{"id":"https://openalex.org/W4313191964","doi":"https://doi.org/10.1109/tifs.2022.3226906","title":"From Release to Rebirth: Exploiting Thanos Objects in Linux Kernel","display_name":"From Release to Rebirth: Exploiting Thanos Objects in Linux Kernel","publication_year":2022,"publication_date":"2022-12-05","ids":{"openalex":"https://openalex.org/W4313191964","doi":"https://doi.org/10.1109/tifs.2022.3226906"},"language":"en","primary_location":{"id":"doi:10.1109/tifs.2022.3226906","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tifs.2022.3226906","pdf_url":null,"source":{"id":"https://openalex.org/S61310614","display_name":"IEEE Transactions on Information Forensics and Security","issn_l":"1556-6013","issn":["1556-6013","1556-6021"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Information Forensics and Security","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5073803603","display_name":"Danjun Liu","orcid":"https://orcid.org/0000-0002-5375-7598"},"institutions":[{"id":"https://openalex.org/I170215575","display_name":"National University of Defense Technology","ror":"https://ror.org/05d2yfz11","country_code":"CN","type":"education","lineage":["https://openalex.org/I170215575"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Danjun Liu","raw_affiliation_strings":["School of Computer Science, National University of Defense Technology, Changsha, China"],"raw_orcid":"https://orcid.org/0000-0002-5375-7598","affiliations":[{"raw_affiliation_string":"School of Computer Science, National University of Defense Technology, Changsha, China","institution_ids":["https://openalex.org/I170215575"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100399594","display_name":"Pengfei Wang","orcid":"https://orcid.org/0000-0003-3408-4153"},"institutions":[{"id":"https://openalex.org/I170215575","display_name":"National University of Defense Technology","ror":"https://ror.org/05d2yfz11","country_code":"CN","type":"education","lineage":["https://openalex.org/I170215575"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Pengfei Wang","raw_affiliation_strings":["School of Computer Science, National University of Defense Technology, Changsha, China"],"raw_orcid":"https://orcid.org/0000-0003-3408-4153","affiliations":[{"raw_affiliation_string":"School of Computer Science, National University of Defense Technology, Changsha, China","institution_ids":["https://openalex.org/I170215575"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5055476418","display_name":"Xu Zhou","orcid":"https://orcid.org/0000-0002-0075-5003"},"institutions":[{"id":"https://openalex.org/I170215575","display_name":"National University of Defense Technology","ror":"https://ror.org/05d2yfz11","country_code":"CN","type":"education","lineage":["https://openalex.org/I170215575"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Xu Zhou","raw_affiliation_strings":["School of Computer Science, National University of Defense Technology, Changsha, China"],"raw_orcid":"https://orcid.org/0000-0002-0075-5003","affiliations":[{"raw_affiliation_string":"School of Computer Science, National University of Defense Technology, Changsha, China","institution_ids":["https://openalex.org/I170215575"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100617974","display_name":"Wei Xie","orcid":"https://orcid.org/0009-0005-1667-4995"},"institutions":[{"id":"https://openalex.org/I170215575","display_name":"National University of Defense Technology","ror":"https://ror.org/05d2yfz11","country_code":"CN","type":"education","lineage":["https://openalex.org/I170215575"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Wei Xie","raw_affiliation_strings":["School of Computer Science, National University of Defense Technology, Changsha, China"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"School of Computer Science, National University of Defense Technology, Changsha, China","institution_ids":["https://openalex.org/I170215575"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100671334","display_name":"Gen Zhang","orcid":"https://orcid.org/0000-0001-7709-0751"},"institutions":[{"id":"https://openalex.org/I170215575","display_name":"National University of Defense Technology","ror":"https://ror.org/05d2yfz11","country_code":"CN","type":"education","lineage":["https://openalex.org/I170215575"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Gen Zhang","raw_affiliation_strings":["School of Computer Science, National University of Defense Technology, Changsha, China"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"School of Computer Science, National University of Defense Technology, Changsha, China","institution_ids":["https://openalex.org/I170215575"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5077730693","display_name":"Zhenhao Luo","orcid":"https://orcid.org/0000-0001-7818-4987"},"institutions":[{"id":"https://openalex.org/I170215575","display_name":"National University of Defense Technology","ror":"https://ror.org/05d2yfz11","country_code":"CN","type":"education","lineage":["https://openalex.org/I170215575"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Zhenhao