{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,25]],"date-time":"2026-02-25T17:11:05Z","timestamp":1772039465609,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":109,"publisher":"ACM","license":[{"start":{"date-parts":[[2023,11,21]],"date-time":"2023-11-21T00:00:00Z","timestamp":1700524800000},"content-version":"vor","delay-in-days":6,"URL":"http:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100005651","name":"Computing Research Association","doi-asserted-by":"publisher","award":["CIF2020-BU-04"],"award-info":[{"award-number":["CIF2020-BU-04"]}],"id":[{"id":"10.13039\/100005651","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["CNS-2238467"],"award-info":[{"award-number":["CNS-2238467"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,11,15]]},"DOI":"10.1145\/3576915.3623137","type":"proceedings-article","created":{"date-parts":[[2023,11,21]],"date-time":"2023-11-21T12:35:13Z","timestamp":1700570113000},"page":"1964-1978","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":9,"title":["SysXCHG: Refining Privilege with Adaptive System Call Filters"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0004-6234-6514","authenticated-orcid":false,"given":"Alexander J.","family":"Gaidis","sequence":"first","affiliation":[{"name":"Brown University, Providence, RI, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5490-9648","authenticated-orcid":false,"given":"Vaggelis","family":"Atlidakis","sequence":"additional","affiliation":[{"name":"Brown University, Providence, RI, 
USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6528-437X","authenticated-orcid":false,"given":"Vasileios P.","family":"Kemerlis","sequence":"additional","affiliation":[{"name":"Brown University, Providence, RI, USA"}]}],"member":"320","published-online":{"date-parts":[[2023,11,21]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"Control-Flow Integrity. In ACM Conference on Computer and Communications Security (CCS). 340--353","author":"Abadi Mart\u00edn","year":"2005","unstructured":"Mart\u00edn Abadi, Mihai Budiu, \u00dalfar Erlingsson, and Jay Ligatti. 2005. Control-Flow Integrity. In ACM Conference on Computer and Communications Security (CCS). 340--353."},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1145\/3359789.3359823"},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/290409.290410"},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10009-021-00644-w"},{"key":"e_1_3_2_1_5_1","volume-title":"USENIX Symposium on Operating Systems Design and Implementation (OSDI). 335--348","author":"Belay Adam","year":"2012","unstructured":"Adam Belay, Andrea Bittau, Ali Mashtizadeh, David Terei, David Mazi\u00e8res, and Christos Kozyrakis. 2012. Dune: Safe User-level Access to Privileged CPU Features. In USENIX Symposium on Operating Systems Design and Implementation (OSDI). 335--348."},{"key":"e_1_3_2_1_6_1","volume-title":"ACM Conference on Computer and Communications Security (CCS). 174--183","author":"Bernaschi Massimo","unstructured":"Massimo Bernaschi, Emanuele Gabrielli, and Luigi V. Mancini. 2000. Operating System Enhancements to Prevent the Misuse of System Calls. In ACM Conference on Computer and Communications Security (CCS). 174--183."},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/3185768.3185771"},{"key":"e_1_3_2_1_8_1","volume-title":"Saphire: Sandboxing PHP Applications with Tailored System Call Allowlists. In USENIX Security Symposium (SEC). 
2881--2898","author":"Bulekov Alexander","year":"2021","unstructured":"Alexander Bulekov, Rasoul Jahanshahi, and Manuel Egele. 2021. Saphire: Sandboxing PHP Applications with Tailored System Call Allowlists. In USENIX Security Symposium (SEC). 2881--2898."},{"key":"e_1_3_2_1_9_1","volume-title":"USENIX Security Symposium (SEC). 249--266","author":"Canella Claudio","year":"2019","unstructured":"Claudio Canella, Jo Van Bulck, Michael Schwarz, Moritz Lipp, Benjamin Von Berg, Philipp Ortner, Frank Piessens, Dmitry Evtyushkin, and Daniel Gruss. 2019. A Systematic Evaluation of Transient Execution Attacks and Defenses. In USENIX Security Symposium (SEC). 249--266."},{"key":"e_1_3_2_1_10_1","volume-title":"Automating Seccomp Filter Generation for Linux Applications. In ACM Cloud Computing Security Workshop (CCSW). 139--151","author":"Canella Claudio","year":"2021","unstructured":"Claudio Canella, Mario Werner, Daniel Gruss, and Michael Schwarz. 2021. Automating Seccomp Filter Generation for Linux Applications. In ACM Cloud Computing Security Workshop (CCSW). 139--151."},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/762476.762477"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/1866307.1866370"},{"key":"e_1_3_2_1_13_1","unstructured":"Microsoft Corporation. 2016. Seccomp security profiles for Docker. https:\/\/github.com\/microsoft\/docker\/blob\/master\/docs\/security\/seccomp.md"},{"key":"e_1_3_2_1_14_1","unstructured":"The MITRE Corporation. 2014. CVE-2014-0038. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-0038"},{"key":"e_1_3_2_1_15_1","unstructured":"The MITRE Corporation. 2017. CVE-2017-8824. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-8824"},{"key":"e_1_3_2_1_16_1","unstructured":"The MITRE Corporation. 2021. CVE-2021-44228. 
