{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:22:11Z","timestamp":1766442131793,"version":"3.48.0"},"publisher-location":"New York, NY, USA","reference-count":50,"publisher":"ACM","license":[{"start":{"date-parts":[[2026,11,22]],"date-time":"2026-11-22T00:00:00Z","timestamp":1795305600000},"content-version":"vor","delay-in-days":368,"URL":"http:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100000781","name":"European Research Council","doi-asserted-by":"publisher","award":["101045669"],"award-info":[{"award-number":["101045669"]}],"id":[{"id":"10.13039\/501100000781","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001659","name":"Deutsche Forschungsgemeinschaft","doi-asserted-by":"publisher","award":["390781972"],"award-info":[{"award-number":["390781972"]}],"id":[{"id":"10.13039\/501100001659","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["2232915"],"award-info":[{"award-number":["2232915"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Advanced Research Projects Agency for Health","award":["SP4701-23-C-0074"],"award-info":[{"award-number":["SP4701-23-C-0074"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,11,19]]},"DOI":"10.1145\/3719027.3765027","type":"proceedings-article","created":{"date-parts":[[2025,11,22]],"date-time":"2025-11-22T23:33:16Z","timestamp":1763854396000},"page":"2639-2652","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Empirical Security Analysis of Software-based Fault Isolation through Controlled Fault 
Injection"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0001-5179-4002","authenticated-orcid":false,"given":"Nils","family":"Bars","sequence":"first","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Saarbruecken, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-8564-1476","authenticated-orcid":false,"given":"Lukas","family":"Bernhard","sequence":"additional","affiliation":[{"name":"Independent, Dortmund, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1630-1687","authenticated-orcid":false,"given":"Moritz","family":"Schloegel","sequence":"additional","affiliation":[{"name":"Arizona State University, Tempe, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2783-1264","authenticated-orcid":false,"given":"Thorsten","family":"Holz","sequence":"additional","affiliation":[{"name":"Max Planck Institute for Security and Privacy, Bochum, Germany"}]}],"member":"320","published-online":{"date-parts":[[2025,11,22]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"https:\/\/developer.arm.com\/documentation\/102925\/latest\/","author":"Extension White Paper A Memory Tagging","year":"2019","unstructured":"Armv8.5-A Memory Tagging Extension White Paper. https:\/\/developer.arm.com\/documentation\/102925\/latest\/, 2019. Accessed: today."},{"key":"e_1_3_2_1_2_1","volume-title":"Control-Flow Integrity Principles, Implementations, and Applications. ACM Transactions on Information and System Security (TISSEC), 13(1)","author":"Abadi Mart\u00edn","year":"2009","unstructured":"Mart\u00edn Abadi, Mihai Budiu, Ulfar Erlingsson, and Jay Ligatti. Control-Flow Integrity Principles, Implementations, and Applications. ACM Transactions on Information and System Security (TISSEC), 13(1), 2009."},{"key":"e_1_3_2_1_3_1","volume-title":"Thorsten Holz. REDQUEEN: Fuzzing with Input-to-State Correspondence. 
