{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T04:22:13Z","timestamp":1750220533279,"version":"3.41.0"},"reference-count":109,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2021,7,31]],"date-time":"2021-07-31T00:00:00Z","timestamp":1627689600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000185","name":"DARPA","doi-asserted-by":"crossref","award":["HR0011-18-C-0019"],"award-info":[{"award-number":["HR0011-18-C-0019"]}],"id":[{"id":"10.13039\/100000185","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["J. Emerg. Technol. Comput. Syst."],"published-print":{"date-parts":[[2021,7,31]]},"abstract":"<jats:p>There is an increasing body of work in the area of hardware defenses for software-driven security attacks. A significant challenge in developing these defenses is that the space of security vulnerabilities and exploits is large and not fully understood. This results in specific point defenses that aim to patch particular vulnerabilities. While these defenses are valuable, they are often blindsided by fresh attacks that exploit new vulnerabilities. This article aims to address this issue by suggesting ways to make future defenses more durable based on an organization of security vulnerabilities as they arise throughout the program life cycle. We classify these vulnerability sources through programming, compilation, and hardware realization, and we show how each source introduces unintended states and transitions into the implementation. 
Further, we show how security exploits gain control by moving the implementation to an unintended state using knowledge of these sources and how defenses work to prevent these transitions. This framework of analyzing vulnerability sources, exploits, and defenses provides insights into developing durable defenses that could defend against broader categories of exploits. We present illustrative case studies of four important attack genealogies\u2014showing how they fit into the presented framework and how the sophistication of the exploits and defenses have evolved over time, providing us insights for the future.<\/jats:p>","DOI":"10.1145\/3456299","type":"journal-article","created":{"date-parts":[[2021,8,1]],"date-time":"2021-08-01T17:58:11Z","timestamp":1627840691000},"page":"1-38","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":2,"title":["Software-driven Security Attacks: From Vulnerability Sources to Durable Hardware Defenses"],"prefix":"10.1145","volume":"17","author":[{"given":"Lauren","family":"Biernacki","sequence":"first","affiliation":[{"name":"University of Michigan"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Mark","family":"Gallagher","sequence":"additional","affiliation":[{"name":"University of Michigan"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Zhixing","family":"Xu","sequence":"additional","affiliation":[{"name":"Princeton University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Misiker Tadesse","family":"Aga","sequence":"additional","affiliation":[{"name":"University of Michigan"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Austin","family":"Harris","sequence":"additional","affiliation":[{"name":"University of Texas at Austin"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Shijia","family":"Wei","sequence":"additional","affiliation":[{"name":"University of Texas at 
Austin"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Mohit","family":"Tiwari","sequence":"additional","affiliation":[{"name":"University of Texas at Austin"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Baris","family":"Kasikci","sequence":"additional","affiliation":[{"name":"University of Michigan"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Sharad","family":"Malik","sequence":"additional","affiliation":[{"name":"Princeton University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Todd","family":"Austin","sequence":"additional","affiliation":[{"name":"University of Michigan"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2021,8]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"Mitre. 2001. CVE-2001-0144: SSH CRC-32 Compensation Attack Detector Vulnerability. Available from MITRE CVE-ID CVE-2001-0144. Retrieved from cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2001-0144.  Mitre. 2001. CVE-2001-0144: SSH CRC-32 Compensation Attack Detector Vulnerability. Available from MITRE CVE-ID CVE-2001-0144. Retrieved from cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2001-0144."},{"key":"e_1_2_1_2_1","unstructured":"Intel. 2018. Intel Analysis of Speculative Execution Side Channels. Retrieved from https:\/\/software.intel.com\/security-software-guidance\/api-app\/sites\/default\/files\/336983-Intel-Analysis-of-Speculative-Execution-Side-Channels-White-Paper.pdf.  Intel. 2018. Intel Analysis of Speculative Execution Side Channels. Retrieved from https:\/\/software.intel.com\/security-software-guidance\/api-app\/sites\/default\/files\/336983-Intel-Analysis-of-Speculative-Execution-Side-Channels-White-Paper.pdf."},{"key":"e_1_2_1_3_1","unstructured":"Polyverse. 2020. Polyverse. Retrieved from https:\/\/polyverse.com.  Polyverse. 2020. Polyverse. 
