{"id":"https://openalex.org/W7101400140","doi":"https://doi.org/10.1109/tifs.2025.3625394","title":"Microft: Exploring and Mitigating Cross-State Control-Flow Hijacking Attacks on ARM Cortex-M TrustZone","display_name":"Microft: Exploring and Mitigating Cross-State Control-Flow Hijacking Attacks on ARM Cortex-M TrustZone","publication_year":2025,"publication_date":"2025-01-01","ids":{"openalex":"https://openalex.org/W7101400140","doi":"https://doi.org/10.1109/tifs.2025.3625394"},"language":null,"primary_location":{"id":"doi:10.1109/tifs.2025.3625394","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tifs.2025.3625394","pdf_url":null,"source":{"id":"https://openalex.org/S61310614","display_name":"IEEE Transactions on Information Forensics and Security","issn_l":"1556-6013","issn":["1556-6013","1556-6021"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Information Forensics and Security","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":null,"display_name":"Zheyuan Ma","orcid":"https://orcid.org/0009-0009-5631-0466"},"institutions":[{"id":"https://openalex.org/I63190737","display_name":"University at Buffalo, State University of New York","ror":"https://ror.org/01y64my43","country_code":"US","type":"education","lineage":["https://openalex.org/I63190737"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Zheyuan Ma","raw_affiliation_strings":["Department of Computer Science and Engineering, University at Buffalo, Buffalo, NY, USA"],"affiliations":[{"raw_affiliation_string":"Department of Computer Science and Engineering, University at Buffalo, Buffalo, NY, USA","institution_ids":["https://openalex.org/I63190737"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Xi Tan","orcid":"https://orcid.org/0009-0001-8957-4507"},"institutions":[{"id":"https://openalex.org/I4210150620","display_name":"Spectral Imaging Laboratory (United States)","ror":"https://ror.org/03tw0yk66","country_code":"US","type":"company","lineage":["https://openalex.org/I4210150620"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Xi Tan","raw_affiliation_strings":["CactiLab, Boston, USA"],"affiliations":[{"raw_affiliation_string":"CactiLab, Boston, USA","institution_ids":["https://openalex.org/I4210150620"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Lukasz Ziarek","orcid":"https://orcid.org/0000-0003-4353-1998"},"institutions":[{"id":"https://openalex.org/I63190737","display_name":"University at Buffalo, State University of New York","ror":"https://ror.org/01y64my43","country_code":"US","type":"education","lineage":["https://openalex.org/I63190737"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Lukasz Ziarek","raw_affiliation_strings":["Department of Computer Science and Engineering, University at Buffalo, Buffalo, NY, USA"],"affiliations":[{"raw_affiliation_string":"Department of Computer Science and Engineering, University at Buffalo, Buffalo, NY, USA","institution_ids":["https://openalex.org/I63190737"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Ning Zhang","orcid":"https://orcid.org/0000-0003-0670-2161"},"institutions":[{"id":"https://openalex.org/I204465549","display_name":"Washington University in St. Louis","ror":"https://ror.org/01yc7t268","country_code":"US","type":"education","lineage":["https://openalex.org/I204465549"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Ning Zhang","raw_affiliation_strings":["Department of Computer Science and Engineering, Washington University in St. Louis, St. Louis, MO, USA"],"affiliations":[{"raw_affiliation_string":"Department of Computer Science and Engineering, Washington University in St. Louis, St. Louis, MO, USA","institution_ids":["https://openalex.org/I204465549"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Shambhu Upadhyaya","orcid":"https://orcid.org/0000-0002-0596-1703"},"institutions":[{"id":"https://openalex.org/I63190737","display_name":"University at Buffalo, State University of New York","ror":"https://ror.org/01y64my43","country_code":"US","type":"education","lineage":["https://openalex.org/I63190737"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Shambhu Upadhyaya","raw_affiliation_strings":["Department of Computer Science and Engineering, University at Buffalo, Buffalo, NY, USA"],"affiliations":[{"raw_affiliation_string":"Department of Computer Science and Engineering, University at Buffalo, Buffalo, NY, USA","institution_ids":["https://openalex.org/I63190737"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Hongxin