Return-oriented programming
Return-oriented programming is a computer security exploit technique in which the attacker uses control of the call stack to indirectly execute cherry-picked machine instructions, or groups of machine instructions, that sit immediately before the return instruction of subroutines within the existing program code, in a way similar to the execution of a threaded code interpreter.
Because all the instructions that are executed come from executable memory areas within the original program, this avoids the need for direct code injection and circumvents most measures, such as executable space protection, that try to prevent the execution of instructions from user-controlled memory.
Often the executed code itself consists of only 2 or 3 assembler instructions, which can already perform a well-defined attack operation.
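The "threaded code interpreter" comparison is the key idea: once the return address slot on the stack is under attacker control, every `ret` behaves like a fetch of the next "instruction" (a gadget address) from the stack, so the stack pointer takes over the role of the instruction pointer. The following toy stack machine is an added, constructed illustration of that mechanism and of the defensive counterpart, a shadow stack that records every address a `call` pushed and rejects a `ret` to any other address. It is not code from the original article; the addresses, the tiny instruction set and the `CODE` image are all invented for the example and bear no relation to a real architecture.

```python
"""Toy stack machine: shows why a chain of 'ret'-terminated code
fragments is driven by the stack like a threaded-code interpreter,
and how a shadow stack detects a return address that no call pushed.
Constructed example; the instruction set and addresses are invented."""

# Constructed "program image": address -> instruction tuple.
CODE = {
    # legitimate entry point: set acc = 5, call a function, stop
    1: ("load_imm", "acc", 5),
    2: ("call", 500),
    3: ("halt",),
    # a legitimate function: doubles acc, then returns to its caller
    500: ("add", "acc", "acc"),
    501: ("ret",),
    # unrelated library code that merely ends in 'ret'
    # (the 2-3 instruction fragments the text calls gadgets)
    600: ("pop", "r0"),
    601: ("ret",),
    700: ("add", "acc", "r0"),
    701: ("ret",),
}


class ReturnAddressMismatch(Exception):
    """Raised by the shadow stack when 'ret' targets an address no 'call' pushed."""


def run(ip, stack, shadow_stack=False, max_steps=100):
    """Execute CODE from address ip with the given initial stack.

    'stack' is a list whose last element is the top of the stack; a
    corrupted stack is simulated simply by passing attacker-chosen
    contents.  Returns (acc, trace) where trace lists executed addresses.
    """
    regs = {"acc": 0, "r0": 0}
    stack = list(stack)
    shadow = []          # return addresses pushed by 'call', defender's copy
    trace = []
    for _ in range(max_steps):
        instr = CODE[ip]
        op = instr[0]
        trace.append(ip)
        if op == "load_imm":
            regs[instr[1]] = instr[2]
            ip += 1
        elif op == "add":
            regs[instr[1]] += regs[instr[2]]
            ip += 1
        elif op == "pop":
            regs[instr[1]] = stack.pop()     # consumes data from the stack
            ip += 1
        elif op == "call":
            stack.append(ip + 1)             # architectural return address
            shadow.append(ip + 1)            # shadow copy, not writable by data
            ip = instr[1]
        elif op == "ret":
            target = stack.pop()             # the stack now dictates control flow
            if shadow_stack:
                expected = shadow.pop() if shadow else None
                if target != expected:
                    raise ReturnAddressMismatch(
                        f"ret to {target} at {ip}, shadow expected {expected}")
            ip = target
        elif op == "halt":
            return regs["acc"], trace
        else:
            raise ValueError(f"unknown op {op!r}")
    raise RuntimeError("step limit exceeded")


# Stack contents standing in for what a stack-smashing bug left behind:
# control reaches the 'ret' at 501 with the return slot and everything
# above it replaced.  Read from the top: 600, 7, 700, 600, 8, 700, 3.
FORGED_STACK = [3, 700, 8, 600, 700, 7, 600]


def shadow_detects(ip, stack):
    """True if the shadow stack rejects the run, False if it completes."""
    try:
        run(ip, stack, shadow_stack=True)
    except ReturnAddressMismatch:
        return True
    return False


if __name__ == "__main__":
    print("legitimate run:", run(1, []))
    print("stack-driven run:", run(501, FORGED_STACK))
    print("shadow stack flags forged run:", shadow_detects(501, FORGED_STACK))
```

In the stack-driven run no instruction outside the original image executes, which is exactly why a non-executable stack does not help; the trace alternates between the two fragments at 600 and 700 purely because the stack contents say so. The shadow-stack variant flags the very first `ret` at 501, since no `call` ever pushed 600, and the legitimate run passes unchanged because its only return target, 3, is the address the `call` recorded.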
See also
- Return-to-libc attack, a specific implementation of return-oriented programming.