Chapter 37 Further Reading: Return-Oriented Programming

Foundational Papers

"The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)" (CCS 2007) by Hovav Shacham The paper that introduced and named Return-Oriented Programming and showed that the gadgets available in an ordinary libc are Turing complete. Shacham's point was that a sufficiently large body of x86 code (he used libc) contains enough short instruction sequences ending in ret to express arbitrary computation, so removing individual "dangerous" functions such as system() from the attacker's reach does not help. Available free online; the original source for understanding what ROP is and why it matters.

"Return-Oriented Programming: Systems, Languages, and Applications" (ACM TISSEC 2012) by Ryan Roemer, Erik Buchanan, Hovav Shacham, Stefan Savage An extended journal treatment of ROP that generalizes the technique beyond x86, in particular to SPARC, whose register-window calling convention is very different from the x86 stack discipline. Demonstrates that ROP is a property of how machine code is reused, not an x86 quirk. Also covers the defenses known at the time and their limitations. A comprehensive academic foundation.

"Hacking Blind" (IEEE S&P 2014) by Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh The Blind ROP (BROP) paper. Demonstrates remote exploitation of a stack overflow without a copy of the binary, inferring the stack canary, return addresses and gadget locations purely from whether the service crashes or keeps responding. Required reading for understanding why ASLR randomization quality matters and why fork-without-exec is dangerous: a server that re-forks a crashed worker gives the attacker unlimited tries against an unchanged canary and address space layout. Available free: search "BROP paper Bittau 2014 PDF"
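The fork-without-exec problem in a few lines of C. This is an added example, not code from the paper or from this book's chapter: it forks several children the way a pre-fork server does and checks that each child sees the same stack canary, code address and stack address as the parent. The canary read assumes glibc/musl on x86-64, where the canary lives at %fs:0x28; on other architectures the helper returns 0 and only the address comparison is meaningful.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Everything a BROP attacker needs to stay constant across "retries". */
struct layout {
    uintptr_t canary;     /* stack-protector canary */
    uintptr_t code_addr;  /* address of a function in this image (PIE base leak) */
    uintptr_t stack_addr; /* address of a local variable (stack base leak) */
};

/* Assumption: glibc/musl on x86-64 keep the canary at %fs:0x28. Elsewhere
 * this returns 0 so the example still compiles; only addresses are compared. */
static uintptr_t read_canary(void)
{
#if defined(__x86_64__)
    uintptr_t c;
    __asm__ volatile("mov %%fs:0x28, %0" : "=r"(c));
    return c;
#else
    return 0;
#endif
}

static void snapshot(struct layout *l)
{
    volatile int local = 0;
    l->canary = read_canary();
    l->code_addr = (uintptr_t)&snapshot;
    l->stack_addr = (uintptr_t)&local;
}

/* Forks `children` workers, one at a time, exactly like a pre-fork server that
 * restarts a crashed worker. Returns 1 if every child reported the same canary
 * and addresses as the parent, 0 if any differed, -1 on a system call failure. */
int fork_preserves_layout(int children)
{
    struct layout parent;
    snapshot(&parent);

    for (int i = 0; i < children; i++) {
        int fd[2];
        if (pipe(fd) != 0)
            return -1;
        pid_t pid = fork();
        if (pid < 0)
            return -1;
        if (pid == 0) {
            /* Child: same frame, same TLS, same mappings as the parent. */
            struct layout mine;
            snapshot(&mine);
            close(fd[0]);
            ssize_t w = write(fd[1], &mine, sizeof mine);
            _exit(w == (ssize_t)sizeof mine ? 0 : 1);
        }
        close(fd[1]);
        struct layout child;
        ssize_t r = read(fd[0], &child, sizeof child);
        close(fd[0]);
        waitpid(pid, NULL, 0);
        if (r != (ssize_t)sizeof child)
            return -1;
        if (memcmp(&child, &parent, sizeof child) != 0)
            return 0; /* would only happen after exec() re-randomized the child */
    }
    return 1;
}

int main(void)
{
    struct layout l;
    snapshot(&l);
    printf("canary=%#lx code=%#lx stack=%#lx\n",
           (unsigned long)l.canary, (unsigned long)l.code_addr,
           (unsigned long)l.stack_addr);
    printf("layout identical across forked children: %s\n",
           fork_preserves_layout(3) == 1 ? "yes" : "no");
    return 0;
}
```

Because every child is a byte-for-byte copy, an attacker who crashes a worker learns one bit per request (crash or no crash) and can recover the canary one byte at a time, then walk the return address the same way; the remedy the paper discusses is to re-randomize by exec()ing a fresh process rather than merely forking.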

"Framing Signals: A Return to Portable Shellcode" (IEEE S&P 2014) by Erik Bosman and Herbert Bos The paper that introduces Sigreturn-Oriented Programming (SROP). Shows that the kernel's sigreturn path, which reloads every general-purpose register from a frame on the user stack, lets an attacker who can write a fake signal frame and reach a syscall; ret gadget (with rax set to the sigreturn number) load arbitrary register state in one step, and that chaining such frames is enough for Turing-complete computation. Elegant and alarming, and a good reason to read the kernel's signal-delivery code. Available at academic repositories.

Intel CET Documentation

Intel CET Technical Preview and Architecture Details Intel has published extensive documentation on CET's design:
- Intel SDM Volume 1, Chapter 18: the normative CET specification
- Intel developer blog posts on CET implementation details
- The shadow stack kernel patches and documentation in the Linux kernel tree
https://www.intel.com/content/www/us/en/developer/articles/technical/technical-look-control-flow-enforcement-technology.html

Online Resources

LiveOverflow "Binary Exploitation" Playlist Several episodes specifically cover ROP, including live demonstrations in GDB with annotations. The ret2libc and ret2plt episodes make the chaining concrete. https://www.youtube.com/playlist?list=PLhixgUqwRTjxglIswKp9mpkfPNfHkzyeN

ROPgadget Documentation (GitHub) https://github.com/JonathanSalwan/ROPgadget The tool used throughout this chapter. The README documents all flags. ROPgadget works the way any gadget finder does: it scans the executable sections for ret, jmp or call opcodes and disassembles backwards from each one, which is why it reports unaligned "gadgets" that the compiler never emitted as instructions. The repository also includes research papers by the tool's author (Jonathan Salwan) on gadget finding and ROP chain automation.
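A minimal gadget scanner that makes the ROPgadget entry above and the SROP entry concrete. This is an added example, not ROPgadget's own code: instead of a disassembler it recognizes three gadget shapes by byte pattern on x86-64 (pop r64; ret, syscall; ret and a bare ret), which is enough to locate the syscall; ret gadget SROP needs and the pop rdi; ret gadget a ret2libc chain needs. The code buffer is constructed for the example and stands in for a binary's .text section.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Gadget shapes recognized (x86-64 encodings):
 *   pop rax..rdi; ret   -> 58..5f c3
 *   pop r8..r15;  ret   -> 41 58..5f c3
 *   syscall; ret        -> 0f 05 c3
 *   ret                 -> c3
 * Like a real gadget finder, the scan starts from every ret byte and looks
 * backwards, so byte sequences that straddle the compiler's instruction
 * boundaries are reported too (e.g. the 5e c3 inside 41 5e c3). */
enum gadget_kind { G_RET, G_POP_RET, G_SYSCALL_RET };

struct gadget {
    enum gadget_kind kind;
    size_t offset; /* offset of the gadget's first byte in the buffer */
    int reg;       /* for pop: 0..15 = rax..r15, otherwise -1 */
};

static const char *const reg_names[16] = {
    "rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
    "r8",  "r9",  "r10", "r11", "r12", "r13", "r14", "r15"};

static void emit(struct gadget *out, size_t *n, size_t max,
                 enum gadget_kind kind, size_t offset, int reg)
{
    if (*n < max)
        out[(*n)++] = (struct gadget){kind, offset, reg};
}

/* Scans `code` and writes up to `max` gadgets to `out`; returns the count. */
size_t find_gadgets(const uint8_t *code, size_t len, struct gadget *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (code[i] != 0xc3)
            continue; /* every gadget we care about ends in ret */
        if (i >= 2 && code[i - 2] == 0x0f && code[i - 1] == 0x05)
            emit(out, &n, max, G_SYSCALL_RET, i - 2, -1);
        if (i >= 2 && code[i - 2] == 0x41 && code[i - 1] >= 0x58 && code[i - 1] <= 0x5f)
            emit(out, &n, max, G_POP_RET, i - 2, 8 + (code[i - 1] - 0x58));
        if (i >= 1 && code[i - 1] >= 0x58 && code[i - 1] <= 0x5f)
            emit(out, &n, max, G_POP_RET, i - 1, code[i - 1] - 0x58);
        emit(out, &n, max, G_RET, i, -1);
    }
    return n;
}

/* Convenience lookup: offset of the first gadget of `kind` (and `reg` for
 * pops), or -1 if the buffer contains none. */
long find_gadget_offset(const uint8_t *code, size_t len, enum gadget_kind kind, int reg)
{
    struct gadget g[64];
    size_t n = find_gadgets(code, len, g, 64);
    for (size_t i = 0; i < n; i++)
        if (g[i].kind == kind && (kind != G_POP_RET || g[i].reg == reg))
            return (long)g[i].offset;
    return -1;
}

/* Constructed sample "text section": a few real instructions with gadgets
 * scattered among them. Comments give the intended instruction at each byte. */
const uint8_t sample_code[] = {
    0x55,             /* 0:  push rbp                     */
    0x48, 0x89, 0xe5, /* 1:  mov rbp, rsp                 */
    0x5f, 0xc3,       /* 4:  pop rdi; ret                 */
    0x90,             /* 6:  nop                          */
    0x41, 0x5e, 0xc3, /* 7:  pop r14; ret (8: pop rsi; ret unaligned) */
    0x48, 0x31, 0xc0, /* 10: xor rax, rax                 */
    0x0f, 0x05, 0xc3, /* 13: syscall; ret                 */
    0xc3              /* 16: ret                          */
};
const size_t sample_code_len = sizeof sample_code;

int main(void)
{
    struct gadget g[64];
    size_t n = find_gadgets(sample_code, sample_code_len, g, 64);
    for (size_t i = 0; i < n; i++) {
        if (g[i].kind == G_POP_RET)
            printf("0x%04zx: pop %s; ret\n", g[i].offset, reg_names[g[i].reg]);
        else if (g[i].kind == G_SYSCALL_RET)
            printf("0x%04zx: syscall; ret\n", g[i].offset);
        else
            printf("0x%04zx: ret\n", g[i].offset);
    }
    return 0;
}
```

Adding the image base to each offset gives the address to place in a chain; a real finder additionally needs a disassembler to validate that the bytes before the ret decode as intended and to cover jmp- and call-terminated gadgets, which is what ROPgadget and pwntools' ROP module do.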

pwn.college — Return-Oriented Programming module Hands-on challenges building from simple ret2win (return to a function in the binary) through ret2libc, ASLR bypass, and full chain construction. Browser-based Linux environment. The progression from "jump to win" to "bypass all mitigations" is well-structured.

Books

"Hacking: The Art of Exploitation" (2nd edition) by Jon Erickson Chapter 0x600 (Countermeasures) covers bypassing non-executable stacks with return-into-libc, the direct ancestor of ROP. The book's approach of building up from assembly basics to exploitation makes the connection between memory layout and exploitation very concrete.

"A Bug Hunter's Diary" by Tobias Klein The chapter on exploiting function pointer overwrites is directly relevant to post-SHSTK attack scenarios. Real-world examples of finding and exploiting non-return-address control flow targets.

Advanced Topics

"Control-Flow Bending" (USENIX Security 2015) by Nicholas Carlini, Antonio Barresi, Mathias Payer, David Wagner, Thomas Gross Demonstrates attacks that stay within a CFI-enforced control-flow graph by choosing malicious paths along valid edges, and shows that even a fully precise forward-edge policy is bypassable without a protected return path. Important for understanding the limits of a coarse forward-edge policy like CET IBT (any ENDBR is a valid target) and why the shadow stack is the necessary complement.

The Linux kernel CET implementation The kernel code that implements user-space shadow stack support is in the Linux kernel source (arch/x86/kernel/shstk.c and related files). Reading the implementation shows exactly how the shadow stack is allocated and enabled per thread, how the SSP is saved and restored on context switches and signal delivery, and how clone() gives a new thread its own shadow stack. setjmp/longjmp compatibility is handled in user space by the C library, which uses incssp to unwind the shadow stack to match the recovered stack pointer. https://elixir.bootlin.com/linux/latest/source/arch/x86/kernel/shstk.c

Tools

pwntools Python library The standard library for exploit development in CTF and security research. While primarily useful for automated exploitation, understanding its ROP module (from pwn import ROP) reveals how chain construction is automated in practice. For defenders: understanding pwntools shows what attackers work with. https://github.com/Gallopsled/pwntools

angr binary analysis framework An academic/research framework for binary analysis built around symbolic execution; automated ROP chain construction is provided by the companion angrop project. Used by security researchers for automated vulnerability discovery and exploit generation. Understanding that such tools exist contextualizes the practical threat. https://angr.io/