Return-Oriented Programming: Systems, Languages, and Applications

By Ryan Roemer, Erik Buchanan, Hovav Shacham, and Stefan Savage.

ACM Transactions on Information and System Security (TISSEC) 15(1):2, Mar. 2012.


We introduce return-oriented programming, a technique by which an attacker can induce arbitrary behavior in a program whose control flow he has diverted—without injecting any code. A return-oriented program chains together short instruction sequences already present in a program’s address space, each of which ends in a “return” instruction.

Return-oriented programming defeats the W⊕X protections recently deployed by Microsoft, Intel, and AMD; in this context, it can be seen as a generalization of traditional return-into-libc attacks. But the threat is more general. Return-oriented programming is readily exploitable on multiple architectures and systems, and bypasses an entire category of security measures: those that seek to prevent malicious computation by preventing the execution of malicious code.

To demonstrate the wide applicability of return-oriented programming, we construct a Turing-complete set of building blocks called gadgets using the standard C library from each of two very different architectures: Linux/x86 and Solaris/SPARC. To demonstrate the power of return-oriented programming, we present a high-level, general-purpose language for describing return-oriented exploits and a compiler that translates it to gadgets.

Previous Publication

Two extended abstracts by the present authors introduced return-oriented programming on the x86 (Shacham, CCS 2007, [S07]) and SPARC (Buchanan et al., CCS 2008, [BRSS08]). The present full paper supersedes both these previous publications and is intended to be the definitive statement on return-oriented programming.


See Also


@Article{roemer-buchanan-shacham-savage:rop-journal:tissec12, author = {Ryan Roemer and Erik Buchanan and Hovav Shacham and Stefan Savage}, title = {Return-Oriented Programming: Systems, Languages, and Applications}, journal = {ACM Trans. Info. \& System Security}, year = 2012, volume = 15, number = 1, month = mar }

Navigation: Hovav Shacham // Publications // [RBSS12]