Hu","orcid":"https://orcid.org/0000-0001-8710-247X"},"institutions":[{"id":"https://openalex.org/I63190737","display_name":"University at Buffalo, State University of New York","ror":"https://ror.org/01y64my43","country_code":"US","type":"education","lineage":["https://openalex.org/I63190737"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Hongxin Hu","raw_affiliation_strings":["Department of Computer Science and Engineering, University at Buffalo, Buffalo, NY, USA"],"affiliations":[{"raw_affiliation_string":"Department of Computer Science and Engineering, University at Buffalo, Buffalo, NY, USA","institution_ids":["https://openalex.org/I63190737"]}]},{"author_position":"last","author":{"id":null,"display_name":"Ziming Zhao","orcid":"https://orcid.org/0000-0002-4930-5556"},"institutions":[{"id":"https://openalex.org/I4210150620","display_name":"Spectral Imaging Laboratory (United States)","ror":"https://ror.org/03tw0yk66","country_code":"US","type":"company","lineage":["https://openalex.org/I4210150620"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Ziming Zhao","raw_affiliation_strings":["CactiLab, Boston, USA"],"affiliations":[{"raw_affiliation_string":"CactiLab, Boston, USA","institution_ids":["https://openalex.org/I4210150620"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":7,"corresponding_author_ids":[],"corresponding_institution_ids":["https://openalex.org/I63190737"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.76059815,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":"20","issue":null,"first_page":"12096","last_page":"12111"},"is_retracted":false,"is_paratext":false,"is_xpac":true,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9898999929428101,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9898999929428101,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12122","display_name":"Physical Unclonable Functions (PUFs) and Hardware Security","score":0.002199999988079071,"subfield":{"id":"https://openalex.org/subfields/1708","display_name":"Hardware and Architecture"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11005","display_name":"Radiation Effects in Electronics","score":0.0015999999595806003,"subfield":{"id":"https://openalex.org/subfields/2208","display_name":"Electrical and Electronic Engineering"},"field":{"id":"https://openalex.org/fields/22","display_name":"Engineering"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/overhead","display_name":"Overhead (engineering)","score":0.5839999914169312},{"id":"https://openalex.org/keywords/state","display_name":"State (computer science)","score":0.5709999799728394},{"id":"https://openalex.org/keywords/microcode","display_name":"Microcode","score":0.5116999745368958},{"id":"https://openalex.org/keywords/kernel","display_name":"Kernel (algebra)","score":0.5109000205993652},{"id":"https://openalex.org/keywords/code","display_name":"Code (set theory)","score":0.49230000376701355},{"id":"https://openalex.org/keywords/isolation","display_name":"Isolation (microbiology)","score":0.4846999943256378},{"id":"https://openalex.org/keywords/microcontroller","display_name":"Microcontroller","score":0.4837000072002411},{"id":"https://openalex.org/keywords/protection-mechanism","display_name":"Protection mechanism","score":0.4357999861240387},{"id":"https://openalex.org/keywords/mechanism","display_name":"Mechanism (biology)","score":0.42669999599456787},{"id":"https://openalex.org/keywords/address-space","display_name":"Address space","score":0.4065999984741211}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8756999969482422},{"id":"https://openalex.org/C2779960059","wikidata":"https://www.wikidata.org/wiki/Q7113681","display_name":"Overhead (engineering)","level":2,"score":0.5839999914169312},{"id":"https://openalex.org/C48103436","wikidata":"https://www.wikidata.org/wiki/Q599031","display_name":"State (computer science)","level":2,"score":0.5709999799728394},{"id":"https://openalex.org/C149635348","wikidata":"https://www.wikidata.org/wiki/Q193040","display_name":"Embedded system","level":1,"score":0.5652999877929688},{"id":"https://openalex.org/C22174128","wikidata":"https://www.wikidata.org/wiki/Q175869","display_name":"Microcode","level":2,"score":0.5116999745368958},{"id":"https://openalex.org/C74193536","wikidata":"https://www.wikidata.org/wiki/Q574844","display_name":"Kernel (algebra)","level":2,"score":0.5109000205993652},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.49230000376701355},{"id":"https://openalex.org/C2775941552","wikidata":"https://www.wikidata.org/wiki/Q25212305","display_name":"Isolation (microbiology)","level":2,"score":0.4846999943256378},{"id":"https://openalex.org/C173018170","wikidata":"https://www.wikidata.org/wiki/Q165678","display_name":"Microcontroller","level":2,"score":0.4837000072002411},{"id":"https://openalex.org/C2778717966","wikidata":"https://www.wikidata.org/wiki/Q4189076","display_name":"Protection mechanism","level":3,"score":0.4357999861240387},{"id":"https://openalex.org/C89611455","wikidata":"https://www.wikidata.org/wiki/Q6804646","display_name":"Mechanism (biology)","level":2,"score":0.42669999599456787},{"id":"https://openalex.org/C144240696","wikidata":"https://www.wikidata.org/wiki/Q367204","display_name":"Address space","level":2,"score":0.4065999984741211},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.40459999442100525},{"id":"https://openalex.org/C2778579508","wikidata":"https://www.wikidata.org/wiki/Q722192","display_name":"System call","level":2,"score":0.3837999999523163},{"id":"https://openalex.org/C49289754","wikidata":"https://www.wikidata.org/wiki/Q2267081","display_name":"Side channel attack","level":3,"score":0.36730000376701355},{"id":"https://openalex.org/C26771161","wikidata":"https://www.wikidata.org/wiki/Q16980","display_name":"ARM architecture","level":2,"score":0.35899999737739563},{"id":"https://openalex.org/C148417208","wikidata":"https://www.wikidata.org/wiki/Q4825882","display_name":"Authentication (law)","level":2,"score":0.34929999709129333},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.34850001335144043},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.3440000116825104},{"id":"https://openalex.org/C167822520","wikidata":"https://www.wikidata.org/wiki/Q176452","display_name":"Finite-state machine","level":2,"score":0.3424000144004822},{"id":"https://openalex.org/C2780138299","wikidata":"https://www.wikidata.org/wiki/Q3404265","display_name":"Privilege (computing)","level":2,"score":0.3395000100135803},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.33889999985694885},{"id":"https://openalex.org/C2985963534","wikidata":"https://www.wikidata.org/wiki/Q7603704","display_name":"State information","level":3,"score":0.3249000012874603},{"id":"https://openalex.org/C28420585","wikidata":"https://www.wikidata.org/wiki/Q2665075","display_name":"Timing attack","level":4,"score":0.320499986410141},{"id":"https://openalex.org/C126831891","wikidata":"https://www.wikidata.org/wiki/Q221673","display_name":"Host (biology)","level":2,"score":0.30959999561309814},{"id":"https://openalex.org/C9390403","wikidata":"https://www.wikidata.org/wiki/Q3966","display_name":"Computer hardware","level":1,"score":0.29809999465942383},{"id":"https://openalex.org/C110875604","wikidata":"https://www.wikidata.org/wiki/Q75","display_name":"The Internet","level":2,"score":0.2948000133037567},{"id":"https://openalex.org/C137822555","wikidata":"https://www.wikidata.org/wiki/Q2587068","display_name":"Information sensitivity","level":2,"score":0.2883000075817108},{"id":"https://openalex.org/C120314980","wikidata":"https://www.wikidata.org/wiki/Q180634","display_name":"Distributed computing","level":1,"score":0.2770000100135803},{"id":"https://openalex.org/C39217717","wikidata":"https://www.wikidata.org/wiki/Q1432354","display_name":"Hardware security module","level":3,"score":0.274399995803833},{"id":"https://openalex.org/C2776175482","wikidata":"https://www.wikidata.org/wiki/Q1195816","display_name":"Transfer (computing)","level":2,"score":0.2741999924182892},{"id":"https://openalex.org/C2775877400","wikidata":"https://www.wikidata.org/wiki/Q1142183","display_name":"User space","level":2,"score":0.2711000144481659},{"id":"https://openalex.org/C31258907","wikidata":"https://www.wikidata.org/wiki/Q1301371","display_name":"Computer network","level":1,"score":0.2648000121116638},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.2644999921321869},{"id":"https://openalex.org/C18131444","wikidata":"https://www.wikidata.org/wiki/Q163585","display_name":"Memory protection","level":5,"score":0.262800008058548},{"id":"https://openalex.org/C93996380","wikidata":"https://www.wikidata.org/wiki/Q44127","display_name":"Server","level":2,"score":0.25940001010894775},{"id":"https://openalex.org/C176649486","wikidata":"https://www.wikidata.org/wiki/Q2308807","display_name":"Memory management","level":3,"score":0.2540999948978424}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/tifs.2025.3625394","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tifs.2025.3625394","pdf_url":null,"source":{"id":"https://openalex.org/S61310614","display_name":"IEEE