Bypassing Protections with ROP

When I'm in conversations with friends and family about airport security, a quip I often hear is that maybe we should just ban the passengers. Though this is obviously facetious, let's think about it for a moment: no matter what we do to screen everyone walking onto an airplane, we have to allow at least some people through the gates, particularly the pilots. There's a clear divide between the malicious outsider with no good intention and the trusted insider who, by virtue of his or her role, must be given the necessary access to get some work done. Think of the malicious outsiders trying to get on the plane with all kinds of nasty stuff as shellcode, and the trusted pilot who runs the show as the legitimate native binary. Even with perfect security screening guaranteeing that no malicious individual can walk onto a plane, you still have to trust that the pilot isn't corrupted by an outside influence, with his or her power leveraged to execute a malicious deed.

Welcome to the concept of return-oriented programming, where the world we live in is a paradise in which no shellcode can be injected and executed, but we've figured out how to leverage the code that's already there to do our dirty work. We're going to learn how combining the density of the x86 instruction set with a good old-fashioned buffer vulnerability in a program allows us to construct almost any arbitrary functionality. We'll take a break from injecting bad code and learn how to turn the good code against itself.

In this chapter, we will do the following:

  • Understand core defense concepts, such as Data Execution Prevention (DEP) and address space layout randomization (ASLR)
  • Learn how to examine machine code and memory to identify instructions that we can leverage for our purposes, called gadgets
  • Understand the different types of ROP-based attacks
  • Explore the tools used by hackers to pull off ROP attacks
  • Write and attack a vulnerable C program
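Before looking at how ROP works around DEP and ASLR, it helps to see where those two protections are actually recorded in a binary. The following is an added example, not code from the book: a small checksec-style inspector that parses an ELF64 header and its program headers, reports whether the stack is marked non-executable (the `PT_GNU_STACK` segment lacking `PF_X`, which is what DEP/NX relies on) and whether the executable is position independent (`ET_DYN`, the precondition for ASLR to randomize the binary's own code). The helper names `build_elf64` and `inspect_elf` are my own, and the two ELF images are constructed in the script purely as sample input; they are not loadable programs.

```python
import struct

# ELF constants from the ELF64 specification and the Linux ABI
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4


def build_elf64(e_type, stack_flags):
    """Construct a minimal ELF64 image: a 64-byte header plus a single
    PT_GNU_STACK program header.  Constructed sample data for this
    example only; it has no code or sections and cannot be executed."""
    phoff = 64
    # e_ident: magic, ELFCLASS64, little-endian, EV_CURRENT, padding
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr += struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 0x3E, 1,   # e_type, e_machine = x86-64, e_version
        0x401000,          # e_entry (arbitrary constructed value)
        phoff, 0,          # e_phoff, e_shoff (no section headers)
        0, 64, 56, 1,      # e_flags, e_ehsize, e_phentsize, e_phnum
        64, 0, 0,          # e_shentsize, e_shnum, e_shstrndx
    )
    # PT_GNU_STACK carries no file data; only p_flags matters
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


def inspect_elf(data):
    """Return the two protections ROP is built to bypass:
    nx  - stack is non-executable (DEP/NX honoured by the loader)
    pie - binary is position independent, so ASLR can relocate it."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    # Historical x86 behaviour: no PT_GNU_STACK at all means the
    # kernel gives the process an executable stack, so start pessimistic.
    nx = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    return {"nx": nx, "pie": e_type == ET_DYN}


if __name__ == "__main__":
    hardened = build_elf64(ET_DYN, PF_R | PF_W)          # NX stack, PIE
    weak = build_elf64(ET_EXEC, PF_R | PF_W | PF_X)      # RWX stack, fixed address
    for name, img in (("hardened", hardened), ("weak", weak)):
        print(name, inspect_elf(img))
```

The `weak` image is the world of classic shellcode injection: a fixed load address and a stack the CPU will happily execute. The `hardened` image is the setting this chapter assumes, where injected bytes can never run and the binary's addresses move between executions, which is exactly why an attacker is pushed toward reusing the code that is already mapped as executable. Real `checksec`-style tools additionally look at `RELRO`, stack canaries and `FORTIFY`, which this example deliberately leaves out.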
