{"id":"https://openalex.org/W2979333187","doi":"https://doi.org/10.1109/tdsc.2019.2946816","title":"CATTmew: Defeating Software-Only Physical Kernel Isolation","display_name":"CATTmew: Defeating Software-Only Physical Kernel Isolation","publication_year":2019,"publication_date":"2019-10-11","ids":{"openalex":"https://openalex.org/W2979333187","doi":"https://doi.org/10.1109/tdsc.2019.2946816","mag":"2979333187"},"language":"en","primary_location":{"id":"doi:10.1109/tdsc.2019.2946816","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tdsc.2019.2946816","pdf_url":null,"source":{"id":"https://openalex.org/S133795288","display_name":"IEEE Transactions on Dependable and Secure Computing","issn_l":"1545-5971","issn":["1545-5971","1941-0018","2160-9209"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320439","host_organization_name":"IEEE Computer Society","host_organization_lineage":["https://openalex.org/P4310320439","https://openalex.org/P4310319808"],"host_organization_lineage_names":["IEEE Computer Society","Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Dependable and Secure Computing","raw_type":"journal-article"},"type":"article","indexed_in":["arxiv","crossref"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://arxiv.org/pdf/1802.07060","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":null,"display_name":"Yueqiang Cheng","orcid":"https://orcid.org/0000-0002-6277-340X"},"institutions":[{"id":"https://openalex.org/I98301712","display_name":"Baidu (China)","ror":"https://ror.org/03vs3wt56","country_code":"CN","type":"company","lineage":["https://openalex.org/I98301712"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Yueqiang Cheng","raw_affiliation_strings":["Baidu XLab, Haidian, Beijing, China"],"affiliations":[{"raw_affiliation_string":"Baidu XLab, Haidian, Beijing, China","institution_ids":["https://openalex.org/I98301712"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Zhi Zhang","orcid":"https://orcid.org/0000-0003-3604-5369"},"institutions":[{"id":"https://openalex.org/I1292875679","display_name":"Commonwealth Scientific and Industrial Research Organisation","ror":"https://ror.org/03qn8fb07","country_code":"AU","type":"government","lineage":["https://openalex.org/I1292875679","https://openalex.org/I2801453606","https://openalex.org/I4387156119"]},{"id":"https://openalex.org/I42894916","display_name":"Data61","ror":"https://ror.org/03q397159","country_code":"AU","type":"other","lineage":["https://openalex.org/I1292875679","https://openalex.org/I2801453606","https://openalex.org/I42894916","https://openalex.org/I4387156119"]}],"countries":["AU"],"is_corresponding":false,"raw_author_name":"Zhi Zhang","raw_affiliation_strings":["Data61, CSIRO, Clayton South, Vic, Australia"],"affiliations":[{"raw_affiliation_string":"Data61, CSIRO, Clayton South, Vic, Australia","institution_ids":["https://openalex.org/I42894916","https://openalex.org/I1292875679"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Surya Nepal","orcid":"https://orcid.org/0000-0002-3289-6599"},"institutions":[{"id":"https://openalex.org/I31746571","display_name":"UNSW Sydney","ror":"https://ror.org/03r8z3t63","country_code":"AU","type":"education","lineage":["https://openalex.org/I31746571"]}],"countries":["AU"],"is_corresponding":false,"raw_author_name":"Surya Nepal","raw_affiliation_strings":["University of New South Wales, Sydney, NSW, Australia"],"affiliations":[{"raw_affiliation_string":"University of New South Wales, Sydney, NSW, Australia","institution_ids":["https://openalex.org/I31746571"]}]},{"author_position":"last","author":{"id":null,"display_name":"Zhi Wang","orcid":null},"institutions":[{"id":"https://openalex.org/I103163165","display_name":"Florida State