VulShield: Protecting Vulnerable Code Before Deploying Patches
Yuan Li
Network and Distributed System Security (NDSS) Symposium 2025 · Day 1 · System-Level Security
In the dynamic landscape of modern software, the constant emergence of vulnerabilities, particularly within foundational systems like the Linux kernel, presents a formidable challenge to security and stability. This talk introduces VulShield, a novel and proactive mitigation system designed to address the critical "patch gap" – the dangerous window of time between a vulnerability's disclosure and the deployment of an official patch. Yuan Li's presentation at the NDSS Symposium highlights a system that can rapidly and automatically generate protective measures, safeguarding systems even before formal fixes are available.
AI review
VulShield is legitimate systems security research tackling a real problem — the patch gap — with a coherent architectural approach: constraint-expression extraction, policy lowering to binary level, and kernel-resident enforcement via Kprobes/Uprobes. The contribution is genuine but incremental; the core ideas (probe-based runtime enforcement, quarantine for UAF, jumping to error-handling blocks) are each individually established, and the novelty lives in the integration and automation rather than any single breakthrough primitive.