Return-Oriented Programming on a Cortex-M Processor

Nathanael R. Weidler, Dane Brown, S. Mitchell, Joel Anderson, J. Williams, Austin Costley, Chase Kunz, Christopher Wilkinson, Remy Wehbe, Ryan M. Gerdes
2017 IEEE Trustcom/BigDataSE/ICESS. Published 2017-08-01. DOI: 10.1109/Trustcom/BigDataSE/ICESS.2017.318 (https://doi.org/10.1109/Trustcom/BigDataSE/ICESS.2017.318)
Citations: 9

Abstract

Microcontrollers are found in many everyday devices and will only become more prevalent as the Internet of Things (IoT) gains momentum. As such, it is increasingly important that they are reasonably secure from known vulnerabilities. If we do not improve the security posture of these devices, then attackers will find ways to exploit vulnerabilities for their own gain. Due to the security protections in modern systems which prevent execution of injected shellcode, Return Oriented Programming (ROP) has emerged as a more reliable way to execute malicious code following such attacks. ROP is a method used to take over the execution of a program by causing the return address of a function to be modified through an exploit vector, then returning to small segments of otherwise innocuous code located in executable memory one after the other to carry out the attacker’s aims. It will be shown that the Tiva TM4C123GH6PM microcontroller, which utilizes a Cortex-M4F processor, can be fully controlled with this technique. Sufficient code is pre-loaded into a ROM on Tiva microcontrollers to erase and rewrite the flash memory where the program resides. Then, that same ROM is searched for a Turing-complete gadget set which would allow for arbitrary execution. This would allow an attacker to re-purpose the microcontroller, altering the original functionality to his own malicious end.