Heap vulnerabilities pose a significant risk to software, leading to stability issues such as slowdown and resource depletion. These vulnerabilities can potentially disrupt critical operations and compromise the overall system performance, especially in the case of automated control systems implemented in C/C++ language. While various artificial intelligence-based detection methods have been studied, there has been limited analysis of the detection process and the structural and semantic features, resulting in lower detection efficiency. This paper proposes a novel heap vulnerability detection (HVDet) method based on the Pointer Program Dependency Graph (P-PDG) representation and Bidirectional Gated Recurrent Unit (Bi-GRU) algorithm for software. Through inter-procedural analysis, the P-PDG serves as an innovative code representation model that places emphasis on pointer operations, which are closely associated with heap vulnerabilities. It leads to a reduction in code size while simultaneously capturing a broader range of structural and semantic features of the source code. Subsequently, a mixed feature matrix incorporating these features from code slices is generated as input for the Bi-GRU algorithm. When compared with 7 state-of-the-art (SOTA) vulnerability detection tools, HVDet demonstrates superior performance. It successfully identified three heap vulnerabilities in real-world software such as Linux Kernel, Espruino, and LibreDWG.

Wireless mesh networks (WMNs) are crucial for enabling communication without fixed infrastructure in various scenarios such as disaster response, rural connectivity, and educational experimentation. Although the Optimized Link State Routing (OLSR) protocol is widely studied in the research community, practical deployment reports remain limited and fragmented. This paper presents a clear and reproducible methodology for deploying OLSR (using OLSRd, a routing daemon that installs and updates routes in the Linux kernel) on embedded Linux systems, namely OpenWRT running on Raspberry Pi 3B+ devices. In addition, a Multi-Criteria Decision Analysis (MCDA) framework is applied to evaluate four distinct routing protocols (OLSRd, BATMAN, Babel, and HWMP) based on usability, configuration complexity, GUI support, documentation quality, and hardware compatibility. Experimental tests are conducted to measure network performance in terms of latency, throughput, and convergence time. Four case studies are also presented to show protocol suitability in different contexts, including community networks, IoT deployments, disaster simulations, and industrial environments. The results conclusively show that OLSRd is the most deployment-friendly protocol, combining procedural simplicity with reliable performance. This study provides practical guidance and valuable technical references for researchers, educators, and practitioners working on wireless mesh testbeds with embedded platforms, ultimately aiming to bridge the gap between academic theory and real-world application.

Today, the operating system Linux is widely used in diverse environments, as its kernel can be configured flexibly. In many configurable systems, managing such variability can be facilitated in all development phases with product-line analyses. These analyses often require knowledge about the system’s features and their dependencies, which are documented in a feature model. Despite their potential, product-line analyses are rarely applied to the Linux kernel in practice, as its feature model still challenges scalability and accuracy of analyses. Unfortunately, these challenges also severely limit our knowledge about two fundamental metrics of the kernel’s configurability, namely its number of features and configurations. We identify four key limitations in the literature related to the scalability, accuracy, and influence factors of these metrics, and, by extension, other product-line analyses: (1) Analysis results for the Linux kernel are not comparable, because relevant information is not reported; (2) there is no consensus on how to define features in Linux, which leads to flawed analysis results; (3) only few versions of the Linux kernel have ever been analyzed, none of which are recent; and (4) the kernel is perceived as complex, although we lack empirical evidence that supports this claim. In this article, we address these limitations with a comprehensive, empirical study of the Linux kernel’s configurability, which spans its feature model’s entire history from 2002 to 2024. We address the above limitations as follows: (1) We characterize parameters that are relevant when reporting analysis results; (2) we propose and evaluate a novel definition of features in Linux as a standardization effort; (3) we contribute torte , a tool that analyzes arbitrary versions of the Linux kernel’s feature model; and (4) we investigate the current and possible future configurability of the kernel on more than 3,000 feature-model versions. Based on our results, we highlight 11 major insights into the Linux kernel’s configurability and make 7 actionable recommendations for researchers and practitioners.