In Symposium on Network and Distributed System Security (NDSS)","author":"Aschermann Cornelius","year":"2019","unstructured":"Cornelius Aschermann, Sergej Schumilo, Tim Blazytko, Robert Gawlik, and Thorsten Holz. REDQUEEN: Fuzzing with Input-to-State Correspondence. In Symposium on Network and Distributed System Security (NDSS), 2019."},{"key":"e_1_3_2_1_4_1","volume-title":"A Brief History of Just-In-Time. ACM Computing Surveys (CSUR), 35(2):97-113","author":"Aycock John","year":"2003","unstructured":"John Aycock. A Brief History of Just-In-Time. ACM Computing Surveys (CSUR), 35(2):97-113, 2003."},{"key":"e_1_3_2_1_5_1","volume-title":"USENIX Security Symposium","author":"Bars Nils","year":"2023","unstructured":"Nils Bars, Moritz Schloegel, Tobias Scharnowski, Nico Schiller, and Thorsten Holz. Fuzztruction: Using Fault Injection-based Fuzzing to Leverage Implicit Domain Knowledge. In USENIX Security Symposium, 2023."},{"key":"e_1_3_2_1_6_1","volume-title":"ACM Conference on Computer and Communications Security (CCS)","author":"Bars Nils","year":"2024","unstructured":"Nils Bars, Moritz Schloegel, Nico Schiller, Lukas Bernhard, and Thorsten Holz. No Peer, no Cry: Network Application Fuzzing via Fault Injection. In ACM Conference on Computer and Communications Security (CCS), 2024."},{"key":"e_1_3_2_1_7_1","volume-title":"Thorsten Holz. JIT-Picking: Differential Fuzzing of JavaScript Engines. In ACM Conference on Computer and Communications Security (CCS)","author":"Bernhard Lukas","year":"2022","unstructured":"Lukas Bernhard, Tobias Scharnowski, Moritz Schloegel, Tim Blazytko, and Thorsten Holz. JIT-Picking: Differential Fuzzing of JavaScript Engines. In ACM Conference on Computer and Communications Security (CCS), 2022."},{"key":"e_1_3_2_1_8_1","volume-title":"Thorsten Holz. DarthShader: Fuzzing WebGPU Shader Translators & Compilers. 
In ACM Conference on Computer and Communications Security (CCS)","author":"Bernhard Lukas","year":"2024","unstructured":"Lukas Bernhard, Nico Schiller, Moritz Schloegel, Nils Bars, and Thorsten Holz. DarthShader: Fuzzing WebGPU Shader Translators & Compilers. In ACM Conference on Computer and Communications Security (CCS), 2024."},{"unstructured":"bughunters.google.com. Chrome Vulnerability Reward Program Rules. https:\/\/bughunters.google.com\/about\/rules\/chrome-friends\/5745167867576320\/chrome-vulnerability-reward-program-rules. Accessed: today.","key":"e_1_3_2_1_9_1"},{"unstructured":"bugzilla.mozilla.org. Bugzilla: Evaluate libexpat CVE-2022-43680 Fix. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=CVE-2022-43680. Accessed: today.","key":"e_1_3_2_1_10_1"},{"unstructured":"bugzilla.mozilla.org. Bugzilla: RLBox - Port libGraphite Usage Code to use the RLBox API. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1566288. Accessed: today.","key":"e_1_3_2_1_11_1"},{"unstructured":"bugzilla.mozilla.org. Bugzilla: RLBox - Port libOgg Usage Code in the OGGDemuxer to use the RLBox API. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1625876. Accessed: today.","key":"e_1_3_2_1_12_1"},{"unstructured":"bugzilla.mozilla.org. Bugzilla: Sandbox libexpat using RLBox. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1688452. Accessed: today.","key":"e_1_3_2_1_13_1"},{"key":"e_1_3_2_1_14_1","volume-title":"Control-Flow Integrity: Precision, Security, and Performance. ACM Computing Surveys (CSUR), 50(1)","author":"Burow Nathan","year":"2017","unstructured":"Nathan Burow, Scott A Carr, Joseph Nash, Per Larsen, Michael Franz, Stefan Brunthaler, and Mathias Payer. Control-Flow Integrity: Precision, Security, and Performance. ACM Computing Surveys (CSUR), 50(1), 2017."},{"unstructured":"chromium.googlesource.com. V8 Sandbox Readme. https:\/\/chromium.googlesource.com\/v8\/v8.git\/\/refs\/heads\/main\/src\/sandbox\/README.md. 
