Exploiting software vulnerabilities on IoT devices is becoming increasingly prevalent. These exploits corrupt program state information maintained in application memory to induce unauthorized program actions. In particular, return-oriented programming attacks allow an attacker to hijack IoT devices without requiring injection of malicious code. In this talk, we elaborate on the different classes of software exploitation techniques in the IoT space and present recent research on control-flow attestation and control-flow integrity to detect and prevent these attacks.