{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,18]],"date-time":"2026-03-18T13:41:35Z","timestamp":1773841295444,"version":"3.50.1"},"reference-count":229,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","license":[{"start":{"date-parts":[[2022,1,1]],"date-time":"2022-01-01T00:00:00Z","timestamp":1640995200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/legalcode"}],"funder":[{"DOI":"10.13039\/501100009318","name":"Helmholtz Association (HGF) through the Energy System Design (ESD) program","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100009318","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100009133","name":"KIT-Publication Fund of the Karlsruhe Institute of Technology","doi-asserted-by":"publisher","id":[{"id":"10.13039\/100009133","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Access"],"published-print":{"date-parts":[[2022]]},"DOI":"10.1109\/access.2022.3171922","type":"journal-article","created":{"date-parts":[[2022,5,2]],"date-time":"2022-05-02T20:22:02Z","timestamp":1651522922000},"page":"48242-48273","source":"Crossref","is-referenced-by-count":10,"title":["Binary Exploitation in Industrial Control Systems: Past, Present and Future"],"prefix":"10.1109","volume":"10","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-9334-953X","authenticated-orcid":false,"given":"Qi","family":"Liu","sequence":"first","affiliation":[{"name":"Institute for Automation and Applied Informatics, Karlsruhe Institute of Technology, Eggenstein-Leopoldshafen, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8231-4331","authenticated-orcid":false,"given":"Kaibin","family":"Bao","sequence":"additional","affiliation":[{"name":"Institute for Automation and Applied Informatics, Karlsruhe Institute of Technology, Eggenstein-Leopoldshafen, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3572-9083","authenticated-orcid":false,"given":"Veit","family":"Hagenmeyer","sequence":"additional","affiliation":[{"name":"Institute for Automation and Applied Informatics, Karlsruhe Institute of Technology, Eggenstein-Leopoldshafen, Germany"}]}],"member":"263","reference":[{"key":"ref1","volume-title":"Recommended Practice: Improving Industrial Control System Cybersecurity With Defense-in-Depth Strategies","year":"2016"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.6028\/NIST.IR.8219"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-33338-5_5"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2013.13"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1145\/3129743"},{"key":"ref6","volume-title":"Control Flow Enforcement Technology (CET)","year":"2017"},{"key":"ref7","volume-title":"How to Survive the Hardware-Assisted Control Flow Integrity Enforcement","author":"Sun","year":"2021"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1145\/3129743.3129745"},{"key":"ref9","volume-title":"Return-Oriented Programming Without Returns on ARM","author":"Davi","year":"2021"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-18178-8_30"},{"key":"ref11","article-title":"Killing the myth of Cisco IOS diversity: Recent advances in reliable shellcode design","volume-title":"Proc. 5th USENIX Conf. Offensive Technol.","author":"Cui"},{"key":"ref12","volume-title":"Don\u2019t be Silly\u2014It\u2019s Only a Lightbulb\u2014Check Point Research","author":"Itkin","year":"2020"},{"key":"ref13","volume-title":"Router Exploitation","author":"Lindner","year":"2009"},{"key":"ref14","volume-title":"MAR-17-352-01 HatMan\u2014Safety System Targeted Malware (Update B)","year":"2019"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455775"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1109\/ICDCS.2015.71"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455776"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1109\/CPSNA.2013.6614242"},{"key":"ref19","article-title":"Can DREs provide