https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-44228"},{"key":"e_1_3_2_1_17_1","volume-title":"StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. In USENIX Security Symposium (SEC)","volume":"98","author":"Cowan Crispan","year":"1998","unstructured":"Crispan Cowan, Calton Pu, Dave Maier, Jonathan Walpole, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, Qian Zhang, and Heather Hinton. 1998. StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. In USENIX Security Symposium (SEC), Vol. 98. 63--78."},{"key":"e_1_3_2_1_18_1","volume-title":"International Symposium on Research in Attacks, Intrusions and Defenses (RAID). 459--474","author":"DeMarinis Nicholas","unstructured":"Nicholas DeMarinis, Kent Williams-King, Di Jin, Rodrigo Fonseca, and Vasileios P. Kemerlis. 2020. sysfilter: Automated System Call Filtering for Commodity Software. In International Symposium on Research in Attacks, Intrusions and Defenses (RAID). 459--474."},{"key":"e_1_3_2_1_19_1","unstructured":"Solar Designer. 1997. Getting around non-executable stack (and fix). https:\/\/seclists.org\/bugtraq\/1997\/Aug\/63."},{"key":"e_1_3_2_1_20_1","volume-title":"SELF: A Transparent Security Extension for ELF Binaries. In ACM New Security Paradigms Workshop (NSPW). 29--38","author":"DuVarney Daniel C.","year":"2003","unstructured":"Daniel C. DuVarney, V. N. Venkatakrishnan, and Sandeep Bhatkar. 2003. SELF: A Transparent Security Extension for ELF Binaries. In ACM New Security Paradigms Workshop (NSPW). 29--38."},{"key":"e_1_3_2_1_21_1","volume-title":"Rapid Prototyping for Microarchitectural Attacks. In USENIX Security Symposium (SEC). 3861--3877","author":"Easdon Catherine","year":"2022","unstructured":"Catherine Easdon, Michael Schwarz, Martin Schwarzl, and Daniel Gruss. 2022. Rapid Prototyping for Microarchitectural Attacks. In USENIX Security Symposium (SEC). 
3861--3877."},{"key":"e_1_3_2_1_22_1","volume-title":"Building Diverse Computer Systems. In Workshop on Hot Topics in Operating Systems (HotOS). 67--72","author":"Forrest Stephanie","unstructured":"Stephanie Forrest, Anil Somayaji, and David H. Ackley. 1997. Building Diverse Computer Systems. In Workshop on Hot Topics in Operating Systems (HotOS). 67--72."},{"key":"e_1_3_2_1_23_1","volume-title":"Hardening COTS Software with Generic Software Wrappers. In IEEE DARPA Information Survivability Conference and Exposition (DISCEX)","volume":"2","author":"Fraser Timothy","year":"2000","unstructured":"Timothy Fraser, Lee Badger, and Mark Feldman. 2000. Hardening COTS Software with Generic Software Wrappers. In IEEE DARPA Information Survivability Conference and Exposition (DISCEX), Vol. 2. 323--337."},{"key":"e_1_3_2_1_24_1","volume-title":"FineIBT: Fine-grain Control-flow Enforcement with Indirect Branch Tracking. In International Symposium on Research in Attacks, Intrusions and Defenses (RAID).","author":"Gaidis Alexander J.","unstructured":"Alexander J. Gaidis, Joao Moreira, Ke Sun, Alyssa Milburn, Vaggelis Atlidakis, and Vasileios P. Kemerlis. 2023. FineIBT: Fine-grain Control-flow Enforcement with Indirect Branch Tracking. In International Symposium on Research in Attacks, Intrusions and Defenses (RAID)."},{"key":"e_1_3_2_1_25_1","volume-title":"Traps and Pitfalls: Practical Problems in System Call Interposition Based Security Tools. In Network and Distributed System Security Symposium (NDSS).","author":"Garfinkel Tal","year":"2003","unstructured":"Tal Garfinkel. 2003. Traps and Pitfalls: Practical Problems in System Call Interposition Based Security Tools. In Network and Distributed System Security Symposium (NDSS)."},{"key":"e_1_3_2_1_26_1","volume-title":"Ostia: A Delegating Architecture for Secure System Call Interposition. 
