{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,17]],"date-time":"2025-10-17T00:20:07Z","timestamp":1760660407742,"version":"build-2065373602"},"reference-count":52,"publisher":"Springer Science and Business Media LLC","issue":"5","license":[{"start":{"date-parts":[[2025,9,9]],"date-time":"2025-09-09T00:00:00Z","timestamp":1757376000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2025,9,9]],"date-time":"2025-09-09T00:00:00Z","timestamp":1757376000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"funder":[{"DOI":"10.13039\/501100012166","name":"National Key R&D Program of China","doi-asserted-by":"crossref","award":["2022YFB3103900","2022YFB3103900","2022YFB3103900","2022YFB3103900","2022YFB3103900","2022YFB3103900"],"award-info":[{"award-number":["2022YFB3103900","2022YFB3103900","2022YFB3103900","2022YFB3103900","2022YFB3103900","2022YFB3103900"]}],"id":[{"id":"10.13039\/501100012166","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. 
Secur."],"published-print":{"date-parts":[[2025,10]]},"DOI":"10.1007\/s10207-025-01124-x","type":"journal-article","created":{"date-parts":[[2025,9,9]],"date-time":"2025-09-09T11:20:25Z","timestamp":1757416825000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Flow Hijacking in eBPF: Exploitation and Mitigation Across both Interpreter and JIT Execution"],"prefix":"10.1007","volume":"24","author":[{"ORCID":"https:\/\/orcid.org\/0009-0002-2783-8623","authenticated-orcid":false,"given":"Yifei","family":"Wu","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-1917-0397","authenticated-orcid":false,"given":"Qirui","family":"Liu","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2899-6121","authenticated-orcid":false,"given":"Wenbo","family":"Shen","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7896-1694","authenticated-orcid":false,"given":"Zhuoruo","family":"Zhang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-7621-2015","authenticated-orcid":false,"given":"Jiayi","family":"Hu","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0178-0171","authenticated-orcid":false,"given":"Rui","family":"Chang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2025,9,9]]},"reference":[{"key":"1124_CR1","unstructured":"Calavera, D., Fontana, L.: Linux Observability with BPF: Advanced Programming for Performance Analysis and Networking. 
O\u2019Reilly Media (2019)"},{"key":"1124_CR2","doi-asserted-by":"publisher","unstructured":"Miano, S., Bertrone, M., Risso, F., Tumolo, M., Bernal, M.V.: Creating complex network services with ebpf: Experience and lessons learned. In: 2018 IEEE 19th International Conference on High Performance Switching and Routing (HPSR), pp. 1\u20138 (2018). https:\/\/doi.org\/10.1109\/HPSR.2018.8850758","DOI":"10.1109\/HPSR.2018.8850758"},{"key":"1124_CR3","unstructured":"Sysdig: Prometheus. https:\/\/sysdig.com\/opensource\/prometheus\/ (2023). Accessed 27 June 2024"},{"key":"1124_CR4","unstructured":"Sysdig: Threat detection built on falco. https:\/\/sysdig.com\/opensource\/falco\/ (2016). Accessed 27 June 2024"},{"key":"1124_CR5","unstructured":"Google: Buzzer - an ebpf fuzzer toolchain. https:\/\/github.com\/google\/buzzer (2023). Accessed 27 June 2024"},{"key":"1124_CR6","unstructured":"Luke, Nelson, X., Wang, E., Torlak: A proof-carrying approach to building correct and flexible in-kernel verifiers. https:\/\/homes.cs.washington.edu\/~lukenels\/slides\/2021-09-23-lpc21.pdf (2021). Accessed 27 June 2024"},{"key":"1124_CR7","unstructured":"Wang, X., Lazar, D., Zeldovich, N., Chlipala, A., Tatlock, Z.: Jitk: A trustworthy in-kernel interpreter infrastructure. In: 11th USENIX Symposium on Operating Systems Design and Implementation (OSDI 14), pp. 33\u201347 (2014)"},{"key":"1124_CR8","doi-asserted-by":"publisher","unstructured":"Gershuni, E., Amit, N., Gurfinkel, A., Narodytska, N., Navas, J.A., Rinetzky, N., Ryzhyk, L., Sagiv, M.: Simple and precise static analysis of untrusted linux kernel extensions. In: Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation, pp. 1069\u20131084 (2019). 
