{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,30]],"date-time":"2025-10-30T11:40:34Z","timestamp":1761824434456,"version":"3.37.3"},"reference-count":48,"publisher":"IEEE","license":[{"start":{"date-parts":[[2022,5,1]],"date-time":"2022-05-01T00:00:00Z","timestamp":1651363200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-009"},{"start":{"date-parts":[[2022,5,1]],"date-time":"2022-05-01T00:00:00Z","timestamp":1651363200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-001"}],"funder":[{"DOI":"10.13039\/100006190","name":"Research and Development","doi-asserted-by":"publisher","id":[{"id":"10.13039\/100006190","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2022,5]]},"DOI":"10.1109\/sp46214.2022.9833723","type":"proceedings-article","created":{"date-parts":[[2022,7,27]],"date-time":"2022-07-27T19:28:05Z","timestamp":1658950085000},"page":"1623-1637","source":"Crossref","is-referenced-by-count":9,"title":["Finding SMM Privilege-Escalation Vulnerabilities in UEFI Firmware with Protocol-Centric Static Analysis"],"prefix":"10.1109","author":[{"given":"Jiawei","family":"Yin","sequence":"first","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China and School of Cyber Security, University of Chinese Academy of Sciences,Beijing,China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Menghao","family":"Li","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China and School of Cyber Security, University of Chinese Academy of 
Sciences,Beijing,China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Wei","family":"Wu","sequence":"additional","affiliation":[{"name":"Huawei Technologies"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Dandan","family":"Sun","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China and School of Cyber Security, University of Chinese Academy of Sciences,Beijing,China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jianhua","family":"Zhou","sequence":"additional","affiliation":[{"name":"UNSW Sydney"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Wei","family":"Huo","sequence":"additional","affiliation":[{"name":"UNSW Sydney"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jingling","family":"Xue","sequence":"additional","affiliation":[{"name":"UNSW Sydney"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"263","reference":[{"key":"ref13","article-title":"Static detection of c++ vtable escape vulnerabilities in binary code","author":"dewey","year":"2012","journal-title":"NDSS"},{"journal-title":"Introducing project mu","year":"2018","key":"ref35"},{"journal-title":"uefi org","year":"2019","key":"ref12"},{"journal-title":"EDK II Project","year":"2021","key":"ref34"},{"journal-title":"Hex-rays ida pro A powerful disassembler and a versatile debugger","year":"2021","key":"ref15"},{"key":"ref37","first-page":"167","article-title":"kafl: Hardware-assisted feedback fuzzing for OS kernels","author":"schumilo","year":"2017","journal-title":"26th USENIX Security Symposium (USENIX Security 17)"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.24386"},{"journal-title":"2020 CWE Top 25 Most Dangerous Software Weaknesses","year":"2020","key":"ref36"},{"key":"ref31","first-page":"1769","article-title":"Detecting missing-check bugs via semantic- and context-aware criticalness and 
constraints inferences","author":"lu","year":"2019","journal-title":"28th USENIX Security Symposium (USENIX Security 19)"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2018.00052"},{"journal-title":"Finding bios vulnerabilities with symbolic execution and virtual platforms","year":"2017","author":"engblom","key":"ref11"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1145\/199448.199462"},{"journal-title":"Using the intel stm for protected execution","year":"2018","author":"myers","key":"ref10"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243844"},{"journal-title":"Exploiting ami aptio firmware on example of intel nuc","year":"2016","author":"oleksiuk","key":"ref2"},{"journal-title":"Total unit shipments of personal computers (PCs) worldwide from 2006 to 2020","year":"2021","key":"ref1"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1109\/CNS48642.2020.9162164"},{"journal-title":"TriforceAFL","year":"2017","author":"hertz","key":"ref39"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.17"},{"key":"ref38","first-page":"33","article-title":"Coverage-guided kernel fuzzing with syzkaller","volume":"2","author":"drysdale","year":"2016","journal-title":"Linux Weekly News"},{"journal-title":"Remote Procedure Call","year":"2021","key":"ref19"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2017.23225"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2013.44"},{"key":"ref46","first-page":"2379","article-title":"FIRMSCOPE: Automatic uncovering of privilege-escalation vulnerabilities in pre-installed apps in android firmware","author":"elsabagh","year":"2020","journal-title":"29th USENIX Security Symposium (USENIX Security 20)"},{"journal-title":"Intel hardware shield Trustworthy smm on the intel vpro platform","year":"2020","key":"ref23"},{"key":"ref45","first-page":"1007","article-title":"DR. 
CHECKER: A soundy analysis for linux kernel drivers","author":"machiry","year":"2017","journal-title":"26th USENIX Security Symposium (USENIX Security 17)"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813673"},{"key":"ref48","first-page":"255","article-title":"Effective static analysis of concurrency use-after-free bugs in linux device drivers","author":"bai","year":"2019","journal-title":"Proceedings of the 2019 USENIX Conference on Usenix Annual Technical Conference ser USENIX ATC \u201919"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.60"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2019.00034"},{"journal-title":"Component Object Model","year":"2021","key":"ref20"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00036"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1109\/CGO53902.2022.9741274"},{"key":"ref22","first-page":"16","article-title":"Attacking smm memory via intel cpu cache poisoning","author":"wojtczuk","year":"2009","journal-title":"The Invisible Things Lab"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1145\/2666356.2594299"},{"journal-title":"uefi org","year":"2019","key":"ref21"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1145\/3183575"},{"key":"ref28","article-title":"Cryptorex: Large-scale analysis of cryptographic misuse in iot devices","author":"zhang","year":"2019","journal-title":"RAID"},{"key":"ref27","article-title":"Defeating signed bios enforcement","author":"kallenberg","year":"2013","journal-title":"EkoParty Buenos Aires"},{"journal-title":"RFC 4122","year":"0","key":"ref29"},{"journal-title":"Smm unchecked pointer vulnerability","year":"2016","author":"lab","key":"ref8"},{"journal-title":"Through the smm-class and a vulnerability found there","year":"2020","key":"ref7"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1145\/1966913.1966919"},{"journal-title":"The lojax attack What you need to 
know","year":"2018","key":"ref4"},{"journal-title":"Thinkpwn","year":"2017","author":"oleksiuk","key":"ref3"},{"journal-title":"Code check (mate) in smm","year":"2018","key":"ref6"},{"journal-title":"A tour beyond bios secure smm communication in the efi developer kit ii","year":"2020","author":"jarlstrom","key":"ref5"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354244"}],"event":{"name":"2022 IEEE Symposium on Security and Privacy (SP)","start":{"date-parts":[[2022,5,22]]},"location":"San Francisco, CA, USA","end":{"date-parts":[[2022,5,26]]}},"container-title":["2022 IEEE Symposium on Security and Privacy (SP)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/9833550\/9833558\/09833723.pdf?arnumber=9833723","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,11,8]],"date-time":"2023-11-08T23:13:38Z","timestamp":1699485218000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9833723\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,5]]},"references-count":48,"URL":"https:\/\/doi.org\/10.1109\/sp46214.2022.9833723","relation":{},"subject":[],"published":{"date-parts":[[2022,5]]}}}