In Network and Distributed System Security Symposium (NDSS).","author":"Garfinkel Tal","year":"2004","unstructured":"Tal Garfinkel, Ben Pfaff, and Mendel Rosenblum. 2004. Ostia: A Delegating Architecture for Secure System Call Interposition. In Network and Distributed System Security Symposium (NDSS)."},{"key":"e_1_3_2_1_27_1","volume-title":"Confine: Automated System Call Policy Generation for Container Attack Surface Reduction. In International Symposium on Research in Attacks, Intrusions and Defenses (RAID). 443--458","author":"Ghavamnia Seyedhamed","year":"2020","unstructured":"Seyedhamed Ghavamnia, Tapti Palit, Azzedine Benameur, and Michalis Polychronakis. 2020a. Confine: Automated System Call Policy Generation for Container Attack Surface Reduction. In International Symposium on Research in Attacks, Intrusions and Defenses (RAID). 443--458."},{"key":"e_1_3_2_1_28_1","volume-title":"Temporal System Call Specialization for Attack Surface Reduction. In USENIX Security Symposium (SEC). 1749--1766","author":"Ghavamnia Seyedhamed","year":"2020","unstructured":"Seyedhamed Ghavamnia, Tapti Palit, Shachee Mishra, and Michalis Polychronakis. 2020b. Temporal System Call Specialization for Attack Surface Reduction. In USENIX Security Symposium (SEC). 1749--1766."},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3559366"},{"key":"e_1_3_2_1_30_1","volume-title":"SLIC: An Extensibility System for Commodity Operating Systems. In USENIX Annual Technical Conference (ATC).","author":"Ghormley Douglas P.","unstructured":"Douglas P. Ghormley, David Petrou, Steven H. Rodrigues, and Thomas E. Anderson. 1998. SLIC: An Extensibility System for Commodity Operating Systems. In USENIX Annual Technical Conference (ATC)."},{"key":"e_1_3_2_1_31_1","volume-title":"Enclosure: Language-Based Restriction of Untrusted Libraries. In ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS). 
255--267","author":"Ghosn Adrien","year":"2021","unstructured":"Adrien Ghosn, Marios Kogias, Mathias Payer, James R Larus, and Edouard Bugnion. 2021. Enclosure: Language-Based Restriction of Untrusted Libraries. In ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS). 255--267."},{"key":"e_1_3_2_1_32_1","unstructured":"Will Glozer. 2021. wrk - a HTTP benchmarking tool. https:\/\/github.com\/wg\/wrk."},{"key":"e_1_3_2_1_33_1","volume-title":"Out Of Control: Overcoming Control-Flow Integrity. In IEEE Symposium on Security and Privacy (S&P). 575--589","author":"G\u00f6ktas Enes","year":"2014","unstructured":"Enes G\u00f6ktas, Elias Athanasopoulos, Herbert Bos, and Georgios Portokalidis. 2014. Out Of Control: Overcoming Control-Flow Integrity. In IEEE Symposium on Security and Privacy (S&P). 575--589."},{"key":"e_1_3_2_1_34_1","volume-title":"USENIX Security Symposium (SEC).","author":"Goldberg Ian","unstructured":"Ian Goldberg, David Wagner, Randi Thomas, and Eric A. Brewer. 1996. A Secure Environment for Untrusted Helper Applications Confining the Wily Hacker. In USENIX Security Symposium (SEC)."},{"key":"e_1_3_2_1_35_1","volume-title":"Saluki: Finding Taint-style Vulnerabilities with Static Property Checking. In Workshop on Binary Analysis Research (BAR).","author":"Gotovchits Ivan","year":"2018","unstructured":"Ivan Gotovchits, Rijnard Van Tonder, and David Brumley. 2018. Saluki: Finding Taint-style Vulnerabilities with Static Property Checking. In Workshop on Binary Analysis Research (BAR)."},{"key":"e_1_3_2_1_36_1","volume-title":"Cache Template Attacks: Automating Attacks on Inclusive Last-level Caches. In USENIX Security Symposium (SEC). 897--912","author":"Gruss Daniel","year":"2015","unstructured":"Daniel Gruss, Raphael Spreitzer, and Stefan Mangard. 2015. Cache Template Attacks: Automating Attacks on Inclusive Last-level Caches. In USENIX Security Symposium (SEC). 
