Connect with us

Hi, what are you looking for?



Researchers Reveal Return-Oriented Programming Tactics for Breaking Security Defenses

Two researchers from the University of California, Berkeley, released a paper introducing new attack techniques they contend break existing defenses against return-oriented programming (ROP).

Two researchers from the University of California, Berkeley, released a paper introducing new attack techniques they contend break existing defenses against return-oriented programming (ROP).

The researchers, Nicholas Carlini and David Wagner, are slated to present their research this week at the 23rd USENIX Security Symposium in San Diego. According to Carlini and Wagner, the widespread adoption of Data Execution Prevention (DEP) as a security feature killed classic code injection attacks, and made ROP the attacker tactic of choice for modern exploits of memory-safety vulnerabilities.

“In a ROP attack, the attacker does not inject new code; instead, the malicious computation is performed by chaining together existing sequences of instructions (called gadgets),” the paper explained.

In response to this reality, defenses have been designed that fall into two broad categories, they argued. The first relies on recompilation to remove potential gadgets from the program binary or to enforce the control flow integrity (CFI) of the binary. The second category of defenses attempts to protect legacy binaries using run-time protections.

To defeat these defenses, they have developed three attack strategies.

“Our first method breaks the conventional wisdom that it is difficult to mount attacks in a fully call-preceded manner… where the instruction before each gadget is a call,” according to the paper. “Many CFI-based policies rely upon policies similar to this. Next, we show that while most existing ROP attacks consist entirely of short gadgets, it is possible to mount attacks which consist of lone gadgets as well. Therefore, defenses that distinguish a ROP attack from normal execution by looking for a series of short gadgets are not secure.”

“Finally, we examine defenses that record a limited history of the execution state of a process,” the paper continues. “We show it is possible to effectively clear out any history kept by these defenses, rendering them ineffective.”

Advertisement. Scroll to continue reading.

The research in particular targets kBouncer and ROPecker, and seeks to demonstrate ways of modifying ROP attacks to slip by those defenses.

“Future defenses must take care to guard against attacks similar to ours,” according to the paper. “Specifically, we suggest two particular requirements for future defenses. First, defenses should argue either that they can inspect all relevant past history or, if they have a limited history, that their limited view of history cannot be effectively cleared out by an attacker. Second, defenses that defend against one specific aspect of ROP must argue that is a necessary component of one.”

The paper can be read here

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.