Retrieved from https:\/\/polyverse.com."},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/1102120.1102165"},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/1314466.1314469"},{"key":"e_1_2_1_6_1","volume-title":"RSA Conference. Springer, 225\u2013242","author":"Ac\u0131i\u00e7mez Onur","year":"2007","unstructured":"Onur Ac\u0131i\u00e7mez , \u00c7etin Kaya Ko\u00e7 , and Jean-Pierre Seifert . 2007 . Predicting secret keys via branch prediction. In Cryptographer\u2019s Track at the RSA Conference. Springer, 225\u2013242 . Onur Ac\u0131i\u00e7mez, \u00c7etin Kaya Ko\u00e7, and Jean-Pierre Seifert. 2007. Predicting secret keys via branch prediction. In Cryptographer\u2019s Track at the RSA Conference. Springer, 225\u2013242."},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1109\/CGO.2019.8661202"},{"key":"e_1_2_1_8_1","unstructured":"Aleph One. 1996. Smashing the Stack for Fun and Profit. Retrieved from http:\/\/phrack.org\/issues\/49\/14.html.  Aleph One. 1996. Smashing the Stack for Fun and Profit. Retrieved from http:\/\/phrack.org\/issues\/49\/14.html."},{"key":"e_1_2_1_9_1","unstructured":"Apple Corporation. 2018. Undefined Behavior Sanitizer. Retrieved from https:\/\/developer.apple.com\/documentation\/code_diagnostics\/undefined_behavior_sanitizer.  Apple Corporation. 2018. Undefined Behavior Sanitizer. Retrieved from https:\/\/developer.apple.com\/documentation\/code_diagnostics\/undefined_behavior_sanitizer."},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.5555\/2738600.2738611"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660378"},{"key":"e_1_2_1_12_1","volume-title":"Proceedings of the USENIX Security Symposium. 433\u2013447","author":"Backes Michael","year":"2014","unstructured":"Michael Backes and Stefan N\u00fcrnberger . 2014 . Oxymoron: Making fine-grained memory randomization practical by allowing code sharing . 
In Proceedings of the USENIX Security Symposium. 433\u2013447 . Michael Backes and Stefan N\u00fcrnberger. 2014. Oxymoron: Making fine-grained memory randomization practical by allowing code sharing. In Proceedings of the USENIX Security Symposium. 433\u2013447."},{"volume-title":"Proceedings of the 7th USENIX Workshop on Offensive Technologies.","author":"Bangert Julian","key":"e_1_2_1_13_1","unstructured":"Julian Bangert , Sergey Bratus , Rebecca Shapiro , and Sean W. Smith . 2013. The page-fault weird machine: Lessons in instruction-less computation . In Proceedings of the 7th USENIX Workshop on Offensive Technologies. Julian Bangert, Sergey Bratus, Rebecca Shapiro, and Sean W. Smith. 2013. The page-fault weird machine: Lessons in instruction-less computation. In Proceedings of the 7th USENIX Workshop on Offensive Technologies."},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/948109.948147"},{"key":"e_1_2_1_15_1","unstructured":"Daniel J. Bernstein. 2005. Cache-timing attacks on AES. https:\/\/cr.yp.to\/antiforgery\/cachetiming-20050414.pdf.  Daniel J. Bernstein. 2005. Cache-timing attacks on AES. https:\/\/cr.yp.to\/antiforgery\/cachetiming-20050414.pdf."},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813691"},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.22"},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/1966913.1966919"},{"key":"e_1_2_1_19_1","volume-title":"Proceedings of the USENIX Workshop on Hot Topics in Parallelism (HotPar\u201911)","author":"Boehm Hans-Juergen","year":"2011","unstructured":"Hans-Juergen Boehm . 2011 . How to miscompile programs with \u201cBenign\u201d data races . In Proceedings of the USENIX Workshop on Hot Topics in Parallelism (HotPar\u201911) . 3\u20133. Hans-Juergen Boehm. 2011. How to miscompile programs with \u201cBenign\u201d data races. In Proceedings of the USENIX Workshop on Hot Topics in Parallelism (HotPar\u201911). 
3\u20133."},{"key":"e_1_2_1_20_1","volume-title":"Exploit programming: From buffer overflows to weird machines and theory of computation. USENIX","author":"Bratus Sergey","year":"2011","unstructured":"Sergey Bratus , Michael E. Locasto , Meredith L. Patterson , Len Sassaman , and Anna Shubina . 2011. Exploit programming: From buffer overflows to weird machines and theory of computation. USENIX ; login 36, 6 ( 2011 ). Sergey Bratus, Michael E. Locasto, Meredith L. Patterson, Len Sassaman, and Anna Shubina. 2011. Exploit programming: From buffer overflows to weird machines and theory of computation. USENIX; login 36, 6 (2011)."},{"key":"e_1_2_1_21_1","volume-title":"Proceedings of the 27th USENIX Security Symposium (USENIXSecurity\u201918)","author":"Bulck Jo Van","year":"2018","unstructured":"Jo Van Bulck , Marina Minkin , Ofir Weisse , Daniel Genkin , Baris Kasikci , Frank Piessens , Mark Silberstein , Thomas F. Wenisch , Yuval Yarom , and Raoul Strackx . 2018 . Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution . In Proceedings of the 27th USENIX Security Symposium (USENIXSecurity\u201918) . USENIX Association, Baltimore, MD, 991\u20131008. Jo Van Bulck, Marina Minkin, Ofir Weisse, Daniel Genkin, Baris Kasikci, Frank Piessens, Mark Silberstein, Thomas F. Wenisch, Yuval Yarom, and Raoul Strackx. 2018. Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution. In Proceedings of the 27th USENIX Security Symposium (USENIXSecurity\u201918). USENIX Association, Baltimore, MD, 991\u20131008."},{"key":"e_1_2_1_22_1","volume-title":"Proceedings of the 28th USENIX Security Symposium (USENIXSecurity\u201919)","author":"Canella Claudio","year":"2019","unstructured":"Claudio Canella , Jo Van Bulck , Michael Schwarz , Moritz Lipp , Benjamin Von Berg , Philipp Ortner , Frank Piessens , Dmitry Evtyushkin , and Daniel Gruss . 2019 . A systematic evaluation of transient execution attacks and defenses . 
