Detecting Return Oriented Programming by Examining Positions of Saved Return Addresses

  • Jae-Won Min
  • Sung-Min Jung
  • Tai-Myoung Chung
Conference paper
Part of the Lecture Notes in Electrical Engineering book series (LNEE, volume 214)


In the recent years, return-oriented programming (ROP) has become the most widely used exploitation technique, achieving arbitrary code execution without injecting any code at all. This is possible by executing small sequences of assembly instructions found in binaries, also known as gadgets. Gadgets cannot do complex operations by themselves but when chained together, they can do any arbitrary operations theoretically. There were many mitigations proposed in the past but they either introduced large overhead or were too complex. In this paper, we propose a simple method of detecting ROP attacks by calculating distance between saved return addresses in the runtime stack. Examined ROP exploits which were published on the Internet resulted short distances between return addresses, which are gadget addresses, compared to that of normal control flow of the program. Our method can be used as a stand-alone tool or part of sequential checks in existing tools.


Return oriented programming Code reuse attack Detection 



This work was supported by the IT R&D program of MKE/KEIT. [KI001810039260, Integrated dev-environment for personal, biz-customized open mobile cloud service and Collaboration tech for heterogeneous devices on server].


  1. 1.
    Solar Designer: Getting around non-executable stack (and fix). Bugtraq, Aug 1997.Google Scholar
  2. 2.
    Shacham, H.: The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In: Proceedings of the 14th ACM Conference on Computer and Communications, Security, pp. 552–561 (2007).Google Scholar
  3. 3.
    PaX Team: PaX address space layout randomization (ASLR),
  4. 4.
  5. 5.
    Davi, L., Sadephi, A.-R., Winandy, M.: Dynamic integrity measurement and attestation: Towards defense against return-oriented programming attacks. In: Asokan, N., Nita-Rotaru, C., Seifert, J.-P. (eds.) Proceedings of STC 2009, pp. 49–54. ACM Press (2009).Google Scholar
  6. 6.
    Polychronakis, M., Keromytis, A.D.: ROP payload detection using speculative code. Malicious and Unwanted Software, In (2011)Google Scholar
  7. 7.
    Onarlioglu, K., Bilge, L., Lanzi, A., Balzarotti, D., Kirda, E.: G-free: Defeating return-oriented programming through gadget-less binaries. ACSAC, In (2010)Google Scholar
  8. 8.
  9. 9.
    Pappas, V.: kBouncer: Efficient and transparent ROP mitigation (2012).Google Scholar
  10. 10.
    PHP 5.3.6 Buffer Overflow PoC (ROP,
  11. 11.
    Exploit Database,

Copyright information

© Springer Science+Business Media Dordrecht 2013

Authors and Affiliations

  1. 1.Department of Electrical and Computer EngineeringSungkyunkwan UniversitySuwonKorea
  2. 2.College of Information and Communication EngineeringSungkyunkwan UniversitySuwonKorea

Personalised recommendations