https:\/\/doi.org\/10.1145\/3314221.3314590","DOI":"10.1145\/3314221.3314590"},{"key":"1124_CR9","doi-asserted-by":"publisher","unstructured":"Vishwanathan, H., Shachnai, M., Narayana, S., Nagarakatte, S.: Sound, precise, and fast abstract interpretation with tristate numbers. In: 2022 IEEE\/ACM International Symposium on Code Generation and Optimization (CGO), pp. 254\u2013265. IEEE (2022). https:\/\/doi.org\/10.1109\/CGO53902.2022.9741267","DOI":"10.1109\/CGO53902.2022.9741267"},{"key":"1124_CR10","unstructured":"Xingyu, Jin, R., Neal: The art of exploiting uaf by ret2bpf in android kernel. https:\/\/www.blackhat.com\/eu-21\/briefings\/schedule\/#the-art-of-exploiting-uaf-by-retbpf-in-android-kernel-24544 (2021). Accessed 27 June 2024"},{"key":"1124_CR11","unstructured":"chompie1337: chompie1337\/linux_lpe_io_uring_cve-2021-41073. https:\/\/github.com\/chompie1337\/Linux_LPE_io_uring_CVE-2021-41073 (2022). Accessed 27 June 2024"},{"key":"1124_CR12","unstructured":"Elena, Reshetova, F., Bonazzi, N., Asokan: Randomization can\u2019t stop bpf jit spray. https:\/\/www.blackhat.com\/eu-16\/briefings\/schedule\/#randomization-cant-stop-bpf-jit-spray-4516 (2016). Accessed 27 June 2024"},{"key":"1124_CR13","unstructured":"Samsung: Hardening hostile code in ebpf. https:\/\/samsung.github.io\/kspp-study\/bpf.html (2023). Accessed 27 June 2024"},{"key":"1124_CR14","unstructured":"Starovoitov, A.: [patch v7 bpf-next 0\/3]. https:\/\/lore.kernel.org\/bpf\/6f56ba3e-144f-29be-c35d-0506fe16830f@iogearbox.net\/T\/. Accessed 27 June 2024"},{"key":"1124_CR15","unstructured":"Dileo, J.: Evil ebpf: Practical abuses of an in-kernel bytecode runtime. DEF CON (2019)"},{"key":"1124_CR16","unstructured":"Lu, H., Wang, S., Wu, Y., He, W., Zhang, F.: Moat: Towards safe bpf kernel extension. 
arXiv preprint arXiv:2301.13421 (2023)"},{"key":"1124_CR17","doi-asserted-by":"publisher","unstructured":"Azab, A.M., Ning, P., Shah, J., Chen, Q., Bhutkar, R., Ganesh, G., Ma, J., Shen, W.: Hypervision across worlds: Real-time kernel protection from the arm trustzone secure world. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 90\u2013102 (2014). https:\/\/doi.org\/10.1145\/2660267.2660350","DOI":"10.1145\/2660267.2660350"},{"key":"1124_CR18","unstructured":"Jin, D., Atlidakis, V., Kemerlis, V.P.: EPF: Evil packet filter. In: 2023 USENIX Annual Technical Conference (USENIX ATC 23), pp. 735\u2013751 (2023)"},{"key":"1124_CR19","doi-asserted-by":"publisher","unstructured":"Lin, Z., Wu, Y., Xing, X.: Dirtycred: Escalating privilege in linux kernel. In: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pp. 1963\u20131976 (2022). https:\/\/doi.org\/10.1145\/3548606.3560585","DOI":"10.1145\/3548606.3560585"},{"key":"1124_CR20","unstructured":"Righi, A.: temporarily disable config_x86_kernel_ibt (2022). https:\/\/bugs.launchpad.net\/ubuntu\/+source\/linux\/+bug\/1980484. Accessed 13 May 2025"},{"key":"1124_CR21","unstructured":"The Linux Kernel Community: BPF ABI Recommended Conventions and Guidelines v1.0. https:\/\/www.kernel.org\/doc\/html\/latest\/bpf\/standardization\/abi.html#id1. Accessed 13 May 2025"},{"key":"1124_CR22","unstructured":"Amit, N., Wei, M.: The design and implementation of hyperupcalls. In: 2018 USENIX Annual Technical Conference (USENIX ATC 18), pp. 97\u2013112. USENIX Association, Boston, MA (2018). 
