Topic > Jump-Oriented Programming

Return-Oriented Programming (ROP) and Jump-Oriented Programming (JOP) are both code reuse attacks. They reuse legitimate code from a vulnerable program to construct arbitrary calculations without inserting code. These are cybersecurity exploit techniques that primarily allow an attacker to execute code even in the presence of security defenses, such as non-executable memory and code signing. ROP is an effective code reuse attack where short sequences of code ending with a ret instruction are matched with existing binaries and executed in arbitrary order taking control of the stack, but its inherent characteristics, such as stack dependency and the consecutive execution of performance-oriented gadgets, have stimulated a series of defenses to detect or prevent this from happening. While Jump-oriented programming does not rely on stack and ret instructions as seen in ROP without sacrificing expressive power. In JOP, without the convenience of using ret to unify them, the attack relies on a gadget dispatcher to dispatch and execute the functional gadgets. As in the ROP, the building blocks of the JOP are still short sequences of code called gadgets. Say no to plagiarism. Get a tailor-made essay on "Why Violent Video Games Shouldn't Be Banned"? Get an original essayJOP does the same return-oriented work in terms of building and chaining functional gadgets, with each gadget performing certain primitive operations. The main difference is that these gadgets end with an indirect branch rather than a ret as seen in performance-oriented programs. They are different in format, ROP uses ret as the final instruction. Use ret as the end of the gadget to concatenate multiple frames, while JOP uses jmp, use jmp as the end of the gadget. With jmp, we can't concatenate frames, which is a new problem in JOP on how to concatenate gadgets together with one-way jmps. The solution to this problem was the proposed "gadget dispatcher" which will be used to govern control flow between various jump-oriented gadgets. This dispatcher gadget will be used to determine which functional gadget will be invoked next. This gadget dispatcher can maintain an internal dispatch table that will explicitly specify the control flow of functional gadgets. It will also ensure that the final jmp statement in the functional gadget will always transfer control to the dispatcher gadget. In this way, jump-oriented computing became feasible. In a JOP-based attack, the attacker abandons any reliance on the stack for control flow and ret for gadget discovery and chaining, instead using a sequence of indirect jump instructions. Instead of ending with a ret, each of these gadgets ends with an indirect jmp. Unlike ROP, where a ret gadget can naturally return control based on the contents of the stack, a jmp gadget performs a one-way control flow transfer to its target, making it difficult to regain control to further chain execution. of the next jump-oriented gadget. What these techniques have in common is that they all assume that the attack must use the stack to govern the control flow. Jump-oriented programming is an alternative that does not rely on the stack and is therefore immune to such defenses. By not relying on the stack for control flow, JOP can potentially use any range of memory, including even non-contiguous memory, to hold the dispatch table. In particular, with this attack, we can build and chain normal functional gadgets and each of them performs certain.