long-lasting security? The case of return-oriented programming and the AVC advantage","volume-title":"Proc. Electron. Voting Technol. Workshop\/Workshop Trustworthy Elections","author":"Checkoway"},{"key":"ref20","article-title":"Comprehensive experimental analyses of automotive attack surfaces","volume-title":"Proc. 20th USENIX Conf. Secur.","author":"Checkoway"},{"key":"ref21","volume-title":"24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them","author":"Howard","year":"2010"},{"key":"ref22","volume-title":"CWE\u2014CWE-121-Stack-Based Buffer Overflow","year":"2021"},{"key":"ref23","volume-title":"CWE\u2014CWE-122-Heap-Based Buffer Overflow","year":"2021"},{"key":"ref24","volume-title":"CWE\u2014CWE-124-Buffer Underwrite (\u2018Buffer Underflow\u2019)","year":"2021"},{"key":"ref25","volume-title":"CWE\u2014CWE-126-Buffer Over-Read","year":"2021"},{"key":"ref26","volume-title":"CWE\u2014CWE-127-Buffer Under-Read","year":"2021"},{"key":"ref27","volume-title":"CWE\u2014CWE-680-Integer Overflow to Buffer Overflow","year":"2021"},{"key":"ref28","volume-title":"CWE\u2014CWE-191-Integer Underflow (Wrap or Wraparound)","year":"2021"},{"key":"ref29","volume-title":"CWE\u2014CWE-193-Off-By-One Error","year":"2021"},{"key":"ref30","volume-title":"CWE\u2014CWE-843-Access of Resource Using Incompatible Type (\u2018Type Confusion\u2019)","year":"2021"},{"key":"ref31","volume-title":"CWE\u2014CWE-134-Use of Externally-Controlled Format String (4.5)","year":"2021"},{"key":"ref32","volume-title":"CWE\u2014CWE-416-Use After Free","year":"2021"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1145\/2338965.2336769"},{"issue":"66","key":"ref34","article-title":"Malloc des-maleficarum","volume":"13","year":"2009","journal-title":"Phrack Mag."},{"key":"ref35","volume-title":"CWE\u2014CWE-415-Double Free","year":"2021"},{"key":"ref36","volume-title":"CWE\u2014CWE-761-Free of Pointer Not at Start of Buffer","year":"2021"},{"key":"ref37","volume-title":"CWE\u2014CWE-590-Free of Memory Not on the Heap","year":"2021"},{"key":"ref38","volume-title":"CWE\u2014CWE-762-Mismatched Memory Management Routines","year":"2021"},{"key":"ref39","volume-title":"CWE\u2014CWE-457-Use of Uninitialized Variable","year":"2021"},{"key":"ref40","volume-title":"CWE\u2014CWE-908-Use of Uninitialized Resource","year":"2021"},{"key":"ref41","volume-title":"CWE\u2014CWE-824-Access of Uninitialized Pointer","year":"2021"},{"key":"ref42","volume-title":"CWE\u2014CWE-476-Null Pointer Dereference","year":"2021"},{"key":"ref43","volume-title":"CWE\u2014CWE-364-Signal Handler Race Condition","year":"2021"},{"key":"ref44","volume-title":"CWE\u2014CWE-365-Race Condition in Switch","year":"2021"},{"key":"ref45","volume-title":"CWE\u2014CWE-367-Time-of-Check Time-of-Use (TOCTOU) Race Condition","year":"2021"},{"key":"ref46","volume-title":"CWE\u2014CWE-368-Context Switching Race Condition","year":"2021"},{"key":"ref47","volume-title":"2021 CWE Top 25 Most Dangerous Software Weaknesses","year":"2021"},{"key":"ref48","article-title":"Trends and challenges in the vulnerability mitigation landscape","volume-title":"Proc. 13th USENIX Workshop Offensive Technol.","author":"Miller"},{"issue":"49","key":"ref49","first-page":"14","article-title":"Smashing the stack for fun and profit","volume":"7","author":"One","year":"1996","journal-title":"Phrack Mag."},{"key":"ref50","first-page":"177","article-title":"Non-control-data attacks are realistic threats","volume-title":"Proc. 14th Conf. USENIX Secur. Symp.","author":"Chen"},{"key":"ref51","volume-title":"Getting Around Non-Executable Stack (and Fix)","year":"2021"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1145\/1315245.1315313"},{"key":"ref53","first-page":"177","article-title":"Automatic generation of data-oriented exploits","volume-title":"Proc. 24th USENIX Secur. Symp.","author":"Hu"},{"key":"ref54","first-page":"161","article-title":"Control-flow bending on the effectiveness of control-flow integrity","volume-title":"Proc. 24th USENIX Secur. Symp.","author":"Carlini"},{"issue":"58","key":"ref55","article-title":"The advanced return-into-lib(c) exploits","volume":"11","year":"2001","journal-title":"Phrack Mag."