897--912."},{"key":"e_1_3_2_1_37_1","volume-title":"USENIX Annual Technical Conference (ATC).","author":"Philip","unstructured":"Philip J. Guo and Dawson Engler. 2011. CDE: Using System Call Interposition to Automatically Create Portable Software Packages. In USENIX Annual Technical Conference (ATC)."},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.5555\/1298081.1298084"},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"crossref","unstructured":"Gerard J. Holzmann. 2015. Code Inflation. https:\/\/spinroot.com\/gerard\/pdf\/Code_Inflation.pdf","DOI":"10.1109\/MS.2015.40"},{"key":"e_1_3_2_1_40_1","volume-title":"Data-Oriented Programming: On the Expressiveness of Non-Control Data Attacks. In IEEE Symposium on Security and Privacy (S&P). 969--986","author":"Hu Hong","year":"2016","unstructured":"Hong Hu, Shweta Shinde, Sendroiu Adrian, Zheng Leong Chua, Prateek Saxena, and Zhenkai Liang. 2016. Data-Oriented Programming: On the Expressiveness of Non-Control Data Attacks. In IEEE Symposium on Security and Privacy (S&P). 969--986."},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243739"},{"key":"e_1_3_2_1_42_1","volume-title":"User-Level Infrastructure for System Call Interposition: A Platform for Intrusion Detection and Confinement. In Network and Distributed System Security Symposium (NDSS).","author":"Jain Kapil","unstructured":"Kapil Jain and R. Sekar. 2000. User-Level Infrastructure for System Call Interposition: A Platform for Intrusion Detection and Confinement. In Network and Distributed System Security Symposium (NDSS)."},{"key":"e_1_3_2_1_43_1","unstructured":"Jake Edge. 2015. A seccomp overview. https:\/\/lwn.net\/Articles\/656307\/."},{"key":"e_1_3_2_1_44_1","unstructured":"Jonathan Corbet. 2005. Securely renting out your CPU with Linux. 
https:\/\/lwn.net\/Articles\/120647\/."},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/173668.168626"},{"key":"e_1_3_2_1_46_1","volume-title":"Just-in-Time Shell Script Parallelization. In USENIX Symposium on Operating Systems Design and Implementation (OSDI). 769--785","author":"Kallas Konstantinos","year":"2022","unstructured":"Konstantinos Kallas, Tammam Mustafa, Jan Bielak, Dimitris Karnikis, Thurston H.Y. Dang, Michael Greenberg, and Nikos Vasilakis. 2022. Practically Correct, Just-in-Time Shell Script Parallelization. In USENIX Symposium on Operating Systems Design and Implementation (OSDI). 769--785."},{"key":"e_1_3_2_1_47_1","unstructured":"Dmitry Kasatkin David Safford and Mimi Zohar. 2010. An Overview of The Linux Integrity Subsystem."},{"key":"e_1_3_2_1_48_1","volume-title":"Annual Computer Security Applications Conference (ACSAC).","author":"Guarav","unstructured":"Guarav S. Kc and Angelos D. Keromytis. 2005. e-NeXSh: Achieving an Effectively Non-Executable Stack and Heap via System-Call Policing. In Annual Computer Security Applications Conference (ACSAC)."},{"key":"e_1_3_2_1_49_1","volume-title":"Protecting Commodity Operating Systems through Strong Kernel Isolation. Ph.,D. Dissertation","author":"Kemerlis Vasileios P.","unstructured":"Vasileios P. Kemerlis. 2015. Protecting Commodity Operating Systems through Strong Kernel Isolation. Ph.,D. Dissertation. Columbia University."},{"key":"e_1_3_2_1_50_1","unstructured":"The Linux Kernel. 2023. Syscall User Dispatch. https:\/\/docs.kernel.org\/admin-guide\/syscall-user-dispatch.html."},{"key":"e_1_3_2_1_51_1","volume-title":"Prof-gen: Practical Study on System Call Whitelist Generation for Container Attack Surface Reduction. In IEEE International Conference on Cloud Computing (CLOUD). 278--287","author":"Kim Sungjin","year":"2021","unstructured":"Sungjin Kim, Byung Joon Kim, and Dong Hoon Lee. 2021. 