https:\/\/www.usenix.org\/conference\/atc18\/presentation\/amit"},{"issue":"2","key":"1124_CR23","doi-asserted-by":"publisher","first-page":"205","DOI":"10.1007\/s10009-021-00644-w","volume":"24","author":"PA Arras","year":"2022","unstructured":"Arras, P.A., Andronidis, A., Pina, L., Mituzas, K., Shu, Q., Grumberg, D., Cadar, C.: Sabre: load-time selective binary rewriting. Int. J. Softw. Tools Technol. Transfer 24(2), 205\u2013223 (2022). https:\/\/doi.org\/10.1007\/s10009-021-00644-w","journal-title":"Int. J. Softw. Tools Technol. Transfer"},{"key":"1124_CR24","doi-asserted-by":"publisher","unstructured":"Miano, S., Bertrone, M., Risso, F., Bernal, M.V., Lu, Y., Pi, J., Shaikh, A.: A service-agnostic software framework for fast and efficient in-kernel network services. In: 2019 ACM\/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS), pp. 1\u20139 (2019). https:\/\/doi.org\/10.1109\/ANCS.2019.8901880","DOI":"10.1109\/ANCS.2019.8901880"},{"key":"1124_CR25","unstructured":"Azad, B.: Project zero: An ios hacker tries android. https:\/\/googleprojectzero.blogspot.com\/2020\/12\/an-ios-hacker-tries-android.html (2020). Accessed 27 June 2024"},{"key":"1124_CR26","unstructured":"MITRE, C.: Cve - cve-2021-29154. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-29154 (2021). Accessed 27 June 2024"},{"key":"1124_CR27","unstructured":"MITRE, C.: Cve - cve-2021-3490. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-3490 (2021). Accessed 27 June 2024"},{"key":"1124_CR28","unstructured":"Nelson, L., Van\u00a0Geffen, J., Torlak, E., Wang, X.: Specification and verification in the field: Applying formal methods to bpf just-in-time compilers in the linux kernel. In: Proceedings of the 14th USENIX Conference on Operating Systems Design and Implementation, pp. 41\u201361 (2020)"},{"key":"1124_CR29","unstructured":"Dileo, J.: Evil ebpf in-depth: Practical abuses of an in-kernel bytecode runtime. 
https:\/\/defcon.org\/html\/defcon-27\/dc-27-speakers.html#Dileo (2019). Accessed 27 June 2024"},{"key":"1124_CR30","unstructured":"Guillaume\u00a0Fournier, S.A., Baubeau, S.: ebpf, i thought we were friends ! https:\/\/defcon.org\/html\/defcon-29\/dc-29-speakers.html#fournier (2021). Accessed 27 June 2024"},{"key":"1124_CR31","unstructured":"PatH: Warping reality - creating and countering the next generation of linux rootkits using ebpf. https:\/\/defcon.org\/html\/defcon-29\/dc-29-speakers.html#path (2021). Accessed 27 June 2024"},{"key":"1124_CR32","unstructured":"Guillaume\u00a0Fournier, S.A., Baubeau, S.: With friends like ebpf, who needs enemies? https:\/\/www.blackhat.com\/us-21\/briefings\/schedule\/#with-friends-like-ebpf-who-needs-enemies-23619 (2021). Accessed 27 June 2024"},{"key":"1124_CR33","unstructured":"Kemerlis, V.P., Portokalidis, G., Keromytis, A.D.: kguard: Lightweight kernel protection against return-to-user attacks. In: USENIX Security Symposium, vol.\u00a016 (2012)"},{"key":"1124_CR34","unstructured":"Jurczyk, M., Coldwind, G.: Smep: What is it, and how to beat it on windows. https:\/\/j00ru.vexillium.org\/2011\/06\/smep-what-is-it-and-how-to-beat-it-on-windows (2011). Accessed 27 June 2024"},{"key":"1124_CR35","unstructured":"Corbet, J.: Supervisor mode access prevention [lwn.net]. https:\/\/lwn.net\/Articles\/517475\/ (2012). Accessed 27 June 2024"},{"key":"1124_CR36","unstructured":"Kemerlis, V.P., Polychronakis, M., Keromytis, A.D.: ret2dir: Rethinking kernel isolation. In: 23rd USENIX Security Symposium (USENIX Security 14), pp. 957\u2013972 (2014)"},{"key":"1124_CR37","doi-asserted-by":"publisher","unstructured":"Tran, M., Etheridge, M., Bletsch, T., Jiang, X., Freeh, V., Ning, P.: On the expressiveness of return-into-libc attacks. In: Recent Advances in Intrusion Detection: 14th International Symposium, RAID 2011, Menlo Park, CA, USA, September 20-21, 2011. Proceedings 14, pp. 121\u2013141. Springer (2011). 