ABSTRACT A number of Linux kernel modules have been added to the TCP/IP stack since the buffer bloat phenomena was defined, although there aren’t many experimental research on their impacts. when used with WLAN technology, specifically IEEE 802.11n and IEEE 802.11ac. TCP Small Queues (TSQ) is a crucial method that limits how many packets a TCP socket can queue in the stack. It does this by waiting for the physical layer to transfer the packets before enqueuing additional data. TCP Pacing (TP), a second important TCP mechanism, controls the speed at which the socket enqueues packets in the stack, regulating the formation of bursts of data. These methods impair throughput and have an impact on WLAN networks' frame aggregation logic. trade-off between latency and all TCP variations. The performance of several TCP congestion control versions on wireless networks in the presence of various TSQ and TP policies is investigated experimentally in this research, which also models their interaction.

Accurately evaluating multi-core embedded systems remains a major challenge, as existing benchmarking methods and tools fail to reproduce realistic workloads with inter-core contentions. This study introduces a benchmark framework for Linux-based embedded systems that integrates a synthetic task-set generation model capable of reproducing both computational and contention characteristics observed in real-world applications. Applying this benchmark to three Linux kernel variants on a 16-core embedded platform, we have identified distinct scalability patterns and contention sensitivities among kernel configurations. The results mainly demonstrate the framework’s capability to reveal performance characteristics under Linux, but the proposed methodology itself has high portability and extendability by design to support various multi-core platforms including the RTOS-based ones.

ABSTRACT Locking plays a crucial role since it ensures synchronized access by concurrent threads to shared resources—like shared data structures to be managed in critical sections. Traditional sleep locks—based on blocking operating system services—adopt a reactive approach (e.g., upon lock release) to waking up waiting threads, which might introduce additional latency on the critical path. On the opposite side, non‐blocking locks, like spinlocks, allow threads to wait while still using CPU cycles for checking and updating the lock variable, which causes the waste of both cycles and energy. In this article, we present a new locking algorithm, called SSPA (Spin/Sleep Proactive‐Awakening)—and its implementation for Linux systems—which combines spin and sleep waiting phases via the introduction of an innovative proactive wake‐up mechanism that exploits the SoftIRQ daemon of the Linux kernel. Our solution allows threads to be awakened from their sleep phases on time to be already CPU dispatched when the lock is really released. This provides the opportunity to quickly access the critical section while at the same time enabling control over the actual amount of CPU cycles that are spent by spinning wait phases. As we show via experimental data, our solution allows exploring new trade‐offs between responsiveness and CPU/energy efficiency in concurrent applications, hence rising as an interesting alternative to literature solutions.

This article examines the implementation of persistent crash logging infrastructure for autonomous vehicles running embedded Linux systems. It explores how proper failure capture mechanisms can transform system crashes from dangerous incidents into valuable learning opportunities. The article investigates the challenges of crash capture in embedded automotive environments, detailing the implementation of the Linux kernel's persistent storage (pstore) subsystem with the ramoops driver, and the enhancement of diagnostic capabilities through kdump integration. Through analysis of multiple studies and empirical data, the article demonstrates how this dual-layer approach to crash resilience significantly improves engineering efficiency, system reliability, and safety assurance. The paper demonstrates that a robust crash logging infrastructure allows organizations to solve once-undiagnosable failures, speed development cycles, and establish more cogent evidence-based safety arguments for regulatory approval. The paper demonstrates that continuous crash logging not only improves diagnostics for sophisticated failure modes but also delivers measurable benefits in development speed, certification processes, and overall system dependability in safety-critical autonomous vehicle deployments.

