Recently, a novel method known as Page Spray has emerged, focusing on page-level exploitation of kernel vulnerabilities. Despite the advantages it offers in terms of exploitability, stability, and compatibility, comprehensive research on Page Spray remains scarce. Questions regarding its root causes, its exploitation model, its comparative benefits over other exploitation techniques, and possible mitigation strategies have largely remained unanswered. In this paper, we conduct a systematic investigation into Page Spray, providing an in-depth understanding of this exploitation technique. We introduce a comprehensive exploit model termed the \sys model, elucidating its fundamental principles. Additionally, we conduct a thorough analysis of the root causes underlying Page Spray occurrences within the Linux kernel. We design an analyzer based on the Page Spray analysis model to identify Page Spray callsites. Subsequently, we evaluate the stability, exploitability, and compatibility of Page Spray through carefully designed experiments. Finally, we propose mitigation principles for addressing Page Spray and introduce our own lightweight mitigation approach. This research aims to help security researchers and developers gain insight into Page Spray, ultimately enhancing our collective understanding of this emerging exploitation technique and contributing improvements to the community.