Efficient Return Address Verification Based on Dislocated Stack

2020 
Return-oriented programming (ROP) is a prevalent code reuse technique that hijacks a program’s control flow by modifying its return addresses on the stack. Researchers have proposed return address verification methods that use a message authentication code (MAC), but these approaches suffer from high performance overhead. In this article, we first propose Dislocated Stack, a new stack layout in which, on a function call, the previous return address is pushed onto the current stack frame and the current return address is stored in a hardware buffer. Based on Dislocated Stack, we design two new verification approaches, Lazy Verification and Batch Verification. Lazy Verification does not verify a return address popped from the stack until it is about to be used for a return. Batch Verification verifies several return addresses at one time. We implemented both designs on the RISC-V architecture and quantitatively analyzed their effect on QEMU. Our experiments show that Lazy Verification eliminates over 99% of the verifications on function returns and incurs only 1.23% performance overhead, while Batch Verification incurs merely 0.78%. These results demonstrate that both approaches are highly efficient for return address verification.
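The following simulation is an added illustration of the mechanism the abstract describes; it is not the authors' RISC-V or QEMU implementation. It models the hardware buffer as a small list that software cannot write, the stack as a list of (address, MAC) slots that a memory-corruption bug can overwrite, and the three policies as eager (verify when restored from memory), lazy (verify only when used for a return) and batch (restore several slots and verify them in one pass). The MAC (HMAC-SHA256 truncated to 64 bits), the batch buffer size of 4, the refill-on-return behaviour and the constructed addresses are assumptions of this example, and the check counts it produces are properties of this model, not the paper's measurements.

```python
import hashlib
import hmac

# Constructed demo secret. In a hardware design the key never lives in memory;
# this value is an assumption for the simulation, not something from the paper.
MAC_KEY = b"constructed-demo-key-not-from-the-paper"


def tag(ret_addr: int) -> bytes:
    """MAC of a return address (HMAC-SHA256 truncated to 64 bits; assumed, not the paper's MAC)."""
    return hmac.new(MAC_KEY, ret_addr.to_bytes(8, "little"), hashlib.sha256).digest()[:8]


class ReturnAddressTampered(Exception):
    """Raised when a return address fails its MAC check before it is used for a return."""


class DislocatedStack:
    """Call/return model: newest return address(es) live in a hardware buffer.

    "eager": verify a return address as soon as it is restored from memory.
    "lazy":  verify it only when it is about to be used for a return.
    "batch": restore several addresses at once and verify them in one pass.
    """

    def __init__(self, mode: str = "lazy", batch_size: int = 4) -> None:
        self.mode = mode
        self.cap = batch_size if mode == "batch" else 1
        self.mem = []    # software-visible stack slots [addr, tag]; a memory bug can overwrite them
        self.buf = []    # hardware buffer entries (addr, tag, verified); not reachable from software
        self.checks = 0  # individual MAC comparisons performed
        self.passes = 0  # verification events (one batch pass counts once)

    def call(self, ret_addr: int) -> None:
        # A call spills the oldest buffered return address (with its MAC) onto the
        # current frame and places the new return address in the hardware buffer.
        if len(self.buf) == self.cap:
            addr, t, _ = self.buf.pop(0)
            self.mem.append([addr, t])
        self.buf.append((ret_addr, tag(ret_addr), True))

    def _verify(self, addr: int, t: bytes) -> None:
        self.checks += 1
        if not hmac.compare_digest(tag(addr), t):
            raise ReturnAddressTampered(hex(addr))

    def _refill(self) -> None:
        # Restore up to `cap` saved return addresses from memory, newest first.
        entries = [self.mem.pop() for _ in range(min(self.cap, len(self.mem)))]
        if self.mode == "batch":
            self.passes += 1
            for addr, t in entries:
                self._verify(addr, t)
        elif self.mode == "eager":
            for addr, t in entries:
                self.passes += 1
                self._verify(addr, t)
        verified = self.mode != "lazy"
        self.buf = [(addr, t, verified) for addr, t in reversed(entries)]

    def ret(self) -> int:
        # The return target always comes from the hardware buffer; a lazily
        # restored entry is verified here, right before it is used.
        addr, t, verified = self.buf.pop()
        if not verified:
            self.passes += 1
            self._verify(addr, t)
        if not self.buf and self.mem:
            self._refill()
        return addr


def loop_checks(mode: str, iterations: int = 50) -> tuple:
    """A calls B `iterations` times in a loop, then A returns. Returns (checks, passes)."""
    s = DislocatedStack(mode)
    s.call(0x401000)                      # constructed: main -> A
    for i in range(iterations):
        s.call(0x402000 + 4 * i)          # constructed: A -> B
        assert s.ret() == 0x402000 + 4 * i
    assert s.ret() == 0x401000
    return s.checks, s.passes


def nested_checks(mode: str, depth: int = 10) -> tuple:
    """`depth` nested calls followed by `depth` returns. Returns (checks, passes)."""
    s = DislocatedStack(mode)
    for i in range(depth):
        s.call(0x401000 + 0x100 * i)
    for i in reversed(range(depth)):
        assert s.ret() == 0x401000 + 0x100 * i
    return s.checks, s.passes


def detects_tampering(mode: str, depth: int = 6) -> bool:
    """Overwrite a saved return-address slot (constructed stack corruption) and
    report whether the MAC check fires before any return uses the forged value."""
    s = DislocatedStack(mode)
    for i in range(depth):
        s.call(0x401000 + 0x100 * i)
    s.mem[-1][0] = 0xDEADBEEF          # constructed forged target written into a stack slot
    try:
        for _ in range(depth):
            s.ret()
    except ReturnAddressTampered:
        return True
    return False


if __name__ == "__main__":
    for mode in ("eager", "lazy", "batch"):
        print(mode, loop_checks(mode), nested_checks(mode), detects_tampering(mode))
```

In the loop workload the eager policy re-verifies A's return address every time it is restored after a B return, while the lazy policy defers that to the single point where A actually returns, so the count drops from 50 checks to 1 with the same corrupted slot still caught before use. In the deeply nested workload the batch policy restores four slots per refill and verifies them together, reducing the number of verification events even though each slot is still checked once.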