{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,22]],"date-time":"2026-01-22T23:52:57Z","timestamp":1769125977106,"version":"3.49.0"},"reference-count":57,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"4","license":[{"start":{"date-parts":[[2021,7,1]],"date-time":"2021-07-01T00:00:00Z","timestamp":1625097600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62002151"],"award-info":[{"award-number":["62002151"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans. Dependable and Secure Comput."],"published-print":{"date-parts":[[2021,7,1]]},"DOI":"10.1109\/tdsc.2021.3071092","type":"journal-article","created":{"date-parts":[[2021,4,6]],"date-time":"2021-04-06T15:48:36Z","timestamp":1617724116000},"page":"1920-1932","source":"Crossref","is-referenced-by-count":6,"title":["A Coprocessor-Based Introspection Framework Via Intel Management Engine"],"prefix":"10.1109","volume":"18","author":[{"given":"Lei","family":"Zhou","sequence":"first","affiliation":[{"name":"Department of Computer Science and Engineering, Research Institute of Trustworthy Autonomous Systems, Southern University of Science and Technology, Shenzhen, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3365-2526","authenticated-orcid":false,"given":"Fengwei","family":"Zhang","sequence":"additional","affiliation":[{"name":"Department of Computer Science and Engineering, Research Institute of Trustworthy Autonomous Systems, Southern University of Science and Technology, Shenzhen, 
China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6807-9999","authenticated-orcid":false,"given":"Jidong","family":"Xiao","sequence":"additional","affiliation":[{"name":"Boise State University, Boise, ID, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4001-3442","authenticated-orcid":false,"given":"Kevin","family":"Leach","sequence":"additional","affiliation":[{"name":"University of Michigan, Ann Arbor, MI, USA"}]},{"given":"Westley","family":"Weimer","sequence":"additional","affiliation":[{"name":"University of Michigan, Ann Arbor, MI, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3974-590X","authenticated-orcid":false,"given":"Xuhua","family":"Ding","sequence":"additional","affiliation":[{"name":"Singapore Management University, Singapore"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9815-749X","authenticated-orcid":false,"given":"Guojun","family":"Wang","sequence":"additional","affiliation":[{"name":"Guangzhou University, Guangzhou, China"}]}],"member":"263","reference":[{"key":"ref39","article-title":"Stream","author":"mccalpin","year":"2018"},{"key":"ref38","article-title":"ToorKit","year":"2015"},{"key":"ref33","first-page":"199","article-title":"Membrane: A posteriori detection of malicious code loading by memory paging analysis","author":"p\u00e9k","year":"2016","journal-title":"Eur Symp Research in Computer Security"},{"key":"ref32","article-title":"Adore-ng","year":"2018"},{"key":"ref31","first-page":"1751","article-title":"Back to the whiteboard: A principled approach for the assessment and design of memory forensic techniques","author":"pagani","year":"2019","journal-title":"Proc Conf USENIX Secur Symp"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23260"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2013.6575343"},{"key":"ref36","first-page":"1","article-title":"Getting into the SMRAM: SMM Reloaded","author":"duflot","year":"2009","journal-title":"Proc 
CanSecWest"},{"key":"ref35","article-title":"Wireshark","author":"combs","year":"2019"},{"key":"ref34","article-title":"On the viability of memory forensics in compromised environments","author":"stuettgen","year":"2015"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1016\/j.ins.2016.07.019"},{"key":"ref27","article-title":"General purpose hash function algorithms","author":"partow","year":"2018"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1109\/TPDS.2018.2831202"},{"key":"ref2","article-title":"RootKits list","year":"2018"},{"key":"ref1","article-title":"National vulnerability database","year":"2018"},{"key":"ref20","article-title":"Meshcommander","year":"2019"},{"key":"ref22","article-title":"TBoot","year":"2018"},{"key":"ref21","article-title":"embARC","year":"2019"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.45"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4302-6572-6"},{"key":"ref26","article-title":"Intel 3 series express chipset family","year":"2007"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660303"},{"key":"ref50","first-page":"1","article-title":"Intel