Resolving Conflicts Between RTOS Timekeeping and Uninterruptable Trusted Computing
Pith reviewed 2026-05-08 02:58 UTC · model grok-4.3
The pith
The secure world can restore consistent RTOS timekeeping by measuring elapsed time and updating missed ticks in the non-secure data structures after atomic operations.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
By letting the secure world measure elapsed real time during its uninterruptible trusted computing operations and then unobtrusively incrementing the RTOS time-keeping data structures with the corresponding number of missed SysTicks before re-enabling interrupts, the system regains a consistent monotonic notion of time across secure and non-secure worlds, permits secure services and real-time applications to coexist on the same microcontroller, and does so without any modification to the underlying RTOS or significant run-time overhead.
What carries the argument
The Secure-driven time synchronization mechanism that measures elapsed time inside the secure world and compensates the RTOS by updating its time-keeping data structures with missed ticks.
Load-bearing premise
The secure world can accurately measure real elapsed time while it runs uninterruptible, and directly editing the RTOS time data structures will always leave the RTOS internal state and real-time guarantees intact.
What would settle it
An execution trace in which an RTOS task's deadline or timer value deviates from real wall-clock time after a Secure atomic operation that skipped multiple SysTicks, even though the Secure world performed the described update.
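The compensation step described above, as an added C model that is not the paper's or its artifact's code: the Secure world counts the SysTicks its atomic operation suppressed and patches the Non-Secure tick counter before resuming, while the RTOS delay queue is only re-evaluated on the next SysTick. All names, the 1 kHz tick period and the timing values are constructed, elapsed time is passed in rather than read from a Secure timer, and the model also covers counter wrap-around and sub-tick residue, two of the derived-state concerns raised in the referee report.

```c
/* Added example, not the paper's code. All identifiers (ns_tick_count,
 * secure_atomic_op, rtos_tick_isr, ...) and timing values are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define TICK_PERIOD_US 1000u            /* assumed 1 kHz SysTick */
#define MAX_TASKS 4

/* Non-Secure RTOS time-keeping state: the primary tick counter plus one piece of
 * derived state, a delay queue of absolute wake ticks. */
static volatile uint32_t ns_tick_count;
static uint32_t wake_tick[MAX_TASKS];
static bool ready[MAX_TASKS];

/* "now has reached target", correct across 32-bit wrap-around of the counter. */
static bool tick_reached(uint32_t now, uint32_t target) {
    return (int32_t)(now - target) >= 0;
}

/* RTOS SysTick handler: advance time one tick and release expired delays. */
static void rtos_tick_isr(void) {
    ns_tick_count++;
    for (size_t i = 0; i < MAX_TASKS; i++)
        if (!ready[i] && tick_reached(ns_tick_count, wake_tick[i]))
            ready[i] = true;
}

/* Secure world: an uninterruptible trusted operation. On hardware the elapsed
 * time would be read from a Secure timer; here it is passed in. Sub-tick
 * residue is carried to the next operation so that no time is lost. */
static uint32_t secure_carry_us;
static uint32_t secure_atomic_op(uint32_t elapsed_us) {
    uint32_t total  = elapsed_us + secure_carry_us;
    uint32_t missed = total / TICK_PERIOD_US;
    secure_carry_us = total % TICK_PERIOD_US;
    /* Compensation step: only the primary counter is patched before interrupts
     * are re-enabled; the delay queue is re-evaluated on the next SysTick. */
    ns_tick_count += missed;
    return missed;
}

/* Scenario: task 0 sleeps delay_ticks from start_tick; run `before` ticks, one
 * Secure operation of op_us microseconds, then `after` ticks. Returns the RTOS
 * tick at which task 0 was released, or -1 if it never was. */
static long long scenario(uint32_t start_tick, uint32_t delay_ticks,
                          uint32_t before, uint32_t op_us, uint32_t after) {
    ns_tick_count = start_tick;
    secure_carry_us = 0;
    for (size_t i = 0; i < MAX_TASKS; i++) ready[i] = true;
    ready[0] = false;
    wake_tick[0] = start_tick + delay_ticks;      /* may wrap; that is intended */
    long long released = -1;
    for (uint32_t t = 0; t < before; t++) {
        rtos_tick_isr();
        if (ready[0] && released < 0) released = ns_tick_count;
    }
    secure_atomic_op(op_us);
    for (uint32_t t = 0; t < after; t++) {
        rtos_tick_isr();
        if (ready[0] && released < 0) released = ns_tick_count;
    }
    return released;
}
```

With a 7 ms Secure operation starting at tick 3, the RTOS clock reads 11 at the first tick after resumption, matching wall-clock time, but task 0's wake at tick 5 is honoured only at tick 11: the time base is consistent while the wake-up is late by the operation's duration, which is exactly the kind of trace the "What would settle it" line asks for.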
Original abstract
Trusted Execution Environments (TEEs) on low-power microcontrollers (e.g., ARM TrustZone-M) enable isolation of Secure and Non-Secure software but still require both worlds to share resources, including interrupt controllers. In this model, real-time applications and real-time operating systems (RTOS-s) are executed in the Non-Secure sub-system, whereas the Secure sub-system is typically reserved for a small set of pre-defined security (e.g., cryptographic) operations referred to as trusted computing services. However, many RTOS-s rely on periodic interrupts (SysTicks) to advance their own notion of time (time-keeping), and the delivery of this interrupt is essential for preserving real-time behavior. On the other hand, the security of many trusted computing services requires atomicity vis-a-vis the Non-Secure sub-system (where the RTOS resides), precluding SysTick handling. This paper first characterizes this conflict and then introduces a Secure-driven time synchronization mechanism in which the Secure World measures elapsed time and compensates the Non-Secure RTOS by unobtrusively updating the RTOS time-keeping data structures with the appropriate number of missed ticks before re-enabling interrupts and resuming the execution of the Non-Secure system. This approach restores a consistent, monotonic notion of time across worlds and enables secure coexistence of trusted computing services and RTOS-s on microcontrollers. Importantly, the proposed approach requires no modifications to the underlying RTOS and yields no significant run-time overhead.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper characterizes the conflict in microcontroller TEEs (e.g., ARM TrustZone-M) between uninterruptible Secure-world trusted computing services and the SysTick interrupts required by Non-Secure RTOSs for timekeeping. It proposes a Secure-driven mechanism in which the Secure world measures elapsed real time during atomic operations and compensates by updating the RTOS time-keeping data structures with the appropriate number of missed ticks before resuming Non-Secure execution, claiming this restores a consistent monotonic notion of time, requires no modifications to the RTOS, and incurs no significant run-time overhead.
Significance. If the mechanism can be shown to preserve RTOS invariants and real-time guarantees across representative implementations, the result would enable practical coexistence of trusted computing services and real-time applications on the same low-power microcontroller. This addresses a concrete systems-security tension in embedded and IoT devices without requiring changes to existing RTOS codebases.
Major comments (2)
- [Abstract] The central claim that the approach 'requires no modifications to the underlying RTOS' and 'yields no significant run-time overhead' while preserving real-time guarantees is load-bearing for the contribution, yet the manuscript provides no implementation details, performance measurements, or verification that direct updates to tick counters maintain scheduler, timer, and deadline invariants.
- The design assumes that measuring elapsed time in the Secure world and incrementing RTOS tick structures is always sufficient to restore correctness. However, many RTOS maintain derived state (task delay queues, software timers, monotonic bases with overflow handling) whose invariants are not addressed by a blind tick increment; the paper supplies no model of the safe update set or evidence that the chosen structures are complete for arbitrary RTOS.
Simulated Author's Rebuttal
We thank the referee for their constructive review and for recognizing the significance of the TEE-RTOS timekeeping conflict. We address each major comment below, indicating revisions where the manuscript will be strengthened.
Point-by-point responses
- Referee: [Abstract] The central claim that the approach 'requires no modifications to the underlying RTOS' and 'yields no significant run-time overhead' while preserving real-time guarantees is load-bearing for the contribution, yet the manuscript provides no implementation details, performance measurements, or verification that direct updates to tick counters maintain scheduler, timer, and deadline invariants.
  Authors: The manuscript provides a conceptual description of the mechanism together with pseudocode for the elapsed-time measurement and tick-compensation logic. We agree, however, that the load-bearing claims require concrete support. In the revised manuscript we will add an implementation section describing a prototype on an ARM Cortex-M platform with a representative RTOS, performance measurements quantifying run-time overhead, and an analysis demonstrating that direct updates to the primary tick counter preserve scheduler, timer, and monotonic-time invariants under the stated assumptions. Revision: yes
- Referee: The design assumes that measuring elapsed time in the Secure world and incrementing RTOS tick structures is always sufficient to restore correctness. However, many RTOS maintain derived state (task delay queues, software timers, monotonic bases with overflow handling) whose invariants are not addressed by a blind tick increment; the paper supplies no model of the safe update set or evidence that the chosen structures are complete for arbitrary RTOS.
  Authors: The mechanism compensates the core SysTick counter that serves as the monotonic time base for standard RTOS timekeeping. Upon resumption, the RTOS scheduler and timer subsystems operate on the corrected base, allowing derived structures such as delay queues to be processed at the next interrupt. We acknowledge that the paper does not supply a complete formal model covering every possible derived structure across arbitrary RTOS implementations. The revision will explicitly define the safe update set (primary tick counter and base monotonic time) and add a limitations paragraph noting that RTOS-specific extensions may be required for highly customized derived-state logic; the current contribution targets the common case of unmodified, standard RTOS kernels. Revision: partial
Circularity Check
No circularity: design proposal with no derivation chain
Full rationale
The paper is a systems design proposal that characterizes a conflict between TEE atomicity and RTOS SysTick timekeeping, then describes a compensation mechanism of measuring elapsed time in the secure world and updating non-secure tick counters. No equations, fitted parameters, predictions, or first-principles derivations appear in the provided text. Claims of preserved invariants and zero overhead are engineering assertions to be validated empirically, not results that reduce to self-referential inputs or self-citations by construction. The derivation chain is therefore self-contained and non-circular.
Axiom & Free-Parameter Ledger
Axioms (2)
- Domain assumption: the Secure world has access to an accurate, independent time source that can measure elapsed time during atomic operations.
- Domain assumption: direct updates to RTOS time-keeping data structures by Secure code will not violate RTOS internal state or scheduling invariants.