The hijack of control breaks assumptions on how the program behaves, violating its execution model. For example, nearly all programs follow a calling convention where a return address must point to the caller. Yet the hardware imposes no restrictions on return address targets, allowing an attacker who overwrites a return address to successfully divert control flow to malicious code.
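
The gap between the calling convention and what the hardware enforces can be shown with a toy model. This is an added example, not code from the original text or its author: the machine_t structure, the shadow copy used as the check, and all addresses are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define DEPTH 16
/* Toy model: "addresses" are plain integers, not real code pointers. */
typedef struct {
    uint32_t stack[DEPTH];   /* program-writable slots holding return addresses */
    uint32_t shadow[DEPTH];  /* monitor's copy, assumed out of the program's reach */
    unsigned sp;             /* number of active frames */
} machine_t;
typedef enum { RET_OK, RET_VIOLATION, RET_UNDERFLOW } ret_status_t;

/* Call: record the caller's resume address in both places. */
static int do_call(machine_t *m, uint32_t resume_addr) {
    if (m->sp >= DEPTH) return -1;
    m->stack[m->sp] = m->shadow[m->sp] = resume_addr;
    m->sp++;
    return 0;
}
/* Return as the hardware does it: whatever is in the slot becomes the target. */
static ret_status_t ret_unchecked(machine_t *m, uint32_t *target) {
    if (m->sp == 0) return RET_UNDERFLOW;
    *target = m->stack[--m->sp];
    return RET_OK;
}
/* Return under the execution model: the slot must still name the caller. */
static ret_status_t ret_checked(machine_t *m, uint32_t *target) {
    if (m->sp == 0) return RET_UNDERFLOW;
    m->sp--;
    if (m->stack[m->sp] != m->shadow[m->sp]) return RET_VIOLATION;
    *target = m->stack[m->sp];
    return RET_OK;
}
/* One call, an optional overwrite of the saved slot, then one return. */
ret_status_t run_scenario(int overwrite, int checked, uint32_t *target) {
    machine_t m = { .sp = 0 };
    do_call(&m, 0x1004u);                       /* constructed call-site address */
    if (overwrite) m.stack[m.sp - 1] = 0xBAD0u; /* constructed bogus value */
    return checked ? ret_checked(&m, target) : ret_unchecked(&m, target);
}
int main(void) {
    uint32_t t = 0;
    ret_status_t s = run_scenario(1, 0, &t);
    printf("unchecked: status=%d target=0x%x\n", (int)s, (unsigned)t);
    t = 0;
    s = run_scenario(1, 1, &t);
    printf("checked:   status=%d target=0x%x\n", (int)s, (unsigned)t);
    return 0;
}
```

The unchecked return reports success for the overwritten slot, which is the point of the paragraph above: nothing at that level distinguishes the caller's address from any other value.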

  Copyright © 2004 Derek Bruening