Accessed: today.","key":"e_1_3_2_1_15_1"},{"unstructured":"chromium.org. V8 Bugtracker: Design Flaw in Synchronous Mojo Message Handling Introduces Unexpected Reentrancy and Allows for Multiple UAFs. https:\/\/issues.chromium.org\/issues\/40061398. Accessed: today.","key":"e_1_3_2_1_16_1"},{"unstructured":"chromium.org. V8 Bugtracker: Incorrect Type Information on Math.expm1. https:\/\/issues.chromium.org\/issues\/40092352. Accessed: today.","key":"e_1_3_2_1_17_1"},{"unstructured":"chromium.org. V8 Bugtracker: Mojo Message Validation Bypass due to Shared Memory. https:\/\/issues.chromium.org\/issues\/40063855. Accessed: today.","key":"e_1_3_2_1_18_1"},{"unstructured":"chromium.org. V8 Bugtracker: Off by One in TurboFan Range Optimization for String.indexOf. https:\/\/issues.chromium.org\/issues\/40088942. Accessed: today.","key":"e_1_3_2_1_19_1"},{"unstructured":"chromium.org. V8 Bugtracker: UaF in ImageCapture. https:\/\/issues.chromium.org\/issues\/40096129. Accessed: today.","key":"e_1_3_2_1_20_1"},{"unstructured":"chromium.org. V8 Bugtracker: UAF in OfflinePageAutoFetcher::CancelSchedule. https:\/\/issues.chromium.org\/issues\/40095468. Accessed: today.","key":"e_1_3_2_1_21_1"},{"key":"e_1_3_2_1_22_1","volume-title":"Programming the 80386 SYBEX","author":"Crawford John H","year":"1987","unstructured":"John H Crawford and Patrick P Gelsinger. Programming the 80386 SYBEX. Inc, San Francisco, 1987."},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_23_1","DOI":"10.1145\/3192366.3192396"},{"key":"e_1_3_2_1_24_1","volume-title":"ACM Computing Surveys (CSUR), 2(3):153-189","author":"Denning Peter J","year":"1970","unstructured":"Peter J Denning. Virtual Memory. ACM Computing Surveys (CSUR), 2(3):153-189, 1970."},{"unstructured":"docs.google.com. V8 Sandbox - High-Level Design Doc. https:\/\/docs.google.com\/document\/d\/1FM4fQmIhEqPG8uGp5o9A-mnPB5BOeScZYpkHjo0KKA8\/edit?usp=sharing. 
Accessed: today.","key":"e_1_3_2_1_25_1"},{"key":"e_1_3_2_1_26_1","volume-title":"George C Necula. XFI: Software Guards for System Address Spaces. In Symposium on Operating Systems Design and Implementation (OSDI)","author":"Erlingsson Ulfar","year":"2006","unstructured":"Ulfar Erlingsson, Mart\u00edn Abadi, Michael Vrable, Mihai Budiu, and George C Necula. XFI: Software Guards for System Address Spaces. In Symposium on Operating Systems Design and Implementation (OSDI), 2006."},{"key":"e_1_3_2_1_27_1","volume-title":"Marc Heuse. AFL++: Combining Incremental Steps of Fuzzing Research. In USENIX Workshop on Offensive Technologies (WOOT)","author":"Fioraldi Andrea","year":"2020","unstructured":"Andrea Fioraldi, Dominik Maier, Heiko Ei\u00dffeldt, and Marc Heuse. AFL++: Combining Incremental Steps of Fuzzing Research. In USENIX Workshop on Offensive Technologies (WOOT), 2020."},{"key":"e_1_3_2_1_28_1","volume-title":"ACM Conference on Computer and Communications Security (CCS)","author":"Fioraldi Andrea","year":"2022","unstructured":"Andrea Fioraldi, Dominik Christian Maier, Dongjia Zhang, and Davide Balzarotti. LibAFL: A Framework to Build Modular and Reusable Fuzzers. In ACM Conference on Computer and Communications Security (CCS), 2022."},{"key":"e_1_3_2_1_29_1","volume-title":"Martin Johns. FUZZILLI: Fuzzing for JavaScript JIT Compiler Vulnerabilities. In Symposium on Network and Distributed System Security (NDSS)","author":"Gro\u00df Samuel","year":"2023","unstructured":"Samuel Gro\u00df, Simon Koch, Lukas Bernhard, Thorsten Holz, and Martin Johns. FUZZILLI: Fuzzing for JavaScript JIT Compiler Vulnerabilities. In Symposium on Network and Distributed System Security (NDSS), 2023."},{"key":"e_1_3_2_1_30_1","volume-title":"Huck and Jim Hays. Architectural Support For Translation Table Management In Large Address Space Machines. In Annual International Symposium on Computer Architecture","author":"Jerome","year":"1993","unstructured":"Jerome C. Huck and Jim Hays. 