In Proceedings of the 28th USENIX Security Symposium (USENIXSecurity\u201919) . 249\u2013266. Claudio Canella, Jo Van Bulck, Michael Schwarz, Moritz Lipp, Benjamin Von Berg, Philipp Ortner, Frank Piessens, Dmitry Evtyushkin, and Daniel Gruss. 2019. A systematic evaluation of transient execution attacks and defenses. In Proceedings of the 28th USENIX Security Symposium (USENIXSecurity\u201919). 249\u2013266."},{"volume-title":"Proceedings of the 24th USENIX Security Symposium (USENIXSecurity\u201915)","author":"Carlini Nicholas","key":"e_1_2_1_23_1","unstructured":"Nicholas Carlini , Antonio Barresi , Mathias Payer , David Wagner , and Thomas R. Gross . 2015. Control-flow bending: On the effectiveness of control-flow integrity . In Proceedings of the 24th USENIX Security Symposium (USENIXSecurity\u201915) . 161\u2013176. Nicholas Carlini, Antonio Barresi, Mathias Payer, David Wagner, and Thomas R. Gross. 2015. Control-flow bending: On the effectiveness of control-flow integrity. In Proceedings of the 24th USENIX Security Symposium (USENIXSecurity\u201915). 161\u2013176."},{"key":"e_1_2_1_24_1","volume-title":"Proceedings of the 23rd USENIX Security Symposium (USENIXSecurity\u201914)","author":"Carlini Nicholas","year":"2014","unstructured":"Nicholas Carlini and David Wagner . 2014 . ROP is still dangerous: Breaking modern defenses . In Proceedings of the 23rd USENIX Security Symposium (USENIXSecurity\u201914) . 385\u2013399. Nicholas Carlini and David Wagner. 2014. ROP is still dangerous: Breaking modern defenses. In Proceedings of the 23rd USENIX Security Symposium (USENIXSecurity\u201914). 385\u2013399."},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/2857705.2857726"},{"key":"e_1_2_1_26_1","volume-title":"Proceedings of the Network and Distributed System Security Symposium (NDSS\u201914)","author":"Cheng Yueqiang","year":"2014","unstructured":"Yueqiang Cheng , Zongwei Zhou , Miao Yu , Xuhua Ding , and Robert H. Deng . 2014. 
ROPecker: A generic and practical approach for defending against ROP attacks . In Proceedings of the Network and Distributed System Security Symposium (NDSS\u201914) . Internet Society, Reston, VA. DOI:https:\/\/doi.org\/10.14722\/ndss. 2014 .23156 10.14722\/ndss.2014.23156 Yueqiang Cheng, Zongwei Zhou, Miao Yu, Xuhua Ding, and Robert H. Deng. 2014. ROPecker: A generic and practical approach for defending against ROP attacks. In Proceedings of the Network and Distributed System Security Symposium (NDSS\u201914). Internet Society, Reston, VA. DOI:https:\/\/doi.org\/10.14722\/ndss.2014.23156"},{"key":"e_1_2_1_27_1","volume-title":"Proceedings of the 12th conference on USENIX Security Symposium","volume":"12","author":"Cowan Crispin","year":"2003","unstructured":"Crispin Cowan , Steve Beattie , John Johansen , and Perry Wagle . 2003 . Pointguard TM: Protecting pointers from buffer overflow vulnerabilities . In Proceedings of the 12th conference on USENIX Security Symposium , Vol. 12 . USENIX Association, Berkeley, CA, 91\u2013104. Crispin Cowan, Steve Beattie, John Johansen, and Perry Wagle. 2003. Pointguard TM: Protecting pointers from buffer overflow vulnerabilities. In Proceedings of the 12th conference on USENIX Security Symposium, Vol. 12. USENIX Association, Berkeley, CA, 91\u2013104."},{"key":"e_1_2_1_28_1","volume-title":"Proceedings of the 7th Conference on USENIX Security Symposium (SSYM\u201998)","author":"Cowan Crispin","year":"1998","unstructured":"Crispin Cowan , Calton Pu , Dave Maier , Heather Hintony , Jonathan Walpole , Peat Bakke , Steve Beattie , Aaron Grier , Perry Wagle , and Qian Zhang . 1998 . StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks . In Proceedings of the 7th Conference on USENIX Security Symposium (SSYM\u201998) . 5\u20135. Crispin Cowan, Calton Pu, Dave Maier, Heather Hintony, Jonathan Walpole, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, and Qian Zhang. 1998. 
StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proceedings of the 7th Conference on USENIX Security Symposium (SSYM\u201998). 5\u20135."},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.52"},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/3314221.3314601"},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/2744769.2744847"},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2015.23262"},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2015.33"},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/TETC.2017.2785299"},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813646"},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1109\/MICRO.2016.7783743"},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/3297858.3304037"},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23262"},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.43"},{"key":"e_1_2_1_40_1","volume-title":"ANI vulnerability: History repeats","author":"Gonchigar Shashank","year":"2007","unstructured":"Shashank Gonchigar . 2007. ANI vulnerability: History repeats . SANS Institute Information Security Reading Room (Oct . 2007 ), 51. Retrieved from https:\/\/www.sans.org\/reading-room\/whitepapers\/threats\/ani-vulnerability-history-repeats-1926. Shashank Gonchigar. 2007. ANI vulnerability: History repeats. SANS Institute Information Security Reading Room (Oct. 2007), 51. Retrieved from https:\/\/www.sans.org\/reading-room\/whitepapers\/threats\/ani-vulnerability-history-repeats-1926."},{"key":"e_1_2_1_41_1","unstructured":"Google [n.d.]. Retpoline: A software construct for preventing branch-target-injection. Google. Retrieved from https:\/\/support.google.com\/faqs\/answer\/7625886.  Google [n.d.]. 
Retpoline: A software construct for preventing branch-target-injection. Google. Retrieved from https:\/\/support.google.com\/faqs\/answer\/7625886."},{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2017.23271"},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1109\/HPCA.2016.7446102"},{"key":"e_1_2_1_44_1","volume-title":"Proceedings of the IEEE Symposium on Security and Privacy. 571\u2013585","author":"Hiser Jason","year":"2012","unstructured":"Jason Hiser , Anh Nguyen-Tuong , Michele Co , Matthew Hall , and Jack W. Davidson . 2012. ILR: Where\u2019d my gadgets go? In Proceedings of the IEEE Symposium on Security and Privacy. 571\u2013585 . DOI:https:\/\/doi.org\/10.1109\/SP. 2012 .39 10.1109\/SP.2012.39 Jason Hiser, Anh Nguyen-Tuong, Michele Co, Matthew Hall, and Jack W. Davidson. 2012. ILR: Where\u2019d my gadgets go? In Proceedings of the IEEE Symposium on Security and Privacy. 571\u2013585. DOI:https:\/\/doi.org\/10.1109\/SP.2012.39"},{"key":"e_1_2_1_45_1","unstructured":"Jann Horn. 2018. speculative execution variant 4: Speculative store bypass. Retrieved from https:\/\/bugs.chromium.org\/p\/project-zero\/issues\/detail?id=1528.  Jann Horn. 2018. speculative execution variant 4: Speculative store bypass. Retrieved from https:\/\/bugs.chromium.org\/p\/project-zero\/issues\/detail?id=1528."},{"key":"e_1_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.62"},{"key":"e_1_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2013.23"},{"key":"e_1_2_1_48_1","unstructured":"Intel [n.d.]. Retpoline: A Branch Target Injection Mitigation. Intel. Retrieved from https:\/\/software.intel.com\/sites\/default\/files\/managed\/1d\/46\/Retpoline-A-Branch-Target-Injection-Mitigation.pdf.  Intel [n.d.]. Retpoline: A Branch Target Injection Mitigation. Intel. 
Retrieved from https:\/\/software.intel.com\/sites\/default\/files\/managed\/1d\/46\/Retpoline-A-Branch-Target-Injection-Mitigation.pdf."},{"volume-title":"Intel 64 and IA-32 Architectures Software Developer\u2019s Manual","author":"Intel Corporation","key":"e_1_2_1_49_1","unstructured":"Intel Corporation . 2019. Intel 64 and IA-32 Architectures Software Developer\u2019s Manual , Volume 3A: System Programming Guide, Part 1 . Intel Corporation, Santa Clara , CA. Order No. 253668-070US. Intel Corporation. 2019. Intel 64 and IA-32 Architectures Software Developer\u2019s Manual, Volume 3A: System Programming Guide, Part 1. Intel Corporation, Santa Clara, CA. Order No. 253668-070US."},{"key":"e_1_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/948109.948146"},{"key":"e_1_2_1_51_1","unstructured":"John Kennedy and Michael Satran. 2018. Control Flow Guard\u2014Windows Applications | Microsoft Docs. Retrieved from https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/secbp\/control-flow-guard.  John Kennedy and Michael Satran. 2018. Control Flow Guard\u2014Windows Applications | Microsoft Docs. Retrieved from https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/secbp\/control-flow-guard."},{"key":"e_1_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/3316781.3317903"},{"key":"e_1_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2006.9"},{"key":"e_1_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1145\/2678373.2665726"},{"key":"e_1_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1109\/MICRO.2018.00083"},{"key":"e_1_2_1_56_1","unstructured":"Vladimir Kiriansky and Carl Waldspurger. 2018. Speculative buffer overflows: Attacks and defenses. Retrieved from https:\/\/arXiv:cs\/1807.03757.  Vladimir Kiriansky and Carl Waldspurger. 2018. Speculative buffer overflows: Attacks and defenses. 
