My name is Yuhang Wu, a first-year PhD student advised by Dr. Xinyu Xing at Northwestern University. I major in network/system security. I used to research Web security and participated in many security competitions (CTFs), in which I solved Web challenges with my teammates from Nu1L (Straw Hat) and Tea Deliverers. I have provided challenges for well-known worldwide CTF competitions (Real World CTF, N1CTF, etc.). Before joining Northwestern University, I interned at Penn State University for one year.
news
No news so far...
selected publications
Usenix
Mitigating Security Risks in Linux with KLAUS: A Method for Evaluating Patch Correctness
Wu, Yuhang, Lin, Zhenpeng, Chen, Yueqi, Le, Dang K, Mu, Dongliang, and Xing, Xinyu
In 32nd USENIX Security Symposium (USENIX Security 23) 2023
The kernel vulnerability DirtyPipe was reported to be present in nearly all versions of Linux since 5.8. Using this vulnerability, a bad actor could achieve privilege escalation without triggering existing kernel protections and exploit mitigations, making this vulnerability particularly disconcerting. However, the success of DirtyPipe exploitation relies heavily on this vulnerability's capability (i.e., injecting data into an arbitrary file through Linux's pipes). Such an ability is rarely seen in other kernel vulnerabilities, making the defense relatively easy: as long as Linux users eliminate the vulnerability, the system could be relatively secure. This work proposes a new exploitation method, DirtyCred, that pushes other Linux kernel vulnerabilities to the level of DirtyPipe. Technically speaking, given a Linux kernel vulnerability, our exploitation method swaps unprivileged and privileged kernel credentials and thus provides the vulnerability with DirtyPipe-like exploitability. With this exploitability, a bad actor could obtain the ability to escalate privilege and even escape the container. We evaluated this exploitation approach on 24 real-world kernel vulnerabilities in a fully-protected Linux system. We discovered that DirtyCred could demonstrate exploitability on 16 vulnerabilities, implying DirtyCred's security severity. Following the exploitability assessment, this work further proposes a new kernel defense mechanism. Unlike existing Linux kernel defenses, our new defense isolates kernel credential objects in non-overlapping memory regions based on their own privilege. Our experiment results show that the new defense introduces primarily negligible overhead.