{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,14]],"date-time":"2026-03-14T09:41:29Z","timestamp":1773481289194,"version":"3.50.1"},"reference-count":39,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2017,4,21]],"date-time":"2017-04-21T00:00:00Z","timestamp":1492732800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"MSIP","award":["R-20160222-002755"],"award-info":[{"award-number":["R-20160222-002755"]}]},{"name":"NRF","award":["2014R1A2A1A10051792"],"award-info":[{"award-number":["2014R1A2A1A10051792"]}]},{"name":"IITP","award":["R0190-16-2010"],"award-info":[{"award-number":["R0190-16-2010"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Des. Autom. Electron. Syst."],"published-print":{"date-parts":[[2017,7,31]]},"abstract":"<jats:p>\n            The ARM CoreSight Program Trace Macrocell (PTM) has been widely deployed in recent ARM processors for real-time debugging and tracing of software. Using PTM, the external debugger can extract execution behaviors of applications running on an ARM processor. Recently, some researchers have been using this feature for other purposes, such as fault-tolerant computation and security monitoring. This motivated us to develop an external security monitor that can detect control hijacking attacks, of which the goal is to maliciously manipulate the control flow of victim applications at an attacker\u2019s disposal. This article focuses on detecting a special type of attack called\n            <jats:italic>code reuse attacks<\/jats:italic>\n            (CRA), which use a recently introduced technique that allows attackers to perform arbitrary computation without injecting their code by reusing only existing code fragments. 
Our external monitor is attached to the outside of the host system via the system bus and ARM CoreSight PTM, and is fed with execution traces of a victim application running on the host. As a majority of CRAs violates the normal execution behaviors of a program, our monitor constantly watches and analyzes the execution traces of the victim application and detects a symptom of attacks when the execution behaviors violate certain rules that normal applications are known to adhere. We present two different implementations for this purpose: a hardware-based solution in which all CRA detection components are implemented in hardware, and a hardware\/software mixed solution that can be employed in a more resource-constrained environment where the deployment of full hardware-level CRA detection is burdensome.\n          <\/jats:p>","DOI":"10.1145\/3035965","type":"journal-article","created":{"date-parts":[[2017,4,21]],"date-time":"2017-04-21T12:51:10Z","timestamp":1492779070000},"page":"1-25","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":15,"title":["Using CoreSight PTM to Integrate CRA Monitoring IPs in an ARM-Based SoC"],"prefix":"10.1145","volume":"22","author":[{"given":"Yongje","family":"Lee","sequence":"first","affiliation":[{"name":"Seoul National University, Seoul, South Korea"}]},{"given":"Jinyong","family":"Lee","sequence":"additional","affiliation":[{"name":"Electronics and Telecommunications Research Institute (ETRI), Daejeon, South Korea"}]},{"given":"Ingoo","family":"Heo","sequence":"additional","affiliation":[{"name":"Samsung Electronics Co., Ltd., Gyeonggi-do, South Korea"}]},{"given":"Dongil","family":"Hwang","sequence":"additional","affiliation":[{"name":"Seoul National University, Seoul, South Korea"}]},{"given":"Yunheung","family":"Paek","sequence":"additional","affiliation":[{"name":"Seoul National University, Seoul, South 
Korea"}]}],"member":"320","published-online":{"date-parts":[[2017,4,21]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/1102120.1102165"},{"key":"e_1_2_1_2_1","volume-title":"Retrieved","author":"Andersen Starr","year":"2004","unstructured":"Starr Andersen and Vincent Abella . 2004 . Data Execution Prevention: Changes to Functionality in Microsoft Windows XP Service Pack 2, Part 3: Memory Protection Technologies . Retrieved January 26, 2017, from https:\/\/technet.microsoft.com\/en-us\/library\/bb457155.aspx. Starr Andersen and Vincent Abella. 2004. Data Execution Prevention: Changes to Functionality in Microsoft Windows XP Service Pack 2, Part 3: Memory Protection Technologies. Retrieved January 26, 2017, from https:\/\/technet.microsoft.com\/en-us\/library\/bb457155.aspx."},{"key":"e_1_2_1_3_1","volume-title":"Retrieved","author":"ARM Co.","year":"2013","unstructured":"ARM Co. , Ltd. 2013 a. ARM CoreSight Architecture Specification v2.0 . Retrieved January 26, 2017, from http:\/\/infocenter.arm.com\/help\/topic\/com.arm.doc.ihi0029d\/IHI0029D_coresight_architecture_spec_v2_0.pdf. ARM Co., Ltd. 2013a. ARM CoreSight Architecture Specification v2.0. Retrieved January 26, 2017, from http:\/\/infocenter.arm.com\/help\/topic\/com.arm.doc.ihi0029d\/IHI0029D_coresight_architecture_spec_v2_0.pdf."},{"key":"e_1_2_1_4_1","volume-title":"Retrieved","author":"ARM Co.","year":"2013","unstructured":"ARM Co. , Ltd. 2013 b. ARM System Memory Management Unit Architecture Specification . Retrieved January 26, 2017, from http:\/\/infocenter.arm.com\/help\/topic\/com.arm.doc.ihi0062c\/IHI0062C_system_mmu_architecture_specification.pdf. ARM Co., Ltd. 2013b. ARM System Memory Management Unit Architecture Specification. 
