{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,3]],"date-time":"2026-02-03T06:11:23Z","timestamp":1770099083497,"version":"3.49.0"},"publisher-location":"New York, NY, USA","reference-count":51,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,12,2]],"date-time":"2024-12-02T00:00:00Z","timestamp":1733097600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100006374","name":"National Science Foundation","doi-asserted-by":"publisher","award":["CNS- 2247652,CNS-2339848"],"award-info":[{"award-number":["CNS- 2247652,CNS-2339848"]}],"id":[{"id":"10.13039\/501100006374","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,12,2]]},"DOI":"10.1145\/3658644.3690320","type":"proceedings-article","created":{"date-parts":[[2024,12,9]],"date-time":"2024-12-09T12:19:20Z","timestamp":1733746760000},"page":"1315-1329","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":5,"title":["CountDown: Refcount-guided Fuzzing for Exposing Temporal Memory Errors in Linux Kernel"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0005-5470-3072","authenticated-orcid":false,"given":"Shuangpeng","family":"Bai","sequence":"first","affiliation":[{"name":"The Pennsylvania State University, State College, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7152-116X","authenticated-orcid":false,"given":"Zhechang","family":"Zhang","sequence":"additional","affiliation":[{"name":"The Pennsylvania State University, State College, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6261-3190","authenticated-orcid":false,"given":"Hong","family":"Hu","sequence":"additional","affiliation":[{"name":"The Pennsylvania State University, State College, USA"}]}],"member":"320","published-online":{"date-parts":[[2024,12,9]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"1] AppArmor: Linux Kernel Security Module. https:\/\/apparmor.net\/."},{"key":"e_1_3_2_1_2_1","volume-title":"https:\/\/support.alertlogic.com\/hc\/en-us\/articles\/115003048363-Linux-Kernel-DCCP-Use-after-free-Privilege-Escalation","author":"Privilege Escalation Linux Kernel DCCP","year":"2017","unstructured":"Linux Kernel DCCP Use-after-free Privilege Escalation. https:\/\/support.alertlogic.com\/hc\/en-us\/articles\/115003048363-Linux-Kernel-DCCP-Use-after-free-Privilege-Escalation, 2017."},{"key":"e_1_3_2_1_3_1","volume-title":"May","year":"2021","unstructured":"net\/nfc: Fix use-after-free llcp_sock_bind\/connect. https:\/\/git.kernel.org\/pub\/scm\/linux\/kernel\/git\/netdev\/net.git\/commit\/?id=c61760e6940d, May 2021."},{"key":"e_1_3_2_1_4_1","volume-title":"Oct.","author":"Paper Healer Reproducing Evaluation","year":"2021","unstructured":"Reproducing Evaluation Part of Paper Healer. https:\/\/github.com\/SunHao-0\/healer\/issues\/37, Oct. 2021."},{"key":"e_1_3_2_1_5_1","volume-title":"May","author":"When Processing Batch Linux Kernel","year":"2023","unstructured":"Linux Kernel Use-after-free in Netfilter nf_tables When Processing Batch Requests can be Abused to Perform Arbitrary Reads and Writes in Kernel Memory. https:\/\/seclists.org\/oss-sec\/2023\/q2\/133, May 2023."},{"key":"e_1_3_2_1_6_1","volume-title":"https:\/\/docs.kernel.org\/dev-tools\/kmsa n.html","author":"Memory The Kernel","year":"2023","unstructured":"The Kernel Memory Sanitizer (KMSAN). https:\/\/docs.kernel.org\/dev-tools\/kmsa n.html, 2023."},{"key":"e_1_3_2_1_7_1","volume-title":"July","author":"New Linux Researchers Uncover","year":"2023","unstructured":"Researchers Uncover New Linux Kernel 'StackRot' Privilege Escalation Vulnerability. https:\/\/thehackernews.com\/2023\/07\/researchers-uncover-new-linuxkernel. html, July 2023."