Transactions on Information Forensics and Security","issn_l":"1556-6013","issn":["1556-6013","1556-6021"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Information Forensics and Security","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","score":0.6778492331504822,"id":"https://metadata.un.org/sdg/16"}],"awards":[{"id":"https://openalex.org/G2601397984","display_name":null,"funder_award_id":"H98230-22-1-0307","funder_id":"https://openalex.org/F4320311089","funder_display_name":"National Security Agency"},{"id":"https://openalex.org/G2650971078","display_name":null,"funder_award_id":"2523436","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G3534762291","display_name":null,"funder_award_id":"2512972","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G3679172496","display_name":null,"funder_award_id":"2508320","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G4868349187","display_name":null,"funder_award_id":"2453496","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"}],"funders":[{"id":"https://openalex.org/F4320306076","display_name":"National Science Foundation","ror":"https://ror.org/021nxhr62"},{"id":"https://openalex.org/F4320311089","display_name":"National Security Agency","ror":"https://ror.org/0047bvr32"}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":21,"referenced_works":["https://openalex.org/W1975177131","https://openalex.org/W2056073317","https://openalex.org/W2345846953","https://openalex.org/W2507797218","https://openalex.org/W2612380866","https://openalex.org/W2664781091","https://openalex.org/W2913096406","https://openalex.org/W2934053005","https://openalex.org/W2982827547","https://openalex.org/W3092030485","https://openalex.org/W3122803386","https://openalex.org/W3125089468","https://openalex.org/W4205893197","https://openalex.org/W4206238988","https://openalex.org/W4210571882","https://openalex.org/W4280636196","https://openalex.org/W4288057749","https://openalex.org/W4293732311","https://openalex.org/W4297991389","https://openalex.org/W4386881452","https://openalex.org/W4409196894"],"related_works":[],"abstract_inverted_index":{"ARM":[0,70],"Cortex-M":[1,31,71,79],"is":[2,158],"one":[3],"of":[4,16,113,125,128,151],"the":[5,45,50,96,110,123,165,179],"most":[6],"popular":[7],"microcontroller":[8],"architectures":[9],"designed":[10],"for":[11,88],"deeply":[12],"embedded":[13],"and":[14,63,120,167,181,189],"Internet":[15],"Things":[17],"(IoT)":[18],"applications.":[19],"To":[20,134],"facilitate":[21],"efficient":[22,172],"execution,":[23],"it":[24],"has":[25,33],"some":[26],"unique":[27],"hardware":[28,132],"optimization.":[29],"Specifically,":[30],"TrustZone":[32],"a":[34,101,147,159],"fast":[35,81],"state":[36,47,52,82,98],"switch":[37,83],"mechanism":[38,84,157],"that":[39,177],"allows":[40],"direct":[41],"control-flow":[42,66],"transfer":[43],"from":[44],"secure":[46],"program":[48],"to":[49],"non-secure":[51,97],"userspace":[53,180],"program.":[54],"In":[55,73],"this":[56],"paper,":[57],"we":[58,75,139],"present":[59,109],"MICROFT":[60],"\u2013":[61],"exploring":[62],"mitigating":[64],"cross-state":[65],"hijacking":[67],"attacks":[68,115,129],"on":[69,130],"TrustZone.":[72],"particular,":[74],"first":[76,156],"demonstrate":[77],"how":[78],"TrustZone\u2019s":[80],"can":[85],"be":[86],"exploited":[87],"arbitrary":[89],"code":[90],"execution":[91],"with":[92],"escalated":[93],"privilege":[94],"in":[95,116,187],"by":[99],"introducing":[100],"new":[102],"exploitation":[103],"technique,":[104],"namely":[105],"return-to-non-secure":[106],"(ret2ns).":[107],"We":[108],"detailed":[111],"methodology":[112],"ret2ns":[114,137],"two":[117,131],"representative":[118],"cases":[119],"experimentally":[121],"confirm":[122],"feasibility":[124],"four":[126],"variants":[127],"platforms.":[133],"defend":[135],"against":[136],"attacks,":[138],"design":[140],"three":[141],"address":[142,162],"sanitizing":[143],"mechanisms":[144,169],"while":[145,164],"imposing":[146],"negligible":[148],"performance":[149],"overhead":[150],"less":[152],"than":[153],"0.1%.":[154],"The":[155],"generic":[160],"MPU-assisted":[161],"sanitizer,":[163],"second":[166],"third":[168],"are":[170,185],"more":[171],"software-fault":[173],"isolation":[174],"based":[175],"approaches":[176],"assume":[178],"kernel":[182],"space":[183],"programs":[184],"placed":[186],"different":[188],"known":[190],"memory":[191],"regions.":[192]},"counts_by_year":[],"updated_date":"2026-04-09T08:11:56.329763","created_date":"2025-10-28T00:00:00"}