Bypassing CPU Protections using Function-Oriented Programming (FOP): A Linux Kernel Case Study
DOI:
https://doi.org/10.30998/faktor.exac.v19i1.807Keywords:
function oriented programming, gadgets, kernel, linux, proteksi CPUAbstract
Modern Central Processing Unit (CPU) hardware protections have significantly increased the difficulty of traditional code-reuse attacks, such as Return-Oriented Programming (ROP) and Jump-Oriented Programming (JOP). This study investigates the viability of Function-Oriented Programming (FOP), a novel exploitation technique, against systems implementing these modern architectural mitigations. Combining a comprehensive literature review with controlled simulations, this research introduces FOP Arbalest, an analytical artifact designed to identify, validate, and map exploitable FOP gadgets. Evaluation of the Linux kernel v5.19.17 demonstrates that FOP Arbalest identified 7,470, 18,541, and 52,285 gadgets at increasing analysis depths, yielding substantially more than conventional ROP and JOP techniques. Notably, FOP Arbalest is the first framework to integrate symbolic execution as the primary mechanism for FOP gadget detection, whereas prior x86-64 approaches relied exclusively on compiler plugins and static analysis. Future work will implement FOP techniques on Qualcomm Snapdragon system-on-chip (SoC) platforms to evaluate the portability and scalability of this vector across heterogeneous mobile computing environments.
Downloads
References
J. Ravichandran, W. T. Na, J. Lang, and M. Yan, “PACMAN,” in Proceedings of the 49th Annual International Symposium on Computer Architecture, New York, NY, USA: ACM, Jun. 2022, pp. 685–698. doi: 10.1145/3470496.3527429.
S. Ognawala, F. Kilger, and A. Pretschner, “Compositional Fuzzing Aided by Targeted Symbolic Execution,” Oct. 2019.
R. C. Goluch, “Trust, transforms, and control flow: A graph-theoretic method to verifying source and binary control flow equivalence,” Iowa State University, 2021. doi: 10.31274/etd-20210609-59.
M. Lipp et al., “Meltdown,” Commun ACM, vol. 63, no. 6, pp. 46–56, May 2020, doi: 10.1145/3357033.
S. Matsuoka, “Fugaku and A64FX: the First Exascale Supercomputer and its Innovative Arm CPU,” in 2021 Symposium on VLSI Circuits, IEEE, Jun. 2021, pp. 1–3. doi: 10.23919/VLSICircuits52068.2021.9492415.
X. Zhu, S. Wen, S. Camtepe, and Y. Xiang, “Fuzzing: A Survey for Roadmap,” ACM Comput Surv, vol. 54, no. 11s, pp. 1–36, Jan. 2022, doi: 10.1145/3512345.
V. Chipounov, V. Kuznetsov, and G. Candea, “The S2E Platform,” ACM Transactions on Computer Systems, vol. 30, no. 1, pp. 1–49, Feb. 2012, doi: 10.1145/2110356.2110358.
Y. Cheng, Z. Zhou, M. Yu, X. Ding, and R. H. Deng, “ROPecker: A Generic and Practical Approach For Defending Against ROP Attacks,” in Proceedings 2014 Network and Distributed System Security Symposium, Reston, VA: Internet Society, 2014. doi: 10.14722/ndss.2014.23156.
R. Baldoni, E. Coppa, D. C. D’elia, C. Demetrescu, and I. Finocchi, “A Survey of Symbolic Execution Techniques,” ACM Comput Surv, vol. 51, no. 3, pp. 1–39, May 2019, doi: 10.1145/3182657.
S. Ozdemir, R. Saptarshi, A. Prakash, and D. Ponomarev, “Track Conventions, Not Attack Signatures: Fortifying X86 ABI and System Call Interfaces to Mitigate Code Reuse Attacks,” in 2021 International Symposium on Secure and Private Execution Environment Design (SEED), IEEE, Sep. 2021, pp. 176–188. doi: 10.1109/SEED51797.2021.00029.
D. Parygina, A. Vishnyakov, and A. Fedotov, “Strong Optimistic Solving for Dynamic Symbolic Execution,” in 2022 Ivannikov Memorial Workshop (IVMEM), IEEE, Sep. 2022, pp. 43–53. doi: 10.1109/IVMEM57067.2022.9983965.
S. Xu, P. Xie, and Y. Wang, “AT-ROP: Using static analysis and binary patch technology to defend against ROP attacks based on return instruction,” in 2020 International Symposium on Theoretical Aspects of Software Engineering (TASE), IEEE, Dec. 2020, pp. 209–216. doi: 10.1109/TASE49443.2020.00036.
Downloads
Published
Issue
Section
License
Copyright (c) 2026 Suryo Bramasto, Muhammad Ramli (Author)

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
Under the CC BY-NC 4.0 License, users are permitted to:
-
Share: Copy, distribute, and transmit the material across any medium or format.
-
Adapt: Remix, transform, and build upon the work for non-commercial purposes.
These permissions are granted provided the following conditions are met:
-
Attribution (BY): Proper credit must be given to the original author(s) and Faktor Exacta, including a direct link to the license and a clear indication of any modifications made. This acknowledgment must not imply endorsement by the journal or the authors. Reusers are required to include the article’s Digital Object Identifier (DOI) for permanent citation reference.
-
NonCommercial (NC): The material may not be exploited for commercial purposes or monetary gain. Any commercial utilization, republication, or integration into commercial goods requires explicit, prior written permission from the copyright holder(s).
-
No Additional Restrictions: No legal provisions or technological protection measures (such as DRM) may be applied to restrict others from exercising the freedoms granted by this license.
Official Legal Code: For the full and legally binding terms, please review the official Creative Commons Attribution-NonCommercial 4.0 International Public License.