},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978428"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2023.24688"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00269"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/367487.367501"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134069"},{"key":"e_1_3_2_1_13_1","unstructured":"M. Fleischer. Actor 2023. https:\/\/github.com\/ucsb-seclab\/actor."},{"key":"e_1_3_2_1_14_1","first-page":"5003","volume-title":"Proceedings of the 32nd USENIX Security Symposium (USENIX Security)","author":"Fleischer M.","year":"2023","unstructured":"M. Fleischer, D. Das, P. Bose, W. Bai, K. Lu, M. Payer, C. Kruegel, and G. Vigna. ACTOR: Action-Guided Kernel Fuzzing. In Proceedings of the 32nd USENIX Security Symposium (USENIX Security), pages 5003--5020, Anaheim, CA, USA, Aug. 2023."},{"key":"e_1_3_2_1_15_1","unstructured":"Google. Honggfuzz. https:\/\/google.github.io\/honggfuzz\/."},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179298"},{"key":"e_1_3_2_1_17_1","first-page":"2497","volume-title":"Proceedings of the 31st USENIX Security Symposium (USENIX Security)","author":"He L.","year":"2022","unstructured":"L. He, H. Hu, P. Su, Y. Cai, and Z. Liang. FreeWill: Automatically Diagnosing Useafter-free Bugs via Reference Miscounting Detection on Binaries. In Proceedings of the 31st USENIX Security Symposium (USENIX Security), pages 2497--2512, Boston, MA, USA, Aug. 2022."},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00017"},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179398"},{"key":"e_1_3_2_1_20_1","volume-title":"Kernel Refcount API. https:\/\/github.com\/torvalds\/linux\/bl ob\/master\/include\/linux\/refcount.h. (visited","author":"Code Kernal Source","year":"2023","unstructured":"Kernal Source Code. Kernel Refcount API. https:\/\/github.com\/torvalds\/linux\/bl ob\/master\/include\/linux\/refcount.h. (visited in May 2023)."},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24018"},{"key":"e_1_3_2_1_22_1","volume-title":"LinuxCon North America","author":"Konovalov A.","year":"2015","unstructured":"A. Konovalov and D. Vyukov. Kernel Address Sanitizer (KASAN): A Fast Memory Error Detector for the Linux Kernel. LinuxCon North America, 2015."},{"key":"e_1_3_2_1_23_1","first-page":"295","volume-title":"Linux Symposium","author":"Kroah-Hartman G.","year":"2004","unstructured":"G. Kroah-Hartman. kobjects and krefs. In Linux Symposium, page 295, 2004."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-44202-9_4"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833683"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560585"},{"key":"e_1_3_2_1_27_1","first-page":"125","volume-title":"Proceedings of the 31st USENIX Security Symposium (USENIX Security)","author":"Liu J.","year":"2022","unstructured":"J. Liu, L. Yi, W. Chen, C. Song, Z. Qian, and Q. Yi. LinKRID: Vetting Imbalance Reference Counting in Linux kernel with Symbolic Execution. In Proceedings of the 31st USENIX Security Symposium (USENIX Security), pages 125--142, Boston, MA, USA, Aug. 2022."},{"key":"e_1_3_2_1_28_1","unstructured":"LLVM. LibFuzzer - A Library for Coverage-guided Fuzz Testing. http:\/\/llvm.org \/docs\/LibFuzzer.html."},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/2872362.2872389"},{"key":"e_1_3_2_1_30_1","volume-title":"Aug.","year":"2020","unstructured":"Microsoft. Rules for Managing Reference Counts. https:\/\/docs.microsoft.com\/e n\/windows\/desktop\/com\/rules-for-managing-reference-counts, Aug. 2020."