{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,7]],"date-time":"2025-10-07T00:59:47Z","timestamp":1759798787817,"version":"build-2065373602"},"reference-count":48,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","license":[{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62472302"],"award-info":[{"award-number":["62472302"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"National Key Research and Development Program of China","doi-asserted-by":"publisher","award":["2024YFF1401302"],"award-info":[{"award-number":["2024YFF1401302"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans.Inform.Forensic Secur."],"published-print":{"date-parts":[[2025]]},"DOI":"10.1109\/tifs.2025.3611149","type":"journal-article","created":{"date-parts":[[2025,9,17]],"date-time":"2025-09-17T17:30:20Z","timestamp":1758130220000},"page":"10146-10160","source":"Crossref","is-referenced-by-count":0,"title":["PREXP: Uncovering and Exploiting Security-Sensitive Objects in the Linux Kernel"],"prefix":"10.1109","volume":"20","author":[{"ORCID":"https:\/\/orcid.org\/0009-0008-8051-9705","authenticated-orcid":false,"given":"Zuxin","family":"Chen","sequence":"first","affiliation":[{"name":"Beijing Key Laboratory of IOT Information Security Technology, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8953-0782","authenticated-orcid":false,"given":"Yaowen","family":"Zheng","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1353-7838","authenticated-orcid":false,"given":"Hong","family":"Li","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-4096-1209","authenticated-orcid":false,"given":"Siyuan","family":"Li","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6445-1746","authenticated-orcid":false,"given":"Weijie","family":"Wang","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-7484-1333","authenticated-orcid":false,"given":"Dongliang","family":"Fang","sequence":"additional","affiliation":[{"name":"Beijing Key Laboratory of IOT Information Security Technology, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6168-8003","authenticated-orcid":false,"given":"Zhiqiang","family":"Shi","sequence":"additional","affiliation":[{"name":"Beijing Key Laboratory of IOT Information Security Technology, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2745-7521","authenticated-orcid":false,"given":"Limin","family":"Sun","sequence":"additional","affiliation":[{"name":"Beijing Key Laboratory of IOT Information Security Technology, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"263","reference":[{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1145\/3648610"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363212"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3423353"},{"volume-title":"Kernel Address Space Layout Randomization","year":"2013","author":"Edge","key":"ref4"},{"key":"ref5","first-page":"4229","article-title":"Alphaexp: An expert system for identifying security sensitive kernel objects","volume-title":"Proc. USENIX Secur. Symp.","author":"Wang"},{"volume-title":"About System Integrity Protection on Your Mac","year":"2023","author":"Inc","key":"ref6"},{"volume-title":"Hardened Kernel","year":"2024","key":"ref7"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2022.3226906"},{"article-title":"App attestation service: A runtime remote attestation for user-mode processes on windows","year":"2024","author":"Desai","key":"ref9"},{"key":"ref10","first-page":"7141","article-title":"SCAVY: Automated discovery of memory corruption targets in Linux kernel for privilege escalation","volume-title":"Proc. 33rd USENIX Secur. Symp. (USENIX Secur.)","author":"Avllazagaj"},{"volume-title":"Collection of Structures Usable in Kernel Exploits\u2014Let\u2019s Do CTF","key":"ref11"},{"volume-title":"The Quantum State of Linux Kernel Garbage Collection CVE-2021-0920 (Part I)","year":"2022","author":"Jin","key":"ref12"},{"key":"ref13","first-page":"1187","article-title":"KEPLER: Facilitating control-flow hijacking primitive evaluation for Linux kernel vulnerabilities","volume-title":"Proc. 28th USENIX Secur. Symp. (USENIX Secur.)","author":"Wu"},{"key":"ref14","first-page":"6825","article-title":"Pspray: Timing side-channel based Linux kernel heap exploitation technique","volume-title":"Proc. 32nd USENIX Secur. Symp. (USENIX Secur.)","author":"Lee"},{"key":"ref15","first-page":"781","article-title":"FUZE: Towards facilitating exploit generation for kernel use-after-free vulnerabilities","volume-title":"Proc. 27th USENIX Secur. Symp. (USENIX Secur.)","author":"Wu"},{"article-title":"One shot, triple kill: Pwning all three Google kernelctf instances with a single 1-day Linux vulnerability","year":"2023","author":"Kim","key":"ref16"},{"volume-title":"Syzbot: Kernel Testing and Bug Tracking","year":"2024","author":"Authors","key":"ref17"},{"volume-title":"KVM","year":"2024","key":"ref18"},{"volume-title":"Xen Project","year":"2024","key":"ref19"},{"volume-title":"What is RCU?