University","ror":"https://ror.org/05g3dte14","country_code":"US","type":"education","lineage":["https://openalex.org/I103163165"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Zhi Wang","raw_affiliation_strings":["Department of Computer Science, Florida State University, Tallahassee, FL, USA"],"affiliations":[{"raw_affiliation_string":"Department of Computer Science, Florida State University, Tallahassee, FL, USA","institution_ids":["https://openalex.org/I103163165"]}]}],"institutions":[],"countries_distinct_count":3,"institutions_distinct_count":4,"corresponding_author_ids":[],"corresponding_institution_ids":["https://openalex.org/I98301712"],"apc_list":null,"apc_paid":null,"fwci":0.5788,"has_fulltext":false,"cited_by_count":6,"citation_normalized_percentile":{"value":0.76252538,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":89,"max":95},"biblio":{"volume":"18","issue":"4","first_page":"1989","last_page":"2004"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9836000204086304,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9836000204086304,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11181","display_name":"Advanced Data Storage Technologies","score":0.005400000140070915,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10054","display_name":"Parallel Computing and Optimization Techniques","score":0.0020000000949949026,"subfield":{"id":"https://openalex.org/subfields/1708","display_name":"Hardware and Architecture"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.8565000295639038},{"id":"https://openalex.org/keywords/kernel","display_name":"Kernel (algebra)","score":0.6498000025749207},{"id":"https://openalex.org/keywords/cache","display_name":"Cache","score":0.5590000152587891},{"id":"https://openalex.org/keywords/partition","display_name":"Partition (number theory)","score":0.45339998602867126},{"id":"https://openalex.org/keywords/isolation","display_name":"Isolation (microbiology)","score":0.4503999948501587},{"id":"https://openalex.org/keywords/cpu-cache","display_name":"CPU cache","score":0.4309000074863434},{"id":"https://openalex.org/keywords/linux-kernel","display_name":"Linux kernel","score":0.40950000286102295},{"id":"https://openalex.org/keywords/domain","display_name":"Domain (mathematical analysis)","score":0.3889999985694885}],"concepts":[{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.8565000295639038},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8004000186920166},{"id":"https://openalex.org/C74193536","wikidata":"https://www.wikidata.org/wiki/Q574844","display_name":"Kernel (algebra)","level":2,"score":0.6498000025749207},{"id":"https://openalex.org/C115537543","wikidata":"https://www.wikidata.org/wiki/Q165596","display_name":"Cache","level":2,"score":0.5590000152587891},{"id":"https://openalex.org/C42812","wikidata":"https://www.wikidata.org/wiki/Q1082910","display_name":"Partition (number theory)","level":2,"score":0.45339998602867126},{"id":"https://openalex.org/C2775941552","wikidata":"https://www.wikidata.org/wiki/Q25212305","display_name":"Isolation (microbiology)","level":2,"score":0.4503999948501587},{"id":"https://openalex.org/C189783530","wikidata":"https://www.wikidata.org/wiki/Q352090","display_name":"CPU cache","level":3,"score":0.4309000074863434},{"id":"https://openalex.org/C553261973","wikidata":"https://www.wikidata.org/wiki/Q14579","display_name":"Linux kernel","level":2,"score":0.40950000286102295},{"id":"https://openalex.org/C36503486","wikidata":"https://www.wikidata.org/wiki/Q11235244","display_name":"Domain (mathematical analysis)","level":2,"score":0.3889999985694885},{"id":"https://openalex.org/C173608175","wikidata":"https://www.wikidata.org/wiki/Q232661","display_name":"Parallel