},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/96267.96279"},{"key":"e_1_3_2_1_32_1","volume-title":"Proceedings of the 27th USENIX Security Symposium (USENIX Security)","author":"Pailoor S.","year":"2018","unstructured":"S. Pailoor, A. Aday, and S. Jana. MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation. In Proceedings of the 27th USENIX Security Symposium (USENIX Security), Baltimore, MD, Aug. 2018."},{"key":"e_1_3_2_1_33_1","unstructured":"PaX Team. PaX Address Space Layout Randomization (ASLR). http:\/\/pax.grsecu rity.net\/docs\/aslr.txt 2003."},{"key":"e_1_3_2_1_34_1","first-page":"2559","volume-title":"Proceedings of the 29th USENIX Security Symposium (USENIX Security)","author":"Peng H.","year":"2020","unstructured":"H. Peng and M. Payer. USBFuzz: A Framework for Fuzzing USB Drivers by Device Emulation. In Proceedings of the 29th USENIX Security Symposium (USENIX Security), pages 2559--2575, Virtually, Aug. 2020."},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00137"},{"key":"e_1_3_2_1_36_1","first-page":"1275","volume-title":"Proceedings of the 31st USENIX Security Symposium (USENIX Security)","author":"Shen Z.","year":"2022","unstructured":"Z. Shen, R. Roongta, and B. Dolan-Gavitt. Drifuzz: Harvesting Bugs in Device Drivers from Golden Seeds. In Proceedings of the 31st USENIX Security Symposium (USENIX Security), pages 1275--1290, Boston, MA, USA, Aug. 2022."},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/3477132.3483547"},{"key":"e_1_3_2_1_38_1","first-page":"351","volume-title":"Proceedings of 2022 USENIX Annual Technical Conference (USENIX ATC)","author":"Sun H.","year":"2022","unstructured":"H. Sun, Y. Shen, J. Liu, Y. Xu, and Y. Jiang. KSG: Augmenting Kernel Fuzzing with System Call Specification Generation. In Proceedings of 2022 USENIX Annual Technical Conference (USENIX ATC), pages 351--366, 2022."},{"key":"e_1_3_2_1_39_1","unstructured":"Syzkaller developers. Syscall Description Language. https:\/\/github.com\/google\/syzkaller\/blob\/master\/docs\/syscall_descriptions_syntax.md."},{"key":"e_1_3_2_1_40_1","first-page":"2471","volume-title":"Proceedings of the 30th USENIX Security Symposium (USENIX Security)","author":"Tan X.","year":"2021","unstructured":"X. Tan, Y. Zhang, X. Yang, K. Lu, and M. Yang. Detecting Kernel Refcount Bugs with Two-Dimensional Consistency Checking. In Proceedings of the 30th USENIX Security Symposium (USENIX Security), pages 2471--2488, Virtually, Aug. 2021."},{"key":"e_1_3_2_1_41_1","volume-title":"https:\/\/github.com\/google\/syzkaller\/blob\/3af7dd651dc78ce0784bef793d14dd2f72d07138\/tools\/demo_setup.sh#L38","author":"D. Vyukov. Syzbot Corp","year":"2023","unstructured":"D. Vyukov. Syzbot Corpus. https:\/\/github.com\/google\/syzkaller\/blob\/3af7dd651dc78ce0784bef793d14dd2f72d07138\/tools\/demo_setup.sh#L38, 2023. corpus."},{"key":"e_1_3_2_1_42_1","volume-title":"Syzbot and the Tale of Thousand Kernel Bugs","author":"Vyukov D.","year":"2018","unstructured":"D. Vyukov and A. Konovalov. Syzbot and the Tale of Thousand Kernel Bugs, 2018. Linux Security Summit."},{"key":"e_1_3_2_1_43_1","volume-title":"Coverage-guided Kernel Fuzzer. https:\/\/github.com\/google\/syzkaller","author":"Vyukov D.","year":"2019","unstructured":"D. Vyukov and A. Konovalov. Syzkaller: An Unsupervised, Coverage-guided Kernel Fuzzer. https:\/\/github.com\/google\/syzkaller, 2019."