Return-Oriented Programming
What is Return-Oriented Programming?
Return-Oriented Programming (ROP) is a code-reuse exploit technique that chains short instruction sequences ending in RET to execute arbitrary computation without injecting new code.
Hovav Shacham introduced ROP in 2007 to bypass DEP/W^X mitigations. The attacker corrupts the stack and writes a chain of addresses, each pointing to a short gadget ending in RET. After each gadget runs, RET pops the next gadget address, producing a Turing-complete computation built only from existing executable bytes (libc, libraries, the program). Variants include JOP (jumps), COP (calls), and SROP (signal frames). ROP is the principal reason ASLR, CFI, stack canaries, shadow stacks, Intel CET and memory-safe languages were standardized; defenses target gadget availability, control-flow integrity, or memory safety at the source.
● Examples
- 01
An exploit chaining pop-rdi/syscall gadgets in glibc to call execve("/bin/sh").
- 02
A kernel exploit using kASLR-leak plus ROP into commit_creds(prepare_kernel_cred(0)).
● Frequently asked questions
What is Return-Oriented Programming?
Return-Oriented Programming (ROP) is a code-reuse exploit technique that chains short instruction sequences ending in RET to execute arbitrary computation without injecting new code. It belongs to the Application Security category of cybersecurity.
What does Return-Oriented Programming mean?
Return-Oriented Programming (ROP) is a code-reuse exploit technique that chains short instruction sequences ending in RET to execute arbitrary computation without injecting new code.
How does Return-Oriented Programming work?
Hovav Shacham introduced ROP in 2007 to bypass DEP/W^X mitigations. The attacker corrupts the stack and writes a chain of addresses, each pointing to a short gadget ending in RET. After each gadget runs, RET pops the next gadget address, producing a Turing-complete computation built only from existing executable bytes (libc, libraries, the program). Variants include JOP (jumps), COP (calls), and SROP (signal frames). ROP is the principal reason ASLR, CFI, stack canaries, shadow stacks, Intel CET and memory-safe languages were standardized; defenses target gadget availability, control-flow integrity, or memory safety at the source.
How do you defend against Return-Oriented Programming?
Defences for Return-Oriented Programming typically combine technical controls and operational practices. As described above, they target gadget availability (ASLR, so gadget addresses cannot be predicted), control-flow integrity (CFI, shadow stacks, Intel CET, stack canaries, so a corrupted return address is detected or rejected), or memory safety at the source (memory-safe languages, so the stack is never corrupted in the first place).
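One concrete check a defender can run against the shadow-stack and Intel CET controls named above is whether a given binary was actually built with them. On x86-64 Linux the toolchain records this in the ELF `.note.gnu.property` note: a `GNU_PROPERTY_X86_FEATURE_1_AND` property whose IBT and SHSTK bits are set only if every linked object was compiled with CET support, so a single non-CET object clears the bit for the whole binary. The following Python is an added example written for this page, not code from the page or from any project it mentions; it assumes ELF64 little-endian input, and the sample note it is tested with is constructed inline.

```python
import struct
import sys
from typing import Dict, List, Set, Tuple

# ELF / x86-64 psABI constants (real values from the ABI documents).
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
GNU_PROPERTY_X86_FEATURE_1_IBT = 0x1    # Indirect Branch Tracking
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 0x2  # hardware shadow stack
SHT_NOTE = 7


def parse_notes(section: bytes) -> List[Tuple[bytes, int, bytes]]:
    """Split a note section into (name, type, desc) triples.
    Each note is a 12-byte header followed by name and desc, each padded to 4 bytes."""
    notes = []
    off = 0
    while off + 12 <= len(section):
        namesz, descsz, ntype = struct.unpack_from("<III", section, off)
        off += 12
        name = section[off:off + namesz].rstrip(b"\0")
        off += (namesz + 3) & ~3
        desc = section[off:off + descsz]
        off += (descsz + 3) & ~3
        notes.append((name, ntype, desc))
    return notes


def parse_gnu_properties(desc: bytes, align: int = 8) -> Dict[int, bytes]:
    """Split a NT_GNU_PROPERTY_TYPE_0 descriptor into {pr_type: pr_data}.
    Each property is (u32 type, u32 datasz, data), padded to 8 bytes on ELF64."""
    props = {}
    off = 0
    while off + 8 <= len(desc):
        pr_type, datasz = struct.unpack_from("<II", desc, off)
        off += 8
        props[pr_type] = desc[off:off + datasz]
        off += (datasz + align - 1) // align * align
    return props


def cet_features_from_note_section(section: bytes) -> Set[str]:
    """Return the CET features ('IBT', 'SHSTK') the linker recorded for the binary.
    An empty set means the binary will not get CET protection from the loader."""
    features = set()
    for name, ntype, desc in parse_notes(section):
        if name != b"GNU" or ntype != NT_GNU_PROPERTY_TYPE_0:
            continue
        data = parse_gnu_properties(desc).get(GNU_PROPERTY_X86_FEATURE_1_AND)
        if data is None or len(data) < 4:
            continue
        flags = struct.unpack("<I", data[:4])[0]
        if flags & GNU_PROPERTY_X86_FEATURE_1_IBT:
            features.add("IBT")
        if flags & GNU_PROPERTY_X86_FEATURE_1_SHSTK:
            features.add("SHSTK")
    return features


def cet_features_from_elf(path: str) -> Set[str]:
    """Walk the section headers of an ELF64 little-endian file and collect
    CET flags from every SHT_NOTE section (this covers .note.gnu.property)."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian files are handled here")
    e_shoff, = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    features = set()
    for i in range(e_shnum):
        base = e_shoff + i * e_shentsize
        sh_type, = struct.unpack_from("<I", data, base + 4)
        if sh_type != SHT_NOTE:
            continue
        sh_offset, sh_size = struct.unpack_from("<QQ", data, base + 0x18)
        features |= cet_features_from_note_section(data[sh_offset:sh_offset + sh_size])
    return features


def build_property_note(flags: int) -> bytes:
    """Constructed test input: a .note.gnu.property section that carries only
    the x86 FEATURE_1_AND property with the given flag bits."""
    prop = struct.pack("<III", GNU_PROPERTY_X86_FEATURE_1_AND, 4, flags) + b"\0" * 4
    name = b"GNU\0"
    return struct.pack("<III", len(name), len(prop), NT_GNU_PROPERTY_TYPE_0) + name + prop


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sorted(cet_features_from_elf(sys.argv[1])))
    else:
        # Offline demonstration on the constructed note.
        print(sorted(cet_features_from_note_section(build_property_note(0x3))))
```

Run it with a path to audit a real binary (`python cet_check.py /path/to/binary`); the same information is what `readelf -n` prints under "x86 feature", but having it as a function makes it easy to sweep a whole install and list every executable or shared library that would silently disable the shadow stack for the processes that load it.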
What are other names for Return-Oriented Programming?
Common alternative names include: ROP, Code reuse attack, Return-to-libc.
● Related terms
- appsec № 064
ASLR
Address Space Layout Randomization randomizes the memory locations of code, stacks, heaps, and libraries so attackers cannot reliably predict target addresses for exploits.
- appsec № 303
DEP
Data Execution Prevention (also called NX or W^X) marks memory pages as non-executable so attackers cannot run shellcode injected into the stack or heap.
- appsec № 217
Control-Flow Integrity
Control-Flow Integrity (CFI) constrains a program's indirect calls and returns to a precomputed set of legitimate targets, blocking ROP and JOP exploits that hijack control flow.
- appsec № 1028
Shadow Stack
A shadow stack is a separate, protected stack that stores copies of return addresses so the CPU can detect tampering with the regular stack and block ROP attacks.
- appsec № 545
Intel CET
Intel CET (Control-flow Enforcement Technology) is a CPU feature combining a hardware shadow stack and Indirect Branch Tracking (IBT) to block ROP, JOP and COP exploits.
- appsec № 670
Memory Safety
Memory safety is the property that a program never reads, writes, or executes memory it has not legitimately allocated, preventing entire classes of vulnerabilities.
● See also
- № 1095 Stack Canary
- № 1058 SMEP / SMAP
- № 671 Memory-Safe Languages