
ROP Detection: Validation and Robustness Evaluation

2025-2026/II.
Sándor József

Memory corruption vulnerabilities remain a critical security concern in modern computing systems, often leading to exploits such as arbitrary code execution, privilege escalation, and system compromise. These vulnerabilities typically arise from programming errors (such as buffer overflows, use-after-free, or integer overflows) that allow attackers to manipulate memory and alter program execution. Among the various exploitation techniques, Return-Oriented Programming (ROP) [1] has emerged as one of the most effective and sophisticated methods for bypassing traditional security mechanisms like Data Execution Prevention (DEP). ROP attacks leverage existing executable code within a program's memory space, chaining together small instruction sequences (gadgets) to execute arbitrary operations without injecting new code. Because no new code is introduced, ROP attacks are particularly hard to mitigate and detect: every instruction executed is legitimate program code, so the attack is difficult to distinguish from normal program behavior.


ROP attacks pose a serious threat to embedded and IoT devices, which typically operate under much stricter resource constraints than general-purpose computing systems. To enable effective ROP detection in such constrained environments, we have developed PROPS (Precision ROP Scanner), a novel detection mechanism that analyzes stack contents to determine whether a ROP chain is present. Our approach targets 32-bit ARMv7 (and earlier) architectures, which represent a large class of embedded and IoT platforms that remain widely deployed in practice.
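To make the idea of stack-content analysis concrete, the following is an added example (not PROPS's own algorithm, and not code from this project). It implements one classic stack-scanning heuristic: a legitimate return address points to the word immediately after a call instruction (on ARMv7, after a `BL`/`BLX`), whereas the code pointers that make up a ROP chain generally do not. The memory map, the set of call-preceded return sites, and both stack snapshots are constructed for the example; a real scanner would derive the executable regions from the process memory map and the return sites from disassembly.

```python
"""Call-preceded-return stack scan: an added, simplified ROP-chain heuristic.

Assumptions (all constructed for this example, not taken from PROPS):
  * a 32-bit little-endian stack snapshot, as on ARMv7,
  * two executable regions (program text and a shared library),
  * RETURN_SITES = addresses located right after a BL/BLX call instruction,
    i.e. the only places a legitimate return address should point to.
"""
import struct

# Constructed executable regions: [start, end) pairs.
TEXT_START, TEXT_END = 0x00010000, 0x00020000
LIBC_START, LIBC_END = 0x76E00000, 0x76F40000
EXEC_REGIONS = ((TEXT_START, TEXT_END), (LIBC_START, LIBC_END))

# Constructed "call-preceded" addresses: where a return address may land.
RETURN_SITES = frozenset({
    0x00010448, 0x000104A0, 0x00010530,   # inside program text
    0x76E21A3C, 0x76E4F110,               # inside the library
})


def is_code_pointer(word: int) -> bool:
    """True if the stack word points into an executable mapping."""
    addr = word & ~1           # ARM/Thumb interworking sets bit 0; ignore it
    return any(start <= addr < end for start, end in EXEC_REGIONS)


def classify_word(word: int) -> str:
    """Label a stack word as data, a plausible return address, or a code
    pointer that is NOT preceded by a call (the gadget-like case)."""
    if not is_code_pointer(word):
        return "data"
    return "return" if (word & ~1) in RETURN_SITES else "not-call-preceded"


def scan_stack(stack_bytes: bytes, window: int = 8, threshold: int = 4) -> dict:
    """Slide a window over the stack words and flag a dense cluster of
    non-call-preceded code pointers (gadget addresses interleaved with the
    values the gadgets pop). Returns the worst window and per-word labels."""
    n_words = len(stack_bytes) // 4
    words = struct.unpack("<%dI" % n_words, stack_bytes[:n_words * 4])
    labels = [classify_word(w) for w in words]

    worst, worst_at = 0, None
    for i in range(len(labels)):
        count = labels[i:i + window].count("not-call-preceded")
        if count > worst:
            worst, worst_at = count, i
    return {
        "suspicious": worst >= threshold,
        "max_not_call_preceded": worst,
        "offset": None if worst_at is None else worst_at * 4,
        "labels": labels,
    }


def pack_words(words) -> bytes:
    """Serialise 32-bit words little-endian, as they would sit on the stack."""
    return struct.pack("<%dI" % len(words), *words)


# Constructed benign snapshot: saved registers, locals, and three genuine
# return addresses that all land right after a call site.
BENIGN_STACK = pack_words([
    0x7EFFF5C0, 0x00010448, 0x0000002A, 0x76E21A3C,
    0x00000000, 0x7EFFF600, 0x00000001, 0x76E4F110,
])

# Constructed suspicious snapshot: a chain-shaped run of code pointers that
# do not follow any call instruction, with popped values in between.
SUSPICIOUS_STACK = pack_words([
    0x76E3A010, 0x00000000, 0x76E3B2C4, 0x76E1C8D8,
    0x41414141, 0x76E3E908, 0x00010500, 0x7EFFF800,
])


if __name__ == "__main__":
    for name, snapshot in (("benign", BENIGN_STACK), ("suspicious", SUSPICIOUS_STACK)):
        result = scan_stack(snapshot)
        print(name, result["suspicious"], result["max_not_call_preceded"], result["labels"])
```

The window and threshold are tuning knobs: a lower threshold catches shorter chains but raises the false-positive rate, since stacks legitimately hold function pointers (callback tables, `setjmp` buffers, unwinder state) that are not call-preceded. A production scanner for ARMv7 also has to decode both ARM and Thumb instruction lengths to decide what "immediately after a call" means, which the constructed `RETURN_SITES` set glosses over here.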


So far, PROPS has been evaluated primarily using a large number of artificially generated ROP chains, but not on real-world exploits. The goal of this student project is therefore to identify vulnerable programs and existing exploits that employ ROP on ARM platforms — or to design and implement a custom exploit if necessary — and to reproduce these attacks on a Raspberry Pi 3 Model B (RPI3) running the 32-bit version of Raspberry Pi OS Lite. The student will then validate and evaluate the effectiveness of PROPS in detecting these real-world ROP attacks.


Required interests and background:
 • Memory corruption and low-level software vulnerabilities
 • Hands-on experimentation with real-world exploits
 • ARM architecture and embedded platforms



[1] Hovav Shacham. 2007. The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In Proceedings of the 14th ACM conference on Computer and communications security (CCS '07).

