Infoscience

conference paper

String oriented programming: When ASLR is not enough

Payer, Mathias • Gross, Thomas R.
2013
Proceedings of the 2nd ACM SIGPLAN Program Protection and Reverse Engineering Workshop 2013, PPREW 2013
2nd ACM SIGPLAN Program Protection and Reverse Engineering Workshop 2013, PPREW 2013

Control-data attacks are a well known attack vector; these attacks either inject new code into running applications or reuse existing code in an unintended way to execute their malicious payload. Current software systems are protected against control-data attacks using numerous mechanisms like Data Execution Prevention (DEP), stack canaries, and Address Space Layout Randomization (ASLR). ASLR turns deterministic attacks into probabilistic attacks and reduces the probability of a successful attack. Unfortunately, the current ASLR implementation for Linux leaves some memory regions non-randomized. These static memory regions can be used to exploit applications that have ASLR, DEP, and stack canaries enabled. Format string exploits are an often overlooked attack vector that enables attacker-controlled memory writes in an application. A format string bug exists if a user-supplied string is passed as a first argument to any printf function. The only prerequisite for a successful format string exploit is that the attacker must be able to control that format string. This paper presents String Oriented Programming (SOP), an approach that exploits static memory regions in ASLR enabled applications. SOP uses a format string bug to exploit applications that are protected by a combination of weak ASLR, DEP, and stack canaries. Similar to return oriented programming or jump oriented programming, SOP does not rely on existing code but concatenates gadgets in the application using static program analysis. © 2013 ACM.

Type
conference paper
DOI
10.1145/2430553.2430555
Scopus ID
2-s2.0-84874142484
Author(s)
Payer, Mathias (École Polytechnique Fédérale de Lausanne)
Gross, Thomas R. (ETH Zürich)
Date Issued
2013
Published in
Proceedings of the 2nd ACM SIGPLAN Program Protection and Reverse Engineering Workshop 2013, PPREW 2013
ISBN of the book
9781450318570
Editorial or Peer reviewed
REVIEWED
Written at
OTHER
EPFL units
HEXHIVE
Event name
2nd ACM SIGPLAN Program Protection and Reverse Engineering Workshop 2013, PPREW 2013
Event place
Italy
Event date
2013-01-26 - 2013-01-26

Available on Infoscience
April 4, 2025
Use this identifier to reference this record
https://infoscience.epfl.ch/handle/20.500.14299/248655