{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,16]],"date-time":"2025-10-16T07:05:24Z","timestamp":1760598324997,"version":"3.40.3"},"publisher-location":"Cham","reference-count":39,"publisher":"Springer Nature Switzerland","isbn-type":[{"type":"print","value":"9783031708954"},{"type":"electronic","value":"9783031708961"}],"license":[{"start":{"date-parts":[[2024,1,1]],"date-time":"2024-01-01T00:00:00Z","timestamp":1704067200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2024,1,1]],"date-time":"2024-01-01T00:00:00Z","timestamp":1704067200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2024]]},"DOI":"10.1007\/978-3-031-70896-1_10","type":"book-chapter","created":{"date-parts":[[2024,9,5]],"date-time":"2024-09-05T12:03:57Z","timestamp":1725537837000},"page":"194-214","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":3,"title":["Interp-flow Hijacking: Launching Non-control Data Attack via\u00a0Hijacking eBPF Interpretation 
Flow"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0009-0005-1917-0397","authenticated-orcid":false,"given":"Qirui","family":"Liu","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2899-6121","authenticated-orcid":false,"given":"Wenbo","family":"Shen","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-1725-7371","authenticated-orcid":false,"given":"Jinmeng","family":"Zhou","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7896-1694","authenticated-orcid":false,"given":"Zhuoruo","family":"Zhang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-7621-2015","authenticated-orcid":false,"given":"Jiayi","family":"Hu","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0009-7633-5521","authenticated-orcid":false,"given":"Shukai","family":"Ni","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4763-7354","authenticated-orcid":false,"given":"Kangjie","family":"Lu","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0178-0171","authenticated-orcid":false,"given":"Rui","family":"Chang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2024,9,6]]},"reference":[{"key":"10_CR1","doi-asserted-by":"crossref","unstructured":"Azab, A.M., et al.: Hypervision across worlds: real-time kernel protection from the arm trustzone secure world. 
In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (2014)","DOI":"10.1145\/2660267.2660350"},{"key":"10_CR2","unstructured":"Azad, B.: Project zero: An ios hacker tries android (2020). https:\/\/googleprojectzero.blogspot.com\/2020\/12\/an-ios-hacker-tries-android.html"},{"key":"10_CR3","unstructured":"Calavera, D., Fontana, L.: Linux Observability with BPF: Advanced Programming for Performance Analysis and Networking. O\u2019Reilly Media (2019)"},{"key":"10_CR4","unstructured":"Carlini, N., Barresi, A., Payer, M., Wagner, D., Gross, T.R.: Control-flow bending: On the effectiveness of control-flow integrity. In: 24th USENIX Security Symposium (USENIX Security 15), pp. 161\u2013176 (2015)"},{"key":"10_CR5","unstructured":"Chen, S., Xu, J., Sezer, E.C., Gauriar, P., Iyer, R.K.: Non-control-data attacks are realistic threats. In: USENIX security symposium, vol.\u00a05, p. 146 (2005)"},{"key":"10_CR6","doi-asserted-by":"crossref","unstructured":"Cheng, L., et al.: Exploitation techniques for data-oriented attacks with existing and potential defense approaches. ACM Trans. Privacy Secur. (TOPS) 24(4), 1\u201336 (2021)","DOI":"10.1145\/3462699"},{"key":"10_CR7","unstructured":"chompie1337. chompie1337\/linux_lpe_io_uring_cve-2021-41073 (2022). https:\/\/github.com\/chompie1337\/Linux_LPE_io_uring_CVE-2021-41073"},{"key":"10_CR8","unstructured":"Corbet, J.: Supervisor mode access prevention [lwn.net] (2012). https:\/\/lwn.net\/Articles\/517475\/"},{"key":"10_CR9","doi-asserted-by":"crossref","unstructured":"Davi, L., Gens, D., Liebchen, C., Sadeghi, A.-R.: Practical mitigation of data-only attacks against page tables. In: NDSS, Pt-rand (2017)","DOI":"10.14722\/ndss.2017.23421"},{"key":"10_CR10","unstructured":"Dileo, J.: Evil ebpf in-depth: Practical abuses of an in-kernel bytecode runtime. 