https:\/\/doi.org\/10.1007\/978-3-642-23644-0_7","DOI":"10.1007\/978-3-642-23644-0_7"},{"key":"1124_CR38","unstructured":"Wu, W., Chen, Y., Xing, X., Zou, W.: Kepler: Facilitating control-flow hijacking primitive evaluation for linux kernel vulnerabilities. In: USENIX Security Symposium, pp. 1187\u20131204 (2019)"},{"key":"1124_CR39","doi-asserted-by":"publisher","unstructured":"Criswell, J., Dautenhahn, N., Adve, V.: Kcofi: Complete control-flow integrity for commodity operating system kernels. In: 2014 IEEE symposium on security and privacy, pp. 292\u2013307. IEEE (2014). https:\/\/doi.org\/10.1109\/SP.2014.26","DOI":"10.1109\/SP.2014.26"},{"key":"1124_CR40","unstructured":"Edge, J.: Control-flow integrity for the kernel [lwn.net]. https:\/\/lwn.net\/Articles\/810077\/ (2020). Accessed 27 June 2024"},{"key":"1124_CR41","doi-asserted-by":"publisher","unstructured":"Ge, X., Talele, N., Payer, M., Jaeger, T.: Fine-grained control-flow integrity for kernel software. In: 2016 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 179\u2013194. IEEE (2016). https:\/\/doi.org\/10.1109\/EuroSP.2016.24","DOI":"10.1109\/EuroSP.2016.24"},{"key":"1124_CR42","unstructured":"Yoo, S., Park, J., Kim, S., Kim, Y., Kim, T.: In-kernel control-flow integrity on commodity oses using arm pointer authentication. In: 31st USENIX Security Symposium (USENIX Security 22), pp. 89\u2013106 (2022)"},{"key":"1124_CR43","unstructured":"Google: Kernel control flow integrity. https:\/\/source.android.com\/docs\/security\/test\/kcfi (2022). Accessed 27 June 2024"},{"key":"1124_CR44","first-page":"146","volume":"5","author":"S Chen","year":"2005","unstructured":"Chen, S., Xu, J., Sezer, E.C., Gauriar, P., Iyer, R.K.: Non-control-data attacks are realistic threats. 
In: USENIX security symposium 5, 146 (2005)","journal-title":"In: USENIX security symposium"},{"issue":"4","key":"1124_CR45","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3462699","volume":"24","author":"L Cheng","year":"2021","unstructured":"Cheng, L., Ahmed, S., Liljestrand, H., Nyman, T., Cai, H., Jaeger, T., Asokan, N., Yao, D.: Exploitation techniques for data-oriented attacks with existing and potential defense approaches. ACM Transactions on Privacy and Security (TOPS) 24(4), 1\u201336 (2021). https:\/\/doi.org\/10.1145\/3462699","journal-title":"ACM Transactions on Privacy and Security (TOPS)"},{"key":"1124_CR46","unstructured":"Hu, H., Chua, Z.L., Adrian, S., Saxena, P., Liang, Z.: Automatic generation of data-oriented exploits. In: 24th USENIX Security Symposium (USENIX Security 15), pp. 177\u2013192 (2015)"},{"key":"1124_CR47","unstructured":"Carlini, N., Barresi, A., Payer, M., Wagner, D., Gross, T.R.: Control-flow bending: On the effectiveness of control-flow integrity. In: 24th USENIX Security Symposium (USENIX Security 15), pp. 161\u2013176 (2015)"},{"key":"1124_CR48","unstructured":"Shapiro, R., Bratus, S., Smith, S.W.: \u201cweird machines\u201d in elf: A spotlight on the underappreciated metadata. In: 7th USENIX Workshop on Offensive Technologies (WOOT 13) (2013)"},{"key":"1124_CR49","unstructured":"Oakley, J.: Exploiting the hard-working dwarf: Trojan and exploit techniques with no native executable code. In: 5th USENIX Workshop on Offensive Technologies (WOOT 11) (2011)"},{"key":"1124_CR50","unstructured":"Bangert, J., Bratus, S., Shapiro, R., Smith, S.W.: The page-fault weird machine: Lessons in instruction-less computation. In: 7th USENIX Workshop on Offensive Technologies (WOOT 13) (2013)"},{"key":"1124_CR51","unstructured":"Rushanan, M., Checkoway, S.: Run-dma. 
In: 9th USENIX Workshop on Offensive Technologies (WOOT 15) (2015)"},{"key":"1124_CR52","doi-asserted-by":"publisher","unstructured":"Hu, H., Shinde, S., Adrian, S., Chua, Z.L., Saxena, P., Liang, Z.: Data-oriented programming: On the expressiveness of non-control data attacks. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 969\u2013986. IEEE (2016). https:\/\/doi.org\/10.1109\/SP.2016.62","DOI":"10.1109\/SP.2016.62"}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-025-01124-x.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-025-01124-x\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-025-01124-x.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,16]],"date-time":"2025-10-16T11:38:22Z","timestamp":1760614702000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-025-01124-x"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,9,9]]},"references-count":52,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2025,10]]}},"alternative-id":["1124"],"URL":"https:\/\/doi.org\/10.1007\/s10207-025-01124-x","relation":{},"ISSN":["1615-5262","1615-5270"],"issn-type":[{"type":"print","value":"1615-5262"},{"type":"electronic","value":"1615-5270"}],"subject":[],"published":{"date-parts":[[2025,9,9]]},"assertion":[{"value":"30 June 2025","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"29 August 
2025","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"9 September 2025","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors have no competing interests to declare that are relevant to the content of this article.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"204"}}