{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,6]],"date-time":"2026-05-06T18:10:11Z","timestamp":1778091011170,"version":"3.51.4"},"reference-count":85,"publisher":"IEEE","license":[{"start":{"date-parts":[[2022,5,1]],"date-time":"2022-05-01T00:00:00Z","timestamp":1651363200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-009"},{"start":{"date-parts":[[2022,5,1]],"date-time":"2022-05-01T00:00:00Z","timestamp":1651363200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-001"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2022,5]]},"DOI":"10.1109\/sp46214.2022.9833683","type":"proceedings-article","created":{"date-parts":[[2022,7,27]],"date-time":"2022-07-27T19:28:05Z","timestamp":1658950085000},"page":"2078-2095","source":"Crossref","is-referenced-by-count":31,"title":["GREBE: Unveiling Exploitation Potential for Linux Kernel Bugs"],"prefix":"10.1109","author":[{"given":"Zhenpeng","family":"Lin","sequence":"first","affiliation":[{"name":"The Pennsylvania State University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yueqi","family":"Chen","sequence":"additional","affiliation":[{"name":"The Pennsylvania State University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yuhang","family":"Wu","sequence":"additional","affiliation":[{"name":"The Pennsylvania State University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Dongliang","family":"Mu","sequence":"additional","affiliation":[{"name":"School of Cyber Science and Engineering, HUST"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Chensheng","family":"Yu","sequence":"additional","affiliation":[{"name":"George Washington 
University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Xinyu","family":"Xing","sequence":"additional","affiliation":[{"name":"Northwestern University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Kang","family":"Li","sequence":"additional","affiliation":[{"name":"Baidu, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"263","reference":[{"key":"ref13","article-title":"Grebe’s source code","author":"lin","year":"2021"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134103"},{"key":"ref12","article-title":"BUG: unable to handle kernel paging request in check memory region","year":"2018"},{"key":"ref56","article-title":"Exploit for #6a03986","year":"2021"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3423353"},{"key":"ref59","article-title":"AEG: Automatic exploit generation","author":"avgerinos","year":"2011","journal-title":"Proceedings of the 2016 Network and Distributed System Security Symposium (NDSS)"},{"key":"ref14","article-title":"Where Does It Go? 
Refining indirect-call targets with multi-layer type analysis","author":"lu","year":"2019","journal-title":"Proceedings of the 26th ACM SIGSAC Conference on Computer and Communications Security (CCS)"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23176"},{"key":"ref53","article-title":"KASAN: slab-out-of-bounds write in sha512 final","year":"2018"},{"key":"ref52","article-title":"KASAN: slab-out-of-bounds read in hci extended inquiry result evt","year":"2020"},{"key":"ref11","article-title":"KASAN: slab-out-of-bounds Read in default write copy kernel","year":"2019"},{"key":"ref55","article-title":"KASAN: use-after-free read in tipc nl node dump monitor peer","year":"2019"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1016\/S0169-7552(98)00110-X"},{"key":"ref54","article-title":"KASAN: use-after-free read in cma bind port","year":"2018"},{"key":"ref17","article-title":"MoonShine: Optimizing os fuzzer seed selection with trace distillation","author":"pailoor","year":"2018","journal-title":"Proceedings of the 27th USENIX Security Symposium (USENIX Security)"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1007\/0-387-25465-X_7"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134085"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24018"},{"key":"ref51","article-title":"KASAN: use-after-free read in sctp_auth_free","year":"2020"},{"key":"ref50","article-title":"KASAN: use-after-free read in ip6_dst_destroy","year":"2020"},{"key":"ref46","article-title":"WARNING: Odebug bug in tcf_queue_work","year":"2020"},{"key":"ref45","article-title":"general protection fault in kernel_accept","year":"2019"},{"key":"ref48","article-title":"general protection fault in syscall_return_slowpath","year":"2020"},{"key":"ref47","article-title":"WARNING: bad unlock balance in ucma_event_handler","year":"2020"},{"key":"ref42","article-title":"general protection fault in 
bpf_tcp_close","year":"2018"},{"key":"ref41","article-title":"BUG: corrupted list in mousedev_release","year":"2020"},{"key":"ref85","article-title":"Warning in snd_usbmidi_submit_urb\/usb_submit_urb","year":"2020"},{"key":"ref44","article-title":"BUG: unable to handle kernel paging request in pcpu_freelist_populate","year":"2020"},{"key":"ref43","article-title":"general protection fault in hci_event_packet","year":"2020"},{"key":"ref49","article-title":"KASAN: slab-out-of-bounds read in bitmap_ip_add","year":"2020"},{"key":"ref8","article-title":"general protection fault in hrtimer active","year":"2017"},{"key":"ref7","article-title":"AURORA: Statistical crash analysis for automated root cause explanation","author":"blazytko","year":"2020","journal-title":"Proceedings of the 28th USENIX Security Symposium (USENIX Security)"},{"key":"ref9","article-title":"Linux kernel design patterns – part 2","year":"2009"},{"key":"ref4","article-title":"Syzkaller","author":"vyukov","year":"2020"},{"key":"ref3","article-title":"In memory safety, the soundness of attacks is what matters","author":"vanegue","year":"2020"},{"key":"ref6","article-title":"Trinity","author":"jones","year":"2020"},{"key":"ref5","article-title":"kAFL: Hardware-assisted feedback fuzzing for os kernels","author":"schumilo","year":"2019","journal-title":"Proceedings of the 28th USENIX Security Symposium (USENIX Security)"},{"key":"ref82","article-title":"KASAN: use-after-free read in devlink_health reporter destroy","year":"2020"},{"key":"ref81","article-title":"WARNING in snd_info_get_line","year":"2020"},{"key":"ref40","article-title":"general protection fault in scatter-walk_copychunks","year":"2018"},{"key":"ref84","article-title":"KASAN: use-after-free read in do_madvise","year":"2020"},{"key":"ref83","article-title":"WARNING: refcount bug in qdisc_put (2)","year":"2020"},{"key":"ref80","article-title":"kernel BUG at 