Prof-gen: Practical Study on System Call Whitelist Generation for Container Attack Surface Reduction. In IEEE International Conference on Cloud Computing (CLOUD). 278--287."},{"key":"e_1_3_2_1_52_1","volume-title":"Practical and Effective Sandboxing for Non-root Users. In USENIX Annual Technical Conference (ATC). 139--144","author":"Kim Taesoo","year":"2013","unstructured":"Taesoo Kim and Nickolai Zeldovich. 2013. Practical and Effective Sandboxing for Non-root Users. In USENIX Annual Technical Conference (ATC). 139--144."},{"key":"e_1_3_2_1_53_1","volume-title":"Secure and Efficient Multi-variant Execution Using Hardware-assisted Process Virtualization. In IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN). 431--442","author":"Koning Koen","year":"2016","unstructured":"Koen Koning, Herbert Bos, and Cristiano Giuffrida. 2016. Secure and Efficient Multi-variant Execution Using Hardware-assisted Process Virtualization. In IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN). 431--442."},{"key":"e_1_3_2_1_54_1","volume-title":"Compiler-assisted Code Randomization. In IEEE Symposium on Security and Privacy (S&P). 461--477","author":"Koo Hyungjoon","year":"2018","unstructured":"Hyungjoon Koo, Yaohui Chen, Long Lu, Vasileios P Kemerlis, and Michalis Polychronakis. 2018. Compiler-assisted Code Randomization. In IEEE Symposium on Security and Privacy (S&P). 461--477."},{"key":"e_1_3_2_1_55_1","unstructured":"Alexey Kopytov. 2021. sysbench. https:\/\/github.com\/akopytov\/sysbench."},{"key":"e_1_3_2_1_56_1","volume-title":"COLA: Customized Overlaying. In USENIX Winter Technical Conference. 3--7.","author":"Krell Eduardo","year":"1992","unstructured":"Eduardo Krell and Balachander Krishnamurthy. 1992. COLA: Customized Overlaying. In USENIX Winter Technical Conference. 3--7."},{"key":"e_1_3_2_1_57_1","volume-title":"Code-Pointer Integrity. In USENIX Symposium on Operating Systems Design and Implementation (OSDI). 
147--163","author":"Kuznetsov Volodymyr","year":"2014","unstructured":"Volodymyr Kuznetsov, Laszlo Szekeres, Mathias Payer, George Candea nd R. Sekar, and Dawn Song. 2014. Code-Pointer Integrity. In USENIX Symposium on Operating Systems Design and Implementation (OSDI). 147--163."},{"key":"e_1_3_2_1_58_1","volume-title":"SoK: Automated Software Diversity. In IEEE Symposium on Security and Privacy (S&P). 276--291","author":"Larsen Per","year":"2014","unstructured":"Per Larsen, Andrei Homescu, Stefan Brunthaler, and Michael Franz. 2014. SoK: Automated Software Diversity. In IEEE Symposium on Security and Privacy (S&P). 276--291."},{"key":"e_1_3_2_1_59_1","volume-title":"SPEAKER: Split-Phase Execution of Application Containers. In International Conference of Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA). 230--251","author":"Lei Lingguang","year":"2017","unstructured":"Lingguang Lei, Jianhua Sun, Kun Sun, Chris Shenefiel, Rui Ma, Yuewu Wang, and Qi Li. 2017. SPEAKER: Split-Phase Execution of Application Containers. In International Conference of Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA). 230--251."},{"key":"e_1_3_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICPADS.2010.53"},{"key":"e_1_3_2_1_61_1","volume-title":"USENIX Annual Technical Conference (ATC). 1--13","author":"Li Yiwen","year":"2017","unstructured":"Yiwen Li, Brendan Dolan-Gavitt, Sam Weber, and Justin Cappos. 2017. Lock-in-Pop: Securing Privileged Operating System Kernels by Keeping on the Beaten Path. In USENIX Annual Technical Conference (ATC). 1--13."},{"key":"e_1_3_2_1_62_1","volume-title":"Protecting Against Unexpected System Calls. In USENIX Security Symposium (SEC). 239--254","author":"Linn Cullen","unstructured":"Cullen Linn, Mohan Rajagopalan, Scott Baker, Christian S. Collberg, Saumya K. Debray, and John H. Hartman. 2005. Protecting Against Unexpected System Calls. In USENIX Security Symposium (SEC). 