computing","level":1,"score":0.36419999599456787},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.3474999964237213},{"id":"https://openalex.org/C176649486","wikidata":"https://www.wikidata.org/wiki/Q2308807","display_name":"Memory management","level":3,"score":0.3384999930858612},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.33059999346733093},{"id":"https://openalex.org/C2778579508","wikidata":"https://www.wikidata.org/wiki/Q722192","display_name":"System call","level":2,"score":0.3149999976158142},{"id":"https://openalex.org/C76399640","wikidata":"https://www.wikidata.org/wiki/Q189401","display_name":"Virtual memory","level":4,"score":0.3100000023841858},{"id":"https://openalex.org/C142355369","wikidata":"https://www.wikidata.org/wiki/Q7698919","display_name":"Temporal isolation among virtual machines","level":4,"score":0.3059000074863434},{"id":"https://openalex.org/C120314980","wikidata":"https://www.wikidata.org/wiki/Q180634","display_name":"Distributed computing","level":1,"score":0.2777000069618225},{"id":"https://openalex.org/C90307666","wikidata":"https://www.wikidata.org/wiki/Q1932562","display_name":"sysfs","level":3,"score":0.2770000100135803},{"id":"https://openalex.org/C140417398","wikidata":"https://www.wikidata.org/wiki/Q16933942","display_name":"Tree kernel","level":5,"score":0.2676999866962433},{"id":"https://openalex.org/C119024030","wikidata":"https://www.wikidata.org/wiki/Q759899","display_name":"Call stack","level":3,"score":0.26570001244544983},{"id":"https://openalex.org/C162262903","wikidata":"https://www.wikidata.org/wiki/Q343527","display_name":"Allocator","level":2,"score":0.26420000195503235},{"id":"https://openalex.org/C149635348","wikidata":"https://www.wikidata.org/wiki/Q193040","display_name":"Embedded system","level":1,"score":0.2524000108242035}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1109/tdsc.2019.2946816","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tdsc.2019.2946816","pdf_url":null,"source":{"id":"https://openalex.org/S133795288","display_name":"IEEE Transactions on Dependable and Secure Computing","issn_l":"1545-5971","issn":["1545-5971","1941-0018","2160-9209"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320439","host_organization_name":"IEEE Computer Society","host_organization_lineage":["https://openalex.org/P4310320439","https://openalex.org/P4310319808"],"host_organization_lineage_names":["IEEE Computer Society","Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Dependable and Secure Computing","raw_type":"journal-article"},{"id":"pmh:oai:arXiv.org:1802.07060","is_oa":true,"landing_page_url":"http://arxiv.org/abs/1802.07060","pdf_url":"https://arxiv.org/pdf/1802.07060","source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"}],"best_oa_location":{"id":"pmh:oai:arXiv.org:1802.07060","is_oa":true,"landing_page_url":"http://arxiv.org/abs/1802.07060","pdf_url":"https://arxiv.org/pdf/1802.07060","source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":25,"referenced_works":["https://openalex.org/W2086795351","https://openalex.org/W2157116240","https://openalex.org/W2163563130","https://openalex.org/W2420049379","https://openalex.org/W2516668814","https://openalex.org/W2532499458","https://openalex.org/W2664885055","https://openalex.org/W2795222486","https://openalex.org/W2806638034","https://openalex.org/W2961531859","https://openalex.org/W2962726564","https://openalex.org/W3000664081","https://openalex.org/W4233459511","https://openalex.org/W6630265792","https://openalex.org/W6712237015","https://openalex.org/W6720892955","https://openalex.org/W6723169266","https://openalex.org/W6723175060","https://openalex.org/W6725368715","https://openalex.org/W6730075365","https://openalex.org/W6732938580","https://openalex.org/W6734785344","https://openalex.org/W6744009158","https://openalex.org/W6751554292","https://openalex.org/W6753951102"],"related_works":[],"abstract_inverted_index":{"All":[0],"the":[1,7,12,40,61,79,95,107,122,126,132,135,148,165,176,184,194,199,204,222,230,258,289],"state-of-the-art":[2],"rowhammer":[3,191,260],"attacks":[4,192],"can":[5,118],"break":[6],"MMU-enforced":[8],"inter-domain":[9],"isolation":[10,59,110],"because":[11],"physical":[13,28,41,57,108,177],"memory":[14,42,253,310],"owned":[15,162],"by":[16,32,38,51,143,164,180],"each":[17,22,36,48],"domain":[18,29,37],"is":[19,76,111,141,218,248,311],"adjacent":[20,228],"to":[21,68,220,229,267],"other.":[23],"To":[24],"mitigate":[25],"these":[26],"attacks,":[27],"isolation,":[30],"introduced":[31],"CATT,":[33],"physically":[34,227],"separates":[35],"dividing":[39],"into":[43],"multiple":[44],"partitions":[45],"and":[46,64,98,102,158,167,182,250],"keeping":[47],"partition":[49],"occupied":[50,309],"only":[52,237],"one":[53,77],"domain.":[54],"CATT":[55,96,181],"implemented":[56],"kernel":[58,70,75,103,109,153,166,225,291],"as":[60,74,312,314],"first":[62],"generic":[63],"practical":[65],"software-only":[66],"defense":[67],"protect":[69],"from":[71],"being":[72],"rowhammered":[73],"of":[78,134,172,241],"most":[80],"appealing":[81],"targets.":[82],"In":[83],"this":[84],"paper,":[85],"we":[86,209],"develop":[87],"a":[88,211,238,244,299],"novel":[89],"exploit":[90,117,140,247,287],"that":[91,106,147,262,298],"could":[92,302],"effectively":[93],"defeat":[94],"implementation":[97],"gain":[99],"both":[100],"root":[101],"privileges,":[104],"indicating":[105],"not":[112],"secure":[113],"in":[114],"practice.":[115],"Our":[116,273,294],"work":[119],"without":[120],"exhausting":[121],"page":[123,200,234],"cache":[124,201],"or":[125,129,202],"system":[127,206],"memory,":[128],"relying":[130],"on":[131,279,288],"information":[133],"virtual-to-physical":[136],"address":[137],"mapping.":[138],"The":[139,170,308],"motivated":[142],"our":[144,246,286],"key":[145],"observation":[146],"modern":[149],"OSes":[150],"have":[151],"double-owned":[152,224],"buffers":[154,157,174,226],"(e.g.,":[155,233],"video":[156],"SCSI":[159],"Generic":[160],"buffers)":[161],"concurrently":[163],"user":[168],"domains.":[169],"existence":[171],"such":[173],"invalidates":[175],"separation":[178],"enforced":[179],"makes":[183],"rowhammer-based":[185],"attack":[186,301],"possible":[187],"again.":[188],"Existing":[189],"conspicuous":[190],"achieving":[193],"root/kernel":[195],"privilege":[196],"escalation":[197],"exhaust":[198],"even":[203],"whole":[205],"memory.":[207,242],"Instead,":[208],"propose":[210],"new":[212],"technique,":[213],"named":[214],"Memory":[215],"Ambush.":[216],"It":[217],"able":[219],"place":[221],"hammerable":[223],"target":[231],"objects":[232],"tables)":[235],"with":[236,269],"small":[239],"amount":[240],"As":[243],"result,":[245],"stealthier":[249],"has":[251],"fewer":[252],"footprints.":[254],"We":[255,284],"also":[256],"replace":[257],"inefficient":[259],"algorithm":[261,274],"blindly":[263],"picks":[264],"up":[265],"addresses":[266,277],"hammer":[268],"an":[270,280],"efficient":[271],"one.":[272],"selects":[275],"suitable":[276],"based":[278],"existing":[281],"timing":[282],"channel.":[283],"implement":[285],"Linux":[290],"version":[292],"4.10.0.":[293],"experiment":[295],"results":[296],"indicate":[297],"successful":[300],"be":[303],"done":[304],"within":[305],"1":[306],"minute.":[307],"low":[313],"88":[315],"MB.":[316]},"counts_by_year":[{"year":2023,"cited_by_count":1},{"year":2022,"cited_by_count":1},{"year":2021,"cited_by_count":2},{"year":2020,"cited_by_count":1},{"year":2018,"cited_by_count":1}],"updated_date":"2026-03-27T05:58:40.876381","created_date":"2019-10-18T00:00:00"}