Sigreturn-oriented programming

This gadget may reside at a fixed location, making this attack simple and effective, with a setup generally simpler and more portable than the one needed by the plain return-oriented programming technique.

With such protections in place, the machine won't execute any code present in memory areas marked as writable and non-executable.

Most programs do not contain functions that will allow the attacker to directly carry out the desired action (e.g., obtain access to a shell), but the necessary instructions are often scattered around memory.

Address space layout randomization (ASLR) makes it hard to use gadgets without an information leak that reveals their exact positions in memory.

For Linux kernels prior to version 3.3, it is also possible to find a suitable gadget inside the vsyscall page, a mechanism that accelerates access to certain system calls often used by legacy programs and that always resides at a fixed location.

[1] A number of techniques exist to mitigate SROP attacks, relying on address space layout randomization, canaries and cookies, or shadow stacks.

In this way, the sigreturn syscall just needs to verify the cookie's existence at the expected location, effectively mitigating SROP with a minimal impact on performance.

[1][10] In Linux kernel versions greater than 3.3, the vsyscall interface is emulated, and any attempt to directly execute gadgets in the page results in an exception.

CET works by implementing a shadow stack in RAM that contains only return addresses and is protected by the CPU's memory management unit.

Figure: Stack contents while handling a signal (Linux x86-64), including the sigcontext structure.