Memory Corruption Attacks: The (almost) Complete History...
There's a party at Ring0 (and you're invited)
Return-Oriented Exploitation
Understanding the Low- Fragmentation Heap: From Allocation to Exploitation
Advanced AIX Heap Exploitation Methods