},{"key":"e_1_3_2_1_44_1","volume-title":"Proceedings of the 22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID)","author":"Wang J.","year":"2019","unstructured":"J. Wang, Y. Duan, W. Song, H. Yin, and C. Song. Be Sensitive and Collaborative: Analyzing Impact of Coverage Metrics In Greybox Fuzzing. In Proceedings of the 22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID), Sept. 2019."},{"key":"e_1_3_2_1_45_1","first-page":"781","volume-title":"Zou. FUZE: Towards Facilitating Exploit Generation for Kernel Use-After-Free Vulnerabilities. In Proceedings of the 27th USENIX Security Symposium (USENIX Security)","author":"Wu W.","year":"2018","unstructured":"W.Wu, Y. Chen, J. Xu, X. Xing, X. Gong, andW. Zou. FUZE: Towards Facilitating Exploit Generation for Kernel Use-After-Free Vulnerabilities. In Proceedings of the 27th USENIX Security Symposium (USENIX Security), pages 781--797, Baltimore, MD, Aug. 2018."},{"key":"e_1_3_2_1_46_1","first-page":"4247","volume-title":"Proceedings of the 32nd USENIX Security Symposium (USENIX Security)","author":"Wu Y.","year":"2023","unstructured":"Y. Wu, Z. Lin, Y. Chen, D. K. Le, D. Mu, and X. Xing. Mitigating Security Risks in Linux with KLAUS: A Method for Evaluating Patch Correctness. In Proceedings of the 32nd USENIX Security Symposium (USENIX Security), pages 4247--4264, Anaheim, CA, USA, Aug. 2023."},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813637"},{"key":"e_1_3_2_1_48_1","first-page":"2849","volume-title":"Proceedings of the 32nd USENIX Security Symposium (USENIX Security)","author":"Yuan M.","year":"2023","unstructured":"M. Yuan, B. Zhao, P. Li, J. Liang, X. Han, X. Luo, and C. Zhang. DDRace: Finding Concurrency UAF Vulnerabilities in Linux Drivers with Directed Fuzzing. In Proceedings of the 32nd USENIX Security Symposium (USENIX Security), pages 2849--2866, Anaheim, CA, USA, Aug. 2023."},{"key":"e_1_3_2_1_49_1","unstructured":"M. Zalewski. American Fuzzy Lop (2.52b). http:\/\/lcamtuf.coredump.cx\/afl."},{"key":"e_1_3_2_1_50_1","first-page":"71","volume-title":"Proceedings of the 31st USENIX Security Symposium (USENIX Security)","author":"Zeng K.","year":"2022","unstructured":"K. Zeng, Y. Chen, H. Cho, X. Xing, A. Doup\u00e9, Y. Shoshitaishvili, and T. Bao. Playing for K(H)eaps: Understanding and Improving Linux Kernel Exploit Reliability. In Proceedings of the 31st USENIX Security Symposium (USENIX Security), pages 71--88, Boston, MA, USA, Aug. 2022."},{"key":"e_1_3_2_1_51_1","first-page":"3201","volume-title":"Proceedings of the 31st USENIX Security Symposium (USENIX Security)","author":"Zou X.","year":"2022","unstructured":"X. Zou, G. Li, W. Chen, H. Zhang, and Z. Qian. SyzScope: Revealing High-Risk security impacts of Fuzzer-Exposed bugs in linux kernel. In Proceedings of the 31st USENIX Security Symposium (USENIX Security), pages 3201--3217, Boston, MA, USA, Aug. 2022."}],"event":{"name":"CCS '24: ACM SIGSAC Conference on Computer and Communications Security","location":"Salt Lake City UT USA","acronym":"CCS '24","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3658644.3690320","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3658644.3690320","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T06:06:52Z","timestamp":1755842812000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3658644.3690320"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,12,2]]},"references-count":51,"alternative-id":["10.1145\/3658644.3690320","10.1145\/3658644"],"URL":"https:\/\/doi.org\/10.1145\/3658644.3690320","relation":{},"subject":[],"published":{"date-parts":[[2024,12,2]]},"assertion":[{"value":"2024-12-09","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}