{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,4,25]],"date-time":"2025-04-25T04:22:23Z","timestamp":1745554943565,"version":"3.40.4"},"publisher-location":"Singapore","reference-count":58,"publisher":"Springer Nature Singapore","isbn-type":[{"value":"9789819650316","type":"print"},{"value":"9789819650323","type":"electronic"}],"license":[{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025]]},"DOI":"10.1007\/978-981-96-5032-3_8","type":"book-chapter","created":{"date-parts":[[2025,4,24]],"date-time":"2025-04-24T18:41:25Z","timestamp":1745520085000},"page":"127-143","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Evaluating Kernel Anti-Exploitation Capabilities: A Scalable and\u00a0General Framework Based on\u00a0Evaluatology"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-8123-0806","authenticated-orcid":false,"given":"Simin","family":"Chen","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-8038-9904","authenticated-orcid":false,"given":"Dong","family":"Li","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1777-8110","authenticated-orcid":false,"given":"Chenggang","family":"Wu","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3728-6837","authenticated-orcid":false,"given":"Jianfeng","family":"Zhan","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2025,4,25]]},"reference":[{"key":"8_CR1","unstructured":"Anvin, H.P.: Supervisor mode access prevention. https:\/\/lwn.net\/Articles\/517475\/ (2012)"},{"key":"8_CR2","unstructured":"ATT &CK, M.: Mitre att &ck framework. https:\/\/attack.mitre.org\/ (2024)"},{"key":"8_CR3","unstructured":"Chen, W., Zou, X., Li, G., Qian, Z.: KOOBE: towards facilitating exploit generation of kernel out-of-bounds write vulnerabilities. In: 29th USENIX Security Symposium (USENIX Security 20), pp. 1093\u20131110 (2020)"},{"key":"8_CR4","doi-asserted-by":"crossref","unstructured":"Chen, Y., Lin, Z., Xing, X.: A systematic study of elastic objects in kernel exploitation. In: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, pp. 1165\u20131184 (2020)","DOI":"10.1145\/3372297.3423353"},{"key":"8_CR5","doi-asserted-by":"crossref","unstructured":"Chen, Y., Xing, X.: Slake: Facilitating slab manipulation for exploiting vulnerabilities in the linux kernel. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 1707\u20131722 (2019)","DOI":"10.1145\/3319535.3363212"},{"key":"8_CR6","unstructured":"Cho, H., et al.: Exploiting uses of uninitialized stack variables in linux kernels to leak kernel pointers. In: 14th USENIX Workshop on Offensive Technologies (WOOT 20) (2020)"},{"key":"8_CR7","unstructured":"Corporation, M.: Common vulnerabilities and exposures (cve). https:\/\/www.cve.org\/"},{"key":"8_CR8","unstructured":"of\u00a0Defense, U.D.: Department of defense trusted computer system evaluation criteria. https:\/\/csrc.nist.gov\/files\/pubs\/conference\/1998\/10\/08\/proceedings-of-the-21st-nissc-1998\/final\/docs\/early-cs-papers\/dod85.pdf (1985)"},{"key":"8_CR9","doi-asserted-by":"crossref","unstructured":"Ding, Y., Wei, T., Wang, T., Liang, Z., Zou, W.: Heap taichi: exploiting memory allocation granularity in heap-spraying attacks. In: Proceedings of the 26th Annual Computer Security Applications Conference, pp. 327\u2013336 (2010)","DOI":"10.1145\/1920261.1920310"},{"key":"8_CR10","unstructured":"Enterprise, H.P.: Netperf. https:\/\/github.com\/HewlettPackard\/netperf"},{"key":"8_CR11","unstructured":"Fischer, A.: Supervisor mode execution prevention (smep). https:\/\/socsvn.freebsd.org\/socsvn\/soc2014\/op\/docs\/intel\/fischer-smep.pdf (2011)"},{"key":"8_CR12","doi-asserted-by":"crossref","unstructured":"Ge, X., Talele, N., Payer, M., Jaeger, T.: Fine-grained control-flow integrity for kernel software. In: 2016 IEEE European Symposium on Security and Privacy (EuroS &P), pp. 179\u2013194. IEEE (2016)","DOI":"10.1109\/EuroSP.2016.24"},{"key":"8_CR13","doi-asserted-by":"crossref","unstructured":"G\u00f6ktas, E., Razavi, K., Portokalidis, G., Bos, H., Giuffrida, C.: Speculative probing: Hacking blind in the spectre era. In: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, pp. 1871\u20131885 (2020)","DOI":"10.1145\/3372297.3417289"},{"key":"8_CR14","doi-asserted-by":"crossref","unstructured":"Gruss, D., Maurice, C., Fogh, A., Lipp, M., Mangard, S.: Prefetch side-channel attacks: Bypassing smap and kernel aslr. