Jump-Oriented Programming
What is Jump-Oriented Programming?
A code-reuse exploitation technique (Bletsch et al., 2011) that chains gadgets ending in indirect jumps via a dispatcher gadget, providing an alternative to ROP that never relies on ret instructions.
JOP was introduced by Bletsch, Jiang, Freeh and Liang in 2011 as a generalisation of Return-Oriented Programming. Instead of gadgets ending in ret, JOP uses gadgets ending in indirect jumps such as jmp [rax] and an attacker-controlled dispatcher gadget that walks through a table of gadget addresses. Because the call stack is never used to control flow, JOP defeats older mitigations like shadow stacks or stack canaries that target ret-based chains. Practical JOP chains have been demonstrated against Windows, Linux and embedded targets, often combined with information leaks to bypass ASLR. Modern hardware defences include CET/IBT (Intel) and BTI (ARM), which restrict indirect branch targets and break naive JOP chains.
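A defender-side check tied to the hardware defences named above, added here as an example that is not part of the original entry: on x86-64 the linker records CET compatibility in a .note.gnu.property note, and the IBT bit in that note is what tells the loader that every indirect-branch target in the object carries an endbr64 landing pad, which is the property that breaks a naive JOP dispatcher. The note-format constants and the two sample notes are assumptions and constructed data, not values from the page.

```python
import struct

# Constants from the GNU property note ABI for x86-64 (assumed here; not from the page).
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
GNU_PROPERTY_X86_FEATURE_1_IBT = 1 << 0    # object has endbr64 landing pads (CET/IBT)
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 1 << 1  # object is shadow-stack compatible (CET/SHSTK)


def x86_feature_1_bits(note, align=8):
    """Return the FEATURE_1_AND bitmask from a raw .note.gnu.property blob, or None."""
    if len(note) < 12:
        return None
    namesz, descsz, ntype = struct.unpack_from("<III", note, 0)
    if ntype != NT_GNU_PROPERTY_TYPE_0 or note[12:12 + namesz] != b"GNU\0":
        return None
    desc_off = 12 + ((namesz + 3) & ~3)  # note name is padded to a 4-byte boundary
    desc = note[desc_off:desc_off + descsz]
    off = 0
    while off + 8 <= len(desc):
        pr_type, pr_datasz = struct.unpack_from("<II", desc, off)
        off += 8
        if (pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4
                and off + 4 <= len(desc)):
            return struct.unpack_from("<I", desc, off)[0]
        off += (pr_datasz + align - 1) & ~(align - 1)  # properties are 8-byte aligned on x86-64
    return None


def cet_status(note):
    """Summarise whether an object is marked IBT- and SHSTK-compatible."""
    bits = x86_feature_1_bits(note)
    return {
        "marked": bits is not None,
        "ibt": bits is not None and bool(bits & GNU_PROPERTY_X86_FEATURE_1_IBT),
        "shstk": bits is not None and bool(bits & GNU_PROPERTY_X86_FEATURE_1_SHSTK),
    }


# Constructed sample notes (hand-built for this example, not dumped from a real binary).
# a) one property: FEATURE_1_AND = IBT | SHSTK
NOTE_CET = bytes.fromhex(
    "04000000" "10000000" "05000000" "474e5500"   # namesz, descsz, type, "GNU\0"
    "020000c0" "04000000" "03000000" "00000000"   # pr_type, pr_datasz, value, pad
)
# b) an unrelated ISA property first, then FEATURE_1_AND = 0 (neither IBT nor SHSTK)
NOTE_NO_CET = bytes.fromhex(
    "04000000" "20000000" "05000000" "474e5500"
    "028000c0" "04000000" "01000000" "00000000"
    "020000c0" "04000000" "00000000" "00000000"
)
```

An object whose status comes back with "marked" false or "ibt" false will run without IBT enforcement even on CET-capable hardware, so this is the flag an inventory check should raise.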
● Examples
- 01: Building a JOP chain against an embedded firmware where the ret-based call stack is hardened but indirect jumps remain unconstrained.
- 02: Combining a JOP dispatcher with library code on Linux to call execve while bypassing a shadow-stack-only defence.
● Frequently asked questions
What is Jump-Oriented Programming?
A code-reuse exploitation technique (Bletsch et al., 2011) that chains gadgets ending in indirect jumps via a dispatcher, providing an alternative to ROP without using ret. It belongs to the Attacks & Threats category of cybersecurity.
How do you defend against Jump-Oriented Programming?
The defences named above apply: hardware restrictions on indirect branch targets such as Intel CET/IBT and ARM BTI, and Control-Flow Integrity, which limit the gadget addresses a dispatcher can jump to. Mitigations that only police ret-based control flow, such as shadow stacks, do not stop JOP on their own.
What are other names for Jump-Oriented Programming?
Common alternative names include: JOP.
● Related terms
- one_gadget RCE (attacks № 753)
An exploitation shortcut in CTFs and real exploits that calls a single libc address to spawn a shell, provided register and stack constraints are met.
- Control-Flow Integrity (appsec № 217)
Control-Flow Integrity (CFI) constrains a program's indirect calls and returns to a precomputed set of legitimate targets, blocking ROP and JOP exploits that hijack control flow.
- ASLR (appsec № 064)
Address Space Layout Randomization randomizes the memory locations of code, stacks, heaps, and libraries so attackers cannot reliably predict target addresses for exploits.
- Memory Corruption (vulnerabilities № 667)
An umbrella term for vulnerabilities where a program writes outside the bounds of intended memory, undermining type-safety, control flow, or data integrity.