Retrieved from https:\/\/arXiv:cs\/1807.03757."},{"key":"e_1_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00002"},{"volume-title":"RSA, DSS, and other systems. In Advances in Cryptology| Crypto","author":"Kocher Paul C.","key":"e_1_2_1_58_1","unstructured":"Paul C. Kocher . 1996. Timing attacks on implementations of Die-Hellman , RSA, DSS, and other systems. In Advances in Cryptology| Crypto , Vol. 96 . 104113. Paul C. Kocher. 1996. Timing attacks on implementations of Die-Hellman, RSA, DSS, and other systems. In Advances in Cryptology| Crypto, Vol. 96. 104113."},{"key":"e_1_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.5555\/3307423.3307426"},{"key":"e_1_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.5555\/2685048.2685061"},{"key":"e_1_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1145\/3140587.3062343"},{"key":"e_1_2_1_62_1","volume-title":"Proceedings of the 27th USENIX Security Symposium (USENIX Security\u201918)","author":"Lipp Moritz","year":"2018","unstructured":"Moritz Lipp , Michael Schwarz , Daniel Gruss , Thomas Prescher , Werner Haas , Anders Fogh , Jann Horn , Stefan Mangard , Paul Kocher , Daniel Genkin , Yuval Yarom , and Mike Hamburg . 2018 . Meltdown: Reading kernel memory from user space . In Proceedings of the 27th USENIX Security Symposium (USENIX Security\u201918) . USENIX Association, Baltimore, MD, 973\u2013990. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity18\/presentation\/lipp. Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg. 2018. Meltdown: Reading kernel memory from user space. In Proceedings of the 27th USENIX Security Symposium (USENIX Security\u201918). USENIX Association, Baltimore, MD, 973\u2013990. 
Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity18\/presentation\/lipp."},{"volume-title":"Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 605\u2013622","author":"Liu Fangfei","key":"e_1_2_1_63_1","unstructured":"Fangfei Liu , Yuval Yarom , Qian Ge , Gernot Heiser , and Ruby B. Lee . 2015. Last-level cache side-channel attacks are practical . In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 605\u2013622 . Fangfei Liu, Yuval Yarom, Qian Ge, Gernot Heiser, and Ruby B. Lee. 2015. Last-level cache side-channel attacks are practical. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 605\u2013622."},{"key":"e_1_2_1_64_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23173"},{"key":"e_1_2_1_65_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243761"},{"key":"e_1_2_1_66_1","doi-asserted-by":"publisher","DOI":"10.1145\/2366231.2337173"},{"key":"e_1_2_1_67_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813676"},{"volume-title":"Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy (HASP\u201913)","author":"McKeen Frank","key":"e_1_2_1_68_1","unstructured":"Frank McKeen , Ilya Alexandrovich , Alex Berenzon , Carlos V. Rozas , Hisham Shafi , Vedvyas Shanbhogue , and Uday R. Savagaonkar . 2013. Innovative instructions and software model for isolated execution . In Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy (HASP\u201913) . ACM, New York, NY, Article 10, 8 pages. DOI:https:\/\/doi.org\/10.1145\/2487726.2488368 10.1145\/2487726.2488368 Frank McKeen, Ilya Alexandrovich, Alex Berenzon, Carlos V. Rozas, Hisham Shafi, Vedvyas Shanbhogue, and Uday R. Savagaonkar. 2013. Innovative instructions and software model for isolated execution. In Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy (HASP\u201913). 
