Buffer overflow attacks are the predominant threat to the secure
operation of network and Internet-based computing.  Stack smashing is
a common mode of buffer overflow attack for hijacking system control.
It is performed by overflowing a stack-allocated buffer in order to
overwrite a return address with the address of a malicious piece of
code.  This paper evaluates two architecture-based techniques to
defend systems against such attacks: (1) the split control and data
stack, and (2) secure return address stack (SRAS).  The split stack
approach separates control and data stack to prevent the function
return address from being overwritten.  It can be both implemented
with compiler support or with architectural support.  We implemented
the compiler-based approach by modifying gcc compiler. Results show
that it is effective in protecting real applications with slight
performance overhead (2% for ftp server). The architecture-based split
stack approach can eliminate the performance overhead and requires
changes in the instruction set. The SRAS approach, instead detects an
attack when a return instruction is being retired and requires no ISA
changes or recompilation. It has been implemented in the SimpleScalar
processor simulator. Simulation results show that the max overhead is
0.02% with a SRAS size of 64 entries for SPECINT 2000 benchmarks.