The Geometry of Innocent Flesh on the Bone: Return-Into-Libc Without Function Calls (on the X86)
The authors present new techniques that allow a return-into-libc attack to be mounted on x86 executables without calling any functions at all. The attack combines a large number of short instruction sequences to build gadgets that allow arbitrary computation. They show how to discover such instruction sequences by means of static analysis, making essential use of the properties of the x86 instruction set. The resulting return-into-libc attack on x86 executables is every bit as powerful as code injection.