Retrieved January 26, 2017, from http:\/\/infocenter.arm.com\/help\/topic\/com.arm.doc.ihi0062c\/IHI0062C_system_mmu_architecture_specification.pdf."},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/1966913.1966919"},{"key":"e_1_2_1_6_1","volume-title":"Proceedings of the 24th USENIX Security Symposium (USENIX Security\u201915)","author":"Carlini Nicholas","unstructured":"Nicholas Carlini , Antonio Barresi , Mathias Payer , David Wagner , and Thomas R. Gross . 2015. Control-flow bending: On the effectiveness of control-flow integrity . In Proceedings of the 24th USENIX Security Symposium (USENIX Security\u201915) . 161--176. https:\/\/www.usenix.org\/conference\/usenixsecurity15\/technical-sessions\/presentation\/carlini. Nicholas Carlini, Antonio Barresi, Mathias Payer, David Wagner, and Thomas R. Gross. 2015. Control-flow bending: On the effectiveness of control-flow integrity. In Proceedings of the 24th USENIX Security Symposium (USENIX Security\u201915). 161--176. https:\/\/www.usenix.org\/conference\/usenixsecurity15\/technical-sessions\/presentation\/carlini."},{"key":"e_1_2_1_7_1","volume-title":"Proceedings of the 23rd USENIX Security Symposium (USENIX Security\u201914)","author":"Carlini Nicholas","year":"2014","unstructured":"Nicholas Carlini and David Wagner . 2014 . ROP is still dangerous: Breaking modern defenses . In Proceedings of the 23rd USENIX Security Symposium (USENIX Security\u201914) . Nicholas Carlini and David Wagner. 2014. ROP is still dangerous: Breaking modern defenses. 
In Proceedings of the 23rd USENIX Security Symposium (USENIX Security\u201914)."},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/1866307.1866370"},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-10772-6_13"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23156"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICDSC.2001.918971"},{"key":"e_1_2_1_12_1","volume-title":"Proceedings of the 2012 NDSS Symposium.","author":"Davi Lucas","year":"2012","unstructured":"Lucas Davi , Alexandra Dmitrienko , Manuel Egele , Thomas Fischer , Thorsten Holz , Ralf Hund , Stefan N\u00fcrnberger , and Ahmad-Reza Sadeghi . 2012 . MoCFI: A framework to mitigate control-flow attacks on smartphones . In Proceedings of the 2012 NDSS Symposium. Lucas Davi, Alexandra Dmitrienko, Manuel Egele, Thomas Fischer, Thorsten Holz, Ralf Hund, Stefan N\u00fcrnberger, and Ahmad-Reza Sadeghi. 2012. MoCFI: A framework to mitigate control-flow attacks on smartphones. In Proceedings of the 2012 NDSS Symposium."},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/2744769.2744847"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/2593069.2596656"},{"key":"e_1_2_1_15_1","volume-title":"Proceedings of the 23rd USENIX Security Symposium (USENIX Security\u201914)","author":"Davi Lucas","year":"2014","unstructured":"Lucas Davi , Daniel Lehmann , Ahmad-Reza Sadeghi , and Fabian Monrose . 2014 b. Stitching the gadgets: On the ineffectiveness of coarse-grained control-flow integrity protection . In Proceedings of the 23rd USENIX Security Symposium (USENIX Security\u201914) . Lucas Davi, Daniel Lehmann, Ahmad-Reza Sadeghi, and Fabian Monrose. 2014b. Stitching the gadgets: On the ineffectiveness of coarse-grained control-flow integrity protection. 