ME: Flash file system explained","author":"sklyarov","year":"2017","journal-title":"in Proc Black Hat Europe"},{"key":"ref51","first-page":"1","article-title":"Intel ME: The way of the static analysis","author":"sklyarov","year":"2017","journal-title":"in Proc TROOPERS17"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-11203-9_13"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1535\/itj.1003.02"},{"key":"ref55","article-title":"Neutralize ME firmware on SandyBridge and IvyBridge platforms","year":"2016"},{"key":"ref54","article-title":"Disabling Intel ME 11 via undocumented mode","author":"ermolov","year":"2017"},{"key":"ref53","article-title":"ME cleaner: Tool for partial deblobbing of Intel ME\/TXE firmware 
images","author":"corna","year":"2017"},{"key":"ref52","first-page":"21","article-title":"Understanding DMA malware","author":"stewin","year":"2012","journal-title":"Detection of Intrusions and Malware and Vulnerability Assessment"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1145\/1866307.1866313"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2013.53"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1145\/945445.945464"},{"key":"ref12","first-page":"1","article-title":"How to hack a turned-off computer, or running unsigned code in intel management engine","author":"ermolov","year":"2017","journal-title":"in Proc Black Hat Eur"},{"key":"ref13","first-page":"1","article-title":"Introducing ring-3 rootkits","author":"tereshkin","year":"2009","journal-title":"Proc Black Hat USA"},{"key":"ref14","first-page":"217","article-title":"Nighthawk: Transparent system introspection from ring-3","author":"zhou","year":"2019","journal-title":"Eur Symp Research in Computer Security"},{"key":"ref15","article-title":"Intel AMT and the intel ME","author":"gael","year":"2009"},{"key":"ref16","article-title":"Innovation Engine","year":"2015"},{"key":"ref17","article-title":"Intel trusted execution technology (intel txt): Software development guide","year":"2017"},{"key":"ref18","article-title":"Attacking SMM Memory via Intel CPU Cache Poisoning","author":"wojtczuk","year":"0"},{"key":"ref19","article-title":"SMM protection in EDK II","author":"yao","year":"2017"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1145\/1346256.1346269"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1145\/1315245.1315262"},{"key":"ref6","first-page":"179","article-title":"Copilot\u2013A coprocessor-based kernel runtime integrity monitor","author":"petroni","year":"2004","journal-title":"Usenix Security 
Symp"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382202"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1145\/2775054.2694355"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.11"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1145\/3134600.3134622"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23121"},{"key":"ref46","article-title":"AMD memory encryption, White Paper","author":"kaplan","year":"2016"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354241"},{"key":"ref48","first-page":"541","article-title":"vTZ: Virtualizing ARM trustzone","author":"hua","year":"2017","journal-title":"Proc Conf USENIX Secur Symp"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2019.2946250"},{"key":"ref42","article-title":"ARM Security Technology - Building a Secure System using TrustZone Technology","year":"2009"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1145\/1294261.1294294"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1145\/2487726.2488370"},{"key":"ref43","article-title":"64 and IA-32 Architectures Software Developer's Manual","year":"2018"}],"container-title":["IEEE Transactions on Dependable and Secure 
Computing"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/8858\/9478312\/09397383.pdf?arnumber=9397383","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,4]],"date-time":"2025-11-04T18:38:40Z","timestamp":1762281520000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9397383\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,7,1]]},"references-count":57,"journal-issue":{"issue":"4"},"URL":"https:\/\/doi.org\/10.1109\/tdsc.2021.3071092","relation":{},"ISSN":["1545-5971","1941-0018","2160-9209"],"issn-type":[{"value":"1545-5971","type":"print"},{"value":"1941-0018","type":"electronic"},{"value":"2160-9209","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,7,1]]}}}