Return-oriented programming (ROP) is a computer security exploit technique in which an attacker uses software control of a call stack to execute an attacker-chosen sequence of machine instructions. These clusters of instructions typically end with a programmer-intended or unintended return (RET) instruction within existing program code. The intended or unintended RET instruction transfers execution to the attacker-chosen return address on the stack, which allows the attacker to retain execution control within the program code and to direct execution to the next attacker-chosen sequence of instructions, and so to achieve the attacker's intent. The clusters of attacker-chosen instruction sequences are referred to as gadgets. Some gadgets may be found by attackers in functions compiled into a program or its libraries; others are simply arbitrary byte sequences that happen to decode into a gadget.
Often a gadget consists of only a few assembly instructions followed by a RET instruction, and together those instructions perform a well-defined operation. By chaining together a set of such gadgets, so that the RET instruction of one gadget lands in the next gadget and so on, the malware writer is able to execute a longer sequence of attacker-desired instructions without injecting any code into the program.
The ROP technique uses vulnerabilities such as stack buffer overflows to deliver a payload containing a chained list of pointers to gadgets, and overwrites the return address of the function in which the stack buffer overflow occurred so that it points to the first gadget in the sequence. When this function executes its RET instruction, control transfers to the first gadget instead of to the function's caller. That gadget may then consume one or more data elements from the payload on the stack. Using this exploitation technique, a malware writer can change the control flow of the program and cause a control transfer to a non-programmer-intended location in the program (e.g., to the middle of an instruction).
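The chaining mechanism described above, as an added simulation for illustration (not code from the original text and not real exploit code): a table of stand-in C functions plays the role of code already present in the program, and the payload is an array of stack slots in which gadget indices alternate with the data elements the gadgets consume. The dispatcher loop in `run_chain` models the RET at the end of each gadget by popping the next slot and transferring control there, so a slot that does not name a gadget ends the run the way a jump to an unintended location would. The names `run_chain`, `struct cpu`, the gadget table and both sample payloads are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_SLOTS 32

/* Simulated machine: a few registers plus the stack region that an overflow
 * would have filled with the payload (gadget "addresses" interleaved with data). */
struct cpu {
    uint64_t rax, rbx, rcx;
    uint64_t stack[STACK_SLOTS];
    int sp;      /* index of the next slot to pop */
    int halted;
};

typedef void (*gadget_fn)(struct cpu *);

/* Pop one slot; running off the end of the payload stops the simulation. */
static uint64_t pop_slot(struct cpu *c) {
    if (c->sp >= STACK_SLOTS) { c->halted = 1; return 0; }
    return c->stack[c->sp++];
}

/* Stand-in gadgets. Each models a short instruction sequence; the trailing RET
 * is performed by the dispatcher in run_chain(), not inside the gadget. */
static void g_pop_rax(struct cpu *c)     { c->rax = pop_slot(c); } /* pop rax ; ret (consumes one data slot) */
static void g_pop_rbx(struct cpu *c)     { c->rbx = pop_slot(c); } /* pop rbx ; ret (consumes one data slot) */
static void g_add_rax_rbx(struct cpu *c) { c->rax += c->rbx; }     /* add rax, rbx ; ret */
static void g_mov_rcx_rax(struct cpu *c) { c->rcx = c->rax; }      /* mov rcx, rax ; ret */
static void g_halt(struct cpu *c)        { c->halted = 1; }        /* stands in for the chain's final target */

enum { G_POP_RAX, G_POP_RBX, G_ADD, G_MOV_RCX, G_HALT, G_COUNT };
static const gadget_fn gadgets[G_COUNT] = {
    g_pop_rax, g_pop_rbx, g_add_rax_rbx, g_mov_rcx_rax, g_halt
};

/* Emulate execution from the moment the overwritten return address is popped:
 * every RET pops the next slot and transfers control to it. A slot that is not
 * a gadget index models a jump into garbage, which ends the run. Returns final rcx. */
uint64_t run_chain(const uint64_t *payload, int len) {
    struct cpu c;
    memset(&c, 0, sizeof c);
    if (len > STACK_SLOTS) len = STACK_SLOTS;
    memcpy(c.stack, payload, (size_t)len * sizeof *payload);
    while (!c.halted) {
        uint64_t target = pop_slot(&c);          /* RET: pop the next "return address" */
        if (c.halted || target >= (uint64_t)G_COUNT) { c.halted = 1; break; }
        gadgets[target](&c);                     /* run the gadget body; looping back is its RET */
    }
    return c.rcx;
}

/* Constructed sample payload: the first slot is what the overwritten return
 * address would hold; each data slot follows the gadget that consumes it. */
const uint64_t sample_chain[] = {
    G_POP_RAX, 40,   /* pop rax ; ret      -> rax = 40 */
    G_POP_RBX, 2,    /* pop rbx ; ret      -> rbx = 2  */
    G_ADD,           /* add rax, rbx ; ret -> rax = 42 */
    G_MOV_RCX,       /* mov rcx, rax ; ret -> rcx = 42 */
    G_HALT
};
const int sample_chain_len = (int)(sizeof sample_chain / sizeof sample_chain[0]);

/* Constructed broken payload: the second "address" is not a gadget, so control
 * would land somewhere unintended and the chain stops before reaching rcx. */
const uint64_t broken_chain[] = { G_POP_RAX, 40, 99, G_MOV_RCX, G_HALT };
const int broken_chain_len = (int)(sizeof broken_chain / sizeof broken_chain[0]);

int main(void) {
    printf("sample chain: rcx = %llu\n", (unsigned long long)run_chain(sample_chain, sample_chain_len));
    printf("broken chain: rcx = %llu\n", (unsigned long long)run_chain(broken_chain, broken_chain_len));
    return 0;
}
```

The point the simulation makes visible is that the payload is pure data: no slot holds an instruction, only indices into code that already exists and the operands those gadgets pop. That is why defences aimed at injected code (non-executable stacks) do not stop ROP on their own, and why mitigations instead target the control transfer itself (stack canaries to keep the return address intact, address randomisation to make gadget addresses unguessable, shadow stacks or control-flow integrity to reject a RET whose target was never pushed by a CALL).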