Architectural Support For Translation Table Management In Large Address Space Machines. In Annual International Symposium on Computer Architecture, 1993."},{"key":"e_1_3_2_1_31_1","volume-title":"USENIX Security Symposium","author":"Jiang Zu-Ming","year":"2020","unstructured":"Zu-Ming Jiang, Jia-Ju Bai, Kangjie Lu, and Shi-Min Hu. Fuzzing Error Handling Code using Context-Sensitive Software Fault Injection. In USENIX Security Symposium, 2020."},{"key":"e_1_3_2_1_32_1","volume-title":"Michael Hicks. Evaluating Fuzz Testing. In ACM Conference on Computer and Communications Security (CCS)","author":"Klees George","year":"2018","unstructured":"George Klees, Andrew Ruef, Benji Cooper, Shiyi Wei, and Michael Hicks. Evaluating Fuzz Testing. In ACM Conference on Computer and Communications Security (CCS), 2018."},{"key":"e_1_3_2_1_33_1","volume-title":"A Note on the Confinement Problem. Communications of the ACM (CACM), 16(10)","author":"Lampson Butler W","year":"1973","unstructured":"Butler W Lampson. A Note on the Confinement Problem. Communications of the ACM (CACM), 16(10), 1973."},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_34_1","DOI":"10.1109\/ASE51524.2021.9678785"},{"key":"e_1_3_2_1_35_1","volume-title":"Verifiable Binary Sandboxing for a CISC Architecture. Technical report","author":"McCamant Stephen","year":"2005","unstructured":"Stephen McCamant and Greg Morrisett. Efficient, Verifiable Binary Sandboxing for a CISC Architecture. Technical report, Massachusetts Institute of Technology, 2005."},{"key":"e_1_3_2_1_36_1","volume-title":"ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI)","author":"Morrisett Greg","year":"2012","unstructured":"Greg Morrisett, Gang Tan, Joseph Tassarotti, Jean-Baptiste Tristan, and Edward Gan. RockSalt: Better, Faster, Stronger SFI for the x86. In ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), 2012."},{"unstructured":"mozilla.org. JavaScript: Using Web Workers. 
https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/API\/Web_Workers_API\/Using_web_workers. Accessed: today.","key":"e_1_3_2_1_37_1"},{"key":"e_1_3_2_1_38_1","volume-title":"Deian Stefan. Retrofitting Fine Grain Isolation in the Firefox Renderer. In USENIX Security Symposium","author":"Narayan Shravan","year":"2020","unstructured":"Shravan Narayan, Craig Disselkoen, Tal Garfinkel, Nathan Froyd, Eric Rahm, Sorin Lerner, Hovav Shacham, and Deian Stefan. Retrofitting Fine Grain Isolation in the Firefox Renderer. In USENIX Security Symposium, 2020."},{"key":"e_1_3_2_1_39_1","volume-title":"USENIX Annual Technical Conference (ATC)","author":"Park Soyeon","year":"2019","unstructured":"Soyeon Park, Sangho Lee, Wen Xu, HyunGon Moon, and Taesoo Kim. libmpk: Software Abstraction for Intel Memory Protection Keys (Intel MPK). In USENIX Annual Technical Conference (ATC), 2019."},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_40_1","DOI":"10.1145\/3658644.3690278"},{"unstructured":"Andreas Rossberg. WebAssembly Core Specification.","key":"e_1_3_2_1_41_1"},{"key":"e_1_3_2_1_42_1","volume-title":"Ali Abbasi. Fuzzware: Using Precise MMIO Modeling for Effective Firmware Fuzzing. In USENIX Security Symposium","author":"Scharnowski Tobias","year":"2022","unstructured":"Tobias Scharnowski, Nils Bars, Moritz Schloegel, Eric Gustafson, Marius Muench, Giovanni Vigna, Christopher Kruegel, Thorsten Holz, and Ali Abbasi. Fuzzware: Using Precise MMIO Modeling for Effective Firmware Fuzzing. In USENIX Security Symposium, 2022."},{"key":"e_1_3_2_1_43_1","volume-title":"Thorsten Holz. SoK: Prudent Evaluation Practices for Fuzzing. In IEEE Symposium on Security and Privacy (S&P)","author":"Schloegel Moritz","year":"2024","unstructured":"Moritz Schloegel, Nils Bars, Nico Schiller, Lukas Bernhard, Tobias Scharnowski, Addison Crump, Arash Ale-Ebrahim, Nicolai Bissantz, Marius Muench, and Thorsten Holz. SoK: Prudent Evaluation Practices for Fuzzing. 
