SyzPrime: Enhancing Linux Kernel Security for Edge Intelligence Applications via Automatic Discovery of Heap Layout Manipulation Primitives
Keywords:
Edge intelligence, Linux kernel, security, exploitation primitives
Abstract
Exploitation of the Linux kernel continues to pose significant security risks, from sensitive information leakage to privilege escalation. While developers prioritize reducing exploitation primitives to limit exploitability, kernel heap exploitation remains a persistent threat to kernel integrity. Discovering such primitives is commonly considered an art: existing approaches rely on unsound static analysis and ad-hoc expert knowledge, which limits their practicality on the real-world Linux kernel. In this paper, we present SyzPrime, a systematic approach to automatically discovering heap layout manipulation (HLM) primitives for recent kernel heap vulnerabilities, with a design that can scale to edge environments for autonomous, real-time security. The key innovation of SyzPrime lies in combining dynamic analysis via fuzzing with static instrumentation, enabling a direct correlation between primitives and fuzzing seeds. We use object-driven instrumentation with a restricted, mutation-based fuzzer that targets specific object or cache interactions, namely allocation, deallocation and use. By enhancing ftrace for precise tracking, we lay a foundation for identifying and generating exploitation paths without side effects, ensuring that the discovered primitives are both reliable and practical. To demonstrate effectiveness, we evaluated SyzPrime on 40 real-world CVEs and 240 objects in the stable Linux kernel tree. Our results show that SyzPrime discovers 1.6× more primitives and identifies 4.1× more sensitive objects than state-of-the-art approaches.
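The correlation the abstract describes, between a fuzzing seed and the slab allocations or frees it causes on a target cache, can be illustrated with ordinary ftrace output. The script below is an added example written for this page; it is not SyzPrime's code and does not reproduce the paper's instrumentation. It assumes a constructed trace in which the kmem tracepoints (kmem:kmalloc, kmem:kmem_cache_alloc, kmem:kfree, kmem:kmem_cache_free) are enabled and each seed is bracketed by trace_marker writes of the form "seed=N begin" / "seed=N end" (a bracketing convention chosen here, not the paper's). It uses the bytes_alloc size class as a stand-in for the target cache, attributes each free to the size class of the pointer's earlier allocation, and keeps only seeds whose net effect on the target cache is a clean allocation or a clean free with no other slab traffic (the "side effects" the abstract wants to exclude). The trace lines are constructed sample data, not captured from a real kernel.

```python
import re
from collections import defaultdict

# Constructed ftrace-style sample (trace_pipe format, kmem tracepoints) with
# trace_marker lines bracketing each fuzzing seed. Assumption: field names follow
# recent kernels (call_site=, ptr=, bytes_req=, bytes_alloc=); values are invented.
SAMPLE_TRACE = """\
 fuzz-1  [000] ....  100.000100: tracing_mark_write: seed=1 begin
 fuzz-1  [000] ....  100.000200: kmalloc: call_site=alloc_foo+0x30/0x80 ptr=00000000aaaa0001 bytes_req=200 bytes_alloc=256 gfp_flags=GFP_KERNEL node=-1 accounted=false
 fuzz-1  [000] ....  100.000300: tracing_mark_write: seed=1 end
 fuzz-1  [000] ....  100.000400: tracing_mark_write: seed=2 begin
 fuzz-1  [000] ....  100.000500: kfree: call_site=free_foo+0x10/0x40 ptr=00000000aaaa0001
 fuzz-1  [000] ....  100.000600: tracing_mark_write: seed=2 end
 fuzz-1  [000] ....  100.000700: tracing_mark_write: seed=3 begin
 fuzz-1  [000] ....  100.000800: kmem_cache_alloc: call_site=alloc_bar+0x20/0x90 ptr=00000000bbbb0002 bytes_req=256 bytes_alloc=256 gfp_flags=GFP_KERNEL node=-1 accounted=false
 fuzz-1  [000] ....  100.000900: kmalloc: call_site=alloc_baz+0x40/0x70 ptr=00000000cccc0003 bytes_req=48 bytes_alloc=64 gfp_flags=GFP_KERNEL node=-1 accounted=false
 fuzz-1  [000] ....  100.001000: tracing_mark_write: seed=3 end
 fuzz-1  [000] ....  100.001100: tracing_mark_write: seed=4 begin
 fuzz-1  [000] ....  100.001200: kmalloc: call_site=alloc_qux+0x30/0x80 ptr=00000000dddd0004 bytes_req=240 bytes_alloc=256 gfp_flags=GFP_KERNEL node=-1 accounted=false
 fuzz-1  [000] ....  100.001300: kfree: call_site=free_qux+0x10/0x40 ptr=00000000dddd0004
 fuzz-1  [000] ....  100.001400: tracing_mark_write: seed=4 end
"""

# "seed=N begin" / "seed=N end" is the bracketing convention assumed by this example.
MARK_RE = re.compile(r"tracing_mark_write: seed=(\d+) (begin|end)")
EVENT_RE = re.compile(
    r"(?P<event>kmalloc|kmem_cache_alloc|kfree|kmem_cache_free): (?P<fields>.*)$"
)
ALLOC_EVENTS = ("kmalloc", "kmem_cache_alloc")


def parse_fields(fields):
    """Turn 'k1=v1 k2=v2 ...' into a dict; call_site values may contain '+' and '/'."""
    return dict(kv.split("=", 1) for kv in fields.split())


def classify_seeds(trace_text, target_size):
    """Count per-seed slab events against the target size class.

    Returns {seed: {"alloc": n, "free": n, "other": n}} where "other" is any
    allocation or free that touches a different size class (a side effect).
    Frees are attributed to the size class recorded when the pointer was allocated,
    so a free primitive in one seed can release an object allocated by another.
    """
    live = {}  # ptr -> bytes_alloc, tracked across seeds
    stats = defaultdict(lambda: {"alloc": 0, "free": 0, "other": 0})
    current = None
    for line in trace_text.splitlines():
        m = MARK_RE.search(line)
        if m:
            seed, edge = int(m.group(1)), m.group(2)
            current = seed if edge == "begin" else None
            continue
        m = EVENT_RE.search(line)
        if not m:
            continue
        f = parse_fields(m.group("fields"))
        if m.group("event") in ALLOC_EVENTS:
            size = int(f["bytes_alloc"])
            live[f["ptr"]] = size
            kind = "alloc" if size == target_size else "other"
        else:
            size = live.pop(f["ptr"], None)
            kind = "free" if size == target_size else "other"
        if current is not None:  # events outside any seed are not attributed
            stats[current][kind] += 1
    return dict(stats)


def primitives(stats):
    """Keep only side-effect-free seeds: allocate-only or free-only on the target cache."""
    out = {}
    for seed, s in stats.items():
        if s["other"]:
            continue  # touches another cache: would perturb the layout unpredictably
        if s["alloc"] and not s["free"]:
            out[seed] = "alloc"
        elif s["free"] and not s["alloc"]:
            out[seed] = "free"
    return out


if __name__ == "__main__":
    stats = classify_seeds(SAMPLE_TRACE, 256)
    for seed, s in sorted(stats.items()):
        print(f"seed {seed}: {s}")
    print("primitives for 256-byte class:", primitives(stats))
```

On a live kernel the equivalent input is obtained by enabling the kmem event group under /sys/kernel/tracing/events/kmem/ and reading /sys/kernel/tracing/trace_pipe while the harness writes the seed markers to /sys/kernel/tracing/trace_marker; the exact tracepoint field layout varies between kernel versions, so the regexes above should be checked against the running kernel's format files before use. Seed 4 in the sample allocates and then frees the same 256-byte object, which is why it is rejected: it leaves the cache unchanged and is therefore useless for shaping the heap.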