yet practical adoption remains limited due to compatibility and deployment challenges. In the current and foreseeable Intel architecture landscape, the main line of defense against such attacks is Intel CET—a hardware-enforced control-flow integrity mechanism integrated into recent Intel x86-64 CPUs. However, despite its hardware-backed protections and widespread adoption, CET still provides only partial security: it continues to allow hijacked function pointers to invoke arbitrary functions across module boundaries, a capability that remains fundamental to many modern exploits. This paper proposes PLATYPUS, a novel defense on top of Intel CET to address this limitation. PLATYPUS enforces execution jails using lightweight address masking to ensure indirect control transfers remain within module boundaries. Cross-DSO function calls are only permitted via necessary PLT stubs specific to each DSO. The evaluation on our LLVM-based prototype, spanning 19 applications and 16 shared libraries (including glibc), demonstrates that PLATYPUS reduces indirectly accessible cross-DSO functions by over 98%. Performance testing with complex applications like Nginx and Redis shows that PLATYPUS incurs no more than 0.5% overhead.

Conference Paper

IEEE Symposium on Security and Privacy (S&P)

Date published

2026-05-18

Date last modified

2026-04-23