by tptacek 4005 days ago
Yeah, this just doesn't seem like an illuminating example in practice. In practice, gadgets for ROP chains are harvested from program text. It's for that reason that so much effort is expended in many exploits on memory leaks that reveal the locations of libraries loaded into memory.

Thanks. Is this because it's mostly programs that live in executable space on a well-maintained machine or because gadgets can be precomputed (at least in parts) which makes compilation easier? (Not that that is mutually exclusive!)
Both of those are true.
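The thread's point (gadgets come from program text; leaks matter because they reveal where that text was mapped) has a practical defender's corollary: an address leak is only required when the text is actually randomized. A fixed-address (non-PIE, ET_EXEC) main binary places its text at the same address every run, so ASLR protects only the shared libraries. The following is an added illustration, not code from any of the commenters: it reads the ELF header to classify an image as fixed-address or position-independent, and shows the address arithmetic that makes a base-address leak valuable. The `fake_elf_header` helper builds a constructed, minimal 64-byte header for offline testing; the field layout follows the ELF64 specification.

```python
import struct
import sys

# ELF constants (from the ELF specification)
ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2   # fixed-address executable: its text lands at the same address every run
ET_DYN = 3    # position-independent executable or shared object: loader picks the base


def elf_type(data: bytes) -> int:
    """Return e_type from an ELF header, honoring the file's declared byte order."""
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    endian = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little-endian, 2 = big-endian
    return struct.unpack(endian + "H", data[16:18])[0]


def text_is_randomized(data: bytes) -> bool:
    """True when the image's program text is relocated by the loader (ASLR applies to it)."""
    return elf_type(data) == ET_DYN


def gadget_runtime_address(load_base: int, gadget_offset: int) -> int:
    """Where a byte sequence found at gadget_offset in the file ends up once mapped at load_base.

    For an ET_EXEC image load_base is a known constant; for an ET_DYN image it is
    chosen per process, which is exactly what a memory-disclosure bug hands to an attacker.
    """
    return load_base + gadget_offset


def fake_elf_header(e_type: int) -> bytes:
    """Constructed 64-byte ELF64 little-endian header; only the fields read above are meaningful."""
    ident = ELF_MAGIC + bytes([2, 1, 1]) + bytes(9)   # ELFCLASS64, ELFDATA2LSB, EV_CURRENT, padding
    # e_type, e_machine(x86-64), e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    rest = struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 0, 0, 0, 64, 56, 0, 64, 0, 0)
    return ident + rest


def describe(path: str) -> str:
    """Human-readable verdict for a real file on disk."""
    with open(path, "rb") as f:
        header = f.read(64)
    if text_is_randomized(header):
        return f"{path}: position-independent; text base differs per run, a leak is needed to locate it"
    return f"{path}: fixed-address; text (and any gadgets in it) sits at the same address every run"


if __name__ == "__main__":
    # Offline demonstration on constructed headers (no file needed).
    pie = fake_elf_header(ET_DYN)
    fixed = fake_elf_header(ET_EXEC)
    print("constructed PIE header randomized:", text_is_randomized(pie))
    print("constructed ET_EXEC header randomized:", text_is_randomized(fixed))
    # Same in-file offset, two different runtime addresses once a PIE is mapped at different bases.
    for base in (0x555555554000, 0x5639a1c2e000):   # constructed sample bases
        print(hex(gadget_runtime_address(base, 0x1234)))
    for path in sys.argv[1:]:
        print(describe(path))
```

Run it with one or more ELF paths to classify real binaries; with no arguments it only exercises the constructed headers. The mitigation this check informs is building with PIE so that the main program's text joins the libraries under ASLR, which is what forces the leak step the comment describes.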