Return-Oriented Programming without Returns

By Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, and Marcel Winandy.

In Proceedings of CCS 2010, pages 559–72. ACM Press, Oct. 2010.


We show that on both the x86 and ARM architectures it is possible to mount return-oriented programming attacks without using return instructions. Our attacks instead make use of certain instruction sequences that behave like a return, which occur with sufficient frequency in large libraries on (x86) Linux and (ARM) Android to allow creation of Turing-complete gadget sets.

Because they do not make use of return instructions, our new attacks have negative implications for several recently proposed classes of defense against return-oriented programming: those that detect the too-frequent use of returns in the instruction stream; those that detect violations of the last-in, first-out invariant normally maintained for the return-address stack; and those that modify compilers to produce code that avoids the return instruction.


See Also

The CCS paper represents the merge of two papers available separately as technical reports:


@InProceedings{CDDSSW10,
  author = {Stephen Checkoway and Lucas Davi and Alexandra Dmitrienko and Ahmad-Reza Sadeghi and Hovav Shacham and Marcel Winandy},
  title = {Return-Oriented Programming without Returns},
  booktitle = {Proceedings of CCS 2010},
  year = 2010,
  editor = {Angelos Keromytis and Vitaly Shmatikov},
  month = oct,
  publisher = {ACM Press},
  pages = {559-72}
}