ACM, New York, NY, Article 10, 8 pages. DOI:https:\/\/doi.org\/10.1145\/2487726.2488368"},{"key":"e_1_2_1_69_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363219"},{"key":"e_1_2_1_70_1","volume-title":"Proceedings of the International Conference on Information Security and Cryptology. Springer, 156\u2013168","author":"Molnar David","year":"2005","unstructured":"David Molnar , Matt Piotrowski , David Schultz , and David Wagner . 2005 . The program counter security model: Automatic detection and removal of control-flow side channel attacks . In Proceedings of the International Conference on Information Security and Cryptology. Springer, 156\u2013168 . David Molnar, Matt Piotrowski, David Schultz, and David Wagner. 2005. The program counter security model: Automatic detection and removal of control-flow side channel attacks. In Proceedings of the International Conference on Information Security and Cryptology. Springer, 156\u2013168."},{"key":"e_1_2_1_71_1","volume-title":"RSA Conference. Springer, 1\u201320","author":"Osvik Dag Arne","year":"2006","unstructured":"Dag Arne Osvik , Adi Shamir , and Eran Tromer . 2006 . Cache attacks and countermeasures: The case of AES. In Cryptographer\u2019s Track at the RSA Conference. Springer, 1\u201320 . Dag Arne Osvik, Adi Shamir, and Eran Tromer. 2006. Cache attacks and countermeasures: The case of AES. In Cryptographer\u2019s Track at the RSA Conference. Springer, 1\u201320."},{"key":"e_1_2_1_72_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516670"},{"key":"e_1_2_1_73_1","volume-title":"Proceedings of the IEEE Symposium on Security and Privacy. 601\u2013615","author":"Pappas Vasilis","year":"2012","unstructured":"Vasilis Pappas , Michalis Polychronakis , and Angelos D. Keromytis . 2012. Smashing the gadgets: Hindering return-oriented programming using in-place code randomization . In Proceedings of the IEEE Symposium on Security and Privacy. 601\u2013615 . DOI:https:\/\/doi.org\/10.1109\/SP. 
2012 .41 10.1109\/SP.2012.41 Vasilis Pappas, Michalis Polychronakis, and Angelos D. Keromytis. 2012. Smashing the gadgets: Hindering return-oriented programming using in-place code randomization. In Proceedings of the IEEE Symposium on Security and Privacy. 601\u2013615. DOI:https:\/\/doi.org\/10.1109\/SP.2012.41"},{"volume-title":"Proceedings of the 22nd USENIX Security Symposium (USENIX Security\u201913)","author":"Pappas Vasilis","key":"e_1_2_1_74_1","unstructured":"Vasilis Pappas , Michalis Polychronakis , and Angelos D. Keromytis . 2013. Transparent ROP exploit mitigation using indirect branch tracing . In Proceedings of the 22nd USENIX Security Symposium (USENIX Security\u201913) . 447\u2013462. Vasilis Pappas, Michalis Polychronakis, and Angelos D. Keromytis. 2013. Transparent ROP exploit mitigation using indirect branch tracing. In Proceedings of the 22nd USENIX Security Symposium (USENIX Security\u201913). 447\u2013462."},{"key":"e_1_2_1_75_1","unstructured":"PaX Team. 2003. PaX address space layout randomization (ASLR). Retrieved from http:\/\/pax.grsecurity.net\/docs\/aslr.txt.  PaX Team. 2003. PaX address space layout randomization (ASLR). Retrieved from http:\/\/pax.grsecurity.net\/docs\/aslr.txt."},{"key":"e_1_2_1_76_1","unstructured":"Jennifer Paykin Eric Mertens Mark Tullsen Luke Maurer Beno\u00eet Razet Alexander Bakst and Scott Moore. 2019. Weird machines as insecure compilation. Retrieved from https:\/\/arXiv:1911.00157.  Jennifer Paykin Eric Mertens Mark Tullsen Luke Maurer Beno\u00eet Razet Alexander Bakst and Scott Moore. 2019. Weird machines as insecure compilation. Retrieved from https:\/\/arXiv:1911.00157."},{"key":"e_1_2_1_77_1","unstructured":"Colin Percival. 2005. Cache missing for fun and profit. Retrieved from http:\/\/css.csail.mit.edu\/6.858\/2014\/readings\/ht-cache.pdf.  Colin Percival. 2005. Cache missing for fun and profit. 
Retrieved from http:\/\/css.csail.mit.edu\/6.858\/2014\/readings\/ht-cache.pdf."},{"key":"e_1_2_1_78_1","doi-asserted-by":"publisher","DOI":"10.1109\/MICRO.2018.00068"},{"key":"e_1_2_1_79_1","doi-asserted-by":"publisher","DOI":"10.1145\/3307650.3322246"},{"key":"e_1_2_1_80_1","unstructured":"John Regehr. 2010. A Guide to Undefined Behaviour in C and C++. Retrieved from https:\/\/blog.regehr.org\/archives\/213.  John Regehr. 2010. A Guide to Undefined Behaviour in C and C++. Retrieved from https:\/\/blog.regehr.org\/archives\/213."},{"key":"e_1_2_1_81_1","article-title":"Return-oriented programming: Systems, languages, and applications","volume":"15","author":"Roemer Ryan","year":"2012","unstructured":"Ryan Roemer , Erik Buchanan , Hovav Shacham , and Stefan Savage . 2012 . Return-oriented programming: Systems, languages, and applications . ACM Trans. Info. Syst. Secur. 15 , 1, Article 2 (Mar. 2012), 34 pages. DOI:https:\/\/doi.org\/10.1145\/2133375.2133377 10.1145\/2133375.2133377 Ryan Roemer, Erik Buchanan, Hovav Shacham, and Stefan Savage. 2012. Return-oriented programming: Systems, languages, and applications. ACM Trans. Info. Syst. Secur. 15, 1, Article 2 (Mar. 2012), 34 pages. DOI:https:\/\/doi.org\/10.1145\/2133375.2133377","journal-title":"ACM Trans. Info. Syst. Secur."},{"volume-title":"Proceedings of the 52nd Annual IEEE\/ACM International Symposium on Microarchitecture. ACM, 73\u201386","author":"Saileshwar Gururaj","key":"e_1_2_1_82_1","unstructured":"Gururaj Saileshwar and Moinuddin K. Qureshi . 2019. CleanupSpec: An undo approach to safe speculation . In Proceedings of the 52nd Annual IEEE\/ACM International Symposium on Microarchitecture. ACM, 73\u201386 . Gururaj Saileshwar and Moinuddin K. Qureshi. 2019. CleanupSpec: An undo approach to safe speculation. In Proceedings of the 52nd Annual IEEE\/ACM International Symposium on Microarchitecture. 
