LinkGuard: A Lightweight State-Aware Runtime Guard Against Link Following Attacks in Windows File System
Bocheng Xiang
Network and Distributed System Security (NDSS) Symposium 2026 · Day 2 · Systems Security
This talk presents **LinkGuard**, the first dedicated runtime protection framework against **link following attacks** on Windows. Link following vulnerabilities (where privileged programs are tricked into following attacker-created symbolic links, directory junctions, or object manager symlinks to access protected files) represent a massive and persistent attack surface with **over 1,000 CVEs** assigned as of August 2025. Despite this scale, no systematic defense existed for Windows specifically.
AI review
A thorough and practically impactful piece of work that addresses one of Windows' largest undefended attack surfaces -- over 1,000 CVEs worth of link following vulnerabilities. The empirical study of 152 CVEs is excellent groundwork, the cross-subject chain graph abstraction is the right design, and 68/70 real-world vulnerabilities mitigated at 3.4% overhead is a strong result. The finding that Microsoft can't even apply their own Redirection Guard universally makes this work immediately relevant.