https:\/\/defcon.org\/html\/defcon-27\/dc-27-speakers.html#Dileo (2019)"},{"key":"10_CR11","unstructured":"Dileo, J.: Evil ebpf: Practical abuses of an in-kernel bytecode runtime (2019)"},{"key":"10_CR12","unstructured":"Edge, J.: Control-flow integrity for the kernel [lwn.net] (2020). https:\/\/lwn.net\/Articles\/810077\/"},{"key":"10_CR13","doi-asserted-by":"crossref","unstructured":"Frassetto, T., Gens, D., Liebchen, C., Sadeghi, A.-R.: Jitguard: hardening just-in-time compilers with sgx. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 2405\u20132419 (2017)","DOI":"10.1145\/3133956.3134037"},{"key":"10_CR14","doi-asserted-by":"crossref","unstructured":"Gershuni, E., et al.: Simple and precise static analysis of untrusted linux kernel extensions. In: Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation, pp. 1069\u20131084 (2019)","DOI":"10.1145\/3314221.3314590"},{"key":"10_CR15","unstructured":"Google. Kernel control flow integrity (2022). https:\/\/source.android.com\/docs\/security\/test\/kcfi"},{"key":"10_CR16","unstructured":"Google. Buzzer - an ebpf fuzzer toolchain (2023). https:\/\/github.com\/google\/buzzer"},{"key":"10_CR17","unstructured":"Fournier, S.A.G., Baubeau, S.: ebpf, i thought we were friends! (2021). https:\/\/defcon.org\/html\/defcon-29\/dc-29-speakers.html#fournier"},{"key":"10_CR18","unstructured":"Fournier, S.A.G., Baubeau, S.: With friends like ebpf, who needs enemies? (2021). https:\/\/www.blackhat.com\/us-21\/briefings\/schedule\/#with-friends-like-ebpf-who-needs-enemies-23619"},{"key":"10_CR19","unstructured":"Hu, H., Chua, Z.L., Adrian, S., Saxena, P., Liang, Z.: Automatic generation of data-oriented exploits. In: 24th USENIX Security Symposium (USENIX Security 15), pp. 
177\u2013192 (2015)"},{"key":"10_CR20","doi-asserted-by":"crossref","unstructured":"Hu, H., Shinde, S., Adrian, S., Chua, Z.L., Saxena, P., Liang, Z.: Data-oriented programming: On the expressiveness of non-control data attacks. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 969\u2013986. IEEE (2016)","DOI":"10.1109\/SP.2016.62"},{"key":"10_CR21","unstructured":"Jin, D., Atlidakis, V., Kemerlis, V.P.: EPF: Evil packet filter. In: 2023 USENIX Annual Technical Conference (USENIX ATC 23), pp. 735\u2013751 (2023)"},{"key":"10_CR22","unstructured":"Jurczyk, M., Coldwind, G.: Smep: what is it, and how to beat it on windows (2011). https:\/\/j00ru.vexillium.org\/2011\/06\/smep-what-is-it-and-how-to-beat-it-on-windows"},{"key":"10_CR23","doi-asserted-by":"crossref","unstructured":"Lin, Z., Wu, Y., Xing, X.: Dirtycred: escalating privilege in linux kernel. In: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pp. 1963\u20131976 (2022)","DOI":"10.1145\/3548606.3560585"},{"key":"10_CR24","unstructured":"Lu, H., Wang, S., Wu, Y., He, W., Zhang, F.: Moat: towards safe bpf kernel extension. arXiv preprint\u00a0arXiv:2301.13421 (2023)"},{"key":"10_CR25","unstructured":"Luke, X.N., Wang, E., Torlak: A proof-carrying approach to building correct and flexible in-kernel verifiers (2021). https:\/\/homes.cs.washington.edu\/~lukenels\/slides\/2021-09-23-lpc21.pdf"},{"key":"10_CR26","doi-asserted-by":"crossref","unstructured":"Miano, S., Bertrone, M., Risso, E., Tumolo, M., Bernal, M.V.: Creating complex network services with ebpf: experience and lessons learned. In: 2018 IEEE 19th International Conference on High Performance Switching and Routing (HPSR), pp. 1\u20138 (2018)","DOI":"10.1109\/HPSR.2018.8850758"},{"key":"10_CR27","unstructured":"CVE MITRE. Cve - cve-2021-29154 (2021). https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-29154"},{"key":"10_CR28","unstructured":"CVE MITRE. Cve - cve-2021-3490 (2021). 
