Words: 711 | Pages: 2 | 4 min read
Published: Sep 18, 2018
Return-oriented programming (ROP) and jump-oriented programming (JOP) are both code-reuse attacks: they reuse legitimate code of a vulnerable program to construct arbitrary computation without injecting any code. They are exploit techniques that allow an attacker to execute code even in the presence of defenses such as non-executable memory and code signing. ROP is an effective code-reuse attack in which short code sequences ending in a ret instruction are located in existing binaries and executed in arbitrary order by taking control of the stack, but its inherent characteristics, such as reliance on the stack and the consecutive execution of return-oriented gadgets, have prompted a variety of defenses to detect or prevent it. Jump-oriented programming, by contrast, relies on neither the stack nor ret instructions, without sacrificing expressive power. Because JOP lacks the convenience of ret to unify the gadgets, it relies on a dispatcher gadget to dispatch and execute the functional gadgets. As in ROP, the building blocks of JOP are still short code sequences called gadgets.
JOP does the same job as ROP in terms of building and chaining functional gadgets, with each gadget performing a primitive operation. The main difference is that these gadgets end in an indirect branch rather than a ret. The two differ in format: ROP ends each gadget with ret and uses that ret to chain multiple stack frames, whereas JOP ends each gadget with an indirect jmp. With jmp, the frames cannot be chained in the same way, which raises a new problem in JOP: how to chain gadgets together using uni-directional jmps.
The solution to this problem is the "dispatcher gadget", which governs control flow among the various jump-oriented gadgets. The dispatcher gadget determines which functional gadget is invoked next. It maintains a dispatch table that explicitly specifies the control flow of the functional gadgets, and it ensures that the ending jmp instruction of each functional gadget always transfers control back to the dispatcher gadget. With this, jump-oriented computation becomes feasible.
In a JOP-based attack, the attacker abandons all reliance on the stack for control flow and on ret for gadget discovery and chaining, and instead uses a sequence of indirect jump instructions. Instead of ending with a ret, each such gadget ends with an indirect jmp. Unlike ROP, where a ret gadget naturally returns control based on the contents of the stack, a jmp gadget performs a uni-directional control-flow transfer to its target, making it hard to regain control and chain the next jump-oriented gadget. What the ROP defenses have in common is that they all assume the attack must use the stack to govern control flow. Jump-oriented programming is an alternative with no reliance on the stack, and it is therefore immune to such defenses. By not relying on the stack for control flow, JOP can potentially use any memory range, including non-contiguous memory, to hold the dispatch table. Under this attack, the attacker builds and chains normal functional gadgets, each performing a primitive operation.
However, due to the lack of ret to chain them, the attack relies on a dispatcher gadget to dispatch and execute the next functional gadget.
Figure 1: Return-oriented programming (ROP) vs. jump-oriented programming (JOP)
Figure 1 compares ROP with JOP. Like ROP, a JOP program consists of a set of gadget addresses and data values loaded into memory, with the gadget addresses analogous to opcodes within a new jump-oriented machine. In ROP, this data is stored on the stack, so the stack pointer esp serves as the program counter of the return-oriented program.
JOP is not limited to using esp to reference its gadget addresses, and its control flow is not driven by the ret instruction. Instead, a dispatch table holds the gadget addresses and data, and the program counter is any register that points into the dispatch table. The dispatcher gadget drives control flow by executing the sequence of gadgets: at each invocation, it advances the virtual program counter and launches the associated gadget.
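The two chaining mechanisms described above, modelled as an abstract "gadget machine" so that the difference between esp-driven and dispatcher-driven control flow can be seen from the point of view of a control-flow monitor. This is an added illustration and is not part of the essay: the gadget addresses, the dispatcher address, the legitimate call sites, the memory addresses and both chains are constructed values, and the three "gadgets" are Python functions that only imitate the primitive operation a real gadget would perform. The model runs the same three-gadget computation once as a ROP chain (esp as program counter, contiguous stack) and once through a dispatch table walked by edx, then shows why a monitor that only checks ret targets reports the first and never sees the second.

```python
# Added illustration (not from the essay): an abstract "gadget machine" that models
# the two chaining mechanisms. Gadget addresses, the dispatcher address, the call
# sites and the chains are all constructed values; no real machine code is involved.

# Functional gadgets: each performs one primitive operation on a register file and
# takes one operand. Where the operand comes from, and how control moves on
# afterwards (ret vs. jmp back to a dispatcher), is what the two models differ in.
def gadget_load(regs, mem, operand):    # models: pop eax ; <ret | jmp>
    regs["eax"] = operand

def gadget_add(regs, mem, operand):     # models: pop ecx ; add eax, ecx ; <ret | jmp>
    regs["eax"] += operand

def gadget_store(regs, mem, operand):   # models: pop edi ; mov [edi], eax ; <ret | jmp>
    mem[operand] = regs["eax"]

GADGETS = {0x401000: gadget_load, 0x401010: gadget_add, 0x401020: gadget_store}
DISPATCHER = 0x401030                      # constructed address of the dispatcher gadget
LEGIT_RETURN_SITES = {0x401105, 0x40120A}  # constructed: instructions that follow real calls


def run_rop(chain, stack_base=0x7FFE0000):
    """ROP model: `chain` is what sits on the stack after the corrupted return
    address. esp is the program counter; each gadget's trailing ret pops the next
    gadget address, so the whole chain has to be laid out contiguously on the stack."""
    mem = {stack_base + 4 * i: word for i, word in enumerate(chain)}
    regs = {"esp": stack_base, "eax": 0}
    transfers = []                         # (kind, target) as a control-flow monitor sees them

    def pop():
        word = mem.get(regs["esp"], 0)
        regs["esp"] += 4
        return word

    target = pop()                         # the vulnerable function's ret consumes the first word
    while target in GADGETS:
        transfers.append(("ret", target))
        GADGETS[target](regs, mem, pop())  # the gadget's own pop supplies its operand
        target = pop()                     # the gadget's ret pops the next gadget address
    transfers.append(("ret", target))      # the terminator word (0) ends the computation
    return regs, mem, transfers


def run_jop(entries, table_base=0x601000, stride=0x40):
    """JOP model: the dispatch table holds (gadget address, operand) entries and the
    register edx is the virtual program counter. The dispatcher reads the entry at
    edx, advances edx by `stride` and jumps to the gadget; each functional gadget
    ends with a jmp back to the dispatcher. Because the table is walked by a
    register rather than by esp, it can live anywhere and need not be packed."""
    mem = {}
    for i, (gaddr, operand) in enumerate(entries):
        mem[table_base + i * stride] = gaddr
        mem[table_base + i * stride + 4] = operand
    regs = {"edx": table_base, "eax": 0}
    transfers = [("jmp", DISPATCHER)]      # the hijacked indirect jump lands in the dispatcher
    while True:
        target = mem.get(regs["edx"], 0)             # dispatcher: read the next table entry
        operand = mem.get(regs["edx"] + 4, 0)
        regs["edx"] += stride                        # dispatcher: advance the virtual PC
        transfers.append(("jmp", target))            # dispatcher: jmp to the functional gadget
        if target not in GADGETS:                    # terminator entry ends the computation
            break
        GADGETS[target](regs, mem, operand)
        transfers.append(("jmp", DISPATCHER))        # functional gadget's trailing jmp
    return regs, mem, transfers


def stack_based_monitor(transfers):
    """A defense of the kind the essay says ROP's stack reliance invites: report
    every ret whose target is not the instruction after a real call. It never
    looks at jmp, which is why a JOP chain passes through it unnoticed."""
    return [t for kind, t in transfers if kind == "ret" and t not in LEGIT_RETURN_SITES]


# Both chains compute eax = 40 + 2 and store the result at address 0x800000 (constructed).
ROP_CHAIN = [0x401000, 40, 0x401010, 2, 0x401020, 0x800000, 0]
JOP_TABLE = [(0x401000, 40), (0x401010, 2), (0x401020, 0x800000), (0, 0)]

if __name__ == "__main__":
    for name, (regs, mem, trace) in (("ROP", run_rop(ROP_CHAIN)), ("JOP", run_jop(JOP_TABLE))):
        print(f"{name}: eax={regs['eax']} mem[0x800000]={mem[0x800000]}")
        print(f"  program counter register: {'esp' if name == 'ROP' else 'edx'}")
        print(f"  transfers seen: {[(k, hex(t)) for k, t in trace]}")
        print(f"  flagged by ret-target monitor: {[hex(t) for t in stack_based_monitor(trace)]}")
```

Both runs leave eax at 42 and write 42 to the constructed target address, so the computation is the same; only the trace differs. The ROP trace is a run of ret transfers to addresses that no legitimate call ever targets, which is exactly the property a stack-centric monitor keys on. The JOP trace consists solely of jmp transfers alternating between the dispatcher and the functional gadgets, and the same monitor returns an empty list, which is the essay's point that defenses built on the assumption that the attack governs control flow through the stack do not cover JOP. Changing `stride` moves the table entries further apart without altering the result, which is the sense in which the dispatch table need not be contiguous.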