Detecting return-oriented programming on firmware-only embedded devices using hardware performance counters

Omotosho, Adebayo (ORCID: https://orcid.org/0000-0002-1642-7610), Welearegai, Gebrehiwet B. and Hammer, Christian (2022) Detecting return-oriented programming on firmware-only embedded devices using hardware performance counters. In: SAC '22: Proceedings of the 37th ACM/SIGAPP Symposium on Applied Computing. ACM, New York, NY, USA, pp. 510-519. ISBN 9781450387132

15787 Omotosho A et al (2022) Detecting return-oriented programming on firmware-only embedded devices using hardware performance counters.pdf - Published Version
Restricted to Repository staff only
Available under License Creative Commons Attribution 4.0.

Abstract

Return-oriented programming (ROP) relies on in-memory code sequences ending in return instructions to chain together arbitrary malware. ROP is one of the most dangerous security exploits because, if wittingly crafted, it can be used to wreak havoc on the system, network, and nodes connected to it. It is not surprising that ROP has been studied on architectures such as x86 and ARM, mostly with an operating system (OS). Xtensa is one of the most popular industry standards for digital signal processors and it is present in many resource-constrained firmware-based embedded WiFi home automation devices, which operate by reading instructions directly from flash memory. Despite leveraging no real OS, Xtensa is not immune to ROP, and there have been reports of buffer overflow vulnerability exploitations leading to ROP in Xtensa. Therefore, we present the first detection of ROP, and its variant jump-oriented programming (JOP), in a firmware-only environment using hardware performance counters (HPCs). Our approach discerns the variations in the HPC micro-architectural events triggered by ROP attacks and benign program execution. We implemented attack scenarios using instrumented programs and exploits that perform tasks similar to those in known microprocessor benchmark programs. We recorded micro-architectural events to train a machine learning binary classifier. The learned model identifies relevant HPCs, which could serve as predictors of ROP/JOP execution even in embedded firmware-only configurations, where features atypical to conventional processors, like instruction memory and data memory, are available. Our evaluation results indicate a high precision, recall, and accuracy of the classifier predictions.

Item Type: Book Section
Article Type: Article
Uncontrolled Keywords: Microprocessor; Xtensa; ROP; JOP
Subjects: H Social Sciences > HD Industries. Land use. Labor > HD28 Management. Industrial Management > HD61 Risk in industry. Risk management
Q Science > QA Mathematics > QA76 Computer software
Divisions: Schools and Research Institutes > School of Business, Computing and Social Sciences
Depositing User: Kamila Niekoraniec
Date Deposited: 03 Feb 2026 14:28
Last Modified: 04 Feb 2026 10:45
URI: https://eprints.glos.ac.uk/id/eprint/15787