Return-oriented programming (ROP) is a computer security exploit technique by which an attacker who has diverted a program's control flow can induce arbitrary behavior in that program without injecting any code. An ROP program chains together short instruction sequences, or “gadgets,” that are already present in a program's address space. Each of the gadgets typically ends in a return instruction.
ROP is a state-of-the-art security exploit technique that can be used to defeat security defenses such as non-executable memory or code signing. Known defenses against ROP, such as Control Flow Integrity (CFI) or code diversity, have certain drawbacks. For example, they may require changes in the toolchain (i.e., a set of software development tools), or may require hardware changes that may introduce significant overhead.
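The following toy model is an added example, not code from the original text. It shows why return-terminated sequences compose into new behavior when the stack is overwritten, and how a return-address check stops the first diverted return. The instruction set, addresses and function names are constructed for illustration, and the shadow stack is assumed here as one concrete form of CFI for returns.

```c
#include <stdio.h>

/* Toy instruction set and result codes, constructed for this example. */
enum { OP_INC, OP_DBL, OP_RET, OP_HALT };
enum { CFI_VIOLATION = -1, BAD_STATE = -2 };

/* Code already in memory; it is identical in every scenario below. */
static const int code[] = {
    OP_INC, OP_RET,   /* address 0: gadget A, acc += 1 */
    OP_DBL, OP_RET,   /* address 2: gadget B, acc *= 2 */
    OP_HALT,          /* address 4: the caller's normal return site */
};
#define CODE_LEN ((int)(sizeof code / sizeof code[0]))

/* Execute from pc. Each RET pops its target from stack[] (top is stack[sp-1]).
 * If shadow is non-NULL it is a protected copy of the return addresses that
 * real calls pushed; a RET whose target differs from it is refused. */
int run(int pc, const int *stack, int sp, const int *shadow, int ssp)
{
    int acc = 0;
    while (pc >= 0 && pc < CODE_LEN) {
        switch (code[pc]) {
        case OP_INC:  acc += 1; pc++; break;
        case OP_DBL:  acc *= 2; pc++; break;
        case OP_HALT: return acc;
        case OP_RET:
            if (sp == 0) return BAD_STATE;
            pc = stack[--sp];
            if (shadow && (ssp == 0 || shadow[--ssp] != pc)) return CFI_VIOLATION;
            break;
        default: return BAD_STATE;
        }
    }
    return BAD_STATE;
}

static const int real_returns[] = { 4 };  /* the one real call returns to 4 */

int legit_call(int cfi) {                 /* intact stack: gadget A runs once */
    static const int stack[] = { 4 };
    return run(0, stack, 1, cfi ? real_returns : NULL, 1);
}
int corrupted_stack(int cfi) {            /* overwritten stack: B, A, B, then 4 */
    static const int stack[] = { 4, 2, 0, 2 };
    return run(0, stack, 4, cfi ? real_returns : NULL, 1);
}
int main(void) {
    printf("intact=%d corrupted=%d corrupted+shadow=%d\n",
           legit_call(0), corrupted_stack(0), corrupted_stack(1));
    return 0;
}
```

The code array is never modified, yet the overwritten stack changes the computed result; with the protected copy enabled, execution stops at the first return whose target was not pushed by a real call.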