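% Shacham's CCS 2007 paper, generally cited as the origin of
% return-oriented programming (ROP). The abstract kept at the end of this
% file describes the result: short instruction sequences already present in
% x86 executables are combined into gadgets that allow arbitrary computation,
% so a defence that only blocks injected code or calls into libc functions
% does not cover this class of attack.
%
% Data-entry notes:
%   - author/editor names use the unambiguous "Last, First" form;
%   - page and date ranges use the double hyphen;
%   - the bare DOI is stored in "doi"; the DBLP "ee" link is kept unchanged
%     for tools that still read it;
%   - the child entry stays ahead of its crossref parent, which classic
%     BibTeX requires.
@inproceedings{DBLP:conf/ccs/Shacham07,
  author    = {Shacham, Hovav},
  title     = {The Geometry of Innocent Flesh on the Bone: Return-into-libc
               without Function Calls (on the x86)},
  booktitle = {{ACM} Conference on Computer and Communications Security},
  year      = {2007},
  pages     = {552--561},
  doi       = {10.1145/1315245.1315313},
  ee        = {http://doi.acm.org/10.1145/1315245.1315313},
  crossref  = {DBLP:conf/ccs/2007},
  bibsource = {DBLP, http://dblp.uni-trier.de},
}

% Parent proceedings volume for the entry above. The compound surname
% "De Capitani di Vimercati" is braced so that BibTeX treats it as one
% indivisible last name instead of splitting it at the lowercase particle.
@proceedings{DBLP:conf/ccs/2007,
  editor    = {Ning, Peng and
               {De Capitani di Vimercati}, Sabrina and
               Syverson, Paul F.},
  title     = {Proceedings of the 2007 {ACM} Conference on Computer and
               Communications Security, {CCS} 2007, {Alexandria}, {Virginia},
               {USA}, {October} 28--31, 2007},
  booktitle = {{ACM} Conference on Computer and Communications Security},
  publisher = {ACM},
  year      = {2007},
  isbn      = {978-1-59593-703-2},
  bibsource = {DBLP, http://dblp.uni-trier.de},
}

ABSTRACT
We present new techniques that allow a return-into-libc attack to be mounted on x86 executables that calls no functions at all. Our attack combines a large number of short instruction sequences to build gadgets that allow arbitrary computation. We show how to discover such instruction sequences by means of static analysis. We make use, in an essential way, of the properties of the x86 instruction set.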