Function-oriented programming attacks on ARM Cortex-M processors

In recent years, code-reuse attacks have been used to exploit software vulnerabilities and gain control in numerous software programs and embedded devices. Several measures have been put in place to prevent this type of attack, such as Control-Flow Integrity (CFI) systems, and some of these systems have already been integrated into hardware. Regardless, one attack persists, Function-Oriented Programming (FOP) attacks, a code-reuse attack in which a chain of functions is used to perform malicious actions. In this work, we perform the first analysis on the implications and feasibility of FOP attacks on microcontrollers, namely, on processors of the ARM Cortex-M family, that support PACBTI, a hardware feature for the implementation of CFI systems. During this process, we identified multiple dispatch gadgets in two common Real-time Operating System (RTOS). These gadgets were identified in the core features of the embedded Operating Systems (OSs), and therefore included in many operating systems. Furthermore, we also present CortexMFopper , a tool specially built to identify FOP gadgets in embedded devices as a way to raise awareness of this technique and was used for the identification of gadgets during this research.