Luo","raw_affiliation_strings":["School of Computer Science, National University of Defense Technology, Changsha, China"],"raw_orcid":"https://orcid.org/0000-0001-7818-4987","affiliations":[{"raw_affiliation_string":"School of Computer Science, National University of Defense Technology, Changsha, China","institution_ids":["https://openalex.org/I170215575"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5075919641","display_name":"Tai Yue","orcid":"https://orcid.org/0000-0002-7276-8735"},"institutions":[{"id":"https://openalex.org/I170215575","display_name":"National University of Defense Technology","ror":"https://ror.org/05d2yfz11","country_code":"CN","type":"education","lineage":["https://openalex.org/I170215575"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Tai Yue","raw_affiliation_strings":["School of Computer Science, National University of Defense Technology, Changsha, China"],"raw_orcid":"https://orcid.org/0000-0002-7276-8735","affiliations":[{"raw_affiliation_string":"School of Computer Science, National University of Defense Technology, Changsha, China","institution_ids":["https://openalex.org/I170215575"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5032324905","display_name":"Baosheng Wang","orcid":"https://orcid.org/0009-0008-7039-5614"},"institutions":[{"id":"https://openalex.org/I170215575","display_name":"National University of Defense Technology","ror":"https://ror.org/05d2yfz11","country_code":"CN","type":"education","lineage":["https://openalex.org/I170215575"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Baosheng Wang","raw_affiliation_strings":["School of Computer Science, National University of Defense Technology, Changsha, China"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"School of Computer Science, National University of Defense Technology, Changsha, China","institution_ids":["https://openalex.org/I170215575"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":1,"corresponding_author_ids":[],"corresponding_institution_ids":["https://openalex.org/I170215575"],"apc_list":null,"apc_paid":null,"fwci":1.3877,"has_fulltext":false,"cited_by_count":10,"citation_normalized_percentile":{"value":0.84677487,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":94,"max":98},"biblio":{"volume":"18","issue":null,"first_page":"533","last_page":"548"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9998000264167786,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9998000264167786,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9987000226974487,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12034","display_name":"Digital and Cyber Forensics","score":0.9933000206947327,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8158466815948486},{"id":"https://openalex.org/keywords/kernel","display_name":"Kernel (algebra)","score":0.6597411036491394},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.4094451665878296}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8158466815948486},{"id":"https://openalex.org/C74193536","wikidata":"https://www.wikidata.org/wiki/Q574844","display_name":"Kernel (algebra)","level":2,"score":0.6597411036491394},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.4094451665878296},{"id":"https://openalex.org/C114614502","wikidata":"https://www.wikidata.org/wiki/Q76592","display_name":"Combinatorics","level":1,"score":0.0},{"id":"https://openalex.org/C33923547","wikidata":"https://www.wikidata.org/wiki/Q395","display_name":"Mathematics","level":0,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/tifs.2022.3226906","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tifs.2022.3226906","pdf_url":null,"source":{"id":"https://openalex.org/S61310614","display_name":"IEEE Transactions on Information Forensics and Security","issn_l":"1556-6013","issn":["1556-6013","1556-6021"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Information Forensics and Security","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions","score":0.4399999976158142}],"awards":[{"id":"https://openalex.org/G3270930778","display_name":null,"funder_award_id":"ZK20-09","funder_id":"https://openalex.org/F4320324150","funder_display_name":"National University of Defense Technology"},{"id":"https://openalex.org/G3746587034","display_name":null,"funder_award_id":"62272472","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G5268210912","display_name":null,"funder_award_id":"2021JJ40692","funder_id":"https://openalex.org/F4320322843","funder_display_name":"Natural Science Foundation of\u00a0Hunan Province"},{"id":"https://openalex.org/G7595799902","display_name":null,"funder_award_id":"ZK20-17","funder_id":"https://openalex.org/F4320324150","funder_display_name":"National University of Defense Technology"},{"id":"https://openalex.org/G8346263138","display_name":null,"funder_award_id":"61902412","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"}],"funders":[{"id":"https://openalex.org/F4320321001","display_name":"National