{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:32:02Z","timestamp":1766442722982,"version":"3.48.0"},"publisher-location":"New York, NY, USA","reference-count":67,"publisher":"ACM","content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,11,19]]},"DOI":"10.1145\/3719027.3765152","type":"proceedings-article","created":{"date-parts":[[2025,11,22]],"date-time":"2025-11-22T23:42:02Z","timestamp":1763854922000},"page":"216-230","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["CROSS-X: Generalized and Stable Cross-Cache Attack on the Linux Kernel"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0003-5167-7425","authenticated-orcid":false,"given":"Dong-ok","family":"Kim","sequence":"first","affiliation":[{"name":"ENKI WhiteHat, Seoul, Republic of Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0000-2056-1452","authenticated-orcid":false,"given":"Juhyun","family":"Song","sequence":"additional","affiliation":[{"name":"KAIST, Daejeon, Republic of Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8931-2833","authenticated-orcid":false,"given":"Insu","family":"Yun","sequence":"additional","affiliation":[{"name":"KAIST, Daejeon, Republic of Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2025,11,22]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"2023. Escaping the Google kCTF Container with a Data-Only Exploit. https: \/\/h0mbre.github.io\/kCTF_Data_Only_Exploit\/. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_2_1","unstructured":"Android. 2025. Kernel control flow integrity. https:\/\/source.android.com\/docs\/security\/test\/kcfi. Online Accessed: 2025-07-26."},{"key":"e_1_3_2_1_3_1","unstructured":"Oriol Castej\u00f3n. 2024. Mind the Patch Gap: Exploiting an io_uring Vulnerability in Ubuntu. https:\/\/blog.exodusintel.com\/2024\/03\/27\/mind-the-patch-gap-exploiting-an-io_uring-vulnerability-in-ubuntu\/. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_4_1","first-page":"1093","volume-title":"29th USENIX Security Symposium (USENIX Security 20)","author":"Chen Weiteng","year":"2020","unstructured":"Weiteng Chen, Xiaochen Zou, Guoren Li, and Zhiyun Qian. 2020b. KOOBE: Towards facilitating exploit generation of kernel Out-Of-Bounds write vulnerabilities. In 29th USENIX Security Symposium (USENIX Security 20). 1093-1110."},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3423353"},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363212"},{"key":"e_1_3_2_1_7_1","unstructured":"Kees Cook. 2017. mm: Add SLUB free list pointer obfuscation. https:\/\/patchwork.kernel.org\/project\/linux-hardening\/patch\/20170726041250.GA76741@beast\/. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_8_1","unstructured":"Kees Cook. 2024. slab: Introduce dedicated bucket allocator. https:\/\/lwn.net\/Articles\/980302\/. Online Accessed: 2025-07-26."},{"key":"e_1_3_2_1_9_1","unstructured":"Jonathan Corbet. 2012. Supervisor mode access prevention. https:\/\/lwn.net\/Articles\/517475\/. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_10_1","unstructured":"Jonathan Corbet. 2017. The current state of kernel page-table isolation. https:\/\/lwn.net\/Articles\/741878\/. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_11_1","unstructured":"Jonathan Corbet. 2023. Randomness for kmalloc(). https:\/\/lwn.net\/Articles\/938637\/. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_12_1","unstructured":"CROSS-X. 2025. CVE-2022-2585 Exploit. https:\/\/github.com\/crossx-1891\/CROSS-X\/blob\/main\/exploits\/cve-2022-2585\/exploit.c . Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_13_1","unstructured":"Vladimir Davydov. 2016. slab: add SLAB_ACCOUNT flag. https:\/\/git.kernel.org\/pub\/scm\/linux\/kernel\/git\/torvalds\/linux.git\/commit\/?id=230e9fc2860450fbb1f33bdcf9093d92d7d91f5b. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_14_1","unstructured":"Thomas Garnier. 2016. mm: SLAB freelist randomization. https:\/\/lwn.net\/Articles\/685047\/. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2016.24"},{"key":"e_1_3_2_1_16_1","unstructured":"Google. 2015. Syzkaller. https:\/\/github.com\/google\/syzkaller."},{"key":"e_1_3_2_1_17_1","unstructured":"Google. 2020. kCTF VRP Setup. https:\/\/google.github.io\/kctf\/vrp.html. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_18_1","unstructured":"Google. 