ACM, 73\u201386."},{"key":"e_1_2_1_83_1","doi-asserted-by":"publisher","DOI":"10.1145\/3307650.3322216"},{"key":"e_1_2_1_84_1","volume-title":"Proceedings of the USENIX Annual Technical Conference (USENIX ATC\u201912)","author":"Serebryany Konstantin","year":"2012","unstructured":"Konstantin Serebryany , Derek Bruening , Alexander Potapenko , and Dmitriy Vyukov . 2012 . AddressSanitizer: A fast address sanity checker . In Proceedings of the USENIX Annual Technical Conference (USENIX ATC\u201912) . 309\u2013318. Konstantin Serebryany, Derek Bruening, Alexander Potapenko, and Dmitriy Vyukov. 2012. AddressSanitizer: A fast address sanity checker. In Proceedings of the USENIX Annual Technical Conference (USENIX ATC\u201912). 309\u2013318."},{"key":"e_1_2_1_85_1","doi-asserted-by":"publisher","DOI":"10.1145\/1030083.1030124"},{"volume-title":"Proceedings of the 7th USENIX Workshop on Offensive Technologies.","author":"Shapiro Rebecca","key":"e_1_2_1_86_1","unstructured":"Rebecca Shapiro , Sergey Bratus , and Sean W. Smith . 2013. \u201cWeird Machines\u201d in ELF: A spotlight on the underappreciated metadata . In Proceedings of the 7th USENIX Workshop on Offensive Technologies. Rebecca Shapiro, Sergey Bratus, and Sean W. Smith. 2013. \u201cWeird Machines\u201d in ELF: A spotlight on the underappreciated metadata. In Proceedings of the 7th USENIX Workshop on Offensive Technologies."},{"key":"e_1_2_1_87_1","unstructured":"Gennadiy Shvets. 2018. Enhanced Virus Protection\/Execute Disable Bit. Retrieved from http:\/\/www.cpu-world.com\/Glossary\/E\/EVP_XD.html.  Gennadiy Shvets. 2018. Enhanced Virus Protection\/Execute Disable Bit. 
Retrieved from http:\/\/www.cpu-world.com\/Glossary\/E\/EVP_XD.html."},{"key":"e_1_2_1_88_1","doi-asserted-by":"publisher","DOI":"10.1109\/HST.2017.7951732"},{"key":"e_1_2_1_89_1","doi-asserted-by":"publisher","DOI":"10.1109\/ISCA.2018.00056"},{"key":"e_1_2_1_90_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2013.45"},{"key":"e_1_2_1_91_1","unstructured":"Solar Designer. 1997. Linux Kernel Patch from the Openwall Project: README. Retrieved from https:\/\/www.openwall.com\/linux\/README.shtml."},{"key":"e_1_2_1_92_1","unstructured":"Solar Designer. 1997. lpr LIBC RETURN exploit. Retrieved from http:\/\/insecure.org\/sploits\/linux.libc.return.lpr.sploit.html."},{"key":"e_1_2_1_93_1","unstructured":"Julian Stecklina and Thomas Prescher. 2018. LazyFP: Leaking FPU Register State Using Microarchitectural Side-Channels. Retrieved from https:\/\/arXiv:cs\/1806.07480."},{"key":"e_1_2_1_94_1","volume-title":"Proceedings of the IEEE International Symposium on Hardware-oriented Security and Trust (HOST\u201917)","author":"Theodorides M.","year":"2017","unstructured":"M. Theodorides and D. Wagner. 2017. Breaking active-set backward-edge CFI. In Proceedings of the IEEE International Symposium on Hardware-oriented Security and Trust (HOST\u201917). 85\u201389. 