ASIRDetector: Scheduling-driven, asynchronous execution to discover asynchronous improper releases bug in linux kernel

Abstract The ability to efficiently resolve conflicts in interactive constraint-based applications is critical for user experience and system reliability. Conflict resolution can be regarded as a specific type of explanation, often denoted as diagnosis. Existing work on integrating machine learning with diagnostic reasoning emphasizes on the combination of hitting set approaches with probabilistic reasoning and memory-based machine learning. An alternative to such two-phase diagnosis approaches is direct diagnosis, which focuses on determining diagnoses without predetermining conflicts. In this article, we utilize diagnosis knowledge from the past to improve diagnosis efficiency while also maintaining user-defined preference criteria. Our approach integrates model-based collaborative filtering (feed-forward neural networks) and other machine learning approaches (e.g., logistic regression and random forest) with direct model-based diagnosis (FastDiag). The re-ordering of constraints as input to the diagnosis algorithm increases the efficiency of diagnostic reasoning for determining preference-preserving diagnoses. Through experiments on real-world configuration knowledge bases (B2C, BusyBox, EA and Linux kernel), we demonstrate significant runtime improvements and high accuracy in diagnosis prediction. With this, we also contribute to the growing body of literature on combining machine learning and constraint-based reasoning.

Fuzz testing plays a key role in improving Linux kernel security, but large-scale fuzzing often generates a high number of crash reports, many of which are redundant. These duplicated reports burden triage efforts and delay the identification of truly impactful bugs. Syzkaller, a widely used kernel fuzzer, clusters crashes using instruction pointers and sanitizer metadata. However, this heuristic may misgroup distinct issues or split similar ones caused by the same root cause. To address this, we present ECHO, a lightweight call stack-based deduplication tool that analyzes structural similarity among kernel stack traces. By computing the longest common subsequence (LCS) between normalized call stacks, ECHO groups semantically related crashes and improves post-fuzzing analysis. We integrate ECHO into the Syzkaller fuzzing workflow and use it to prioritize inputs that trigger deeper, previously untested kernel paths. Evaluated across multiple Linux kernel versions, ECHO improves average code coverage by 15.2% and discovers 20 previously unknown bugs, all reported to the Linux kernel community. Our results highlight that stack-aware crash grouping not only streamlines triage, but also enhances fuzzing efficiency by guiding seed selection toward unexplored execution paths.

Optimal memory management is a critical aspect in maintaining the performance of Linux operating systems, especially when facing the challenges of modern computing architectures. This study applies the PRISMA approach to conduct a systematic literature review evaluating efficiency strategies in Linux kernel memory management. Through a rigorous selection of recent literature, four main relevant approaches were identified: distributed memory expansion (COMEX), NUMA-based allocation control, heterogeneous CPU-GPU memory management (HMM), and performance testing using the XSBench benchmark. These four techniques demonstrate effectiveness in reducing latency, improving resource utilization, and simplifying memory handling in large-scale systems. The findings make a significant contribution to the development of future adaptive memory policies and highlight the importance of collaboration between hardware design, the kernel, and applications.

Stable patch classification plays a crucial role in vulnerability management for the Linux kernel, significantly contributing to the stability and security of Long-term support(LTS) versions. Although existing tools have effectively assisted in assessing whether patches should be merged into stable versions, they cannot determine which stable patches should be merged into which LTS versions. This process still requires the maintainers of the distribution community to manually screen based on the requirements of their respective versions.To address this issue, we propose PatchScope, which is designed to predict the specific merge status of patches.Patchscope consists of two components: patch analysis and patch classification.Patch analysis leverages Large Language Models(LLMs) to generate detailed patch descriptions from the commit message and code changes, thereby deepening the model's semantic understanding of patches. Patch classification utilizes a pre-trained language model to extract semantic features of the patches and employs a two-stage classifier to predict the merge status of the patches.The model is optimized using the dynamic weighted loss function to handle data imbalance and improve overall performance.Given that the primary focus is maintaining Linux kernel versions 5.10 and 6.6, we have conducted comparative experiments based on these two versions. Experimental results demonstrate that Patchscope can effectively predict the merge status of patches.