},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-23644-0_7"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1145\/2133375.2133377"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2004.87"},{"key":"ref59","volume-title":"Exec Shield","author":"van de Ven","year":"2004"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.43"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-10772-6_13"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.1145\/1655108.1655117"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1145\/1755913.1755934"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.1145\/1866307.1866370"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1145\/1966913.1966919"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.1145\/1866307.1866370"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.62"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.1145\/1102120.1102165"},{"key":"ref69","volume-title":"Practical Return-Oriented Programming","author":"Zovi","year":"2010"},{"key":"ref70","doi-asserted-by":"publisher","DOI":"10.1145\/3129743"},{"key":"ref71","volume-title":"Nozzle: A Defense Against Heap-Spraying Code Injection Attacks","author":"Ratanaworabhan","year":"2008"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-11747-3_1"},{"key":"ref73","volume-title":"Heap Feng Shui in JavaScript","author":"Sotirov","year":"2007"},{"key":"ref74","first-page":"1647","article-title":"MAZE: Towards automated heap Feng Shui","volume-title":"Proc. 30th USENIX Secur. Symp.","author":"Wang"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2008.17"},{"key":"ref76","article-title":"Automatic generation of control flow hijacking exploits for software vulnerabilities","author":"Heelan","year":"2009"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.1145\/2560217.2560219"},{"key":"ref78","article-title":"Q: Exploit hardening made easy","volume-title":"Proc. 20th USENIX Conf. Secur.","author":"Schwartz"},{"key":"ref79","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-46598-2_15"},{"key":"ref80","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.31"},{"key":"ref81","first-page":"1914","article-title":"Revery: From proof-of-concept to exploitable: (one step towards automatic exploit generation)","volume-title":"Proc. ACM SIGSAC Conf. Comput. Commun. Secur.","author":"Wang"},{"key":"ref82","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354224"},{"key":"ref83","doi-asserted-by":"publisher","DOI":"10.1145\/3139337.3139346"},{"key":"ref84","first-page":"99","article-title":"Heaphopper: Bringing bounded model checking to heap implementation security","volume-title":"Proc. 27th USENIX Secur. Symp.","author":"Eckert"},{"key":"ref85","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243739"},{"key":"ref86","volume-title":"Analysis of the Shadow Brokers Release and Mitigation With Windows 10 Virtualization-Based Security","year":"2017"},{"key":"ref87","doi-asserted-by":"publisher","DOI":"10.1145\/2678373.2665726"},{"key":"ref88","article-title":"Exploiting the dram rowhammer bug to gain kernel privileges: How to cause and exploit single bit errors","volume":"15","author":"Seaborn","year":"2015","journal-title":"Black Hat"},{"key":"ref89","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978406"},{"key":"ref90","volume-title":"MITRE ATT&CKr: Design and Philosophy","author":"Strom","year":"2020"},{"key":"ref91","volume-title":"ICS-CERT Monitor September 2014-February 2015","year":"2015"},{"key":"ref92","volume-title":"NCCIC\/ICS-Cert Year in Review 