In IEEE Symposium on Security and Privacy (S&P), 2024."},{"key":"e_1_3_2_1_44_1","volume-title":"USENIX Security Symposium","author":"Schrammel David","year":"2020","unstructured":"David Schrammel, Samuel Weiser, Stefan Steinegger, Martin Schwarzl, Michael Schwarz, Stefan Mangard, and Daniel Gruss. Donky: Domain Keys - Efficient In-Process Isolation for RISC-V and x86. In USENIX Security Symposium, 2020."},{"key":"e_1_3_2_1_45_1","volume-title":"Memory Tagging and How it Improves C\/C++ Memory Safety","author":"Serebryany Kostya","year":"2018","unstructured":"Kostya Serebryany, Evgenii Stepanov, Aleksey Shlyapnikov, Vlad Tsyrklevich, and Dmitry Vyukov. Memory Tagging and How it Improves C\/C++ Memory Safety, 2018."},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_46_1","DOI":"10.1145\/3634737.3637650"},{"unstructured":"v8.dev. The V8 Sandbox. https:\/\/v8.dev\/blog\/sandbox. Accessed: today.","key":"e_1_3_2_1_47_1"},{"key":"e_1_3_2_1_48_1","volume-title":"Susan L Graham. Efficient Software-based Fault Isolation. In Symposium on Operating Systems Principles (SOSP)","author":"Wahbe Robert","year":"1993","unstructured":"Robert Wahbe, Steven Lucco, Thomas E Anderson, and Susan L Graham. Efficient Software-based Fault Isolation. In Symposium on Operating Systems Principles (SOSP), 1993."},{"key":"e_1_3_2_1_49_1","volume-title":"Munraj Vadera. CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization. In IEEE Symposium on Security and Privacy (S&P)","author":"Watson Robert N.M.","year":"2015","unstructured":"Robert N.M. Watson, Jonathan Woodruff, Peter G. Neumann, Simon W. Moore, Jonathan Anderson, David Chisnall, Nirav Dave, Brooks Davis, Khilan Gudka, Ben Laurie, Steven J. Murdoch, Robert Norton, Michael Roe, Stacey Son, and Munraj Vadera. CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization. 
In IEEE Symposium on Security and Privacy (S&P), 2015."},{"key":"e_1_3_2_1_50_1","volume-title":"IEEE Symposium on Security and Privacy (S&P)","author":"Yee Bennet","year":"2009","unstructured":"Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Ormandy, Shiki Okasaka, Neha Narula, and Nicholas Fullagar. Native Client: A Sandbox for Portable, Untrusted x86 Native Code. In IEEE Symposium on Security and Privacy (S&P), 2009."}],"event":{"sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"acronym":"CCS '25","name":"CCS '25: ACM SIGSAC Conference on Computer and Communications Security","location":"Taipei Taiwan"},"container-title":["Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3719027.3765027","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3719027.3765027","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:18:44Z","timestamp":1766441924000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3719027.3765027"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,11,19]]},"references-count":50,"alternative-id":["10.1145\/3719027.3765027","10.1145\/3719027"],"URL":"https:\/\/doi.org\/10.1145\/3719027.3765027","relation":{},"subject":[],"published":{"date-parts":[[2025,11,19]]},"assertion":[{"value":"2025-11-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}