Return-Oriented Programming (ROP) is a technique which leverages the instruction snippets in existing libraries/executables to construct Turing-complete programs. This technique can generate shellcode which evades most code injection defenses. However, a ROP attack is usually composed of gadgets ending in a ret instruction without a corresponding call instruction. Based on this fact, several defense mechanisms have been proposed to detect ROP malicious code. In this paper, we present the Jump-Oriented Programming (JOP) attack, which uses gadgets ending in a jmp instruction. This new technique, which uses a jmp instruction or a call instruction in place of the ret instruction, breaks the hypothesis of the existing defense tools. Meanwhile, we propose a tool to automatically construct real-world JOP attacks, which, as demonstrated in our experiment, can bypass most of the existing ROP defenses.
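The defense hypothesis the abstract refers to is that a legitimate ret always returns to the instruction following an earlier call, so a monitor that pairs calls and returns (a shadow-stack style check) will flag a chain of ret-terminated gadgets. The model below is an added illustration written for this page, not code from the paper or its tool: it runs that pairing check over constructed branch traces (abstract events with made-up addresses, not real binaries) and records how many control transfers a jmp-only chain makes that the check never inspects. The `Event` class, the `call_len` parameter, and the trace contents are all assumptions of the example.

```python
"""Model of a call/ret-pairing ROP detector and the control transfers it does
not inspect. Added example; traces and addresses are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str   # "call", "ret" or "jmp" (assumed event model)
    src: int    # address of the control-transfer instruction (constructed)
    dst: int    # address control is transferred to (constructed)


def check_call_ret_pairing(trace, call_len=5):
    """Shadow-stack style check: every ret must land on the address that
    follows the most recent unmatched call. Returns the offending ret events.
    jmp events are not looked at, which is the blind spot the abstract names.
    call_len is an assumed fixed call-instruction size."""
    shadow = []        # expected return addresses, innermost last
    violations = []
    for ev in trace:
        if ev.kind == "call":
            shadow.append(ev.src + call_len)
        elif ev.kind == "ret":
            if shadow and shadow[-1] == ev.dst:
                shadow.pop()           # well-formed return
            else:
                violations.append(ev)  # ret with no corresponding call
    return violations


def summarize(trace, call_len=5):
    """Count what the pairing check catches versus what it never sees."""
    return {
        "ret_violations": len(check_call_ret_pairing(trace, call_len)),
        "uninspected_jmps": sum(1 for ev in trace if ev.kind == "jmp"),
    }


# Constructed benign trace: one call, callee returns to the next instruction.
BENIGN = [
    Event("call", 0x1000, 0x2000),
    Event("ret", 0x2010, 0x1005),
]

# Constructed ret-chained trace: after the first call, each ret lands on an
# address that no call set up, so the pairing check flags every one of them.
RET_CHAIN = [
    Event("call", 0x1000, 0x2000),
    Event("ret", 0x2010, 0x3000),
    Event("ret", 0x3004, 0x3100),
    Event("ret", 0x3104, 0x3200),
]

# Constructed jmp-chained trace: control moves between snippets by jmp only,
# so there is no ret for the pairing check to reject.
JMP_CHAIN = [
    Event("jmp", 0x3000, 0x3100),
    Event("jmp", 0x3104, 0x3200),
    Event("jmp", 0x3204, 0x3300),
]

if __name__ == "__main__":
    for name, trace in (("benign", BENIGN), ("ret chain", RET_CHAIN),
                        ("jmp chain", JMP_CHAIN)):
        print(f"{name:10s} {summarize(trace)}")
```

The point for a defender is visible in the last two traces: the ret-based chain produces one violation per gadget, while the jmp-based chain produces none, because a check that reasons only about the call/ret discipline has no opinion about indirect jumps. A monitor that wants coverage of the JOP case therefore has to reason about indirect jmp and call targets as well, which is precisely the hypothesis the paper says existing tools lack.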