The Geometry of Innocent Flesh on the Bone is a fantastic paper for an introduction to learning how return oriented programming actually works. It’s okay as the first introduction, but this paper has fantastic concrete examples that readers can step through in order to really understand the power of these attacks. It may be worth running through a few as a group in order to make sure students are on the right path running through these, it can be easy to get stuck.

Hovav Shacham. 2007. The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In Proceedings of the 14th ACM conference on Computer and communications security (CCS ’07). ACM, New York, NY, USA, 552-561. DOI=10.1145/1315245.1315313 http://doi.acm.org/10.1145/1315245.1315313

On The Effectiveness of Address Space Layout Randomization is a fantastic introduction to the concepts of virtual versus physical memory, process layout, Write XOR Execute, and the basic idea of a return oriented programming (ROP) attack as well as why it bypasses Write XOR Execute. Finally, ASLR is covered in detail as the authors explain why it is circumventable in a 32 bit architecture.

 
Hovav Shacham, Matthew Page, Ben Pfaff, Eu-Jin Goh, Nagendra Modadugu, and Dan Boneh. 2004. On the effectiveness of address-space randomization. In Proceedings of the 11th ACM conference on Computer and communications security (CCS ’04). ACM, New York, NY, USA, 298-307. DOI=10.1145/1030083.1030124 http://doi.acm.org/10.1145/1030083.1030124