Return-Oriented Programming vs Jump-Oriented Programming.

Bhaumik Tyagi
3 min readAug 26, 2022


ROP (Return-Oriented Programming) manipulates the return addresses stored on the (writable) stack so that short sequences of existing, benign instructions, each ending in a return instruction, are “stapled together” into one larger malicious program.

It is not an attack in itself; it is a technique for bypassing a non-executable stack.

In a classic buffer overflow attack you inject your code directly into the vulnerable buffer and overwrite the return address so that execution jumps back to it. Once CPUs gained support for non-executable memory, the stack started to be marked as data-only, so you could no longer inject code that way.

To work around this, you use ROP: you borrow bits and pieces of code that already exist in the program’s code segment, each fragment ending in a RET, and set up a fake stack of return addresses so that execution flows from fragment to fragment until you have finally accomplished what you wanted.

Fig 1: Return-Oriented Programming

Some tools can automatically search for usable code fragments, and usually the goal is just to disable the non-executable stack protection so that injected code can then run normally.

Return-oriented programming (ROP) is a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as executable space protection and code signing.

In this technique, an attacker gains control of the call stack to hijack program control flow and then executes carefully chosen machine instruction sequences that are already present in the machine’s memory, called “gadgets”. Each gadget typically ends in a return instruction and is located in a subroutine within the existing program and/or shared library code. Chained together, these gadgets allow an attacker to perform arbitrary operations on a machine employing defenses that thwart simpler attacks.

Some of the aforementioned defenses are:

G-Free

Address Space Layout Randomization

SEHOP

Binary Code Randomization

Pointer Authentication Codes (PAC)

Jump-Oriented Programming (JOP) manipulates registers so that short sequences of existing, benign instructions, each ending in an indirect jump, are “glued together”, with a small dispatcher gadget acting as the glue, so that the execution becomes malicious.

Fig 2: Jump-Oriented Programming

Jump-Oriented Programming (JOP) is similar to Return-Oriented Programming (ROP). In a ROP attack, the software stack (the program and its libraries) is scanned for gadgets that can be strung together to form a new program; ROP looks for sequences that end in a function return (RET). In contrast, JOP targets sequences that end in other forms of indirect (absolute) branch, such as calls through function pointers or the jump tables compiled from switch/case statements.

The attacker exploits the fact that BLR or BR instructions (indirect branches on ARM) can target any executable address, not just the entry points defined by the compiler or developer. This means these instructions can be hijacked to string gadgets together.

In ROP, the RET at the end of each gadget is what chains the frames together. In JOP, the gadget instead ends in an indirect JMP.

A JMP on its own cannot chain frames, because it carries no “next address” the way a RET implicitly does (the flow is unidirectional). To solve this, JOP uses a dispatcher gadget: a small loop that advances a register through a table of gadget addresses and jumps to each in turn, with every functional gadget ending by jumping back to the dispatcher.
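The following is an added example, not code from the post: a toy C model of the two chaining mechanisms just described, in which gadgets are ordinary C functions and the “fake stack” and “dispatch table” are plain arrays. It shows the structural difference (a RET-chained sequence pulls both targets and operands from the stack, a JMP-chained sequence needs a dispatcher stepping a register through a separate table) without touching real return addresses or executable memory; the gadget set and the arithmetic they compute are constructed for illustration.

```c
/* Toy model of gadget chaining: gadgets are C functions standing in for short
 * instruction sequences; the "stack" and "dispatch table" are plain arrays. */
#include <stddef.h>
#include <stdio.h>

typedef struct {
    long acc;          /* stands in for a general-purpose register */
    const long *sp;    /* ROP: the stack pointer walking the fake stack */
    const long *dt;    /* JOP: the register the dispatcher advances */
    const long *data;  /* JOP: operands live apart from the gadget sequence */
} Machine;
typedef void (*gadget_fn)(Machine *m);
/* Constructed gadget set. "pop reg; ret" in ROP, "pop reg; jmp dispatcher" in JOP */
static void g_pop_acc(Machine *m) { m->acc = m->sp ? *m->sp++ : *m->data++; }
static void g_add10(Machine *m)   { m->acc += 10; }   /* "add reg, 10; ret|jmp" */
static void g_double(Machine *m)  { m->acc *= 2; }    /* "shl reg, 1; ret|jmp" */
static const gadget_fn gadgets[] = { g_pop_acc, g_add10, g_double };

/* ROP: every gadget ends in RET, so the next target is simply whatever the
 * stack pointer reaches next; gadget ids and their operands interleave. */
long run_rop(const long *fake_stack, size_t n) {
    Machine m = { 0, fake_stack, NULL, NULL };
    while (m.sp < fake_stack + n) {
        long id = *m.sp++;     /* RET pops the next "return address" */
        gadgets[id](&m);
    }
    return m.acc;
}

/* JOP: an indirect JMP carries no "next address", so a dispatcher gadget
 * (e.g. "add rdx, 8; jmp [rdx]") steps a register through the table and every
 * functional gadget ends by jumping back to it. No RET ever executes. */
long run_jop(const long *table, size_t n, const long *operands) {
    Machine m = { 0, NULL, table, operands };
    while (m.dt < table + n) {
        long id = *m.dt++;     /* dispatcher: advance register, load target */
        gadgets[id](&m);       /* functional gadget, then "jmp dispatcher" */
    }
    return m.acc;
}
/* Constructed chains computing (5 + 10) * 2 = 30 both ways. */
long demo_rop(void) {
    static const long stack[] = { 0, 5, 1, 2 };  /* pop,5 ; add10 ; double */
    return run_rop(stack, 4);
}
long demo_jop(void) {
    static const long table[] = { 0, 1, 2 }, data[] = { 5 };
    return run_jop(table, 3, data);
}
int main(void) { printf("ROP: %ld  JOP: %ld\n", demo_rop(), demo_jop()); return 0; }
```

Both runs reach the same result, but only the ROP model ever “returns”, which is the property return-address based defenses depend on.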
