A research team at CISPA has built PLaTypus, a compiler-based mitigation that sharply narrows the set of functions a code reuse attack can reach, even on systems already protected by Intel's hardware control-flow defenses.
Researchers at the CISPA Helmholtz Center for Information Security in Germany have developed a new mitigation tool called PLaTypus that significantly strengthens hardware-based protections against one of the oldest and most persistent classes of software attacks: code reuse attacks.
Code reuse attacks have threatened software security for more than two decades. Rather than injecting entirely new malicious code, attackers exploit fragments of code that already exist within a program. These exploits typically take advantage of memory corruption vulnerabilities — such as buffer overflows or use-after-free errors — commonly found in software written in C or C++.
“Such vulnerabilities can be found in web servers, browsers, or VPN systems, among other places. If an attack is successful, attackers can, for example, extract sensitive data, install malware, or take complete control of systems,” Apostolos Chatzianagnostou, a CISPA researcher, said in a news release.
To combat such threats, modern processors have introduced hardware-based control-flow protections. Intel Control-flow Enforcement Technology (CET) combines Indirect Branch Tracking, which only lets an indirect call or jump land on an instruction marked as a valid entry point (ENDBR), with a shadow stack that protects return addresses; ARM Branch Target Identification (BTI) likewise restricts indirect branches to marked landing pads. These mechanisms are designed to prevent attackers from hijacking a program's execution path by redirecting indirect calls or corrupting return addresses. However, the CISPA team found a meaningful gap in these defenses.
“Protection mechanisms like CET or BTI are expected to become standard in modern systems in the coming years. However, we have found that they still leave an important attack vector open: attackers can still arbitrarily jump between functions across different libraries,” Chatzianagnostou added.
How PLaTypus Works
PLaTypus addresses this gap by restricting indirect control transfers between software libraries. Under the new scheme, an indirect call or jump is generally confined to the library in which it originates. Cross-library transitions are permitted only through explicitly designated entry points, namely PLT stubs: the small trampolines in the Procedure Linkage Table through which dynamically linked ELF programs on Linux call functions imported from shared libraries. Because a PLT stub exists only for functions a module actually imports, the set of sanctioned cross-library targets is exactly the set the module declared it needs.
The goal is to prevent attackers from using a corrupted function pointer to leap from one library into arbitrary functions of another, including functions that a hardware check such as CET would accept as valid indirect targets but that were never meant to be reachable that way.
“Our central motivation was simple: if a module does not explicitly require access to a function, it should not be able to jump to it indirectly either,” added Chatzianagnostou.
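As an added illustration, not PLaTypus's code or the researchers' design, the following C program models the policy described above on a constructed memory layout: a hypothetical program `app` with a code range and a PLT range, a libc-like library, and a handful of function entry points at made-up addresses. `ibt_allows` stands in for the hardware landing-pad check that CET IBT or BTI performs; `crosslib_policy_allows` adds the article's rule that an indirect transfer may stay inside its own module or enter one of that module's PLT stubs, but may not jump straight into another library's code. Every name, address and range below is an assumption made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of the cross-library policy described in the article.  All
 * addresses and layouts are constructed for illustration; this is an added
 * example, not PLaTypus's implementation. */

typedef struct {
    const char *name;
    uintptr_t text_lo, text_hi;  /* this module's code, [lo, hi) */
    uintptr_t plt_lo, plt_hi;    /* this module's PLT stubs, [lo, hi) */
} module_t;

/* Constructed layout: a small program and a libc-like shared library. */
static const module_t g_app  = { "app",  0x401000u, 0x402000u, 0x400800u, 0x400900u };
static const module_t g_libc = { "libc", 0x7f0000020000ull, 0x7f0000180000ull,
                                         0x7f0000010000ull, 0x7f0000014000ull };
static const module_t *const g_modules[] = { &g_app, &g_libc };

/* Constructed code locations.  Function entries carry an ENDBR64 landing pad,
 * as CET-enabled toolchains emit; the gadget is a mid-function instruction. */
#define APP_CALLSITE  0x401180u          /* the indirect call site in the program */
#define APP_HANDLER   0x401100u          /* the callback the program intended to call */
#define APP_PLT_PUTS  0x400810u          /* puts@plt: the program imports puts */
#define APP_GADGET    0x401234u          /* arbitrary instruction, no landing pad */
#define LIBC_PUTS     0x7f0000080000ull  /* body of puts inside libc */
#define LIBC_SYSTEM   0x7f0000050000ull  /* body of system; never imported by app */

typedef struct { uintptr_t addr; bool landing_pad; } code_loc_t;
static const code_loc_t g_code[] = {
    { APP_HANDLER, true }, { APP_PLT_PUTS, true }, { APP_GADGET, false },
    { LIBC_PUTS, true },   { LIBC_SYSTEM, true },
};

static bool in_range(uintptr_t a, uintptr_t lo, uintptr_t hi) {
    return a >= lo && a < hi;
}

/* Which module owns an address (code or PLT), or NULL if unmapped. */
static const module_t *module_of(uintptr_t addr) {
    for (size_t i = 0; i < sizeof g_modules / sizeof g_modules[0]; i++) {
        const module_t *m = g_modules[i];
        if (in_range(addr, m->text_lo, m->text_hi) || in_range(addr, m->plt_lo, m->plt_hi))
            return m;
    }
    return NULL;
}

/* Hardware check as CET IBT / BTI performs it: the target must be a valid
 * landing pad.  It does not care which module the landing pad lives in. */
bool ibt_allows(uintptr_t target) {
    for (size_t i = 0; i < sizeof g_code / sizeof g_code[0]; i++)
        if (g_code[i].addr == target)
            return g_code[i].landing_pad;
    return false;  /* not a function entry at all */
}

/* Added layer modelled on the article's policy: an indirect transfer from
 * `caller` may stay inside its own module or enter one of that module's PLT
 * stubs; jumping straight into another library's code is refused. */
bool crosslib_policy_allows(uintptr_t caller, uintptr_t target) {
    const module_t *from = module_of(caller);
    const module_t *to = module_of(target);
    if (from == NULL || to == NULL)
        return false;
    if (!ibt_allows(target))
        return false;  /* keep the hardware check; this layer only narrows it */
    if (to == from && in_range(target, from->text_lo, from->text_hi))
        return true;  /* intra-module indirect call or jump */
    return in_range(target, from->plt_lo, from->plt_hi);  /* declared import */
}

/* Scenario: a function pointer in the program, possibly corrupted. */
static void report(const char *what, uintptr_t target) {
    printf("%-28s IBT: %-8s policy: %s\n", what,
           ibt_allows(target) ? "allowed" : "denied",
           crosslib_policy_allows(APP_CALLSITE, target) ? "allowed" : "denied");
}

int main(void) {
    report("intended callback", APP_HANDLER);
    report("puts via PLT stub", APP_PLT_PUTS);
    report("hijacked to libc system()", LIBC_SYSTEM);  /* passes IBT, fails policy */
    report("hijacked into libc puts body", LIBC_PUTS);  /* bypasses the stub: refused */
    report("hijacked to mid-function", APP_GADGET);
    return 0;
}
```

Build with `cc -std=c11 -Wall model.c && ./a.out`. The third and fourth lines of output are the gap the article describes: the targets are legitimate function entries with landing pads, so the hardware check passes, but the program never imported `system` and only reaches `puts` through its stub, so the cross-library rule refuses both. The model deliberately says nothing about callbacks a program hands to a library (a `qsort` comparator, for instance), because the article does not describe how PLaTypus treats that direction.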
According to the researchers, PLaTypus reduces the number of indirectly accessible cross-library functions by more than 98% — a dramatic narrowing of the attack surface. Equally important for real-world adoption, performance tests with popular applications like Nginx and Redis showed additional runtime overhead of less than 0.5%, a threshold low enough to be acceptable in production environments.
A Practical Approach to Security Research
What sets PLaTypus apart from many academic security proposals is its emphasis on practicality. Rather than replacing existing protections, it layers on top of them and works with the mechanisms already built into modern operating systems. This design philosophy keeps performance costs minimal and makes the tool far more realistic to deploy in existing software stacks.
The tool is currently implemented for Intel architecture, though the researchers believe the underlying approach could translate to ARM-based systems as well.
“Our prototype is currently implemented for Intel architecture, but the approach could also work in ARM systems,” Chatzianagnostou added.
Path Toward Real-World Deployment
PLaTypus remains a research prototype for now, but the team is already in active conversations with the LLVM open-source compiler community about a potential path to mainstream integration. Because PLaTypus is built on top of LLVM, merging it into the standard LLVM toolchain would be a significant step toward widespread deployment across the software industry.
“The path from academic security approaches to real development tools is complex and only possible through close collaboration with the community, in our case, the LLVM developers. I would be delighted if we could realize this in a joint project,” added Chatzianagnostou.
Why It Matters
For students studying computer science, cybersecurity or software engineering, PLaTypus illustrates an important principle: hardware protections alone are rarely sufficient. As processors add new security features, researchers continue to find gaps that software-level mitigations must fill. The work also highlights the critical role compiler toolchains play in the security ecosystem — a dimension of security often overlooked in introductory coursework but central to how defenses actually reach end users.
With connected infrastructure, cloud services and personal devices all running software potentially vulnerable to code reuse attacks, advances like PLaTypus have implications far beyond the research lab. Closing even a fraction of the attack surface available to adversaries can meaningfully raise the cost and complexity of a successful exploit.
The research is available here.