2015","year":"2015"},{"key":"ref93","volume-title":"To Kill a Centrifuge: A Technical Analysis of What Stuxnet\u2019s Creators Tried to Achieve","author":"Langner","year":"2013"},{"key":"ref94","volume-title":"W32.Stuxnet Dossier","author":"Falliere","year":"2010"},{"key":"ref95","volume-title":"Duqu: A Stuxnet-Like Malware Found in the Wild","year":"2011"},{"key":"ref96","volume-title":"W32.Duqu: The Precursor to the Next Stuxnet","year":"2011"},{"key":"ref97","volume-title":"The Duqu 2.0 Technical Details","year":"2015"},{"key":"ref98","volume-title":"The Flame: Questions and Answers","author":"Gostev","year":"2012"},{"key":"ref99","volume-title":"Skywiper (a.k.a. Flame a.k.a. Flamer): A Complex Malware for Targeted Attacks","year":"2012"},{"key":"ref100","volume-title":"Dragonfly: Cyberespionage Attacks Against Energy Suppliers","year":"2021"},{"key":"ref101","volume-title":"When the Lights Went Out: A Comprehensive Review of the 2015 Attacks on Ukrainian Critical Infrastructure","author":"Stycznski","year":"2016"},{"key":"ref102","volume-title":"CVE-2014-4114: Details on August Blackenergy Powerpoint Campaigns","author":"Lipovsky","year":"2016"},{"key":"ref103","article-title":"Blackenergy\u2014What we really know about the notorious cyber attacks","volume-title":"Proc. Virus Bull. Conf.","author":"Cherepanov"},{"key":"ref104","volume-title":"Crashoverride: Analyzing the Threat to Electric Grid Operations","year":"2017"},{"key":"ref105","volume-title":"Win32\/Industroyer: A New Threat for Industrial Control Systems","author":"Cherepanov","year":"2017"},{"key":"ref106","volume-title":"Crashoverride: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack","author":"Slowik","year":"2019"},{"key":"ref107","volume-title":"Wannacry on Industrial Networks-Error Correction","year":"2017"},{"key":"ref108","volume-title":"Wannacry Aftershock","author":"Mackenzie","year":"2019"},{"key":"ref109","volume-title":"More Than 50% of Organizations Attacked by Expetr (Petya) Cryptolocker are Industrial Companies","year":"2017"},{"key":"ref110","volume-title":"Notpetya Technical Analysis Part II: Further Findings and Potential for MBR Recovery","author":"Hurley","year":"2017"},{"key":"ref111","volume-title":"Bad Rabbit: Not-Petya is Back With Improved Ransomware","author":"L\u00e9veill\u00e9","year":"2021"},{"key":"ref112","volume-title":"Bad Rabbit Ransomware","author":"Mamedov","year":"2017"},{"key":"ref113","volume-title":"Doublepulsar Initial SMB Backdoor Ring 0 Shellcode Analysis","year":"2017"},{"key":"ref114","volume-title":"Threat Spotlight: Follow the Bad Rabbit","author":"Talos","year":"2017"},{"key":"ref115","volume-title":"Triton: The First ICS Cyberattack on Safety Instrument Systems. USA","author":"Di Pinto","year":"2018"},{"key":"ref116","volume-title":"New VPNFilter Malware Targets at Least 500K Networking Devices Worldwide","author":"Talos","year":"2018"},{"key":"ref117","volume-title":"VPNFilter: New Router Malware With Destructive Capabilities","year":"2018"},{"key":"ref118","volume-title":"VPNFilter Update\u2014VPNFilter Exploits Endpoints, Targets New Devices","author":"Talos","year":"2018"},{"key":"ref119","volume-title":"MITRE ATT&CKr for Industrial Control Systems: Design and Philosophy","author":"Alexander","year":"2020"},{"key":"ref120","doi-asserted-by":"publisher","DOI":"10.1016\/0166-3615(94)90017-5"},{"key":"ref121","doi-asserted-by":"publisher","DOI":"10.1016\/c2013-0-06836-3"},{"key":"ref122","volume-title":"Is the Purdue Model Dead?","author":"Peterson","year":"2019"},{"key":"ref123","volume-title":"Triton is the World\u2019s Most Murderous Malware, and It\u2019s Spreading","author":"Giles","year":"2019"},{"key":"ref124","volume-title":"A Comprehensive Guide to Operational Technology (OT) Cybersecurity","year":"2021"},{"key":"ref125","volume-title":"Building Security to Achieve Engineering