-
Even in OSes with fully randomized address spaces and data execution protection, you can use return oriented programming to patch together malicious code from sequences of instructions that are in memory from common executables (“ransom note exploits”). The lesson: shift the game from focusing on injection vulnerabilities to minimizing the damage an attacker can cause. One of the best papers from SOURCE: Boston in 2010.