Error handling is critical for software reliability. In software systems, error handling may be delayed to other functions. Such propagated error handling (PEH) could easily be missed and lead to bugs. Our research reveals that PEH bugs are prevalent in software systems and, on average, take 44.1 days to fully address. Existing approaches have primarily focused on the error-handling bug within individual functions, which makes it difficult to fully address PEH bugs. In this paper, we conducted the first in-depth study on PEH bugs in 11 mature software systems, examining how errors propagate and how they should be handled. We introduce EH-Fixer, an LLM-based tool for automated program repair specifically designed to address PEH bugs. For each PEH bug, EH-Fixer constructs its propagation path, and repairs them through retrieval-augmented generation. To assess the performance of our approach, we collected 89 historical PEH bugs from the Linux Kernel as well as 9 widely used applications. The experimental results show that EH-Fixer can fix 83.1% (74/89) of PEH bugs.

Open Source Software (OSS) projects are no longer only developed by volunteers. Instead, many organizations, from early-stage startups to large global enterprises, actively participate in many well-known projects. The survival and success of OSS projects rely on long-term contributors, who have extensive experience and knowledge. While prior literature has explored volunteer turnover in OSS, there is a paucity of research on company turnover in OSS ecosystems. Given the intensive involvement of companies in OSS and the different nature of corporate contributors vis-a-vis volunteers, it is important to investigate company turnover in OSS projects. This study first explores the prevalence and characteristics of companies that discontinue contributing to OSS projects, and then develops models to predict companies’ turnover. Based on a study of the Linux kernel, we analyze the early-stage behavior of 1,322 companies that have contributed to the project. We find that approximately 12% of companies discontinue contributing each year; one-sixth of those used to be core contributing companies (those that ranked in the top 20% by commit volume). Furthermore, withdrawing companies tend to have a lower intensity and scope of contributions, make primarily perfective changes, collaborate less, and operate on a smaller scale. We propose a Temporal Convolutional Network (TCN) deep learning model based on these indicators to predict whether companies will discontinue. The evaluation results show that the model achieves an AUC metric of .76 and an accuracy of .71. We evaluated the model in two other OSS projects, Rust and OpenStack, and the performance remains stable.

Contributors to open source software must deeply understand a project’s history to make coherent decisions which do not conflict with past reasoning. However, inspecting all related changes to a proposed contribution requires intensive manual effort, and previous research has not yet produced an automated mechanism to expose and analyze these conflicts. In this article, we propose such an automated approach for rationale analyses, based on an instantiation of Kantara, an existing high-level rationale extraction and management architecture. Our implementation leverages pre-trained models and Large Language Models, and includes structure-based mechanisms to detect reasoning conflicts and problems which could cause design erosion in a project over time. We show the feasibility of our extraction and analysis approach using the OOM-Killer module of the Linux Kernel project, and investigate the approach’s generalization to five other highly active open source projects. The results confirm that our automated approach can support rationale analyses with reasonable performance, by finding interesting relationships and to detect potential conflicts and reasoning problems. We also show the effectiveness of the automated extraction of decision and rationale sentences and the prospects for generalizing this to other open source projects. This automated approach could therefore be used by open source software developers to proactively address hidden issues and to ensure that new changes do not conflict with past decisions.

The efficacy of address space layout randomization has been formally demonstrated in a shared-memory model by Abadi et al., contingent on specific assumptions about victim programs. However, modern operating systems, implementing layout randomization in the kernel, diverge from these assumptions and operate on a separate memory model with communication through system calls. In this work, we relax Abadi et al.’s language assumptions while demonstrating that layout randomization offers a comparable safety guarantee in a system with memory separation. However, in practice, speculative execution and side-channels are recognized threats to layout randomization. We show that kernel safety cannot be restored for attackers capable of using side-channels and speculative execution, and introduce enforcement mechanisms that can guarantee speculative kernel safety for safe system calls in the Spectre era. We implement three suitable mechanisms and we evaluate their performance overhead on the Linux kernel.

