
Code-reuse attacks are a class of memory exploitation techniques that bypass hardware and OS-enforced memory protections by chaining together small sequences of existing legitimate code—called gadgets—already present in the target process or its loaded libraries, enabling arbitrary computation without injecting any new executable code.
The introduction of Data Execution Prevention (DEP) and Non-Executable (NX) memory eliminated traditional shellcode injection as a reliable exploitation path. Attackers responded by developing code-reuse techniques—most notably Return-Oriented Programming (ROP)—that repurpose legitimate code to achieve execution under attacker control. These techniques are now standard components of advanced exploit frameworks and are used in targeted attacks against enterprise infrastructure, browser engines, and embedded systems alike.
Return-Oriented Programming: The Core Code-Reuse Technique
Return-Oriented Programming (ROP) is the foundational code-reuse attack technique. It manipulates the call stack by overwriting return addresses with the locations of small instruction sequences—gadgets—each ending in a RET instruction. By chaining these gadgets together, an attacker constructs a complete computation from fragments of legitimate, trusted code already present in memory.
- Gadget Discovery and Chaining: A ROP exploit begins with gadget harvesting—automated analysis of target binaries and loaded libraries to catalog all short instruction sequences ending in RET. Toolkits such as ROPgadget, ropper, and pwntools automate this process. The attacker then constructs a gadget chain—a sequence of return addresses stacked in memory—that performs the desired operation when the call stack is unwound.
- Stack Pivoting: When an attacker cannot directly control the stack pointer, a stack-pivot gadget redirects execution to an attacker-controlled memory region that serves as the fake stack. Stack pivots—typically gadgets involving XCHG, MOV, or LEA instructions on ESP or RSP—are a prerequisite for many ROP exploits and a reliable indicator of code-reuse attack activity in memory forensics.
- ROP-Based Payload Staging: In common usage, ROP chains are not the final payload. Instead, attackers use a minimal ROP chain to call a system function—typically VirtualAlloc or mprotect—that marks a region of memory executable, then transfers control to conventional shellcode. This two-stage approach reduces the complexity of the ROP chain required while still achieving full code execution.
ROP attack construction requires deep knowledge of the target binary’s address space, making it a technique primarily associated with skilled threat actors and sophisticated exploit frameworks—though automated tooling has significantly reduced the expertise barrier.
Jump-Oriented Programming and Advanced Code-Reuse Variants
As defenses against ROP chains improved—particularly hardware shadow stack implementations and CFI (control-flow integrity) technologies—researchers and threat actors developed additional variants of code-reuse. Jump-Oriented Programming (JOP) and other advanced techniques extend the attack surface beyond return instructions to cover indirect jumps and calls.
- Jump-Oriented Programming (JOP): JOP replaces the RET-based dispatch mechanism of ROP with indirect jump instructions (JMP [register]). A dispatcher gadget drives execution of the gadget chain by loading addresses from an attacker-controlled dispatch table into a register and jumping to each gadget in sequence. JOP evades return-address-focused shadow stack defenses because it never returns through the call stack in the conventional sense.
- Call-Oriented Programming (COP): COP uses indirect call instructions (CALL [register]) as gadget terminators. Like JOP, it avoids the return-address stack entirely, targeting defenses that focus exclusively on return instruction monitoring. COP gadget chains are typically shorter and harder to detect than ROP chains, though the available gadget set is also smaller, constraining the operations that can be constructed.
- Data-Oriented Programming (DOP): DOP represents the most sophisticated evolution of code-reuse techniques. Rather than hijacking control flow, DOP manipulates data values processed by existing conditional branches to achieve attacker-controlled computation while the program follows its normal control flow path. DOP attacks are Turing-complete and can evade all control-flow-based defenses because the control flow graph is never violated.
Understanding this landscape of code-reuse variants is essential for security architects evaluating mitigations—a defense effective against ROP may offer no protection against JOP or DOP, requiring layered controls that address multiple attack vectors simultaneously.
Memory Protections and Their Limitations Against Code-Reuse Attacks
The defensive technologies deployed against memory exploitation—DEP/NX, ASLR, stack canaries, and CFI—each address specific aspects of the exploitation pipeline. Understanding what each control protects against and what it does not is essential for accurately assessing residual risk from code-reuse attacks.
- DEP/NX and Its Limitations: Data Execution Prevention prevents code execution from data segments, defeating traditional shellcode injection. However, DEP/NX does not affect code-reuse attacks because gadgets execute from legitimate memory pages that are already marked executable. DEP closes the conventional shellcode path while simultaneously making code reuse the primary technique for continued exploitation.
- ASLR and Entropy Requirements: Address Space Layout Randomization randomizes the base addresses of the stack, heap, and loaded libraries, making it harder to predict where gadgets reside. However, ASLR can be defeated by information disclosure vulnerabilities that leak a single pointer into a known module. Once one address is known, an attacker can calculate the location of all gadgets in that module with certainty. 64-bit ASLR with high entropy is significantly stronger than 32-bit implementations.
- Control Flow Integrity (CFI): CFI enforces valid indirect branch targets at runtime, preventing arbitrary gadget chaining by limiting where indirect calls and jumps can transfer control. Coarse-grained CFI—the most widely deployed form—provides meaningful protection against basic ROP and JOP attacks. Fine-grained CFI, shadow stacks (Intel CET), and ARM Pointer Authentication provide stronger guarantees but require hardware support and binary recompilation.
No single memory protection technology eliminates the risk of code-reuse attacks. Security architects should evaluate their platform’s combination of protections and identify the residual exposure—particularly for legacy applications running on older hardware without hardware-enforced CFI support.
Detecting Code-Reuse Attacks in Enterprise Environments
Detecting code-reuse attacks in enterprise environments is challenging because malicious computations execute entirely within legitimate code. Detection requires monitoring behavioral and structural indicators of exploitation activity rather than looking for novel code patterns.
- API Call Sequence Anomaly Detection: Many ROP exploit payloads culminate in specific Win32 API call sequences—VirtualAlloc followed by WriteProcessMemory and CreateRemoteThread, or NtAllocateVirtualMemory with executable memory permissions. EDR platforms and API hooking frameworks can monitor for these anomalous call sequences and flag suspicious allocations even when the ROP chain itself is constructed from legitimate code.
- Stack Walk and Return Address Validation: Process monitoring tools that perform call stack walks can identify anomalous return address sequences characteristic of ROP chain execution—long chains of returns with very short code sequences between them, or return addresses pointing to the middle of legitimate functions rather than valid call sites. Intel CET shadow stacks enforce this check at the hardware level.
- Heap Spray and Memory Layout Monitoring: Code-reuse exploits are often preceded by heap spray or memory grooming operations that arrange memory in a predictable way before triggering the vulnerability. Behavioral monitoring for large, repetitive memory allocations—particularly those followed by API calls indicative of exploitation—provides an early warning signal for in-progress code-reuse exploitation attempts.
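The first indicator above, expressed as detection logic. This is an added example, not code from the original page or from Deepwatch: it replays constructed EDR-style API telemetry and flags any executable allocation, plus the staged VirtualAlloc, WriteProcessMemory, CreateRemoteThread chain when it completes within a short window. The telemetry line format, the five-event window and the process IDs are assumptions made for the example.

```python
import re

# Constructed EDR-style telemetry (not real data); the line format is assumed here:
# <seq> pid=<n> api=<name> <key=value ...>
SAMPLE_EVENTS = """\
1 pid=4120 api=VirtualAlloc size=0x1000 protect=PAGE_READWRITE
2 pid=4120 api=ReadFile size=0x200
3 pid=5044 api=VirtualAlloc size=0x10000 protect=PAGE_EXECUTE_READWRITE
4 pid=5044 api=WriteProcessMemory target_pid=616 size=0x10000
5 pid=5044 api=CreateRemoteThread target_pid=616
6 pid=7100 api=NtAllocateVirtualMemory size=0x3000 protect=PAGE_EXECUTE_READ
7 pid=7100 api=CloseHandle
8 pid=7100 api=WriteProcessMemory target_pid=900 size=0x3000
""".splitlines()

EXEC_PROTECT = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ",
                "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}
ALLOC_APIS = {"VirtualAlloc", "VirtualAllocEx", "NtAllocateVirtualMemory"}
STAGES = ["WriteProcessMemory", "CreateRemoteThread"]   # must follow in this order
WINDOW = 5                                               # max events from the allocation
EVENT_RE = re.compile(r"^(\d+) pid=(\d+) api=(\w+)(.*)$")

def parse_event(line):
    """Turn one telemetry line into a dict; None for lines that do not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    seq, pid, api, rest = m.groups()
    return {"seq": int(seq), "pid": int(pid), "api": api,
            **dict(kv.split("=", 1) for kv in rest.split())}

def detect(lines):
    """Return ("exec_alloc", pid, seq) for every executable allocation and
    ("staged_injection", pid, first_seq, last_seq) when the full chain completes."""
    pending, alerts = {}, []        # pid -> (next stage index, seq of the allocation)
    for ev in filter(None, map(parse_event, lines)):
        pid, api, seq = ev["pid"], ev["api"], ev["seq"]
        if api in ALLOC_APIS and ev.get("protect") in EXEC_PROTECT:
            alerts.append(("exec_alloc", pid, seq))
            pending[pid] = (0, seq)             # start (or restart) the chain here
        elif pid in pending:
            stage, start = pending[pid]
            if seq - start > WINDOW:
                del pending[pid]                # too far apart: not the staged pattern
            elif api == STAGES[stage]:
                if stage + 1 == len(STAGES):
                    alerts.append(("staged_injection", pid, start, seq))
                    del pending[pid]
                else:
                    pending[pid] = (stage + 1, start)
    return alerts
```

Process 7100 shows the caveat: an executable allocation is reported on its own, but an incomplete chain (no CreateRemoteThread) does not produce the staged-injection alert.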
Effective detection of code-reuse attacks requires EDR platforms with kernel-level visibility and behavioral analytics capabilities that correlate memory events with process behavior over time—point-in-time snapshot tools are insufficient for detecting the multi-stage nature of these exploits.
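The stack-walk checks from the second indicator above, applied to a constructed snapshot. This is an added example, not code from the original page or from Deepwatch: `example.dll`, its load address and its instruction bytes are constructed, and the two heuristics are (1) every return address must lie in a mapped module and be preceded by a CALL encoding, and (2) a run of frames that each reach a RET within a few bytes looks like a gadget chain rather than genuine call frames.

```python
# Constructed x86-64 module image; the offset of each instruction is noted in the comments.
BASE = 0x7FF6_1000_0000                                  # assumed load address
TEXT = bytes.fromhex(
    "4889e5" "e810000000" "4883c420" "c3"     # 00 mov rbp,rsp; 03 call; 08 add rsp,0x20; 0c ret
    "ffd0" "4883c428" "4831c0" "c3"           # 0d call rax; 0f add rsp,0x28; 13 xor rax,rax; 16 ret
    "5b" "c3" "5f" "c3"                       # 17 pop rbx; 18 ret; 19 pop rdi; 1a ret (gadgets)
    "ff1500100000" "4889c7" "e8f0ffffff"      # 1b call [rip+disp]; 21 mov rdi,rax; 24 call
    "488b45f8" "c9" "c3")                     # 29 mov rax,[rbp-8]; 2d leave; 2e ret
MODULES = {"example.dll": (BASE, TEXT)}                  # constructed module map
SHORT_FRAGMENT = 3   # a RET this close to a return address looks like a gadget

def is_call_preceded(text, off):
    """True if the bytes just before `off` decode as a CALL (common encodings only)."""
    if off >= 5 and text[off - 5] == 0xE8:                          # call rel32
        return True
    if off >= 2 and text[off - 2] == 0xFF and 0xD0 <= text[off - 1] <= 0xD7:
        return True                                                 # call r64
    return off >= 6 and text[off - 6:off - 4] == b"\xff\x15"        # call [rip+disp32]

def analyze_stack(frames, modules=MODULES):
    """Return (frame_index, reason) findings for a list of return addresses."""
    findings, short_run = [], 0
    for i, addr in enumerate(frames):
        hit = next(((n, addr - b) for n, (b, t) in modules.items()
                    if b <= addr < b + len(t)), None)
        if hit is None:
            findings.append((i, "return address outside any mapped module"))
            short_run = 0
            continue
        name, off = hit
        text = modules[name][1]
        if not is_call_preceded(text, off):
            findings.append((i, f"{name}+{off:#x} is not call-preceded"))
        # The byte scan for the next RET is approximate (no disassembler), which is
        # why one short frame is tolerated and only a run of them is reported.
        nxt = text.find(b"\xc3", off)
        short_run = short_run + 1 if 0 <= nxt - off <= SHORT_FRAGMENT else 0
        if short_run >= 2:
            findings.append((i, f"{short_run} consecutive gadget-length frames"))
    return findings

# Constructed snapshots: ordinary call frames vs. a gadget chain with a bad pointer.
LEGIT_STACK = [BASE + 0x08, BASE + 0x0F, BASE + 0x21, BASE + 0x29]
ROP_STACK = [BASE + 0x08, BASE + 0x17, BASE + 0x19, BASE + 0x17,
             0x4141414141414141, BASE + 0x29]
```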
Mitigating Code-Reuse Attacks: Compiler and OS-Level Controls
Effective mitigation of code-reuse attacks requires a defense-in-depth approach that combines compilation-time hardening, OS-level enforcement, and application-layer controls. Organizations should prioritize modern mitigations that address the full spectrum of code-reuse techniques, not just the classic ROP variant.
- Intel CET and ARM Pointer Authentication: Intel Control-flow Enforcement Technology (CET) introduces two controls: a hardware shadow stack that tracks return addresses independently of the main call stack, preventing ROP-based return address manipulation, and Indirect Branch Tracking (IBT), which enforces valid indirect jump and call targets. ARM Pointer Authentication (PAC) provides similar return-address integrity guarantees on ARM64 hardware. These hardware-level controls should be enabled for all production systems running on supported hardware.
- Compiler Hardening Options: Modern compilers support a range of hardening options that reduce gadget availability and add runtime integrity checks: SAFESEH and /guard:cf on Windows, -fcf-protection (GCC/Clang), stack canaries (/GS or -fstack-protector-strong), and position-independent executable (PIE) compilation, which strengthens ASLR. Application owners should audit their build pipelines to ensure these flags are consistently applied to production binaries.
- Exploit Mitigation Toolkits: Microsoft Enhanced Mitigation Experience Toolkit (EMET, now superseded by Windows Defender Exploit Guard) and Linux grsecurity/PaX provide additional process-level controls beyond default OS protections—caller/return address checks, heap spray detection, and export address table filtering. Security teams managing legacy applications that cannot be recompiled should evaluate these process-level mitigations as compensating controls.
Mitigation effectiveness depends on consistent application across all production systems, third-party libraries, and runtime components. A single unprotected binary in a process’s address space can provide sufficient gadgets to defeat protections applied to the main executable.
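To make concrete why a shadow stack stops ROP but not JOP, and what IBT does and does not catch (the variants described in the Jump-Oriented Programming section and the CET controls described above), here is a toy CPU model. It is an added example, not code from the original page or from Deepwatch, and not a model of any real instruction set: instruction indices stand in for addresses, `corrupt` stands in for the memory-safety bug that overwrites the saved return address, and `endbr` marks a legitimate indirect-branch entry point.

```python
MEM_SLOTS = 8   # the data stack is ordinary writable memory; the shadow stack is not

class Cpu:
    def __init__(self, program, shadow_stack=True, ibt=True):
        self.prog, self.shadow_stack, self.ibt = program, shadow_stack, ibt
        self.mem, self.sp, self.shadow = [0] * MEM_SLOTS, MEM_SLOTS - 3, []
        self.reg, self.pc, self.trace = 0, 0, []

    def run(self, max_steps=50):   # returns (trace, fault), fault being None or a reason
        for _ in range(max_steps):
            ins, kind = self.prog[self.pc], self.prog[self.pc][0]
            if kind == "halt":
                return self.trace, None
            if kind == "call":                    # push return address on both stacks
                self.sp -= 1
                self.mem[self.sp], self.pc = self.pc + 1, ins[1]
                self.shadow.append(self.mem[self.sp])
                continue
            if kind == "ret":                     # pop data stack, compare with shadow
                target, self.sp = self.mem[self.sp], self.sp + 1
                expected = self.shadow.pop() if self.shadow else None
                if self.shadow_stack and target != expected:
                    return self.trace, f"#CP shadow stack mismatch: {target} != {expected}"
                self.pc = target
                continue
            if kind == "jmp_reg":                 # indirect branch through the register
                if self.ibt and self.prog[self.reg][0] != "endbr":
                    return self.trace, f"#CP IBT: target {self.reg} lacks ENDBR"
                self.pc = self.reg
                continue
            if kind == "op":                      # ordinary instruction: just log it
                self.trace.append(ins[1])
            elif kind == "load":                  # attacker-influenced pointer into reg
                self.reg = ins[1]
            elif kind == "corrupt":               # the memory-safety bug: overwrite the
                for i, v in enumerate(ins[1]):    # saved return address and what follows
                    self.mem[self.sp + i] = v
            self.pc += 1                          # op, load, corrupt, endbr fall through
        return self.trace, "step limit reached"

# Constructed programs (instruction index = address). BENIGN: a normal call/return.
BENIGN = [("call", 3), ("op", "back_in_main"), ("halt",), ("endbr",), ("op", "callee"), ("ret",)]
# ROP: the callee's bug replaces its saved return address with a RET-ending fragment (3)
# and chains that fragment back to halt (2); only the data stack is ever written.
ROP = [("call", 5), ("op", "back_in_main"), ("halt",), ("op", "gadget"), ("ret",),
       ("endbr",), ("corrupt", [3, 2]), ("ret",)]
# JOP: an indirect jump through an attacker-influenced pointer; 3 is a fragment, 5 an ENDBR entry.
def jop(target):
    return [("load", target), ("jmp_reg",), ("halt",), ("op", "gadget"), ("halt",),
            ("endbr",), ("op", "legit_indirect_target"), ("halt",)]
```

The JOP case with target 5 runs cleanly even with IBT on, which is the coarse-grained limitation noted in the CFI section: IBT restricts indirect branches to marked entry points, not to the one intended target.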
Code-Reuse Attacks in Threat Actor Toolkits and Enterprise Risk
Code reuse techniques are no longer solely the domain of specialized vulnerability researchers. They are integrated into commercial exploit frameworks, criminal malware platforms, and nation-state offensive toolkits—making enterprise exposure to code-reuse attack risk a practical threat operations concern rather than a theoretical vulnerability research issue.
- Browser and Document Exploitation: Web browsers and document processing applications—PDF readers, Office suites, email clients—are primary targets for code-reuse exploitation because they process attacker-controlled content, have large attack surfaces, and, in modern browsers, contain mature JIT compiler codebases with rich gadget sets. Many enterprise phishing and watering hole attacks chain a browser or document vulnerability with a ROP payload to achieve initial access.
- Kernel-Level Code-Reuse: Kernel exploits increasingly use code-reuse techniques to bypass kernel code signing and SMEP/SMAP protections. Privilege escalation exploits targeting vulnerable kernel drivers—a technique widely used by ransomware and APT groups for BYOVD (bring your own vulnerable driver) attacks—commonly employ ROP chains to manipulate kernel data structures and disable security features from within the kernel address space.
- Exploit Kits and Commodity Threat Actor Adoption: Exploit kit operators and commodity malware distribution networks have automated the generation of ROP chains for common browser and plugin vulnerabilities, lowering the technical barrier to deploying code-reuse exploits at scale. Security operations teams should treat drive-by downloads and malvertising campaigns as code-reuse attack delivery mechanisms and ensure that browser isolation, EDR coverage, and network monitoring address this threat vector.
Organizations managing high-value targets—financial systems, industrial control infrastructure, and sensitive data repositories—should conduct application security assessments to evaluate code-reuse vulnerability exposure and validate that deployed mitigations are correctly configured and actively enforced.
Conclusion
Code-reuse attacks represent a fundamental evolution in memory exploitation techniques that has permanently changed the defensive equation for application security—defeating the injected shellcode model entirely while exploiting the same memory corruption vulnerabilities through a different mechanism. Effective enterprise defense requires hardware-level enforcement through Intel CET and ARM PAC, consistent compiler hardening across the software supply chain, EDR platforms with behavioral memory monitoring, and security operations teams equipped to recognize and respond to the exploitation patterns these techniques produce.
Deepwatch® is the pioneer of AI- and human-driven cyber resilience. By combining AI, security data, intelligence, and human expertise, the Deepwatch Platform helps organizations reduce risk through early and precise threat detection and remediation.
