Jumps Land Safely

The LandHere architecture is a small extension of the Intel x86_64 instruction set architecture. It adds two features which have been proposed in academic literature as possible mitigations for code-reuse attacks.

Special landing pad instructions that are used to mark the targets of dynamic control flow. These ensure that the actual control flow of a program cannot deviate significantly from the programmer's intended control flow. For example, an attacker cannot induce a program to jump into the middle of a function body, or "return" to the head of a function.

A shadow stack, which is a separate stack structure that maintains redundant data about the current state of the program's stack. This allows the program to verify that the actual stack state matches the intended stack state, making it more resilient to modification by an attacker.
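As an added illustration (not code from the LandHere project or from Intel), here is a toy interpreter for a hypothetical instruction set that carries both checks: every CALL or indirect jump target must begin with a landing-pad instruction, and RET compares the saved return address against a shadow copy. The SMASH opcode is a constructed stand-in for a stack-smashing bug, and the programs at the bottom are constructed inputs.

```c
/* Toy model of the two checks: a landing-pad instruction (LAND) that every
 * indirect branch target must begin with, and a shadow stack compared on RET.
 * Hypothetical opcodes and encoding, not the real LandHere or CET ISA. */
enum op { NOP, LAND, CALL, RET, JMPI, SMASH, HALT };
enum fault { OK = 0, FAULT_NO_LANDING_PAD, FAULT_SHADOW_MISMATCH, FAULT_BAD_PC };
struct insn { enum op op; int arg; };

#define STACK_MAX 16

/* Run prog from pc 0; use_shadow=0 models a CPU with landing pads only. */
enum fault run(const struct insn *prog, int len, int use_shadow)
{
    int pc = 0, sp = 0, stack[STACK_MAX], shadow[STACK_MAX];
    for (int steps = 0; steps < 1000; steps++) {
        if (pc < 0 || pc >= len) return FAULT_BAD_PC;
        struct insn in = prog[pc];
        switch (in.op) {
        case NOP: case LAND: pc++; break;
        case CALL: case JMPI:
            /* Indirect-branch check: the target must be a landing pad. */
            if (in.arg < 0 || in.arg >= len || prog[in.arg].op != LAND)
                return FAULT_NO_LANDING_PAD;
            if (in.op == CALL) {
                if (sp >= STACK_MAX) return FAULT_BAD_PC;
                stack[sp] = pc + 1;  /* ordinary stack: corruptible */
                shadow[sp] = pc + 1; /* shadow stack: not corruptible */
                sp++;
            }
            pc = in.arg; break;
        case SMASH: /* constructed stand-in for a stack-smashing bug */
            if (sp > 0) stack[sp - 1] = in.arg;
            pc++; break;
        case RET:
            if (sp == 0) return FAULT_BAD_PC;
            sp--;
            if (use_shadow && stack[sp] != shadow[sp]) return FAULT_SHADOW_MISMATCH;
            pc = stack[sp]; break;
        case HALT: return OK;
        }
    }
    return FAULT_BAD_PC; /* runaway loop */
}

/* Constructed programs: a well-behaved call, a jump into a function body, and
 * a smashed return address that points at a different landing pad. */
static const struct insn benign[] = {{CALL,3},{HALT,0},{NOP,0},{LAND,0},{NOP,0},{RET,0}};
static const struct insn jump_mid[] = {{JMPI,4},{HALT,0},{NOP,0},{LAND,0},{NOP,0},{RET,0}};
static const struct insn smashed[] = {{CALL,3},{HALT,0},{NOP,0},{LAND,0},{SMASH,6},{RET,0},{LAND,0},{HALT,0}};
#define LEN(a) ((int)(sizeof(a) / sizeof((a)[0])))
```

Running `smashed` with `use_shadow` set to 0 shows why both features are needed: the overwritten return address lands on a valid landing pad, so only the shadow stack catches it.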

This is not that much different from the humorous proposal for a come-from instruction as an alternative to the go-to instruction, which was then considered harmful and was banished by structured programming.

This would certainly mitigate accidental stack-smashing bugs and the elaborate exploits built on them, but the ingenuity shown in the willful abuse of insufficiently careful programs knows no bounds.

Beyond stack smashing, return-oriented programming reuses the trailing instructions of code written for one control flow: the attacker "returns" into that tail to invoke behavior the programmer never intended.

See Intel's Control-flow Enforcement Technology Preview, which describes their versions of Shadow Stack and Indirect Branch Tracking. June 2016.

See The Performance Cost of Shadow Stacks and Stack Canaries. April 2015.