239--254."},{"key":"e_1_3_2_1_63_1","unstructured":"Linux Integrity Project. 2020. evmctl - IMA\/EVM signing utility. https:\/\/manpages.debian.org\/bullseye\/ima-evm-utils\/evmctl.1.en.html."},{"key":"e_1_3_2_1_64_1","volume-title":"proc - process information pseudo-filesystem. https:\/\/man7.org\/linux\/man-pages\/man5\/proc.5.html.","author":"Manual Linux Programmer's","year":"2021","unstructured":"Linux Programmer's Manual. 2021. proc - process information pseudo-filesystem. https:\/\/man7.org\/linux\/man-pages\/man5\/proc.5.html."},{"key":"e_1_3_2_1_65_1","unstructured":"LWN.net. 2004. x86 NX support. https:\/\/lwn.net\/Articles\/87814\/."},{"key":"e_1_3_2_1_66_1","unstructured":"System Calls Manual. 2022. pledge - restrict system operations. https:\/\/man.openbsd.org\/pledge.2"},{"key":"e_1_3_2_1_67_1","unstructured":"MariaDB. 2011. MariaDB Tools. https:\/\/github.com\/MariaDB\/mariadb.org-tools\/blob\/master\/sysbench\/run-sysbench.sh."},{"key":"e_1_3_2_1_68_1","unstructured":"MariaDB. 2023. MariaDB. https:\/\/mariadb.com."},{"key":"e_1_3_2_1_69_1","volume-title":"The BSD Packet Filter: A New Architecture for User-level Packet Capture. In USENIX Winter Conference.","author":"McCanne Steven","year":"1993","unstructured":"Steven McCanne and Van Jacobson. 1993. The BSD Packet Filter: A New Architecture for User-level Packet Capture. In USENIX Winter Conference."},{"key":"e_1_3_2_1_70_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSAC.1997.646188"},{"key":"e_1_3_2_1_71_1","doi-asserted-by":"publisher","DOI":"10.1145\/1542476.1542504"},{"key":"e_1_3_2_1_72_1","doi-asserted-by":"publisher","DOI":"10.1145\/1806651.1806657"},{"key":"e_1_3_2_1_73_1","unstructured":"Nginx. 2023. Nginx. https:\/\/nginx.org."},{"key":"e_1_3_2_1_74_1","doi-asserted-by":"publisher","DOI":"10.1145\/1363686.1364196"},{"key":"e_1_3_2_1_75_1","volume-title":"Automated Policy Synthesis for System Call Sandboxing. 
In ACM Conference on Object-Oriented Programming Systems, Languages, and Applications (OOPSLA).","author":"Pailoor Shankara","year":"2020","unstructured":"Shankara Pailoor, Xinyu Wang, Hovav Shacham, and Isil Dillig. 2020. Automated Policy Synthesis for System Call Sandboxing. In ACM Conference on Object-Oriented Programming Systems, Languages, and Applications (OOPSLA)."},{"key":"e_1_3_2_1_76_1","volume-title":"IEEE Symposium on Security and Privacy (S&P). 2956--2973","author":"Peng Dinglan","year":"2023","unstructured":"Dinglan Peng, Congyu Liu, Tapti Palit, Pedro Fonseca, Anjo Vahldiek-Oberwagner, and Mona Vij. 2023. uSWITCH: Fast Kernel Context Isolation with Implicit Context Switches. In IEEE Symposium on Security and Privacy (S&P). 2956--2973."},{"key":"e_1_3_2_1_77_1","doi-asserted-by":"publisher","DOI":"10.1002\/j.1538-7305.1984.tb00055.x"},{"key":"e_1_3_2_1_78_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00041"},{"key":"e_1_3_2_1_79_1","volume-title":"Improving Host Security with System Call Policies. In USENIX Security Symposium (SEC). 257--272","author":"Provos Niels","year":"2003","unstructured":"Niels Provos. 2003. Improving Host Security with System Call Policies. In USENIX Security Symposium (SEC). 257--272."},{"key":"e_1_3_2_1_80_1","volume-title":"RAZOR: A Framework for Post-deployment Software Debloating. In USENIX Security Symposium (SEC). 1733--1750","author":"Qian Chenxiong","year":"2019","unstructured":"Chenxiong Qian, Hong Hu, Mansour Alharthi, Pak Ho Chung, Taesoo Kim, and Wenke Lee. 2019. RAZOR: A Framework for Post-deployment Software Debloating. In USENIX Security Symposium (SEC). 1733--1750."},{"key":"e_1_3_2_1_81_1","volume-title":"Kernel and Managed Execution Environments. In ACM Workshop on Forming an Ecosystem Around Software Transformation (FEAST). 65--70","author":"Quach Anh","year":"2017","unstructured":"Anh Quach, Rukayat Erinfolami, David Demicco, and Aravind Prakash. 2017. 
A Multi-OS Cross-Layer Study of Bloating in User Programs, Kernel and Managed Execution Environments. In ACM Workshop on Forming an Ecosystem Around Software Transformation (FEAST). 65--70."},{"key":"e_1_3_2_1_82_1","volume-title":"USENIX Security Symposium (SEC). 869--886","author":"Quach Anh","year":"2018","unstructured":"Anh Quach, Aravind Prakash, and Lok Yan. 2018. Debloating Software through Piece-Wise Compilation and Loading. In USENIX Security Symposium (SEC). 869--886."},{"key":"e_1_3_2_1_83_1","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2006.41"},{"key":"e_1_3_2_1_84_1","unstructured":"Redis. 2023 a. memtier_benchmark. https:\/\/github.com\/RedisLabs\/memtier_benchmark."},{"key":"e_1_3_2_1_85_1","unstructured":"Redis. 2023 b. Redis. https:\/\/redis.io."},{"key":"e_1_3_2_1_86_1","volume-title":"USENIX Security Symposium (SEC). 223--238","author":"Sailer Reiner","year":"2004","unstructured":"Reiner Sailer, Xiaolan Zhang, Trent Jaeger, and Leendert Van Doorn. 2004. Design and Implementation of a TCG-based Integrity Measurement Architecture. In USENIX Security Symposium (SEC). 223--238."},{"key":"e_1_3_2_1_87_1","doi-asserted-by":"publisher","DOI":"10.1145\/1085130.1085139"},{"key":"e_1_3_2_1_88_1","doi-asserted-by":"publisher","DOI":"10.1109\/PROC.1975.9939"},{"key":"e_1_3_2_1_89_1","volume-title":"Jenny: Securing Syscalls for PKU-based Memory Isolation Systems. In USENIX Security Symposium (SEC). 936--952","author":"Schrammel David","year":"2022","unstructured":"David Schrammel, Samuel Weiser, Richard Sadek, and Stefan Mangard. 2022. Jenny: Securing Syscalls for PKU-based Memory Isolation Systems. In USENIX Security Symposium (SEC). 936--952."},{"key":"e_1_3_2_1_90_1","volume-title":"Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C Applications. In IEEE Symposium on Security and Privacy (S&P). 
745--762","author":"Schuster Felix","year":"2015","unstructured":"Felix Schuster, Thomas Tendyck, Christopher Liebchen, Lucas Davi, Ahmad-Reza Sadeghi, and Thorsten Holz. 2015. Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C Applications. In IEEE Symposium on Security and Privacy (S&P). 745--762."},{"key":"e_1_3_2_1_91_1","volume-title":"DITools: Application-level Support for Dynamic Extension and Flexible Composition. In USENIX Annual Technical Conference (ATC). 225--238","author":"Serra Albert","year":"2000","unstructured":"Albert Serra, Nacho Navarro, and Toni Cortes. 2000. DITools: Application-level Support for Dynamic Extension and Flexible Composition. In USENIX Annual Technical Conference (ATC). 225--238."},{"key":"e_1_3_2_1_92_1","doi-asserted-by":"publisher","DOI":"10.1145\/1315245.1315313"},{"key":"e_1_3_2_1_93_1","volume-title":"Draco: Architectural and Operating System Support for System Call Security. In IEEE\/ACM International Symposium on Microarchitecture (MICRO). 42--57","author":"Skarlatos Dimitrios","year":"2020","unstructured":"Dimitrios Skarlatos, Qingrong Chen, Jianyan Chen, Tianyin Xu, and Josep Torrellas. 2020. Draco: Architectural and Operating System Support for System Call Security. In IEEE\/ACM International Symposium on Microarchitecture (MICRO). 42--57."},{"key":"e_1_3_2_1_94_1","doi-asserted-by":"publisher","DOI":"10.1145\/2048066.2048146"},{"key":"e_1_3_2_1_95_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-020-09914-8"},{"key":"e_1_3_2_1_96_1","unstructured":"SQLite. 2023 a. Database Speed Comparison. https:\/\/www.sqlite.com\/speed.html."},{"key":"e_1_3_2_1_97_1","unstructured":"SQLite. 2023 b. SQLite. https:\/\/www.sqlite.org."},{"key":"e_1_3_2_1_98_1","volume-title":"Sok: Eternal War in Memory. In IEEE Symposium on Security and Privacy (IEEE S&P). 48--62","author":"Szekeres Laszlo","year":"2013","unstructured":"Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song. 2013. 