DOI:https:\/\/doi.org\/10.1109\/HST.2017.7951803"},{"volume-title":"Proceedings of 25 years of the International Symposia on Computer Architecture (ISCA\u201998)","author":"Tullsen Dean M.","key":"e_1_2_1_95_1","unstructured":"Dean M. Tullsen, Susan J. Eggers, and Henry M. Levy. 1998. Simultaneous multithreading: Maximizing on-chip parallelism. In Proceedings of 25 years of the International Symposia on Computer Architecture (ISCA\u201998). ACM, New York, NY, 533\u2013544. DOI:https:\/\/doi.org\/10.1145\/285930.286011"},{"key":"e_1_2_1_96_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00087"},{"key":"e_1_2_1_97_1","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2014.37"},{"key":"e_1_2_1_98_1","unstructured":"w00w00. 1999. w00w00 on Heap Overflows. Retrieved from https:\/\/www.cgsecurity.org\/exploit\/heaptut.txt."},{"volume-title":"Proceedings of the Asia-Pacific Workshop on Systems. ACM, 9.","author":"Wang Xi","key":"e_1_2_1_99_1","unstructured":"Xi Wang, Haogang Chen, Alvin Cheung, Zhihao Jia, Nickolai Zeldovich, and M. Frans Kaashoek. 2012. Undefined behavior: What happened to my code? In Proceedings of the Asia-Pacific Workshop on Systems. 
ACM, 9."},{"key":"e_1_2_1_100_1","doi-asserted-by":"publisher","DOI":"10.1145\/1273440.1250723"},{"volume-title":"Proceedings of the 41st annual IEEE\/ACM International Symposium on Microarchitecture. IEEE Computer Society, 83\u201393","author":"Wang Zhenghong","key":"e_1_2_1_101_1","unstructured":"Zhenghong Wang and Ruby B. Lee. 2008. A novel cache architecture with enhanced performance and security. In Proceedings of the 41st annual IEEE\/ACM International Symposium on Microarchitecture. IEEE Computer Society, 83\u201393."},{"key":"e_1_2_1_102_1","doi-asserted-by":"publisher","DOI":"10.1145\/3352460.3358306"},{"key":"e_1_2_1_103_1","volume-title":"Proceedings of the 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI\u201916)","author":"Williams-King David","year":"2016","unstructured":"David Williams-King, Graham Gobieski, Kent Williams-King, James P. Blake, Xinhao Yuan, Patrick Colp, Michelle Zheng, Vasileios P. Kemerlis, Junfeng Yang, and William Aiello. 2016. Shuffler: Fast and deployable continuous code re-randomization. In Proceedings of the 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI\u201916). 
367\u2013382."},{"key":"e_1_2_1_104_1","doi-asserted-by":"publisher","DOI":"10.1109\/ISCA.2014.6853201"},{"key":"e_1_2_1_105_1","doi-asserted-by":"publisher","DOI":"10.1109\/MICRO.2018.00042"},{"key":"e_1_2_1_106_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.10"},{"key":"e_1_2_1_107_1","volume-title":"Proceedings of the 23rd USENIX Security Symposium (USENIXSecurity\u201914)","author":"Yarom Yuval","year":"2014","unstructured":"Yuval Yarom and Katrina Falkner. 2014. FLUSH+ RELOAD: A high resolution, low noise, L3 cache side-channel attack. In Proceedings of the 23rd USENIX Security Symposium (USENIXSecurity\u201914). 719\u2013732."},{"volume-title":"Proceedings of the Network and Distributed System Security Symposium (NDSS\u201919)","author":"Yu Jiyong","key":"e_1_2_1_108_1","unstructured":"Jiyong Yu, Lucas Hsiung, Mohamad El Hajj, and Christopher W. Fletcher. 2019. Data oblivious ISA extensions for side channel-resistant and high performance computing. In Proceedings of the Network and Distributed System Security Symposium (NDSS\u201919)."},{"volume-title":"Proceedings of the 52nd Annual IEEE\/ACM International Symposium on Microarchitecture. ACM, 954\u2013968","author":"Yu Jiyong","key":"e_1_2_1_109_1","unstructured":"Jiyong Yu, Mengjia Yan, Artem Khyzha, Adam Morrison, Josep Torrellas, and Christopher W. Fletcher. 2019. Speculative taint tracking (STT): A comprehensive protection for speculatively accessed data. 
In Proceedings of the 52nd Annual IEEE\/ACM International Symposium on Microarchitecture. ACM, 954\u2013968."}],"container-title":["ACM Journal on Emerging Technologies in Computing Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3456299","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3456299","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3456299","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T21:24:58Z","timestamp":1750195498000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3456299"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,7,31]]},"references-count":109,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2021,7,31]]}},"alternative-id":["10.1145\/3456299"],"URL":"https:\/\/doi.org\/10.1145\/3456299","relation":{},"ISSN":["1550-4832","1550-4840"],"issn-type":[{"type":"print","value":"1550-4832"},{"type":"electronic","value":"1550-4840"}],"subject":[],"published":{"date-parts":[[2021,7,31]]},"assertion":[{"value":"2020-06-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2021-03-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication 
History"}},{"value":"2021-08-01","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}