\u2014Read, Copy, Update","year":"2024","key":"ref20"},{"volume-title":"A Journey to the Dawn: CVE-2022\u20131786","year":"2024","key":"ref21"},{"volume-title":"Codeql","year":"2024","key":"ref22"},{"volume-title":"Syzkaller: Syzkaller is an Unsupervised Coverage-Guided Kernel Fuzzer","year":"2024","key":"ref23"},{"volume-title":"Kernel-Exploit-Factory: Linux Kernel CVE Exploit Analysis Report and Relative Debug Environment","year":"2024","key":"ref24"},{"volume-title":"MSF Linux Kernel EOP\u2014Search","year":"2024","key":"ref25"},{"volume-title":"Exploit Database Search Results for \u2019Linux Kernel\u2019","year":"2024","key":"ref26"},{"volume-title":"CVE-2022-34918\/Poc_FS_Context_Cred_Common at Master","year":"2024","key":"ref27"},{"volume-title":"CVE-2022-32250-Exploit","year":"2024","key":"ref28"},{"volume-title":"CVE-2022-0847","year":"2024","key":"ref29"},{"volume-title":"CVE-2024-1086: Universal Local Privilege Escalation Proof-of-Concept Exploit","key":"ref30"},{"volume-title":"CVE-2023-4244_LTS","year":"2024","key":"ref31"},{"volume-title":"CVE-2022-1015: Local Privilege Escalation Poc for Linux Kernel CVE-2022-1015","year":"2024","key":"ref32"},{"volume-title":"CVE-2021-4204: Linux Kernel Ebpf Local Privilege Escalation","year":"2024","key":"ref33"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560585"},{"volume-title":"CVE-2021-22600 Exploit","key":"ref35"},{"volume-title":"CVE-2023-31436 Mitigation Documentation","year":"2023","author":"Research","key":"ref36"},{"volume-title":"CVE-2022-2602: DirtyCred File Exploitation Applied on an Io_uring UAF","year":"2022","key":"ref37"},{"volume-title":"CVE-2021\u201320226: A Reference Counting Bug which Leads to Local Privilege Escalation in Io_Uring","year":"2021","key":"ref38"},{"key":"ref39","first-page":"1093","article-title":"KOOBE: Towards facilitating exploit generation of kernel out-of-bounds write vulnerabilities","volume-title":"Proc. 29th USENIX Secur. Symp. (USENIX Secur.)","author":"Chen"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2024.24935"},{"key":"ref41","article-title":"Beyond control: Exploring novel file system objects for data-only attacks on Linux systems","author":"Zhou","year":"2024","journal-title":"arXiv:2401.17618"},{"key":"ref42","first-page":"39","article-title":"KGuard: Lightweight kernel protection against return-to-user attacks","volume-title":"Proc. 21st USENIX Secur. Symp.","author":"Kemerlis"},{"article-title":"RET2DIR: Rethinking kernel isolation","year":"2014","author":"Kemerlis","key":"ref43"},{"key":"ref44","first-page":"71","article-title":"Playing for k(h)eaps: Understanding and improving Linux kernel exploit reliability","volume-title":"Proc. 31st USENIX Secur. Symp.","author":"Zeng"},{"volume-title":"The Dirty Pipe Vulnerability","year":"2022","author":"Kellermann","key":"ref45"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3623220"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-64701-2_17"},{"article-title":"An analysis of speculative type confusion vulnerabilities in the wild","volume-title":"Proc. 30th USENIX Secur. Symp.","author":"Kirzner","key":"ref48"}],"container-title":["IEEE Transactions on Information Forensics and Security"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/10206\/10810755\/11168893.pdf?arnumber=11168893","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,6]],"date-time":"2025-10-06T17:35:52Z","timestamp":1759772152000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11168893\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"references-count":48,"URL":"https:\/\/doi.org\/10.1109\/tifs.2025.3611149","relation":{},"ISSN":["1556-6013","1556-6021"],"issn-type":[{"type":"print","value":"1556-6013"},{"type":"electronic","value":"1556-6021"}],"subject":[],"published":{"date-parts":[[2025]]}}}