and Business Requirements","author":"Crowther","year":"2018"},{"key":"ref126","article-title":"Quantitatively assessing and visualising industrial system attack surfaces","author":"Leverett","year":"2011"},{"key":"ref127","volume-title":"TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping","author":"Miller","year":"2019"},{"key":"ref128","article-title":"Out of control: Demonstrating SCADA exploitation","author":"Meixell","year":"2013"},{"key":"ref129","doi-asserted-by":"publisher","DOI":"10.1201\/b19629"},{"key":"ref130","volume-title":"Sans 2019 State of OT\/ICS Cybersecurity Survey","author":"Filkins"},{"key":"ref131","article-title":"Stackguard: Automatic adaptive detection and prevention of buffer-overflow attacks","volume-title":"7th USENIX Secur. Symp.","author":"Cowan"},{"key":"ref132","doi-asserted-by":"publisher","DOI":"10.1109\/ICDSC.2001.918971"},{"key":"ref133","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58951-6_17"},{"key":"ref134","first-page":"81","article-title":"Code-pointer integrity","volume-title":"Proc. 11th USENIX Symp. Oper. Syst. Design","author":"Kuznetsov"},{"key":"ref135","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.53"},{"key":"ref136","volume-title":"Changes to Functionality in Microsoft Windows XP Service Pack 2, Part 3: Memory Protection Technologies, Data Execution Prevention","author":"Andersen","year":"2004"},{"key":"ref137","volume-title":"PAX Address Space Layout Randomization (ASLR)","year":"2003"},{"key":"ref138","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.39"},{"key":"ref139","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-70542-0_1"},{"key":"ref140","doi-asserted-by":"publisher","DOI":"10.1016\/0167-4048(93)90054-9"},{"key":"ref141","doi-asserted-by":"publisher","DOI":"10.1109\/CGO.2013.6494997"},{"key":"ref142","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.25"},{"key":"ref143","first-page":"105","article-title":"Address obfuscation: An efficient approach to combat a broad range of memory error exploits","volume-title":"Proc. 12th USENIX Secur. Symp.","author":"Bhatkar"},{"key":"ref144","doi-asserted-by":"publisher","DOI":"10.1145\/948109.948146"},{"key":"ref145","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2006.9"},{"key":"ref146","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382216"},{"key":"ref147","first-page":"475","article-title":"Enhanced operating system security through efficient and fine-grained address space randomization","volume-title":"Proc. 21st USENIX Secur. Symp.","author":"Giuffrida"},{"key":"ref148","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.41"},{"key":"ref149","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813691"},{"key":"ref150","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-24174-6_4"},{"key":"ref151","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.52"},{"key":"ref152","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2013.45"},{"key":"ref153","first-page":"1","article-title":"Interpreter exploitation","volume-title":"Proc. 4th USENIX Workshop Offensive Technol.","author":"Blazakis"},{"key":"ref154","article-title":"SoK: Make JIT-spray great again","volume-title":"Proc. 12th USENIX Workshop Offensive Technol.","author":"Gawlik"},{"key":"ref155","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2013.23"},{"key":"ref156","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660309"},{"key":"ref157","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2017.23477"},{"key":"ref158","doi-asserted-by":"publisher","DOI":"10.1145\/1609956.1609960"},{"key":"ref159","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.30"},{"key":"ref160","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2013.44"},{"key":"ref161","doi-asserted-by":"publisher","DOI":"10.1145\/2594291.2594295"},{"key":"ref162","first-page":"941","article-title":"Enforcing