A few days ago I delivered a session on return-oriented programming, in the context of stack-based buffer overflow exploitation, at the Distributed Systems, Networking and Security seminar (HUJI).
Generally speaking, return-oriented programming (at least in limited form, such as return-to-libc or return-to-syscall) is not new at all. It is a very effective means of bypassing stack-based buffer overflow mitigations such as NX (non-executable stack) and W^X. The awesome thing about ROP is that code execution vulnerabilities don’t have to involve actual code being placed in memory: a carefully constructed sequence of stack words can lead to arbitrary code execution through pieces of existing code (ROP gadgets) located elsewhere in memory.
However, my presentation was based mostly on results from a 2011 paper by Shacham et al., where they show that Linux and Solaris libc binaries contain more than enough ROP gadgets to enable arbitrary control flow, and develop an actual compiler for generating exploit stack structure from a C-like syntax. The paper is short, funny, and highly recommended.
If you’d like to read my short presentation instead, view my slides here.