Details

This is more generally knows as Return Oriented Programming (ROP) or Jump Oriented Programming (JOP), but ultimately boils down to using the kernel's own executable memory to build a chain of gadgets in order to perform the attacker's exploit.

Examples

• remote execution (slides)
• JIT spraying

Mitigations

• compiler instrumentation for Control Flow Integrity (CFI)
• Return Address Protection, Indirect Control Transfer Protection (e.g. RAP)
• Constant blinding (to defeat JIT sprays)