Attacks targeting software on embedded systems are becoming increasingly prevalent. In particular, software exploits based on return-oriented programming are challenging to prevent as they perform malicious operations without requiring the attacker to inject any malicious code. Both academia and industry have recently proposed defense techniques to mitigate these attacks. However, a continuous arms race has evolved between new attacks and improved defenses. In this talk, we elaborate on the different classes of software exploits and present recent research on mitigation technologies such as control-flow integrity and attestation targeting embedded systems software.