The Intel® Trust Domain Extensions (TDX) encrypt guest memory and minimize host interactions to provide hardware-enforced isolation for sensitive virtual machines (VMs). Software vulnerabilities in the guest OS continue to pose a serious risk even as the TDX improves security against a malicious hypervisor. We suggest a comprehensive TDX Guest Fuzzing Framework that systematically explores the guest’s code paths handling untrusted inputs. Our method uses a customized coverage-guided fuzzer to target those pathways with random input mutations following integrating static analysis to identify possible attack surfaces, where the guest reads data from the host. To achieve high throughput, we also use snapshot-based virtual machine execution, which returns the guest to its pre-interaction state at the end of each fuzz iteration. We show how our framework reveals undiscovered vulnerabilities in device initialization procedures, hypercall error-handling, and random number seeding logic using a QEMU/KVM-based TDX emulator and a TDX-enabled Linux kernel. We demonstrate that a large number of vulnerabilities occur when developers implicitly rely on values supplied by a hypervisor rather than thoroughly verifying them. This study highlights the urgent need for ongoing, automated testing in private computing environments by connecting theoretical completeness arguments for coverage-guided fuzzing with real-world results on TDX-specific code. We discovered several memory corruption and concurrency weaknesses in the TDX guest OS through our coverage-guided fuzzing campaigns. These flaws ranged from nested #VE handler deadlocks to buffer overflows in paravirtual device initialization to faulty randomness-seeding logic. By exploiting these vulnerabilities, the TDX’s hardware-based memory isolation may be compromised or denial-of-service attacks may be made possible. Thus, our results demonstrate that, although the TDX offers a robust hardware barrier, comprehensive input validation and equally stringent software defenses are essential to preserving overall security.

Memory corruption vulnerabilities pose a significant threat to system security. The traditional paging-based approach cannot protect fine-grained runtime data (e.g., function pointers), which are often mixed with other data in memory. To protect the runtime data, data space randomization is proposed to encrypt the in-memory data so that the attacker cannot control the decrypted result. Unfortunately, current hardware does not provide dedicated support for fine-grained data encryption. This article presents RegVault II, a cross-architectural hardware-assisted lightweight data randomization scheme for OS kernels. To achieve robust, fine-grained, and lightweight data protection, we first identify five required capabilities for efficient and secure data randomization. Guided by these requirements, we design and implement novel hardware primitives that provide cryptographically strong encryption and decryption, thus ensuring both confidentiality and integrity for register-grained data. At the software level, we propose identification- and annotation-based approaches to automatically mark sensitive data and instrument the corresponding load and store operations. We also introduce new techniques to protect the interrupt context and safeguard the sensitive data spilling. We implement RegVault II on an actual FPGA hardware board for RISC-V and on QEMU for Arm, applying it to protect six types of sensitive data in the Linux kernel. Our thorough security and performance evaluations show that RegVault II effectively defends against a broad range of kernel data attacks while incurring minimal performance overhead.

Abstract In virtual private network (VPN) tunnel mode, the entire original packet, including the header’s five-tuple information, is encrypted, which prevents traditional scheduling algorithms from evenly distributing packets to central processing unit (CPU) cores based on packet header information. To address the need for data security and encrypted packet scheduling, we propose a novel framework, named REFS (receive encrypted flow steering), for accelerated receive encrypted flow steering. This work creatively adopts a new method that allows encrypted packets to be distributed across CPU cores without decrypting them, overcoming limitations of traditional scheduling approaches. It efficiently distributes encrypted packets across CPU cores, enabling dynamic allocation of CPU resources. A key feature of REFS is its ability to perform this distribution without decrypting the packets, which enhances dynamic load balancing and improves system responsiveness. When integrated into the Linux kernel’s VPN functionality, REFS can potentially increase throughput by up to 50% compared to WireGuard, which is a benchmark for kernel-based VPN performance. Upon integration of REFS into userspace, network performance shows significant improvements: throughput doubles, while latency is reduced by 80%.

An empirical study of test case prioritization on the Linux Kernel