Finding the Bad in Good Code: Automated Return-Oriented Programming Exploit Discovery
Source: University of California, San Diego
In this paper, the authors demonstrate that return-oriented programming is not limited to the x86 architecture, the platform on which it was originally introduced, and can be fully implemented on an architecture as different as SPARC. They present automated search tools that effectively and efficiently find fully or partially Turing-complete return-oriented "gadget" sets in arbitrary binaries using a dedicated and extensible query language. They discuss the results of searching thousands of previously unknown binaries and find that potentially exploitable return-oriented gadgets are prevalent in the wild.
| Size: | 570.35 |
| Date: | Mar 2009 |



