Return-Oriented Programming on RISC-V

George-Axel Jaloyan, Konstantinos Markantonakis, Raja Naeem Akram, David Robin, Keith Mayes, David Naccache

Research output: Contribution to conference › Paper › peer-review



This paper provides the first analysis of the feasibility of Return-Oriented Programming (ROP) on RISC-V, a new instruction set architecture targeting embedded systems. We show the existence of a new class of gadgets, spanning several Linear Code Sequences And Jumps (LCSAJ), that goes undetected by current Galileo-based ROP gadget searching tools.

We argue that this class of gadgets is rich enough on RISC-V to mount complex ROP attacks, bypassing traditional mitigations such as DEP, ASLR, stack canaries, G-Free and some compiler-based backward-edge CFI, by jumping over any guard inserted by a compiler to protect indirect jump instructions.

We provide examples of such gadgets, as well as a proof-of-concept ROP chain, using C code injection to leverage a privilege escalation attack on two standard Linux operating systems. Additionally, we discuss some of the mitigations required to prevent such attacks and provide a new ROP gadget finder algorithm that handles this new class of gadgets.
Original language: English
Number of pages: 10
Publication status: Published - Oct 2020
Event: ACM ASIACCS 2020 - Taipei, Taiwan
Duration: 5 Oct 2020 to 9 Oct 2020


Conference: ACM ASIACCS 2020
Abbreviated title: ASIACCS
Country/Territory: Taiwan, Province of China