2022. Kernel Exploits Recipes Notebook. https:\/\/docs.google.com\/document\/d\/1a9uUAISBzw3ur1aLQqKc5JOQLaJYiOP5pe_B4xCT1KA. Online Accessed: 2025-04-13."},{"volume-title":"Understanding the Linux virtual memory manager","author":"Gorman Mel","key":"e_1_3_2_1_19_1","unstructured":"Mel Gorman. 2004. Understanding the Linux virtual memory manager. Vol. 352. Prentice Hall Upper Saddle River."},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978356"},{"key":"e_1_3_2_1_21_1","volume-title":"Take a Step Further: Understanding Page Spray in Linux Kernel Exploitation. arXiv preprint arXiv:2406.02624","author":"Guo Ziyi","year":"2024","unstructured":"Ziyi Guo, Dang K Le, Zhenpeng Lin, Kyle Zeng, Ruoyu Wang, Tiffany Bao, Yan Shoshitaishvili, Adam Doup\u00e9, and Xinyu Xing. 2024. Take a Step Further: Understanding Page Spray in Linux Kernel Exploitation. arXiv preprint arXiv:2406.02624 (2024)."},{"key":"e_1_3_2_1_22_1","unstructured":"Jann Horn. 2021. How a simple Linux kernel memory corruption bug can lead to complete system compromise. https:\/\/googleprojectzero.blogspot.com\/2021\/10\/how-simple-linux-kernel-memory.html. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_23_1","unstructured":"Huawei. 2020. Emui 11.0 security technical white paper. https:\/\/consumer.huawei.com\/content\/dam\/huawei-cbg-site\/common\/campaign\/privacy\/whitepaper\/emui_11.0_security_technical_white_paper_v1.0.pdf. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2013.23"},{"key":"e_1_3_2_1_25_1","unstructured":"Xingyu Jin and Clement Lecigene. 2024. CVE-2024-44068: Samsung m2m1shot_scaler0 device driver page use-after-free in Android. https:\/\/googleprojectzero.github.io\/0days-in-the-wild\/0day-RCAs\/2024\/CVE-2024-44068.html. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_26_1","volume-title":"SMEP: What is it, and how to beat it on Windows. https:\/\/j00ru.vexillium.org\/2011\/06\/smep-what-is-it-and-how-to-beat-it-on-windows\/. Online, Accessed: 2025-04-13.","author":"Jurczyk Mateusz","year":"2011","unstructured":"Mateusz Jurczyk and Gynvael Coldwind. 2011. SMEP: What is it, and how to beat it on Windows. https:\/\/j00ru.vexillium.org\/2011\/06\/smep-what-is-it-and-how-to-beat-it-on-windows\/. Online, Accessed: 2025-04-13."},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/365628.365655"},{"key":"e_1_3_2_1_28_1","unstructured":"Tam\u00e1s Koczka. 2023. Learnings from kCTF VRP's 42 Linux kernel exploits submissions. https:\/\/security.googleblog.com\/2023\/06\/learnings-from-kctf-vrps-42-linux.html. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_29_1","volume-title":"SLUB: The unqueued slab allocator V6. https:\/\/lwn.net\/Articles\/229096\/. Online, Accessed: 2025-04-13.","author":"Lameter Christoph","year":"2007","unstructured":"Christoph Lameter. 2007. SLUB: The unqueued slab allocator V6. https:\/\/lwn.net\/Articles\/229096\/. Online, Accessed: 2025-04-13."},{"key":"e_1_3_2_1_30_1","volume-title":"Proceedings of the 32nd USENIX Security Symposium (Security)","author":"Lee Yoochan","year":"2023","unstructured":"Yoochan Lee, Jinhan Kwak, Junesoo Kang, Yuseok Jeon, and Byoungyoung Lee. 2023. Pspray: Timing Side-Channel based Linux Kernel Heap Exploitation Technique. In Proceedings of the 32nd USENIX Security Symposium (Security). Anaheim, CA."},{"key":"e_1_3_2_1_31_1","first-page":"2363","volume-title":"30th USENIX Security Symposium (USENIX Security 21)","author":"Lee Yoochan","year":"2021","unstructured":"Yoochan Lee, Changwoo Min, and Byoungyoung Lee. 2021. ExpRace: Exploiting kernel races through raising interrupts. In 30th USENIX Security Symposium (USENIX Security 21). 2363-2380."},{"key":"e_1_3_2_1_32_1","unstructured":"Zhenpeng Lin. 2023. CVE-2022-2588. https:\/\/github.com\/Markakd\/CVE-2022-2588. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560585"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2022.3226906"},{"key":"e_1_3_2_1_35_1","unstructured":"William Liu. 2021. corCTF 2021 Fire of Salvation Writeup: Utilizing msg_msg Objects for Arbitrary Read and Arbitrary Write in the Linux Kernel. https:\/\/www.willsroot.io\/2021\/08\/corctf-2021-fire-of-salvation-writeup.html. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_36_1","unstructured":"William Liu. 2022. Reviving Exploits Against Cred Structs - Six Byte Cross Cache Overflow to Leakless Data-Oriented Kernel Pwnage. https:\/\/www.willsroot.io\/2022\/08\/reviving-exploits-against-cred-struct.html. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/3623652.3623669"},{"key":"e_1_3_2_1_38_1","unstructured":"LKML.org. 2023. Re: [RFC PATCH 00\/14] Prevent cross-cache attacks in the SLUB allocator. https:\/\/lkml.org\/lkml\/2023\/9\/18\/1047. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_39_1","unstructured":"Lam Jun Long. 2022. io_uring - new code new bugs and a new exploit technique. https:\/\/starlabs.sg\/blog\/2022\/06-io_uring-new-code-new-bugs-and-a-new-exploit-technique\/. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_40_1","unstructured":"Waiman Long. 2021. mm: memcg\/slab: create a new set of kmalloc-cg-caches. https:\/\/git.kernel.org\/pub\/scm\/linux\/kernel\/git\/torvalds\/linux.git\/commit\/?id=494c1dfe855ec1f70f89552fce5eadf4a1717552. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_41_1","first-page":"4051","volume-title":"33rd USENIX Security Symposium (USENIX Security 24)","author":"Maar Lukas","year":"2024","unstructured":"Lukas Maar, Stefan Gast, Martin Unterguggenberger, Mathias Oberhuber, and Stefan Mangard. 2024a. SLUBStick: Arbitrary Memory Writes through Practical Software Cross-Cache Attacks within the Linux Kernel. In 33rd USENIX Security Symposium (USENIX Security 24). 4051-4068."},{"key":"e_1_3_2_1_42_1","unstructured":"Lukas Maar Stefan Gast Martin Unterguggenberger Mathias Oberhuber and Stefan Mangard. 2024b. SLUBStick Artifacts. https:\/\/github.com\/isec-tugraz\/SLUBStick\/blob\/main\/exploits\/userspace\/exploit_key.c. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_43_1","volume-title":"34rd USENIX Security Symposium: USENIX Security","author":"Maar Lukas","year":"2025","unstructured":"Lukas Maar, Lukas Giner, Daniel Gruss, and Stefan Mangard. 2025. WHEN GOOD KERNEL DEFENSES GO BAD: Reliable and Stable Kernel Exploits via Defense-Amplified TLB Side-Channel Leaks. In 34rd USENIX Security Symposium: USENIX Security 2024. USENIX Association."},{"key":"e_1_3_2_1_44_1","volume-title":"Linux kernel heap feng shui","author":"Vitaly Nikolenko","year":"2022","unstructured":"Vitaly Nikolenko Michael S. 2022. Linux kernel heap feng shui in 2022. https:\/\/duasynt.com\/blog\/linux-kernel-heap-feng-shui-2022. Online, Accessed: 2025-04-13."},{"key":"e_1_3_2_1_45_1","unstructured":"MITRE. 2021. CVE-2021-22555. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-22555. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_46_1","unstructured":"MITRE. 2022a. CVE-2022-0185. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-0185. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_47_1","unstructured":"MITRE. 2022b. CVE-2022-2585. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-2585. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_48_1","unstructured":"MITRE. 2022c. CVE-2022-2602. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-2602. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_49_1","unstructured":"MITRE. 2022 d. CVE-2022-32250. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-32250. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_50_1","unstructured":"MITRE. 2023. CVE-2023-5345. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2023-5345. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_51_1","unstructured":"Matteo Rizzo. 2023. Prevent cross-cache attacks in the SLUB allocator. https:\/\/lore.kernel.org\/linux-mm\/202309151425.2BE59091@keescook\/. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_52_1","unstructured":"Javier P Rufo. 2024. CVE-2022-22265. https:\/\/soez.github.io\/posts\/CVE-2022-22265-Samsung-npu-driver\/. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_53_1","unstructured":"Samsung. 2024. Real-time Kernel Protection (RKP). https:\/\/docs.samsungknox.com\/admin\/fundamentals\/whitepaper\/samsung-knox-for-android\/core-platform-security\/real-time-kernel-protection\/. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_54_1","unstructured":"Looker Studio. [n.d.]. Interesting Kernel Objects. https:\/\/lookerstudio.google.com\/u\/0\/reporting\/68b02863-4f5c-4d85-b3c1-992af89c855c\/page\/n92nD. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_55_1","unstructured":"SSD Secure Disclosure technical team. 2022. SSD Advisory \u2013 Linux CLOCK_THREAD_CPUTIME_ID LPE. https:\/\/ssd-disclosure.com\/ssd-advisory-linux-clock_thread_cputime_id-lpe\/. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_56_1","first-page":"4229","volume-title":"AlphaEXP: An Expert System for Identifying Security-Sensitive Kernel Objects. In 32nd USENIX Security Symposium (USENIX Security 23)","author":"Wang Ruipeng","year":"2023","unstructured":"Ruipeng Wang, Kaixiang Chen, Chao Zhang, Zulie Pan, Qianyu Li, Siliang Qin, Shenglin Xu, Min Zhang, and Yang Li. 2023. AlphaEXP: An Expert System for Identifying Security-Sensitive Kernel Objects. In 32nd USENIX Security Symposium (USENIX Security 23). 4229-4246."},{"key":"e_1_3_2_1_57_1","unstructured":"Le Wu. 2024. Game of Cross Cache: Let's win it in a more effective way!. In Blackhat USA."},{"key":"e_1_3_2_1_58_1","unstructured":"Nicolas Wu. 2023. Dirty Pagetable: A Novel Exploitation Technique To Rule Linux Kernel. https:\/\/web.archive.org\/web\/20241017044748\/https:\/\/yanglingxi1993.github.io\/dirty_pagetable\/dirty_pagetable.html. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_59_1","first-page":"781","volume-title":"27th USENIX Security Symposium (USENIX Security 18)","author":"Wu Wei","year":"2018","unstructured":"Wei Wu, Yueqi Chen, Jun Xu, Xinyu Xing, Xiaorui Gong, and Wei Zou. 2018. FUZE: Towards facilitating exploit generation for kernel Use-After-Free vulnerabilities. In 27th USENIX Security Symposium (USENIX Security 18). 781-797."},{"key":"e_1_3_2_1_60_1","unstructured":"Zhiyun Qian Xiaochen Zou. 2022. CVE-2022-27666: Exploit esp6 modules in Linux kernel. https:\/\/etenal.me\/archives\/1825. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813637"},{"key":"e_1_3_2_1_62_1","unstructured":"Jun Yao. 2018. arm64\/mm: move idmap_pg_dir tramp_pg_dir swapper_pg_dir to. rodata section. https:\/\/patchwork.kernel.org\/project\/linux-hardening\/patch\/20180620085755.20045-2-yaojun8558363@gmail.com\/. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_63_1","first-page":"71","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Zeng Kyle","year":"2022","unstructured":"Kyle Zeng, Yueqi Chen, Haehyun Cho, Xinyu Xing, Adam Doup\u00e9, Yan Shoshitaishvili, and Tiffany Bao. 2022. Playing for K (H) eaps: Understanding and improving linux kernel exploit reliability. In 31st USENIX Security Symposium (USENIX Security 22). 71-88."},{"key":"e_1_3_2_1_64_1","unstructured":"Jiayi Hu Zhiyun Qian Jinmeng Zhou Qi Tang and Wenbo Shen. 2024. PageJack: A Powerful Exploit Technique With Page-Level UAF. In Blackhat USA."},{"key":"e_1_3_2_1_65_1","volume-title":"Beyond control: Exploring novel file system objects for data-only attacks on linux systems. arXiv preprint arXiv:2401.17618","author":"Zhou Jinmeng","year":"2024","unstructured":"Jinmeng Zhou, Jiayi Hu, Ziyue Pan, Jiaxun Zhu, Wenbo Shen, Guoren Li, and Zhiyun Qian. 2024. Beyond control: Exploring novel file system objects for data-only attacks on linux systems. arXiv preprint arXiv:2401.17618 (2024)."},{"key":"e_1_3_2_1_66_1","unstructured":"Gulshan Singh Zi Fan Tan and Eugene Rodionov. 2024. Attacking Android Binder: Analysis and Exploitation of CVE-2023-20938. https:\/\/androidoffsec.withgoogle.com\/posts\/attacking-android-binder-analysis-and-exploitation-of-cve-2023-20938\/. Online Accessed: 2025-04-13."},{"key":"e_1_3_2_1_67_1","first-page":"3201","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Zou Xiaochen","year":"2022","unstructured":"Xiaochen Zou, Guoren Li, Weiteng Chen, Hang Zhang, and Zhiyun Qian. 2022. Syzscope: Revealing high-risk security impacts of fuzzer-exposed bugs in linux kernel. In 31st USENIX Security Symposium (USENIX Security 22). 3201-3217."}],"event":{"name":"CCS '25: ACM SIGSAC Conference on Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Taipei Taiwan","acronym":"CCS '25"},"container-title":["Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3719027.3765152","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:28:00Z","timestamp":1766442480000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3719027.3765152"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,11,19]]},"references-count":67,"alternative-id":["10.1145\/3719027.3765152","10.1145\/3719027"],"URL":"https:\/\/doi.org\/10.1145\/3719027.3765152","relation":{},"subject":[],"published":{"date-parts":[[2025,11,19]]},"assertion":[{"value":"2025-11-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}