https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-3490"},{"key":"10_CR29","unstructured":"Nelson, L., Van\u00a0Geffen, J., Torlak, E., Wang, X.: Specification and verification in the field: applying formal methods to BPF just-in-time compilers in the Linux kernel. In: Proceedings of the 14th USENIX Conference on Operating Systems Design and Implementation, pp. 41\u201361 (2020)"},{"key":"10_CR30","unstructured":"PatH. Warping reality - creating and countering the next generation of Linux rootkits using ebpf (2021). https:\/\/defcon.org\/html\/defcon-29\/dc-29-speakers.html#path"},{"key":"10_CR31","unstructured":"Starovoitov, A.: [patch v7 bpf-next 0\/3]. https:\/\/lore.kernel.org\/bpf\/6f56ba3e-144f-29be-c35d-0506fe16830f@iogearbox.net\/T\/"},{"key":"10_CR32","unstructured":"Sysdig. Threat detection built on falco (2016). https:\/\/sysdig.com\/opensource\/falco\/"},{"key":"10_CR33","unstructured":"Sysdig. Prometheus (2023). https:\/\/sysdig.com\/opensource\/prometheus\/"},{"key":"10_CR34","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"121","DOI":"10.1007\/978-3-642-23644-0_7","volume-title":"Recent Advances in Intrusion Detection","author":"M Tran","year":"2011","unstructured":"Tran, M., Etheridge, M., Bletsch, T., Jiang, X., Freeh, V., Ning, P.: On the expressiveness of return-into-libc attacks. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 121\u2013141. Springer, Heidelberg (2011). https:\/\/doi.org\/10.1007\/978-3-642-23644-0_7"},{"key":"10_CR35","doi-asserted-by":"crossref","unstructured":"Vishwanathan, H., Shachnai, M., Narayana, S., Nagarakatte, S.: Sound, precise, and fast abstract interpretation with tristate numbers. In: 2022 IEEE\/ACM International Symposium on Code Generation and Optimization (CGO), pp. 254\u2013265. 
IEEE (2022)","DOI":"10.1109\/CGO53902.2022.9741267"},{"key":"10_CR36","unstructured":"Wang, X., Lazar, D., Zeldovich, N., Chlipala, A., Tatlock, Z.: Jitk: a trustworthy in-kernel interpreter infrastructure. In: 11th USENIX Symposium on Operating Systems Design and Implementation (OSDI 14), pp. 33\u201347 (2014)"},{"key":"10_CR37","unstructured":"Wu, W., Chen, Y., Xing, X., Zou, W.: Kepler: facilitating control-flow hijacking primitive evaluation for linux kernel vulnerabilities. In: USENIX Security Symposium, pp. 1187\u20131204 (2019)"},{"key":"10_CR38","unstructured":"Xingyu, J., Neal, R.: The art of exploiting uaf by ret2bpf in android kernel (2021). https:\/\/www.blackhat.com\/eu-21\/briefings\/schedule\/#the-art-of-exploiting-uaf-by-retbpf-in-android-kernel-24544"},{"key":"10_CR39","unstructured":"Zhou, J., et al.: Beyond control: exploring novel file system objects for data-only attacks on linux systems (2024). arXiv preprint arXiv:2401.17618"}],"container-title":["Lecture Notes in Computer Science","Computer Security \u2013 ESORICS 2024"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-031-70896-1_10","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,9,5]],"date-time":"2024-09-05T12:07:01Z","timestamp":1725538021000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-031-70896-1_10"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024]]},"ISBN":["9783031708954","9783031708961"],"references-count":39,"URL":"https:\/\/doi.org\/10.1007\/978-3-031-70896-1_10","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2024]]},"assertion":[{"value":"6 September 2024","order":1,"name":"first_online","label":"First 
Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"ESORICS","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"European Symposium on Research in Computer Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Bydgoszcz","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Poland","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2024","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"16 September 2024","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"20 September 2024","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"29","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"esorics2024","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/esorics2024.org","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}