In Proceedings of the 23rd USENIX Security Symposium (USENIX Security\u201914)."},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/1966913.1966920"},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813646"},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.43"},{"key":"e_1_2_1_19_1","volume-title":"Proceedings of the 23rd USENIX Security Symposium (USENIX Security\u201914)","author":"G\u00f6kta\u015f Enes","year":"2014","unstructured":"Enes G\u00f6kta\u015f , Elias Athanasopoulos , Michalis Polychronakis , Herbert Bos , and Georgios Portokalidis . 2014 . Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard . In Proceedings of the 23rd USENIX Security Symposium (USENIX Security\u201914) . Enes G\u00f6kta\u015f, Elias Athanasopoulos, Michalis Polychronakis, Herbert Bos, and Georgios Portokalidis. 2014. Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard. In Proceedings of the 23rd USENIX Security Symposium (USENIX Security\u201914)."},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1109\/SMARTCOMP-W.2014.7046672"},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/1186736.1186737"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.5555\/2337159.2337171"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/HPCA.2013.6522324"},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/2768566.2768569"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813644"},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1109\/TC.2006.166"},{"key":"e_1_2_1_28_1","volume-title":"Proceedings of the 22nd USENIX Security Symposium (USENIX Security\u201913)","author":"Pappas Vasilis","unstructured":"Vasilis Pappas , Michalis Polychronakis , and Angelos D. Keromytis . 2013. Transparent ROP exploit mitigation using indirect branch tracing . 
In Proceedings of the 22nd USENIX Security Symposium (USENIX Security\u201913) . 447--462. Vasilis Pappas, Michalis Polychronakis, and Angelos D. Keromytis. 2013. Transparent ROP exploit mitigation using indirect branch tracing. In Proceedings of the 22nd USENIX Security Symposium (USENIX Security\u201913). 447--462."},{"key":"e_1_2_1_29_1","volume-title":"Retrieved","author":"Team X","year":"2003","unstructured":"Pa X Team . 2003 . Address Space Layout Randomization . Retrieved January 26, 2017, from http:\/\/pax.grsecurity.net\/docs\/aslr.txt. PaX Team. 2003. Address Space Layout Randomization. Retrieved January 26, 2017, from http:\/\/pax.grsecurity.net\/docs\/aslr.txt."},{"key":"e_1_2_1_30_1","volume-title":"The Shell-Storm Linux Shellcode Repository. Retrieved","author":"Salwan Jonathan","year":"2017","unstructured":"Jonathan Salwan . 2014. The Shell-Storm Linux Shellcode Repository. Retrieved January 26, 2017 , from http:\/\/www.shell-storm.org Samsung Electronics Co., Ltd. 2012. Exynos 4. Available at http:\/\/www.samsung.com. Jonathan Salwan. 2014. The Shell-Storm Linux Shellcode Repository. Retrieved January 26, 2017, from http:\/\/www.shell-storm.org Samsung Electronics Co., Ltd. 2012. Exynos 4. Available at http:\/\/www.samsung.com."},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.51"},{"key":"e_1_2_1_32_1","volume-title":"Proceedings of the 20th USENIX Security Symposium (USENIX Security\u201911)","author":"Schwartz Edward J.","year":"2011","unstructured":"Edward J. Schwartz , Thanassis Avgerinos , and David Brumley . 2011 . Q: Exploit hardening made easy . In Proceedings of the 20th USENIX Security Symposium (USENIX Security\u201911) . Edward J. Schwartz, Thanassis Avgerinos, and David Brumley. 2011. Q: Exploit hardening made easy. 