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 368\u2013379 (2016)","DOI":"10.1145\/2976749.2978356"},{"key":"8_CR15","unstructured":"Han, S., Kim, S.J., Shin, W., Kim, B.J., Ryou, J.C.: Page-Oriented programming: subverting control-flow integrity of commodity operating system kernels with non-writable code pages. In: 33rd USENIX Security Symposium (USENIX Security 24), pp. 199\u2013216 (2024)"},{"key":"8_CR16","unstructured":"Hansen, D.: A page-table isolation update. https:\/\/lwn.net\/Articles\/752621\/ (2018)"},{"key":"8_CR17","unstructured":"kdlucas: byte-unixbench. https:\/\/github.com\/kdlucas\/byte-unixbench (2024)"},{"key":"8_CR18","unstructured":"Kellermann, M.: The dirty pipe vulnerability. https:\/\/dirtypipe.cm4all.com\/ (2022)"},{"key":"8_CR19","unstructured":"Kemerlis, V.P., Polychronakis, M., Keromytis, A.D.: ret2dir: rethinking kernel isolation. In: 23rd USENIX Security Symposium (USENIX Security 14), pp. 957\u2013972 (2014)"},{"key":"8_CR20","unstructured":"Kendra, C.: Dirty PageDirectory: a new linux kernel vulnerability. https:\/\/www.cyberkendra.com\/2024\/04\/dirty-pagedirectory-new-linux-kernel.html (2024)"},{"key":"8_CR21","unstructured":"Konovalov, A.: Exploiting the linux kernel via packet sockets (2017). https:\/\/googleprojectzero.blogspot.com\/2017\/05\/exploiting-linux-kernel-via-packet.html"},{"key":"8_CR22","unstructured":"Korkin, I., Tanda, S.: Detect kernel-mode rootkits via real time logging & controlling memory access. arXiv preprint arXiv:1705.06784 (2017)"},{"key":"8_CR23","doi-asserted-by":"crossref","unstructured":"Lee, J., Ham, H., Kim, I., Song, J.: Poster: Page table manipulation attack. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 1644\u20131646 (2015)","DOI":"10.1145\/2810103.2810121"},{"key":"8_CR24","unstructured":"Lee, Y., Kwak, J., Kang, J., Jeon, Y., Lee, B.: Pspray: timing side-channel based linux kernel heap exploitation technique. In: 32nd USENIX Security Symposium (USENIX Security 23), pp. 6825\u20136842 (2023)"},{"key":"8_CR25","unstructured":"Lee, Y., Min, C., Lee, B.: ExpRace: exploiting kernel races through raising interrupts. In: 30th USENIX Security Symposium (USENIX Security 21), pp. 2363\u20132380 (2021)"},{"key":"8_CR26","doi-asserted-by":"crossref","unstructured":"Liang, Z., Zou, X., Song, C., Qian, Z.: K-LEAK: towards automating the generation of multi-step infoleak exploits against the linux kernel. In: 31st Annual Network and Distributed System Security Symposium, NDSS (2024)","DOI":"10.14722\/ndss.2024.24935"},{"key":"8_CR27","doi-asserted-by":"crossref","unstructured":"Lin, Z., Wu, Y., Xing, X.: Dirtycred: Escalating privilege in linux kernel. In: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pp. 1963\u20131976 (2022)","DOI":"10.1145\/3548606.3560585"},{"issue":"6","key":"8_CR28","doi-asserted-by":"publisher","first-page":"46","DOI":"10.1145\/3357033","volume":"63","author":"M Lipp","year":"2020","unstructured":"Lipp, M., et al.: Meltdown: reading kernel memory from user space. Commun. ACM 63(6), 46\u201356 (2020)","journal-title":"Commun. ACM"},{"key":"8_CR29","doi-asserted-by":"crossref","unstructured":"Liu, W., Ravichandran, J., Yan, M.: Entrybleed: a universal kaslr bypass against kpti on linux. In: Proceedings of the 12th International Workshop on Hardware and Architectural Support for Security and Privacy, pp. 10\u201318 (2023)","DOI":"10.1145\/3623652.3623669"},{"key":"8_CR30","unstructured":"Liu, Y.: Usma: share kernel code. https:\/\/i.blackhat.com\/Asia-22\/Thursday-Materials\/AS-22-YongLiu-USMA-Share-Kernel-Code.pdf (2022)"},{"key":"8_CR31","unstructured":"LKMidas: Linux kernel pwn part 1: the simplest exploit - ret2usr. https:\/\/lkmidas.github.io\/posts\/20210123-linux-kernel-pwn-part-1\/#the-simplest-exploit---ret2usr (2021)"},{"key":"8_CR32","doi-asserted-by":"crossref","unstructured":"Lu, K., Walter, M.T., Pfaff, D., N\u00fcrnberger, S., Lee, W., Backes, M.: Unleashing use-before-initialization vulnerabilities in the linux kernel using targeted stack spraying. In: Proceedings of the 2017 Network and Distributed System Security Symposium (NDSS) (2017)","DOI":"10.14722\/ndss.2017.23387"},{"key":"8_CR33","unstructured":"Lutas, A., Lutas, D.: Bypassing kpti using the speculative behavior of the swapgs instruction (2019). https:\/\/i.blackhat.com\/eu-19\/Thursday\/eu-19-Lutas-Bypassing-KPTI-Using-The-Speculative-Behavior-Of-The-SWAPGS-Instruction-wp.pdf"},{"key":"8_CR34","unstructured":"Maar, L., Gast, S., Unterguggenberger, M., Oberhuber, M., Mangard, S.: Slubstick: arbitrary memory writes through practical software cross-cache attacks within the linux kernel. In: USENIX Security (2024)"},{"key":"8_CR35","unstructured":"McCalpin, J.D.: Stream benchmark. https:\/\/www.cs.virginia.edu\/stream\/ref.html#what (1995)"},{"key":"8_CR36","unstructured":"McVoy, L.W., Staelin, C., et\u00a0al.: Lmbench: portable tools for performance analysis. In: USENIX Annual Technical Conference, pp. 279\u2013294. San Diego, CA, USA (1996)"},{"key":"8_CR37","unstructured":"Nikolenko, V.: CVE-2016-6187: Exploiting linux kernel heap off-by-one. https:\/\/repository.root-me.org\/Exploitation%20-%20Syst%C3%A8me\/Unix\/EN%20-%20CVE-2016-6187%3A%20Exploiting%20Linux%20kernel%20heap%20off-by-one%20-%20Vitaly%20Nikolenko.pdf (2016)"},{"key":"8_CR38","doi-asserted-by":"crossref","unstructured":"Park, Y.J., Lee, G.: Repairing return address stack for buffer overflow protection. In: Proceedings of the 1st Conference on Computing Frontiers, pp. 335\u2013342 (2004)","DOI":"10.1145\/977091.977139"},{"key":"8_CR39","unstructured":"Perla, E., Oldani, M.: A guide to kernel exploitation: attacking the core. Elsevier (2010)"},{"key":"8_CR40","unstructured":"Portal, C.C.: Common criteria for information technology security evaluation. https:\/\/www.commoncriteriaportal.org\/"},{"key":"8_CR41","unstructured":"Project, D.C.: Vulnerability details. https:\/\/github.com\/dirtycow\/dirtycow.github.i o\/wiki\/VulnerabilityDetails (2024)"},{"key":"8_CR42","unstructured":"Ragab, H., Mambretti, A., Kurmus, A., Giuffrida, C.: Ghostrace: exploiting and mitigating speculative race conditions. In: USENIX Security (2024)"},{"issue":"1","key":"8_CR43","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3297714","volume":"52","author":"F Reghenzani","year":"2019","unstructured":"Reghenzani, F., Massari, G., Fornaciari, W.: The real-time linux kernel: a survey on preempt_rt. ACM Comput. Surv. (CSUR) 52(1), 1\u201336 (2019)","journal-title":"ACM Comput. Surv. (CSUR)"},{"key":"8_CR44","doi-asserted-by":"publisher","unstructured":"Shirey, R.: Internet security glossary. RFC 2828, May 2000. https:\/\/doi.org\/10.17487\/RFC2828, https:\/\/www.rfc-editor.org\/rfc\/rfc2828","DOI":"10.17487\/RFC2828"},{"key":"8_CR45","unstructured":"of\u00a0Standards, N.I., (NIST), T.: Framework for improving critical infrastructure cybersecurity, https:\/\/www.nist.gov\/cyberframework"},{"key":"8_CR46","unstructured":"of\u00a0Standards, N.I., Technology: Common vulnerability scoring system (cvss). https:\/\/nvd.nist.gov\/vuln-metrics\/cvss"},{"key":"8_CR47","doi-asserted-by":"crossref","unstructured":"Sun, J., Zhou, X., Shen, W., Zhou, Y., Ren, K.: Pesc: a per system-call stack canary design for linux kernel. In: Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy, pp. 365\u2013375 (2020)","DOI":"10.1145\/3374664.3375734"},{"key":"8_CR48","unstructured":"Vangoor, B.K.R., Tarasov, V., Zadok, E.: To FUSE or not to FUSE: performance of user-space file systems. In: 15th USENIX