forward-edge control-flow integrity in GCC & LLVM","volume-title":"Proc. 23rd USENIX Secur. Symp.","author":"Tice"},{"key":"ref163","doi-asserted-by":"publisher","DOI":"10.1145\/1181309.1181316"},{"key":"ref164","doi-asserted-by":"publisher","DOI":"10.1109\/DAC.2014.6881460"},{"key":"ref165","doi-asserted-by":"publisher","DOI":"10.1145\/2744769.2744847"},{"key":"ref166","doi-asserted-by":"publisher","DOI":"10.1145\/2897937.2898098"},{"key":"ref167","doi-asserted-by":"publisher","DOI":"10.1145\/2857705.2857722"},{"key":"ref168","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2018.2866164"},{"key":"ref169","doi-asserted-by":"publisher","DOI":"10.1145\/3337167.3337175"},{"key":"ref170","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134026"},{"key":"ref171","doi-asserted-by":"publisher","DOI":"10.1109\/SecDev.2019.00022"},{"key":"ref172","first-page":"147","article-title":"Securing software by enforcing data-flow integrity","volume-title":"Proc. 7th Symp. Oper. Syst. Design Implement.","author":"Castro"},{"key":"ref173","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23218"},{"key":"ref174","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00010"},{"key":"ref175","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23326"},{"key":"ref176","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3345665"},{"key":"ref177","first-page":"275","article-title":"Cyclone: A safe dialect of C","volume-title":"Proc. USENIX Annu. Tech. Conf.","author":"Jim"},{"key":"ref178","doi-asserted-by":"publisher","DOI":"10.1145\/1065887.1065892"},{"key":"ref179","doi-asserted-by":"publisher","DOI":"10.1145\/1543135.1542504"},{"key":"ref180","doi-asserted-by":"publisher","DOI":"10.1145\/1837855.1806657"},{"key":"ref181","doi-asserted-by":"publisher","DOI":"10.1145\/168619.168635"},{"key":"ref182","first-page":"209","article-title":"Evaluating SFI for a CISC architecture","volume-title":"Proc. 15th USENIX Secur. Symp.","author":"McCamant"},{"key":"ref183","first-page":"75","article-title":"XFI: Software guards for system address spaces","volume-title":"Proc. 7th Symp. Oper. Syst. Design Implement.","author":"Erlingsson"},{"key":"ref184","doi-asserted-by":"publisher","DOI":"10.1145\/1629575.1629581"},{"key":"ref185","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2009.25"},{"key":"ref186","doi-asserted-by":"publisher","DOI":"10.1561\/3300000013"},{"key":"ref187","volume-title":"Software Guard Extensions Programming Reference","year":"2013"},{"key":"ref188","first-page":"1213","article-title":"The guard\u2019s dilemma: Efficient code-reuse attacks against Intel SGX","volume-title":"Proc. 27th USENIX Secur. Symp.","author":"Biondo"},{"key":"ref189","first-page":"841","article-title":"Discovery and exploitation of memory corruption vulnerabilities in SGX enclaves","volume-title":"Proc. 29th USENIX Secur. Symp.","author":"Cloosters"},{"key":"ref190","volume-title":"2015 Embedded Markets Study: Changes in Today\u2019s Design, Development & Processing Environments","year":"2015"},{"key":"ref191","volume-title":"2019 Embedded Markets Study","year":"2019"},{"key":"ref192","doi-asserted-by":"publisher","DOI":"10.1145\/1030083.1030124"},{"key":"ref193","volume-title":"ARMv7-M Architecture Reference Manual","year":"2014"},{"key":"ref194","first-page":"1","volume-title":"Memory Protection Unit (MPU) for Keystone Devices User\u2019s Guide"},{"key":"ref195","doi-asserted-by":"publisher","DOI":"10.1145\/1655077.1655083"},{"key":"ref196","first-page":"1","article-title":"Control-flow integrity for real-time embedded systems","volume-title":"Proc. 31st Euromicro Conf. Real-Time Syst.","author":"Walls"},{"key":"ref197","first-page":"1219","article-title":"Silhouette: Efficient protected shadow stacks for embedded systems","volume-title":"Proc. 29th USENIX