Sok: Eternal War in Memory. In IEEE Symposium on Security and Privacy (IEEE S&P). 48--62."},{"key":"e_1_3_2_1_99_1","unstructured":"The Linux Kernel. 2023. Seccomp BPF (SECure COMPuting with filters). https:\/\/www.kernel.org\/doc\/html\/latest\/userspace-api\/seccomp_filter.html."},{"key":"e_1_3_2_1_100_1","volume-title":"Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM. In USENIX Security Symposium (SEC). 941--955","author":"Tice Caroline","year":"2014","unstructured":"Caroline Tice, Tom Roeder, Peter Collingbourne, Stephen Checkoway, \u00dalfar Erlingsson, Luis Lozano, and Geoff Pike. 2014. Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM. In USENIX Security Symposium (SEC). 941--955."},{"key":"e_1_3_2_1_101_1","volume-title":"Shuffler: Fast and Deployable Continuous Code Re-Randomization. In USENIX Symposium on Operating Systems Design and Implementation (OSDI). 367--382","author":"Williams-King David","year":"2016","unstructured":"David Williams-King, Graham Gobieski, Kent Williams-King, James P Blake, Xinhao Yuan, Patrick Colp, Michelle Zheng, Vasileios P Kemerlis, Junfeng Yang, and William Aiello. 2016. Shuffler: Fast and Deployable Continuous Code Re-Randomization. In USENIX Symposium on Operating Systems Design and Implementation (OSDI). 367--382."},{"key":"e_1_3_2_1_102_1","volume-title":"Egalito: Layout-Agnostic Binary Recompilation. In ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS). 133--147","author":"Williams-King David","unstructured":"David Williams-King, Hidenori Kobayashi, Kent Williams-King, Graham Patterson, Frank Spano, Yu Jian Wu, Junfeng Yang, and Vasileios P. Kemerlis. 2020. Egalito: Layout-Agnostic Binary Recompilation. In ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS). 
133--147."},{"key":"e_1_3_2_1_103_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2022.04.016"},{"key":"e_1_3_2_1_104_1","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2023.3268124"},{"key":"e_1_3_2_1_105_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516665"},{"key":"e_1_3_2_1_106_1","unstructured":"YiFei Zhu. 2020. seccomp: Add bitmap cache of constant allow filter results. https:\/\/lwn.net\/Articles\/834056\/."},{"key":"e_1_3_2_1_107_1","doi-asserted-by":"publisher","DOI":"10.1145\/2187671.2187679"},{"key":"e_1_3_2_1_108_1","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2022.3222074"},{"key":"e_1_3_2_1_109_1","volume-title":"Practical Control Flow Integrity and Randomization for Binary Executables. In IEEE Symposium on Security and Privacy (S&P). 559--573","author":"Zhang Chao","year":"2013","unstructured":"Chao Zhang, Tao Wei, Zhaofeng Chen, Lei Duan, Laszlo Szekeres, Stephen McCamant, Dawn Song, and Wei Zou. 2013. Practical Control Flow Integrity and Randomization for Binary Executables. In IEEE Symposium on Security and Privacy (S&P). 
559--573."}],"event":{"name":"CCS '23: ACM SIGSAC Conference on Computer and Communications Security","location":"Copenhagen Denmark","acronym":"CCS '23","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3576915.3623137","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3576915.3623137","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3576915.3623137","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,21]],"date-time":"2025-08-21T01:45:54Z","timestamp":1755740754000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3576915.3623137"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,11,15]]},"references-count":109,"alternative-id":["10.1145\/3576915.3623137","10.1145\/3576915"],"URL":"https:\/\/doi.org\/10.1145\/3576915.3623137","relation":{},"subject":[],"published":{"date-parts":[[2023,11,15]]},"assertion":[{"value":"2023-11-21","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}