Articles published on Memory corruption
121 Search results
- Research Article
- 10.3390/s26082452
- Apr 16, 2026
- Sensors (Basel, Switzerland)
- Zeeshan Ali + 4 more
Kernel attacks are still one of the most severe threats to modern operating systems (OS) due to the kernel's privileged control over hardware, memory, and process management. This study reviews some significant kernel-level security mechanisms regarding vulnerability detection, as well as the prevention and mitigation of exploitation in today's OSs. Using the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) methodology, a total of 30 high-quality, peer-reviewed studies were examined and analyzed in detail using the Critical Appraisal Skills Programme (CASP) quality framework. Discussion about the leading research directions emanated from three central questions of this review: What are the predominant kernel attack vectors? How are the techniques for protection and detection that are currently available assessed? What are the emerging research directions? The study identifies the following as the principal sources of kernel compromise: memory corruption, privilege escalation, rootkits, and race condition exploits. It also identifies several techniques for kernel hardening, such as Mandatory Access Control (MAC), the use of SELinux and AppArmor, kernel integrity monitoring, secure and measured boot, fuzz testing, and hardware-assisted protection. Some of these emerged as having a great deal of promise for proactive defense against zero-day vulnerabilities, including machine learning-based detection and live kernel patching. Issues regarding scalability, detection accuracy, and securing containerized and virtualized environments need to be solved. This paper aims to provide relevant, structured, and up-to-date research on kernel security synthesis and offer valuable guidance on the development of robust, adaptive, and novel OS defense mechanisms.
- Research Article
- 10.1038/s41598-026-36797-4
- Jan 21, 2026
- Scientific reports
- Dipendra Gurung + 2 more
Moving Target Defense (MTD) enhances traditional security by dynamically altering system attributes to prevent attacks. While widely studied, its application in resource-constrained Internet of Things (IoT) and Cyber Physical Systems (CPS) devices remains limited. This paper examines the effectiveness of Address Space Layout Randomization (ASLR), an MTD technique that randomizes memory layouts to prevent memory corruption, on 32-bit Raspberry Pi OS and OpenWRT, both on ARMv7, compared with Kali Linux on x86_64. Using address distribution analysis, byte-level variation, and Chao-Shen entropy estimation, the study assesses ASLR randomness and validates results through a Return-Oriented Programming (ROP) attack. Findings show that ARM-based ASLR offers lower entropy than x86_64 but achieves comparable protection to 32-bit x86 systems, demonstrating its practicality for IoT and CPS platforms. The results provide insights on achieving security amid resource constraints by integrating ASLR with other built-in security mechanisms and complementary MTD techniques operating at different layers.
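The measurement the abstract describes (how much of an address actually varies from run to run) can be reproduced on any Linux box. The following is an added example, not code from the paper: it re-executes itself so that every sample comes from a fresh exec (ASLR is applied at exec, not at fork), collects a stack, heap and text address from each run, and counts the bits that vary. The Chao-Shen estimator the paper uses corrects for layouts never sampled; this simplification only reports the varying-bit mask and a floor(log2(distinct)) lower bound, so it understates entropy when the sample count is small. The `/proc/self/exe` re-exec path and the 128-sample count are this example's own assumptions.

```c
// aslr_bits.c -- re-exec this binary N times and measure how many address
// bits change between runs.  ASLR is applied at exec(), not fork(), so each
// sample must come from a fresh image of the program (assumed Linux,
// re-launched through /proc/self/exe).
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

// Count which address bits actually change across samples: XOR every sample
// against the first, OR the differences together, and popcount the result.
// Bits that never differ (page offset, fixed canonical bits) add no entropy.
unsigned count_varying_bits(const uintptr_t *samples, size_t n)
{
    if (n < 2) return 0;
    uintptr_t diff = 0;
    for (size_t i = 1; i < n; i++) diff |= samples[i] ^ samples[0];
    return (unsigned)__builtin_popcountll((unsigned long long)diff);
}

static int cmp_uptr(const void *a, const void *b)
{
    uintptr_t x = *(const uintptr_t *)a, y = *(const uintptr_t *)b;
    return (x > y) - (x < y);
}

// Number of distinct values seen.  floor(log2(distinct)) is a crude lower
// bound on observed entropy; Chao-Shen additionally corrects for outcomes
// that were never sampled, which this simplification does not.
size_t count_distinct(const uintptr_t *samples, size_t n)
{
    if (n == 0) return 0;
    uintptr_t *copy = malloc(n * sizeof *copy);
    if (!copy) return 0;
    memcpy(copy, samples, n * sizeof *copy);
    qsort(copy, n, sizeof *copy, cmp_uptr);
    size_t distinct = 1;
    for (size_t i = 1; i < n; i++) distinct += copy[i] != copy[i - 1];
    free(copy);
    return distinct;
}

unsigned floor_log2(size_t v)
{
    unsigned bits = 0;
    while (v > 1) { v >>= 1; bits++; }
    return bits;
}

#define SAMPLES 128

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--child") == 0) {   // one fresh layout
        int local;                                        // stack
        void *heap = malloc(32);                          // heap (brk or mmap)
        printf("%lx %lx %lx\n", (unsigned long)(uintptr_t)&local,
               (unsigned long)(uintptr_t)heap, (unsigned long)(uintptr_t)&main);
        return 0;
    }
    char self[4096];
    ssize_t len = readlink("/proc/self/exe", self, sizeof self - 1);
    if (len < 0) { perror("readlink"); return 1; }
    self[len] = '\0';
    char cmd[4200];
    snprintf(cmd, sizeof cmd, "'%s' --child", self);

    uintptr_t stack[SAMPLES], heap[SAMPLES], text[SAMPLES];
    size_t n = 0;
    for (; n < SAMPLES; n++) {
        FILE *p = popen(cmd, "r");
        unsigned long s, h, t;
        if (!p || fscanf(p, "%lx %lx %lx", &s, &h, &t) != 3) { if (p) pclose(p); break; }
        pclose(p);
        stack[n] = s; heap[n] = h; text[n] = t;
    }
    printf("%zu samples\n", n);
    printf("stack: %u varying bits, >= %u bits observed\n",
           count_varying_bits(stack, n), floor_log2(count_distinct(stack, n)));
    printf("heap:  %u varying bits, >= %u bits observed\n",
           count_varying_bits(heap, n), floor_log2(count_distinct(heap, n)));
    printf("text:  %u varying bits, >= %u bits observed\n",
           count_varying_bits(text, n), floor_log2(count_distinct(text, n)));
    return 0;
}
```

On a system with `kernel.randomize_va_space` set to 0 every column reports zero varying bits, which is the quickest way to see whether the platform under test has ASLR at all; a non-PIE binary likewise shows zero for the text column while stack and heap still vary.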
- Research Article
- 10.1145/3786795
- Jan 8, 2026
- ACM Transactions on Software Engineering and Methodology
- Haoxin Tu + 2 more
How do we find new memory safety bugs effectively when navigating a symbolic execution tree that suffers from the well-known path explosion challenge? Existing solutions either adopt path search heuristics to maximize coverage rate or chopped symbolic execution to skip uninteresting code (i.e., manually labeled as vulnerability-unrelated) during path exploration. However, most existing search heuristics are not vulnerability-oriented, and manual labeling of irrelevant code-to-be-skipped relies heavily on prior expert knowledge, making it hard to detect vulnerabilities effectively in practice. This paper proposes Vital, a new vulnerability-oriented path exploration for symbolic execution with two innovations. First, a new indicator (i.e., type-unsafe pointers) is suggested to approximate vulnerable paths. A pointer that is type-unsafe cannot be statically proven to be safely dereferenced without memory corruption. Our key hypothesis is that a path with more type-unsafe pointers is more likely to be vulnerable. Second, a new type-unsafe pointer-guided Monte Carlo Tree Search algorithm is implemented to guide the path exploration towards the areas that contain more unsafe pointers, aiming to increase the likelihood of detecting vulnerabilities. We built Vital on top of KLEE and compared it with existing path searching strategies and chopped symbolic execution. In the former, the results demonstrate that Vital could cover up to 90.03% more unsafe pointers and detect up to 57.14% more unique memory errors. In the latter, the results show that Vital could achieve a speedup of up to 30x execution time and a reduction of up to 20x memory consumption to detect known vulnerabilities without prior expert knowledge automatically. In practice, Vital also detected one previously unknown vulnerability (a new CVE ID is assigned), which has been fixed by developers.
- Research Article
- 10.3390/math13203304
- Oct 16, 2025
- Mathematics
- Mina Soltani Siapoush + 1 more
Real-time operating systems (RTOSs) are widely used in embedded systems to ensure deterministic task execution, predictable responses, and concurrent operations, which are crucial for time-sensitive applications. However, the growing complexity of embedded systems, increased network connectivity, and dynamic software updates significantly expand the attack surface, exposing RTOSs to a variety of security threats, including memory corruption, privilege escalation, and side-channel attacks. Traditional security mechanisms often impose additional overhead that can compromise real-time guarantees. In this work, we present a Risk-aware Permission Adjustment (RPA) framework, implemented on CHERIoT RTOS, which is a CHERI-based operating system. RPA aims to detect anomalous behavior in real time, quantify security risks, and dynamically adjust permissions to mitigate potential threats. RPA maintains system continuity, enforces fine-grained access control, and progressively contains the impact of violations without interrupting critical operations. The framework was evaluated through targeted fault injection experiments, including 20 real-world CVEs and 15 abstract vulnerability classes, demonstrating its ability to mitigate both known and generalized attacks. Performance measurements indicate minimal runtime overhead while significantly reducing system downtime compared to conventional CHERIoT and FreeRTOS implementations.
- Research Article
- 10.1109/jiot.2025.3577602
- Sep 15, 2025
- IEEE Internet of Things Journal
- Liqun Yang + 8 more
Fuzz testing is a dynamic program analysis technique designed for discovering vulnerabilities in IoT systems. The core goal is to deliberately feed maliciously crafted inputs into an IoT device or service, triggering vulnerabilities such as system crashes, buffer overflow exploits, and memory corruption, etc. Efficiently generating malicious inputs remains challenging, with leading methods often relying on randomly mutating existing valid inputs. In this work, we propose to adopt fine-tuned large language models (FuzzCoder) to learn patterns in the input files from successful attacks to guide future fuzzing explorations. Specifically, we develop a framework that leverages code LLMs to guide the mutation process to perform meaningful input mutations. We formulate the mutation process as sequence-to-sequence modeling, where the LLM receives a sequence of bytes and outputs the mutated byte sequence. FuzzCoder is fine-tuned on our created instruction dataset (FuzzInstruct), where the successful fuzzing history is collected from the heuristic fuzzing tool. FuzzCoder can predict mutation positions and strategies for input files to trigger abnormal behaviors of the program. Most importantly, the experiment reveals that FuzzCoder achieves better fuzzing performance compared to traditional and other AFL-based fuzzers, such as AFL, AFL++, AFLSmart, etc. On average, FuzzCoder achieves an improvement in code coverage of more than 20%, along with a significant increase in the number of crashes.
- Research Article
- 10.1093/hgs/dcaf018
- Jul 28, 2025
- Holocaust and Genocide Studies
- Roma Sendyka
Nonprofessional efforts to depict the Holocaust, archived in Poland’s ethnographic collections, force audiences to confront a specific genre of “awkward objects.” Viewers may perceive these vernacular representations as brutal, explicit, and voyeuristic. In response to a set of postwar works that Lehrer, Sendyka, Wilczyk, and Zych identified through their research—which they presented at the exhibition Terribly Close: Polish Vernacular Artists Face the Holocaust—commentators and researchers have invoked the categories of “obscenity,” “perversion,” or “kitsch” to describe Holocaust folk art. By exploring how and why Holocaust-related folk (naive) art from Poland transgresses accepted norms of Holocaust representation, the author reveals how these critical concepts darkly mirror society’s perceived violation of shared standards; how “obscenity” transgresses moral norms, “perversion”—sexual conventions, and “kitsch”—aesthetic expectations. Consequently, viewers may easily interpret folk art’s departure from the mainstream visual language of the Holocaust as a distortion or corruption of memory. The author, however, argues that it is more productive and illuminating to understand this kind of art as a unique, vernacular commemorative format that challenges dominant epistemologies in Holocaust studies and Holocaust representation.
- Research Article
- 10.64229/d8g06y36
- Jul 3, 2025
- International Journal of Ethical AI Application
- Subhan Uddin + 4 more
Generative multi-agent systems are emerging as a powerful paradigm for simulating human-like behavior in real-time applications such as interactive storytelling, virtual reality environments, and autonomous decision-making. These agents, often powered by large language models and memory systems, act independently and adapt over time. However, a critical challenge in deploying such systems is ensuring their fault tolerance: the ability to maintain operation in the presence of faults such as communication failures, memory corruption, agent crashes, or behavioral inconsistencies. This paper presents a comprehensive review of fault tolerance techniques for generative agents, focusing on methods such as memory checkpointing, agent replication, fusion-based resilience, and consistency protocols. We analyse these approaches, drawing parallels from distributed systems, and evaluate their effectiveness in maintaining operational integrity in large-scale, real-time environments. Our findings suggest that while no single technique offers a one-size-fits-all solution, a combination of methods can provide robust fault tolerance and support the scalability and reliability of generative agent systems in dynamic, fault-prone environments.
- Research Article
- 10.1145/3728937
- Jun 22, 2025
- Proceedings of the ACM on Software Engineering
- Oussama Draissi + 6 more
WebAssembly enables fast execution of performance-critical code in web applications utilizing native code. However, recent research has demonstrated the potential for memory corruption errors within WebAssembly modules to exploit web applications. In this work, we present the first systematic analysis of memory corruption in WebAssembly, unveiling the prevalence of a novel threat model where memory corruption enables code injection on a victim’s browser. Our large-scale analysis across 37797 domains reveals that an alarming 29411 (77.81%) of those fully trust data coming from potentially attacker-controlled sources. As a result, an attacker can exploit memory errors to manipulate the WebAssembly memory, where the data is implicitly trusted and frequently passed into security-sensitive functions such as eval or directly into the DOM via innerHTML. Thus, an attacker can abuse this trust to gain JavaScript code execution, i.e., Cross-Site Scripting (XSS). To tackle this issue, we present Wemby, the first viable approach to efficiently analyze WebAssembly-powered websites holistically. We demonstrate that Wemby is proficient at detecting remotely exposed memory corruption errors in web applications through fuzzing. For this purpose, we implement binary-only WebAssembly instrumentation that provides fine-grained memory corruption oracles. We applied Wemby to different websites, uncovering several memory corruption bugs, including one on the Zoom platform. In terms of performance, our ablation study demonstrates that Wemby outperforms current WebAssembly fuzzers. Specifically, Wemby achieves an average speed improvement of 232 times and delivers 46% greater code coverage compared to the state-of-the-art.
- Research Article
- 10.1145/3728929
- Jun 22, 2025
- Proceedings of the ACM on Software Engineering
- Sourag Cherupattamoolayil + 3 more
Embedded software, predominantly written in C, is prone to memory corruption vulnerabilities due to spatial memory issues. Although various memory safety techniques exist, they are often unsuitable for embedded systems due to resource constraints and a lack of standardized OS support. Checked C, a backward-compatible, memory-safe C dialect, offers a potential solution by using pointer annotations for runtime checks to enhance spatial memory safety with minimal overhead. This paper provides the first experience report of porting EDK2 (an open-source UEFI implementation), an exemplary embedded codebase to Checked C, highlighting challenges and providing insights into applying Checked C to similar embedded systems. We also provide an enhanced automated annotation tool e3c, which improves the conversion rate by 25%, enabling easier conversion to Checked C.
- Research Article
- 10.3390/math13111879
- Jun 4, 2025
- Mathematics
- Eran Dahan + 2 more
The Intel® Trust Domain Extensions (TDX) encrypt guest memory and minimize host interactions to provide hardware-enforced isolation for sensitive virtual machines (VMs). Software vulnerabilities in the guest OS continue to pose a serious risk even as the TDX improves security against a malicious hypervisor. We suggest a comprehensive TDX Guest Fuzzing Framework that systematically explores the guest’s code paths handling untrusted inputs. Our method uses a customized coverage-guided fuzzer to target those pathways with random input mutations after integrating static analysis to identify possible attack surfaces, where the guest reads data from the host. To achieve high throughput, we also use snapshot-based virtual machine execution, which returns the guest to its pre-interaction state at the end of each fuzz iteration. We show how our framework reveals undiscovered vulnerabilities in device initialization procedures, hypercall error-handling, and random number seeding logic using a QEMU/KVM-based TDX emulator and a TDX-enabled Linux kernel. We demonstrate that a large number of vulnerabilities occur when developers implicitly rely on values supplied by a hypervisor rather than thoroughly verifying them. This study highlights the urgent need for ongoing, automated testing in private computing environments by connecting theoretical completeness arguments for coverage-guided fuzzing with real-world results on TDX-specific code. We discovered several memory corruption and concurrency weaknesses in the TDX guest OS through our coverage-guided fuzzing campaigns. These flaws ranged from nested #VE handler deadlocks to buffer overflows in paravirtual device initialization to faulty randomness-seeding logic. By exploiting these vulnerabilities, the TDX’s hardware-based memory isolation may be compromised or denial-of-service attacks may be made possible. Thus, our results demonstrate that, although the TDX offers a robust hardware barrier, comprehensive input validation and equally stringent software defenses are essential to preserving overall security.
- Research Article
- 10.1145/3734521
- May 31, 2025
- ACM Transactions on Computer Systems
- Ruorong Guo + 5 more
Memory corruption vulnerabilities pose a significant threat to system security. The traditional paging-based approach cannot protect fine-grained runtime data (e.g., function pointers), which are often mixed with other data in memory. To protect the runtime data, data space randomization is proposed to encrypt the in-memory data so that the attacker cannot control the decrypted result. Unfortunately, current hardware does not provide dedicated support for fine-grained data encryption. This article presents RegVault II, a cross-architectural hardware-assisted lightweight data randomization scheme for OS kernels. To achieve robust, fine-grained, and lightweight data protection, we first identify five required capabilities for efficient and secure data randomization. Guided by these requirements, we design and implement novel hardware primitives that provide cryptographically strong encryption and decryption, thus ensuring both confidentiality and integrity for register-grained data. At the software level, we propose identification- and annotation-based approaches to automatically mark sensitive data and instrument the corresponding load and store operations. We also introduce new techniques to protect the interrupt context and safeguard the sensitive data spilling. We implement RegVault II on an actual FPGA hardware board for RISC-V and on QEMU for Arm, applying it to protect six types of sensitive data in the Linux kernel. Our thorough security and performance evaluations show that RegVault II effectively defends against a broad range of kernel data attacks while incurring minimal performance overhead.
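Data space randomization as the abstract describes it (sensitive data is encrypted on every store and decrypted on every load, so a corrupted value decrypts to something the attacker did not choose) can be modelled in software. The example below is added here and is not RegVault II's code: it keeps the key in a hypothetical global that stands in for the paper's register-held key, uses an XOR-then-rotate transform of the same shape as glibc's pointer mangling rather than the paper's cryptographically strong primitives, and models the corruption as an unchecked copy that overruns a name buffer into an encrypted callback. The `struct ctx` layout, the rotation amount and the demo key are this example's own assumptions.

```c
// dsr_fp.c -- data space randomization for a function pointer, modelled in
// software: the pointer never sits in memory in the clear, and the key is
// held away from any corruptible buffer (RegVault II keeps it in hardware).
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef void (*handler_t)(void);

static uint64_t dsr_key;      // hypothetical key register; set at boot, never stored beside data

static uint64_t rotl64(uint64_t v, unsigned r) { return (v << r) | (v >> (64 - r)); }
static uint64_t rotr64(uint64_t v, unsigned r) { return (v >> r) | (v << (64 - r)); }

// XOR-then-rotate, the shape of glibc's PTR_MANGLE.  This is NOT
// cryptographically strong: one known plaintext/ciphertext pair recovers the
// key and there is no integrity tag, which is exactly the gap the paper's
// hardware primitives are meant to close.
uint64_t dsr_encrypt(uint64_t plain, uint64_t key) { return rotl64(plain ^ key, 17); }
uint64_t dsr_decrypt(uint64_t enc,   uint64_t key) { return rotr64(enc, 17) ^ key; }

struct ctx {
    char     name[16];   // overflow source (the copy below is deliberately unchecked)
    uint64_t enc_cb;     // callback, stored only in encrypted form
};

static void benign_cb(void) { puts("benign callback"); }

// Instrumented store: encrypt before the value reaches memory.
void ctx_set_cb(struct ctx *c, handler_t cb)
{
    c->enc_cb = dsr_encrypt((uint64_t)(uintptr_t)cb, dsr_key);
}

// Instrumented load: decrypt as the value comes back; this is what the
// indirect call would use.
uint64_t ctx_cb_target(const struct ctx *c)
{
    return dsr_decrypt(c->enc_cb, dsr_key);
}

// The memory-corruption bug being modelled: a copy that runs past `name`
// and overwrites enc_cb with attacker-supplied bytes.
void vulnerable_copy(struct ctx *c, const uint8_t *payload, size_t len)
{
    memcpy(c, payload, len);
}

// Where does control go if the attacker writes `wanted` over the stored
// pointer?  Returns the decrypted value the indirect call would use.
uint64_t attacker_lands_on(uint64_t key, uint64_t wanted)
{
    struct ctx c;
    uint8_t payload[sizeof c];
    dsr_key = key;
    ctx_set_cb(&c, benign_cb);
    memset(payload, 'A', sizeof c.name);                                       // filler
    memcpy(payload + offsetof(struct ctx, enc_cb), &wanted, sizeof wanted);    // raw target
    vulnerable_copy(&c, payload, sizeof payload);
    return ctx_cb_target(&c);
}

int main(void)
{
    uint64_t key = 0x9e3779b97f4a7c15ull;   // fixed for the demo; a real key is per-boot and secret
    uint64_t wanted = 0x4141414141414141ull;
    uint64_t got = attacker_lands_on(key, wanted);
    printf("attacker wrote %#llx, indirect call would use %#llx%s\n",
           (unsigned long long)wanted, (unsigned long long)got,
           got == wanted ? "" : " (not the attacker's choice)");
    return 0;
}
```

The point the abstract makes about integrity shows up in the last line: with XOR alone the attacker cannot pick the target, but nothing detects that the value was tampered with, so the program still jumps somewhere. A scheme with an authentication tag (or the paper's hardware check) would fault on the decrypt instead of dereferencing garbage.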
- Research Article
- 10.1145/3702982
- Apr 28, 2025
- ACM Transactions on Software Engineering and Methodology
- Sabine Houy + 1 more
Memory corruption vulnerabilities still allow compromising computers through software written in a memory-unsafe language such as C/C++. This highlights that mitigation techniques to prevent such exploitations are not all widely deployed. In this article, we introduce SeeCFI, a tool to detect the presence of a memory corruption mitigation technique called Control Flow Integrity (CFI). We leverage SeeCFI to investigate to what extent the mitigation has been deployed in complex software systems such as Android and specific Linux distributions (Ubuntu and Debian). Our results indicate that the overall adoption of CFI (forward- and backward-edge) is increasing across Android versions (~30% in Android 13) but remains the same low (<1%) throughout different Linux versions. Our tool, SeeCFI, offers the possibility to identify which binaries in a system were compiled using the CFI option. This can be deployed by external security researchers to efficiently decide which binaries to prioritize when fixing vulnerabilities and how to fix them. Therefore, SeeCFI can help to make software systems more secure.
- Research Article
- 10.1145/3711833
- Jan 14, 2025
- ACM Transactions on Embedded Computing Systems
- Mohamed El Bouazzati + 3 more
The rapid growth of Internet of Things (IoTs) applications in various sectors has led to a significant increase in the number of IoT devices. This has led to the deployment of numerous IoT protocols to provide greater connectivity. However, this extensive adoption has also left them vulnerable to attack. In particular, attacks targeting wireless communication capabilities represent a significant threat. Such attacks exploit various vulnerabilities in the wireless connectivity unit, compromising its security. To counter this threat, this paper proposes a Host Intrusion Detection System (HIDS) for detecting wireless attacks. Its components are customized to support IoT end-devices using low-GHz and sub-GHz data rate protocols. The HIDS deploys a hardware tracer to monitor microarchitecture and network metrics using hardware performance counters (HPCs). It performs monitoring of network and microarchitecture metrics for a 32-bit RISC-V based wireless connectivity unit. The HIDS uses analysis and classification of monitored data for detecting memory corruption and jamming attacks. We evaluate the effectiveness of the HIDS in detecting packet injection and jamming attacks. Our FPGA implementation of HIDS has a logic overhead of about 14.30% and 22.89% of flip flops (FFs) and lookup tables (LUTs), respectively, compared to the CV32E40P baseline on an Arty A7 100T board. The design frequency and code size penalties are less than 1% for a RISC-V processor with a LoRaWAN protocol stack.
- Research Article
- 10.3390/fi17010019
- Jan 6, 2025
- Future Internet
- Wei Zhou + 2 more
As IoT devices with microcontroller (MCU)-based firmware become more common in our lives, memory corruption vulnerabilities in their firmware are increasingly targeted by adversaries. Fuzzing is a powerful method for detecting these vulnerabilities, but it poses unique challenges when applied to IoT devices. Direct fuzzing on these devices is inefficient, and recent efforts have shifted towards creating emulation environments for dynamic firmware testing. However, unlike traditional software, firmware interactions with peripherals that are significantly more diverse present new challenges for achieving scalable full-system emulation and effective fuzzing. This paper reviews 27 state-of-the-art works in MCU-based firmware emulation and its applications in fuzzing. Instead of classifying existing techniques based on their capabilities and features, we first identify the fundamental challenges faced by firmware emulation and fuzzing. We then revisit recent studies, organizing them according to the specific challenges they address, and discussing how each specific challenge is addressed. We compare the emulation fidelity and bug detection capabilities of various techniques to clearly demonstrate their strengths and weaknesses, aiding users in selecting or combining tools to meet their needs. Finally, we highlight the remaining technical gaps and point out important future research directions in firmware emulation and fuzzing.
- Research Article
- 10.2197/ipsjjip.33.1143
- Jan 1, 2025
- Journal of Information Processing
- Hiroki Kuzuno + 1 more
Privilege escalation attacks through memory corruption via kernel vulnerabilities pose a significant threat to operating systems. Although the extended Berkeley packet filter has been used to trace kernel code execution, it does not trace operations before and after kernel data writes. This prevents effective monitoring of privileged information. In this paper, we introduce a kernel data monitor (kdMonitor), which is a novel security mechanism designed to detect unauthorized changes to the monitored privileged information of a dedicated kernel page. kdMonitor contains two different methods. The first is periodic monitoring, which periodically outputs the monitored privileged information of the dedicated kernel pages. The second is dynamic monitoring, which restricts write access to a dedicated kernel page, and supplements any writes with page faults. To maintain kernel stability, kdMonitor allows the write access after the page fault and then outputs the monitored privileged information of the dedicated kernel pages. kdMonitor enables real-time tracking of privileged information of the dedicated kernel page residing in the kernel memory from the separated machine. Using kdMonitor, we demonstrated its capability to detect privilege escalation attacks on the running kernel. Through an empirical evaluation, we validated the effectiveness of kdMonitor in detecting privilege escalation attacks by user processes on the Linux kernel. Performance evaluations showed that kdMonitor achieved an attack detection time of 0.834 seconds with a kernel overhead of 0.726% and web application overhead was 0.28%.
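Both of kdMonitor's modes, the periodic snapshot comparison and the write-protect-then-fault dynamic mode, can be modelled in user space with `mprotect` and a `SIGSEGV` handler standing in for the kernel's page-fault path. The following is an added example, not the paper's implementation: the `struct cred` layout is a hypothetical stand-in for kernel credentials, the fault handler records the write, re-enables the page so the faulting store completes (the paper's "allow the write access after the page fault"), and the change is reported afterwards. It assumes Linux; `mprotect` is a plain syscall there and safe to call from the handler in practice, although POSIX does not list it as async-signal-safe.

```c
// cred_monitor.c -- user-space model of kdMonitor's two modes over a
// page-aligned "privileged information" record (stand-in for kernel creds).
#define _GNU_SOURCE
#include <signal.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

struct cred { uint32_t uid, gid, euid, egid; };   // hypothetical layout

static struct cred *cred_page;                    // dedicated page, nothing else on it
static size_t page_size;
static volatile sig_atomic_t faults_seen;
static void *volatile last_fault_addr;

#define BARRIER() __asm__ __volatile__("" ::: "memory")   // keep the store between the reads

// Periodic mode: diff the page against the last snapshot.
bool cred_changed(const struct cred *now, const struct cred *snap)
{
    return memcmp(now, snap, sizeof *now) != 0;
}

// Dynamic mode: the page is read-only, so every store to it faults here.
// Record the address, make the page writable again and return; the store is
// retried and completes, so the "kernel" keeps running and the change is
// reported after the fact, as in the paper.
static void on_write_fault(int sig, siginfo_t *si, void *ctx)
{
    (void)ctx;
    uintptr_t a = (uintptr_t)si->si_addr, lo = (uintptr_t)cred_page;
    if (a >= lo && a < lo + page_size) {
        last_fault_addr = si->si_addr;
        faults_seen++;
        mprotect(cred_page, page_size, PROT_READ | PROT_WRITE);
        return;
    }
    _exit(128 + sig);   // a fault anywhere else is a real crash: do not spin
}

int monitor_setup(void)
{
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    cred_page = mmap(NULL, page_size, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (cred_page == MAP_FAILED) return -1;
    *cred_page = (struct cred){ 1000, 1000, 1000, 1000 };   // unprivileged user
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_write_fault;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, NULL) != 0) return -1;
    return mprotect(cred_page, page_size, PROT_READ);      // arm dynamic monitoring
}

// The attack kdMonitor is built to catch: a direct overwrite of euid with 0.
// Returns how many write faults the overwrite produced (1 while armed) and
// reports the change using the periodic-mode snapshot comparison.
int simulate_escalation(void)
{
    struct cred snap = *cred_page;
    int before = faults_seen;
    BARRIER();
    cred_page->euid = 0;                 // traps, is logged, then completes
    BARRIER();
    int hits = faults_seen - before;
    if (cred_changed(cred_page, &snap))
        printf("write to cred page at %p: euid %u -> %u (%d fault)\n",
               last_fault_addr, snap.euid, cred_page->euid, hits);
    mprotect(cred_page, page_size, PROT_READ);   // re-arm for the next write
    return hits;
}

int main(void)
{
    if (monitor_setup() != 0) { perror("monitor_setup"); return 1; }
    return simulate_escalation() == 1 ? 0 : 1;
}
```

The handler only ever widens permissions on the one monitored page; a fault anywhere else terminates the process, which keeps a stray bug from turning the monitor into an infinite fault loop. In the kernel the equivalent re-arming happens after each logged write, which is where the paper's 0.726% overhead comes from.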
- Research Article
- 10.1051/itmconf/20258004008
- Jan 1, 2025
- ITM Web of Conferences
- Dongsheng Yang
This study explains the development of Server Message Block (SMB) and its composition and role as a communication protocol, and delves into the SMBGhost vulnerability (CVE-2020-0796) in Windows network environments. Through strictly controlled experimental variables, it systematically quantifies the exploit success rate under different configurations and evaluates the protective effectiveness of Microsoft’s KB4551762 patch. The experimental results indicate that the exploit success rate for unpatched systems reaches 90%, while applying the patch results in a 37% decline in file transfer performance. To balance security and performance, this paper proposes a lightweight Convolutional Neural Network-Long Short-Term Memory (CNN-LSTM) hybrid detection model, which reduces the false positive rate by 63% compared to traditional Snort rules, achieves a detection accuracy of 96%, and has an inference latency of only 1.8 ms. Key findings include precise delineation of the memory corruption boundaries in the srv2.sys driver, as well as empirical validation of a worm propagation rate of 3.2 devices per second, providing an optimized solution for enterprise network defense that considers both security and performance.
- Research Article
- 10.46586/tches.v2025.i1.227-250
- Dec 9, 2024
- IACR Transactions on Cryptographic Hardware and Embedded Systems
- Téo Biton + 4 more
The prevalence of memory-unsafe software prompts significant efforts by the research community to mitigate memory corruption bugs. This endeavor is crucial for safeguarding critical systems against security threats. Specifically, there is a focus to protect against code-reuse attacks through enforcing control-flow integrity (CFI). This paper introduces call rewinding, a novel microarchitecture-level mechanism for protection of return addresses. It is based on a property of the calling convention that is common to major architectures such as x86, ARM and RISC-V, which states that all return instructions transfer control to a valid call site. Call rewinding consists of jumping to the instruction preceding the return target for each return instruction and checking if the instruction at this address is a call or not. On systems equipped with return address prediction, a commonly employed optimization, the security check is performed only on mispredicted return addresses. The proposed protection mechanism demonstrates negligible impact on both area and performance. We implement call rewinding on the CV64A6, a RISC-V CPU with consequent branch prediction support. Our evaluation validates the effectiveness of call rewinding, both in bare-metal and in a Linux operating system (OS) environment. It triggers no false positives in bare-metal and is functional with the OS extended with a custom exception handler. Furthermore, our findings indicate that call rewinding successfully detects unauthorized return addresses, highlighting its potential as a reliable and efficient security mechanism.
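The check the abstract describes (rewind to the instruction preceding the return target and accept the return only if it is a call) is simple enough to model in software. The example below is added here and is not the paper's RTL: it decodes standard RISC-V encodings from a little-endian code image, treats `jal`/`jalr` with rd = x1 and compressed `c.jalr` as calls, and tries both the 2-byte and 4-byte candidate lengths because the C extension makes the preceding instruction's length ambiguous. The sample code image is constructed for the demo and matches no real binary; treating only x1 as the link register is this example's assumption.

```c
// call_rewind.c -- software model of the call-rewinding check on RISC-V:
// for a return target T, look at the instruction ending at T and accept the
// return only if that instruction is a call (one that links into ra).
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

// 32-bit encodings: jal rd,imm (opcode 1101111) and jalr rd,imm(rs1)
// (opcode 1100111, funct3 000).  Either is a call when rd = x1 (ra).
static bool is_call32(uint32_t insn)
{
    uint32_t opcode = insn & 0x7f, rd = (insn >> 7) & 0x1f, funct3 = (insn >> 12) & 0x7;
    if (opcode == 0x6f) return rd == 1;
    if (opcode == 0x67 && funct3 == 0) return rd == 1;
    return false;
}

// 16-bit encoding: c.jalr rs1 (funct4 1001, rs1 != 0, rs2 = 0, op 10) links
// into ra.  c.jal exists only on RV32C, so it is not matched here (RV64 target).
static bool is_call16(uint16_t insn)
{
    return (insn & 0xf07f) == 0x9002 && ((insn >> 7) & 0x1f) != 0;
}

// `text` is a little-endian code image and `target` an offset into it.  Both
// candidate lengths are tried because RVC makes the preceding instruction
// either 2 or 4 bytes long; a 32-bit encoding has its low two bits set.
bool return_target_is_call_site(const uint8_t *text, size_t text_len, size_t target)
{
    if (target > text_len) return false;
    if (target >= 2) {
        uint16_t h = rd16(text + target - 2);
        if ((h & 0x3) != 0x3 && is_call16(h)) return true;
    }
    if (target >= 4) {
        uint32_t w = rd32(text + target - 4);
        if ((w & 0x3) == 0x3 && is_call32(w)) return true;
    }
    return false;
}

// Constructed code image (not from any real binary):
//   +0: 000000ef  jal  ra, 0              -> return to +4 is a legitimate call site
//   +4: 00008067  ret  (jalr x0, 0(ra))   -> return to +8 is a ROP-style gadget target
//   +8: 9502      c.jalr a0               -> return to +10 is legitimate
//  +10: 0001      c.nop                   -> return to +12 is not
const uint8_t sample_text[] = {
    0xef, 0x00, 0x00, 0x00,
    0x67, 0x80, 0x00, 0x00,
    0x02, 0x95,
    0x01, 0x00,
};
const size_t sample_text_len = sizeof sample_text;

int main(void)
{
    size_t targets[] = { 4, 8, 10, 12 };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++)
        printf("return to +%zu: %s\n", targets[i],
               return_target_is_call_site(sample_text, sample_text_len, targets[i])
                   ? "call site" : "REJECT");
    return 0;
}
```

Two caveats carry over to any hardware implementation. The halfword check can accept a `c.jalr` pattern that is really the upper half of an unrelated 32-bit instruction, so the front end must supply instruction-length information rather than raw bytes. And on x86, where the abstract notes the same calling-convention property holds, the preceding instruction can be a 5-byte `E8 rel32` or one of several `FF /2` forms, so the rewind has to try every candidate call length rather than one fixed width.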
- Research Article
- 10.30574/gjeta.2024.20.2.0140
- Aug 30, 2024
- World Journal of Biology Pharmacy and Health Sciences
- Santhosh Katragadda
Remote Direct Memory Access (RDMA) has become a critical technology in high-performance computing (HPC), cloud environments, and distributed systems due to its ability to provide low-latency, high-throughput data transfer by bypassing the operating system. However, ensuring fault tolerance in RDMA systems remains a significant challenge, particularly in scenarios involving network failures, node crashes, or memory corruption. This paper proposes a novel approach to enhancing fault tolerance in RDMA systems using hybrid protocol models. By combining the efficiency of RDMA protocols with the reliability mechanisms of traditional transport protocols (e.g., TCP/IP), the proposed hybrid model aims to minimize the performance impact of fault recovery while maintaining system resilience. We explore the design principles behind the hybrid protocol, outline its integration into existing RDMA systems, and present evaluation results comparing its performance and fault tolerance capabilities to existing methods. Our results demonstrate that hybrid protocols can significantly improve fault tolerance in RDMA networks with minimal degradation in performance, making them a promising solution for mission-critical applications requiring both high throughput and high reliability.
- Research Article
- 10.1007/s10207-024-00890-4
- Jul 25, 2024
- International Journal of Information Security
- Hiroki Kuzuno + 1 more
Kernel memory corruption, which leads to a privilege escalation attack, has been reported as a security threat to operating systems. To mitigate privilege escalation attacks, several security mechanisms are proposed. Kernel address space layout randomization randomizes kernel code and data virtual address layout on the kernel memory. Privileged information protection methods monitor and restore illegal privilege modifications. Therefore, if an adversary identifies the kernel data containing privileged information, an adversary can achieve the privilege escalation in a running kernel. This paper proposes a kernel data relocation mechanism (KDRM) that dynamically relocates privileged information in the running kernel to mitigate privilege escalation attacks. The KDRM introduces the relocation-only page into the kernel. The relocation-only page allows the virtual address of the privileged information to change by dynamically relocating for the user process. One of the relocation-only pages is randomly selected to store the privileged information at the system call invocations. The evaluation results indicate the possibility of mitigating privilege escalation attacks through direct memory overwriting by user processes on Linux with KDRM. The KDRM showed an acceptable performance cost. The overhead of a system call was up to 11.52%, and the kernel performance score was 0.11%.
- Research Article
- 10.1109/msec.2024.3381439
- Jul 1, 2024
- IEEE Security & Privacy
- Tobias Cloosters + 4 more
Trusted execution environments provide strong security guarantees, like isolation and confidentiality, but are not immune from memory-safety violations. Our investigation of public trusted execution environment code based on symbolic execution and fuzzing reveals subtle memory safety issues.