Secur. Symp.","author":"Zhou"},{"key":"ref198","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24016"},{"key":"ref199","volume-title":"ARM Architecture Reference Manual, ARMv8, for ARMv8-A Architecture Profile","year":"2021"},{"key":"ref200","volume-title":"Pointer Authentication on ARMV8.3: Design and Analysis of the New Software Security Instructions","year":"2017"},{"key":"ref201","first-page":"177","article-title":"PAC it up: Towards pointer integrity using ARM pointer authentication","volume-title":"Proc. 28th USENIX Secur. Symp.","author":"Liljestrand"},{"key":"ref202","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.30"},{"key":"ref203","first-page":"231","article-title":"uXOM: Efficient execute-only memory on ARM cortex-M","volume-title":"Proc. 28th USENIX Secur. Symp.","author":"Kwon"},{"key":"ref204","volume-title":"ARM Security Technology: Building a Secure System Using Trustzone technology","year":"2009"},{"key":"ref205","volume-title":"Trust Issues-Exploiting Trustzone TEEs","author":"Beniamini","year":"2017"},{"key":"ref206","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23448"},{"key":"ref207","article-title":"Memory tagging and how it improves C\/C++ memory safety","author":"Serebryany","year":"2018","journal-title":"arXiv:1802.09517"},{"key":"ref208","volume-title":"ARMV8.5\u2014A Memory Tagging Extension","year":"2019"},{"issue":"2","key":"ref209","first-page":"12","article-title":"ARM memory tagging extension and how it improves C\/C++ memory safety","volume":"44","author":"Serebryany","year":"2019","journal-title":"Login USENIX Mag."},{"key":"ref210","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2021.3071263"},{"key":"ref211","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-36084-0_15"},{"key":"ref212","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2008.37"},{"key":"ref213","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-02918-9_6"},{"key":"ref214","doi-asserted-by":"publisher","DOI":"10.1007\/11790754_4"},{"key":"ref215","doi-asserted-by":"publisher","DOI":"10.1145\/1229285.1229291"},{"key":"ref216","doi-asserted-by":"publisher","DOI":"10.1145\/1920261.1920305"},{"key":"ref217","doi-asserted-by":"publisher","DOI":"10.1109\/INFCOM.2010.5461950"},{"key":"ref218","doi-asserted-by":"publisher","DOI":"10.1109\/MALWARE.2011.6112327"},{"key":"ref219","doi-asserted-by":"publisher","DOI":"10.1145\/1966913.1966920"},{"key":"ref220","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23156"},{"key":"ref221","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-04897-0_1"},{"key":"ref222","doi-asserted-by":"publisher","DOI":"10.1145\/3134600.3134640"},{"key":"ref223","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978358"},{"key":"ref224","doi-asserted-by":"publisher","DOI":"10.1145\/3061639.3062276"},{"key":"ref225","doi-asserted-by":"publisher","DOI":"10.1109\/ICCAD.2017.8203803"},{"key":"ref226","doi-asserted-by":"publisher","DOI":"10.1145\/3240765.3240821"},{"key":"ref227","volume-title":"The Art of Computer Virus Research and Defense","author":"Szor","year":"2005"},{"key":"ref228","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-11379-1_19"},{"key":"ref229","first-page":"385","article-title":"ROP is still dangerous: Breaking modern defenses","volume-title":"Proc. 23rd USENIX Secur. Symp.","author":"Carlini"}],"container-title":["IEEE Access"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/6287639\/9668973\/09766127.pdf?arnumber=9766127","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,1,22]],"date-time":"2024-01-22T22:30:40Z","timestamp":1705962640000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9766127\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022]]},"references-count":229,"URL":"https:\/\/doi.org\/10.1109\/access.2022.3171922","relation":{},"ISSN":["2169-3536"],"issn-type":[{"value":"2169-3536","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022]]}}}