Introducing return-oriented programming
So now we're seeing two distinct countermeasures that work together to make the lives of the bad guys more difficult. We're taking away the predictability necessary to find the soft spots of the vulnerable program when loaded in memory, and we're filing down the areas of memory where execution is allowed to the bare minimum. In other words, DEP/NX and ASLR take a big and stationary target and turn it into a tiny moving target. Hopefully, the hacker in you is already brainstorming the security assumptions of these protection mechanisms. Think of it this way: we're setting certain regions of memory as non-executable, but this is a program; there are instructions that have to be executed. We're randomizing address space so that it's hard to predict where to find certain structures, but there's a flow of execution. There has to be a way to find everything needed to get the job done. Return-oriented programming takes advantage of this reality. Let's take...