Return-Oriented Programming on RISC-V. / Jaloyan, George-Axel; Markantonakis, Konstantinos; Akram, Raja Naeem; Robin, David; Mayes, Keith; Naccache, David.

2020. Paper presented at ACM ASIACCS 2020, Taipei, Taiwan, Province of China.

Research output: Contribution to conference, Paper





This paper provides the first analysis on the feasibility of Return-Oriented programming (ROP) on RISC-V, a new instruction set architecture targeting embedded systems. We show the existence of a new class of gadgets, using several Linear Code Sequences And Jumps (LCSAJ), undetected by current Galileo-based ROP gadget searching tools.

We argue that this class of gadgets is rich enough on RISC-V to mount complex ROP attacks, bypassing traditional mitigation like DEP, ASLR, stack canaries, G-Free and some compiler-based backward-edge CFI, by jumping over any guard inserted by a compiler to protect indirect jump instructions.

We provide examples of such gadgets, as well as a proof-of-concept ROP chain, using C code injection to leverage a privilege escalation attack on two standard Linux operating systems. Additionally, we discuss some of the required mitigations to prevent such attacks and provide a new ROP gadget finder algorithm that handles this new class of gadgets.

Original language: English
Publication status: Accepted/In press - 16 Feb 2020
Event: ACM ASIACCS 2020 - Taiwan, Taipei, Taiwan, Province of China
Duration: 5 Oct 2020 to 9 Oct 2020


Conference: ACM ASIACCS 2020
Abbreviated title: ASIACCS
Country: Taiwan, Province of China

ID: 37157934