Pig in a Poke: Automatically Detecting and Exploiting Link Following Vulnerabilities in Windows File Operations
Bocheng Xiang
34th USENIX Security Symposium (USENIX Security '25) · Day 3 · Software Security 4: Fuzzing and Other Software Analysis
This talk, "Pig in a Poke," presented by Bocheng Xiang (Bin) from FA University, addresses **link following (LF) vulnerabilities** in Windows file operations, a widespread and high-impact class of flaws. They arise when a privileged application operates on a path that contains a symbolic link (or other reparse point) without validating it, so that a sensitive operation is silently redirected to a protected file or system resource and carried out with elevated privileges. The research introduces **Linkard**, an automated system that detects and exploits these flaws, which have historically been hard to find because exploitation depends on complex file state and on precise timing.
AI review
Solid systems security research with a clear empirical foundation, a novel automated toolchain, and real-world validation via 55 zero-days across 49 programs. The two-phase detection/exploitation architecture (file state fuzzing + FOPG subgraph matching) is a genuine contribution to automated vulnerability discovery, not a repackaged survey.