Conference on File and Storage Technologies (FAST 17), pp. 59\u201372 (2017)"},{"key":"8_CR49","unstructured":"Wang, M.: Ret2page: the art of exploiting use-after-free vulnerabilities in the dedicated cache. https:\/\/i.blackhat.com\/USA-22\/Thursday\/US-22-WANG-Ret2page-The-Art-of-Exploiting-Use-After-Free-Vulnerabilities-in-the-Dedicated-Cache.pdf (2022)"},{"key":"8_CR50","unstructured":"Wang, Y.: KSMA: breaking android kernel isolation and rooting with arm mmu features. https:\/\/i.blackhat.com\/briefings\/asia\/2018\/asia-18-WANG-KSMA-Breaking-Android-kernel-isolation-and-Rooting-with-ARM-MMU-features.pdf (2018)"},{"key":"8_CR51","unstructured":"Wiki, C.: Cross-cache overflow & page-level heap fengshui. https:\/\/ctf-wiki.org\/pwn\/linux\/kernel-mode\/exploitation\/heap\/buddy\/cross-cache\/"},{"key":"8_CR52","unstructured":"Wu, W., Chen, Y., Xing, X., Zou, W.: KEPLER: facilitating control-flow hijacking primitive evaluation for linux kernel vulnerabilities. In: 28th USENIX Security Symposium (USENIX Security 19), pp. 1187\u20131204 (2019)"},{"key":"8_CR53","unstructured":"Wu, W., Chen, Y., Xu, J., Xing, X., Gong, X., Zou, W.: FUZE: towards facilitating exploit generation for kernel Use-After-Free vulnerabilities. In: 27th USENIX Security Symposium (USENIX Security 18), pp. 781\u2013797 (2018)"},{"key":"8_CR54","unstructured":"Yang, L.: Dirty pagetable: a deep dive into the dirtycow vulnerability. https:\/\/yanglingxi1993.github.io\/dirty_pagetable\/dirty_pagetable.html (2024)"},{"key":"8_CR55","doi-asserted-by":"crossref","unstructured":"Zeng, K., et al.: Retspill: igniting user-controlled data to burn away linux kernel protections. In: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp. 3093\u20133107 (2023)","DOI":"10.1145\/3576915.3623220"},{"issue":"1","key":"8_CR56","doi-asserted-by":"publisher","first-page":"100162","DOI":"10.1016\/j.tbench.2024.100162","volume":"4","author":"J Zhan","year":"2024","unstructured":"Zhan, J., et al.: Evaluatology: the science and engineering of evaluation. BenchCouncil Trans. Benchmarks, Stand. Evaluations 4(1), 100162 (2024)","journal-title":"BenchCouncil Trans. Benchmarks, Stand. Evaluations"},{"key":"8_CR57","unstructured":"Zhou, J., et al.: Beyond control: exploring novel file system objects for data-only attacks on linux systems. arXiv preprint arXiv:2401.17618 (2024)"},{"key":"8_CR58","doi-asserted-by":"crossref","unstructured":"Ziad, M.T.I., Arroyo, M.A., Manzhosov, E., Sethumadhavan, S.: ZeRO: zero-overhead resilient operation under pointer integrity attacks. In: 2021 ACM\/IEEE 48th Annual International Symposium on Computer Architecture (ISCA), pp. 999\u20131012. IEEE (2021)","DOI":"10.1109\/ISCA52012.2021.00082"}],"container-title":["Lecture Notes in Computer Science","Benchmarking, Measuring, and Optimizing"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-981-96-5032-3_8","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,4,24]],"date-time":"2025-04-24T18:41:48Z","timestamp":1745520108000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-981-96-5032-3_8"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"ISBN":["9789819650316","9789819650323"],"references-count":58,"URL":"https:\/\/doi.org\/10.1007\/978-981-96-5032-3_8","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025]]},"assertion":[{"value":"25 April 2025","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"Bench","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Symposium on Benchmarking, Measuring and Optimization","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Guangzhou","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"China","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2024","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"3 December 2024","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"5 December 2024","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"bench2024","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}