The present invention relates generally to the field of arbitrary code execution, and more particularly to return oriented programming exploits.
Arbitrary code execution refers to techniques by which an attacker causes a target device to execute commands of the attacker's choosing. Typically, the attacker injects malicious code into a running process in order to compromise the target device. Most arbitrary code execution attacks ultimately involve the execution of machine instructions on the device: the attacker either supplies a sequence of instructions to the running process or redirects the process's control flow to instructions that are already present in its memory.

One technique for achieving arbitrary code execution is return oriented programming. Return Oriented Programming (ROP) is a technique used to circumvent common exploit mitigations. In particular, ROP is useful for circumventing data execution prevention (DEP). Data execution prevention is a security feature of most operating systems that marks memory pages as either executable or non-executable, so that the processor executes only instructions fetched from executable pages; bytes that an attacker places in a non-executable area, such as the stack or the heap, cannot be run as code. ROP achieves arbitrary code execution without introducing any new executable code: the attacker constructs a payload by chaining together several carefully chosen short machine instruction sequences, called "gadgets", that already exist in the executable memory of the process. Each gadget typically ends in a return instruction and is located within the existing program code and/or shared library code. The payload itself consists only of gadget addresses and any operand values the gadgets consume, arranged on the stack so that each return instruction transfers control to the next gadget in the chain.
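The following C program is an added illustration and is not part of the patent text or of any system it describes. It models the two steps the description above refers to: locating "instruction; ret" gadgets in the executable bytes of a program, and laying out a payload of gadget addresses and operands that a processor follows by popping and returning. The byte array standing in for the program's code, the load address 0x400000, and the address 0x601000 assumed for a "/bin/sh" string are all constructed for the example; the syscall number 59 is the Linux x86-64 number for execve. The CPU model is deliberately minimal and decodes only the handful of single-instruction gadgets the chain uses.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the executable code bytes of a target program,
 * assumed loaded at TEXT_BASE. Not taken from any real binary. */
#define TEXT_BASE 0x400000ULL
static const uint8_t TEXT[] = {
    0x55, 0x48, 0x89, 0xe5,       /* 0:  push rbp; mov rbp,rsp  (prologue)  */
    0x90, 0x90,                   /* 4:  nop; nop                            */
    0x5f, 0xc3,                   /* 6:  pop rdi; ret                        */
    0xcc, 0xcc,                   /* 8:  int3; int3                          */
    0x5e, 0xc3,                   /* 10: pop rsi; ret                        */
    0x48, 0x31, 0xc0,             /* 12: xor rax,rax                         */
    0x58, 0xc3,                   /* 15: pop rax; ret                        */
    0x5a, 0xc3,                   /* 17: pop rdx; ret                        */
    0x0f, 0x05, 0xc3,             /* 19: syscall; ret                        */
    0x5d, 0xc3,                   /* 22: pop rbp; ret  (epilogue)            */
};

/* The single-instruction gadgets the chain needs, as x86-64 opcode bytes. */
enum { POP_RDI, POP_RSI, POP_RDX, POP_RAX, SYSCALL, NGADGETS };
static const struct { uint8_t op[2]; size_t len; const char *name; } PAT[NGADGETS] = {
    [POP_RDI] = {{0x5f, 0x00}, 1, "pop rdi; ret"},
    [POP_RSI] = {{0x5e, 0x00}, 1, "pop rsi; ret"},
    [POP_RDX] = {{0x5a, 0x00}, 1, "pop rdx; ret"},
    [POP_RAX] = {{0x58, 0x00}, 1, "pop rax; ret"},
    [SYSCALL] = {{0x0f, 0x05}, 2, "syscall; ret"},
};

/* Gadget search: for every ret (0xc3), check whether the wanted instruction
 * immediately precedes it. Returns the gadget's offset in text, or -1. */
long find_gadget(const uint8_t *text, size_t len, int g) {
    for (size_t i = PAT[g].len; i < len; i++)
        if (text[i] == 0xc3 && memcmp(text + i - PAT[g].len, PAT[g].op, PAT[g].len) == 0)
            return (long)(i - PAT[g].len);
    return -1;
}

static uint64_t gadget_addr(int g) {
    long off = find_gadget(TEXT, sizeof TEXT, g);
    return off < 0 ? 0 : TEXT_BASE + (uint64_t)off;
}

/* The payload written over a saved return address: gadget addresses
 * alternating with the immediates their pops consume. It contains no
 * machine code, which is why marking the stack non-executable does not
 * stop it. Sets up execve(BINSH_ADDR, NULL, NULL) in the x86-64 registers. */
#define SYS_EXECVE 59           /* Linux x86-64 syscall number */
#define BINSH_ADDR 0x601000ULL  /* hypothetical address of a "/bin/sh" string */
size_t build_chain(uint64_t *chain) {
    size_t n = 0;
    chain[n++] = gadget_addr(POP_RDI); chain[n++] = BINSH_ADDR;
    chain[n++] = gadget_addr(POP_RSI); chain[n++] = 0;
    chain[n++] = gadget_addr(POP_RDX); chain[n++] = 0;
    chain[n++] = gadget_addr(POP_RAX); chain[n++] = SYS_EXECVE;
    chain[n++] = gadget_addr(SYSCALL);
    return n;
}

/* Minimal CPU model: rsp walks the payload, rip only ever points into TEXT.
 * Returns the syscall number reached, or -1 if control leaves the image or
 * the chain is exhausted (the model's stand-in for a DEP fault). */
struct regs { uint64_t rdi, rsi, rdx, rax; };
long run_chain(const uint64_t *chain, size_t n, struct regs *r) {
    size_t rsp = 0;
    uint64_t rip = chain[rsp++];                 /* the overwritten return address */
    memset(r, 0, sizeof *r);
    for (;;) {
        if (rip < TEXT_BASE || rip - TEXT_BASE >= sizeof TEXT) return -1;
        size_t off = (size_t)(rip - TEXT_BASE);
        switch (TEXT[off]) {
        case 0x5f: case 0x5e: case 0x5a: case 0x58: {  /* pop reg */
            if (rsp >= n) return -1;
            uint64_t v = chain[rsp++];
            if (TEXT[off] == 0x5f) r->rdi = v; else if (TEXT[off] == 0x5e) r->rsi = v;
            else if (TEXT[off] == 0x5a) r->rdx = v; else r->rax = v;
            rip++; break;
        }
        case 0xc3:                                     /* ret: next gadget */
            if (rsp >= n) return -1;
            rip = chain[rsp++]; break;
        case 0x0f:                                     /* syscall */
            if (off + 1 < sizeof TEXT && TEXT[off + 1] == 0x05) return (long)r->rax;
            return -1;
        default: return -1;                            /* not a modelled gadget */
        }
    }
}

int main(void) {
    uint64_t chain[16]; struct regs r;
    size_t n = build_chain(chain);
    for (int g = 0; g < NGADGETS; g++)
        printf("%-14s at 0x%llx\n", PAT[g].name, (unsigned long long)gadget_addr(g));
    printf("chain reaches syscall %ld (rdi=0x%llx)\n", run_chain(chain, n, &r),
           (unsigned long long)r.rdi);
    return 0;
}
```

Note that find_gadget only recognises gadgets whose single instruction immediately precedes the ret; real gadget finders disassemble backwards from every ret and accept unintended instruction boundaries, which is why they find far more gadgets than a search over intended instructions would.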