Natural Science Foundation of China","ror":"https://ror.org/01h0zpd94"},{"id":"https://openalex.org/F4320322843","display_name":"Natural Science Foundation of\u00a0Hunan Province","ror":null},{"id":"https://openalex.org/F4320324150","display_name":"National University of Defense Technology","ror":"https://ror.org/05d2yfz11"}],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":27,"referenced_works":["https://openalex.org/W1447175589","https://openalex.org/W1535810264","https://openalex.org/W2094619820","https://openalex.org/W2529582363","https://openalex.org/W2532499458","https://openalex.org/W2613274303","https://openalex.org/W2766898821","https://openalex.org/W2889280832","https://openalex.org/W2964358525","https://openalex.org/W2964938167","https://openalex.org/W2985831349","https://openalex.org/W2987375469","https://openalex.org/W3048059227","https://openalex.org/W3049058030","https://openalex.org/W3108020564","https://openalex.org/W3157604780","https://openalex.org/W3211835121","https://openalex.org/W4288057707","https://openalex.org/W6628569256","https://openalex.org/W6632249059","https://openalex.org/W6754597693","https://openalex.org/W6766193004","https://openalex.org/W6766922533","https://openalex.org/W6781362174","https://openalex.org/W6781997156","https://openalex.org/W6794723050","https://openalex.org/W6803490195"],"related_works":["https://openalex.org/W4391375266","https://openalex.org/W2899084033","https://openalex.org/W2748952813","https://openalex.org/W2390279801","https://openalex.org/W4391913857","https://openalex.org/W2358668433","https://openalex.org/W4396701345","https://openalex.org/W2376932109","https://openalex.org/W2001405890","https://openalex.org/W4396696052"],"abstract_inverted_index":{"Vulnerability":[0],"fixing":[1,20],"is":[2],"time-consuming,":[3],"hence,":[4],"not":[5,110],"all":[6],"of":[7,26,141,172,180,218,226],"the":[8,45,49,58,65,96,130,139,142,165,170,173,178,181,210,216,234,250,258],"discovered":[9],"vulnerabilities":[10,27,186],"can":[11,81,103,247],"be":[12],"fixed":[13],"timely.":[14],"In":[15,60],"reality,":[16],"developers":[17],"prioritize":[18],"vulnerability":[19,107,119,269],"based":[21],"on":[22,91,138],"exploitability.":[23],"Large":[24],"numbers":[25],"are":[28,37],"delayed":[29],"to":[30,44,63,72,157,231,241],"patch":[31],"or":[32,41],"even":[33,265],"ignored":[34],"as":[35,39],"they":[36],"regarded":[38],"\u201cunexploitable\u201d":[40],"underestimated":[42],"owing":[43],"difficulty":[46],"in":[47,57,95,239],"exploiting":[48,242],"weak":[50,66,83,243],"primitives.":[51,89],"However,":[52],"exploits":[53],"may":[54],"have":[55,111,192],"been":[56],"wild.":[59],"this":[61],"paper,":[62],"exploit":[64,84,88,104],"primitives":[67,85],"that":[68,80,108,120,132,238],"traditional":[69,133,228],"approaches":[70],"fail":[71],"exploit,":[73],"we":[74,149,214,236],"propose":[75],"a":[76,92,105,151],"versatile":[77],"exploitation":[78,134],"strategy":[79],"transform":[82],"into":[86],"strong":[87],"Based":[90],"special":[93],"object":[94],"kernel":[97,251],"named":[98,153],"Thanos":[99,147,162,175,189,205,212],"object,":[100],"our":[101,194,219,245],"approach":[102,128,195,220,246],"UAF":[106],"does":[109],"function":[112],"pointer":[113,261],"dereference":[114],"and":[115,125,264],"an":[116],"OOB":[117],"write":[118,123],"has":[121],"limited":[122],"length":[124],"value.":[126],"Our":[127],"overcomes":[129],"shortage":[131],"strategies":[135],"heavily":[136],"rely":[137],"capability":[140],"vulnerability.":[143],"To":[144],"facilitate":[145],"using":[146],"objects,":[148,213],"devise":[150],"tool":[152],"<monospace":[154,199],"xmlns:mml=\"http://www.w3.org/1998/Math/MathML\"":[155,200],"xmlns:xlink=\"http://www.w3.org/1999/xlink\">TAODE</monospace>":[156,201],"automatically":[158],"search":[159],"for":[160],"eligible":[161,188],"objects":[163,176,206],"from":[164,207],"kernel.":[166],"Then,":[167],"it":[168,184],"evaluates":[169],"usability":[171],"identified":[174,203,211],"by":[177],"complexity":[179],"constraints.":[182],"Finally,":[183],"pairs":[185],"with":[187,196,221],"objects.":[190],"We":[191],"evaluated":[193],"real-world":[197,223],"kernels.":[198],"successfully":[202],"numerous":[204],"Linux.":[208],"Using":[209],"proved":[215],"feasibility":[217],"20":[222],"vulnerabilities,":[224],"most":[225],"which":[227],"techniques":[229],"failed":[230],"exploit.":[232],"Through":[233],"experiments,":[235],"find":[237],"addition":[240],"primitives,":[244],"sometimes":[248],"bypass":[249],"SMAP":[252],"mechanism":[253],"(CVE-2016-10150,":[254],"CVE-2016-0728),":[255],"better":[256],"utilize":[257],"leaked":[259],"heap":[260],"address":[262],"(CVE-2022-25636),":[263],"theoretically":[266],"break":[267],"certain":[268],"patches":[270],"(e.g.,":[271],"double-free).":[272]},"counts_by_year":[{"year":2025,"cited_by_count":4},{"year":2024,"cited_by_count":4},{"year":2023,"cited_by_count":2}],"updated_date":"2026-06-26T08:34:08.712188","created_date":"2025-10-10T00:00:00"}