In Proceedings of the 20th USENIX Security Symposium (USENIX Security\u201911)."},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/1315245.1315313"},{"key":"e_1_2_1_34_1","unstructured":"Saravanan Sinnadurai Qin Zhao and Weng Fai Wong. 2008. Transparent Runtime Shadow Stack: Protection Against Malicious Return Address Modifications. Available at http:\/\/citeseerx.ist.psu.edu\/viewdoc\/summary?doi=10.1.1.120.5702  Saravanan Sinnadurai Qin Zhao and Weng Fai Wong. 2008. Transparent Runtime Shadow Stack: Protection Against Malicious Return Address Modifications. Available at http:\/\/citeseerx.ist.psu.edu\/viewdoc\/summary?doi=10.1.1.120.5702"},{"key":"e_1_2_1_35_1","volume-title":"Proceedings of the 23rd USENIX Security Symposium (USENIX Security\u201914)","author":"Tice Caroline","year":"2014","unstructured":"Caroline Tice , Tom Roeder , Peter Collingbourne , Stephen Checkoway , \u00dalfar Erlingsson , Luis Lozano , and Geoff Pike . 2014 . Enforcing forward-edge control-flow integrity in GCC & LLVM . In Proceedings of the 23rd USENIX Security Symposium (USENIX Security\u201914) . 941--955. https:\/\/www.usenix.org\/conference\/usenixsecurity14\/technical-sessions\/presentation\/tice. Caroline Tice, Tom Roeder, Peter Collingbourne, Stephen Checkoway, \u00dalfar Erlingsson, Luis Lozano, and Geoff Pike. 2014. Enforcing forward-edge control-flow integrity in GCC & LLVM. In Proceedings of the 23rd USENIX Security Symposium (USENIX Security\u201914). 941--955. https:\/\/www.usenix.org\/conference\/usenixsecurity14\/technical-sessions\/presentation\/tice."},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813673"},{"key":"e_1_2_1_37_1","volume-title":"Technique Protection Tool for Linux. Retrieved","year":"2000","unstructured":"Vendicator. 2000 . StackShield: A \u201cStack Mashing \u201d Technique Protection Tool for Linux. Retrieved January 26, 2017, from http:\/\/www.angelfire.com\/sk\/stackshield\/. 
Vendicator. 2000. StackShield: A \u201cStack Mashing\u201d Technique Protection Tool for Linux. Retrieved January 26, 2017, from http:\/\/www.angelfire.com\/sk\/stackshield\/."},{"key":"e_1_2_1_38_1","volume-title":"Retrieved","author":"Xilinx Inc.","year":"2012","unstructured":"Xilinx Inc. 2012 . ZC702 Evaluation Board for the Zynq-7000 XC7Z020 Extensible Processing Platform: User Guide (UG850 v1.0) . Retrieved January 26, 2017, from http:\/\/dl.btc.pl\/kamami_wa\/zynq-7000-kit-user-guide.pdf. Xilinx Inc. 2012. ZC702 Evaluation Board for the Zynq-7000 XC7Z020 Extensible Processing Platform: User Guide (UG850 v1.0). Retrieved January 26, 2017, from http:\/\/dl.btc.pl\/kamami_wa\/zynq-7000-kit-user-guide.pdf."},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2013.44"},{"key":"e_1_2_1_40_1","volume-title":"Proceedings of the 22nd USENIX Security Symposium (USENIX Security\u201913)","author":"Zhang M.","unstructured":"M. Zhang and R. Sekar . 2013. Control flow integrity for COTS binaries . In Proceedings of the 22nd USENIX Security Symposium (USENIX Security\u201913) . 337--352. M. Zhang and R. Sekar. 2013. Control flow integrity for COTS binaries. In Proceedings of the 22nd USENIX Security Symposium (USENIX Security\u201913). 
337--352."}],"container-title":["ACM Transactions on Design Automation of Electronic Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3035965","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3035965","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T03:36:42Z","timestamp":1750217802000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3035965"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,4,21]]},"references-count":39,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2017,7,31]]}},"alternative-id":["10.1145\/3035965"],"URL":"https:\/\/doi.org\/10.1145\/3035965","relation":{},"ISSN":["1084-4309","1557-7309"],"issn-type":[{"value":"1084-4309","type":"print"},{"value":"1557-7309","type":"electronic"}],"subject":[],"published":{"date-parts":[[2017,4,21]]},"assertion":[{"value":"2016-04-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2016-12-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2017-04-21","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}