security\/keys\/keyring.c:line!","year":"2019"},{"key":"ref35","article-title":"WARNING in vhost_dev_cleanup","year":"2018"},{"key":"ref79","article-title":"KASAN: global-out-of-bounds read in fbcon_resize","year":"2020"},{"key":"ref34","article-title":"WARNING: ODEBUG bug in io_sqe_files_unregister","year":"2020"},{"key":"ref78","article-title":"Behavior representing exploitability","author":"authors","year":"2021"},{"key":"ref37","article-title":"general protection fault in strlen","year":"2018"},{"key":"ref36","article-title":"general protection fault in vb2_mmap","year":"2019"},{"key":"ref31","article-title":"WARNING in get_pi_state","year":"2017"},{"key":"ref75","article-title":"FUZE: Towards facilitating exploit generation for kernel use-after-free vulnerabilities","author":"wu","year":"2018","journal-title":"Proceedings of the 27th USENIX Security Symposium (USENIX Security)"},{"key":"ref30","article-title":"general protection fault in qrtr_endpoint_post","year":"2020"},{"key":"ref74","article-title":"KEPLER: Facilitating control-flow hijacking primitive evaluation for linux kernel vulnerabilities","author":"wu","year":"2019","journal-title":"Proceedings of the 28th USENIX Security Symposium (USENIX Security)"},{"key":"ref33","article-title":"KASAN: general protection fault in crypto_chacha20_crypt","year":"2018"},{"key":"ref77","article-title":"DC29 final scoreboard","year":"2021"},{"key":"ref32","article-title":"BUG: corrupted list in kobject_add_internal","year":"2020"},{"key":"ref76","article-title":"KOOBE: Towards facilitating exploit generation of kernel out-of-bounds write vulnerabilities","author":"chen","year":"2020","journal-title":"Proceedings of the 29th USENIX Security Symposium (USENIX Security)"},{"key":"ref2","article-title":"Bugid - automated bug analysis","author":"wever","year":"2017"},{"key":"ref1","article-title":"!exploitable crash analyzer version 1.6","year":"2013"},{"key":"ref39","article-title":"BUG: unable to handle kernel paging 
request in ethnl_update_bitset32","year":"2020"},{"key":"ref38","article-title":"WARNING in dma_buf_vunmap","year":"2019"},{"key":"ref71","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2017.23387"},{"key":"ref70","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363212"},{"key":"ref73","article-title":"ret2dir: Rethinking kernel isolation","author":"kemerlis","year":"2014","journal-title":"Proceedings of the 23rd USENIX Security Symposium (USENIX Security)"},{"key":"ref72","article-title":"Exploiting uses of uninitialized stack variables in linux kernels to leak kernel pointers","author":"cho","year":"2020","journal-title":"USENIX Workshop on Offensive Technologies (WOOT)"},{"key":"ref24","article-title":"WARNING: refcount bug in nr_insert_socket","year":"2019"},{"key":"ref68","article-title":"Automatic techniques to systematically discover new heap exploitation primitives","author":"yun","year":"2020","journal-title":"Proceedings of the 29th USENIX Security Symposium (USENIX Security)"},{"key":"ref23","article-title":"WARNING: refcount bug in crypto_mod_get","year":"2020"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243847"},{"key":"ref26","article-title":"Full performance results of syzkaller, syzkaller variant, grebe without mutation optimization and grebe","year":"2021"},{"key":"ref25","article-title":"general protection fault in 
delayed_uprobe_remove","year":"2019"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813637"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134069"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23368"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.17"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00017"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354224"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00078"},{"key":"ref65","article-title":"Automatic heap layout manipulation for exploitation","author":"heelan","year":"2018","journal-title":"Proceedings of the 27th USENIX Security Symposium (USENIX Security)"},{"key":"ref28","article-title":"BUG: corrupted list—in neigh create","year":"2019"},{"key":"ref27","article-title":"BUG: unable to handle kernel paging request in skb_release_data","year":"2017"},{"key":"ref29","article-title":"Warning: refcount bug","year":"2020"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2008.17"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2015.23294"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.67"}],"event":{"name":"2022 IEEE Symposium on Security and Privacy (SP)","location":"San Francisco, CA, USA","start":{"date-parts":[[2022,5,22]]},"end":{"date-parts":[[2022,5,26]]}},"container-title":["2022 IEEE Symposium on Security and Privacy 
(SP)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/9833550\/9833558\/09833683.pdf?arnumber=9833683","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,11,8]],"date-time":"2023-11-08T23:16:25Z","timestamp":1699485385000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9833683\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,5]]},"references-count":85,"URL":"https:\/\/doi.org\/10.1109\/sp46214.2022.9833683","relation":{},"subject":[],"published":{"date-parts":[[2022,5]]}}}