Jump-oriented Programming: Why is it better/easier to jump to the dispatcher gadget than to jump from one functional gadget directly to another functional gadget?
My understanding of JOP:
In jump-oriented programming (as described in e.g. the paper Jump-Oriented Programming: A New Class of Code-Reuse Attack), the JOP attack (after the attack has been successfully initiated) works in a general loop where the dispatcher gadget jumps to some functional gadget, then the functional gadget jumps back to the dispatcher gadget (and then the dispatcher gadget jumps to some other functional gadget and so on).
Main question:
What I don't understand is why it is easier to always jump back to the dispatcher gadget from a functional-gadget instead of directly jumping to another functional gadget?
Whether you jump from a functional gadget to the dispatcher-gadget or another functional-gadget you need to have the address-to-jump-to stored/kept somewhere. So is the idea of the dispatcher gadget basically that it's just easier when leaving a functional gadget to always jump to the same address (as you can store it at the same place throughout many gadget-calls even though you occasionally need to switch the storage around a bit depending on which register the functional gadget bases its jump on) or is there another reason?
(The paper also describes jumping directly from one gadget to another: "For example, one gadget may end in jmp [edx], then a second may use the edx register for a computation before loading esi with the dispatcher address and terminating with jmp esi.", but it seems to be uncommon/not normal to use (maybe more used for repeatedly sequentially executed gadgets, idk), as they also write "To maintain control of the execution, all functional gadgets executed by the dispatcher must conclude by jumping back to it, so that the next gadget can be launched.")
Minor questions:
And is there a hard requirement for a dispatcher that increments the current dispatch-table address and then also directly jumps to the gadget pointed to by the current dispatch-table address or could that not just as well be two different gadgets (one that increments it and then always jumps to another one that then jumps to the incremented dispatch-table address) and having one dispatcher for both is just more convenient?
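
A toy model of the control flow described in the question, added here as an illustration; it is not code from the post or from the cited paper. It runs the same dispatch table through a single dispatcher gadget and through the split increment-then-jump pair from the minor question. All addresses, gadget names and effects are constructed, and the model says nothing about which gadgets exist in a real binary.

```python
# Toy model of the JOP loop described in the question. All addresses, gadget
# names and effects are constructed; nothing here is real machine code.
DISPATCH, DISP_INC, DISP_JMP = 0x10, 0x20, 0x24   # dispatcher variants
G_ADD5, G_DOUBLE, G_HALT = 0x100, 0x200, 0x300     # functional gadgets

def functional(effect):
    """A functional gadget: do its work, then jump via the register that
    holds the dispatcher address (the 'jmp esi' style ending)."""
    def gadget(s):
        s["acc"] = effect(s["acc"])
        return s["ret"]          # always the same target: the dispatcher
    return gadget

def fetch(s):
    """jmp [table pointer]: continue at the current dispatch-table entry."""
    return s["table"][s["tp"]]

def combined(s):                 # one gadget: increment, then jump via table
    s["tp"] += 1
    return fetch(s)

def inc_only(s):                 # split variant, part 1: increment, fixed jump
    s["tp"] += 1
    return DISP_JMP              # part 2 is plain fetch() at DISP_JMP

CODE = {
    DISPATCH: combined, DISP_INC: inc_only, DISP_JMP: fetch,
    G_ADD5: functional(lambda a: a + 5),
    G_DOUBLE: functional(lambda a: a * 2),
    G_HALT: lambda s: None,      # ends the simulation
}

def run(dispatcher_entry, table):
    """Execute the loop; return (addresses visited, final accumulator)."""
    s = {"acc": 1, "tp": -1, "ret": dispatcher_entry, "table": table}
    pc, trace = dispatcher_entry, []
    while pc is not None:
        trace.append(pc)
        pc = CODE[pc](s)
    return trace, s["acc"]

TABLE = [G_ADD5, G_DOUBLE, G_ADD5, G_HALT]   # the gadget order is just data

if __name__ == "__main__":
    for name, entry in (("combined", DISPATCH), ("split", DISP_INC)):
        trace, acc = run(entry, TABLE)
        print(name, [hex(a) for a in trace], "acc =", acc)
```

In this model the functional gadgets never change between runs: only the value in `ret` and the contents of `TABLE` differ, and both variants visit the functional gadgets in table order.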