SyzPrime: Enhancing Linux Kernel Security for Edge Intelligence Applications via Automatic Discovery of Heap Layout Manipulation Primitives

Authors

  • Xingwei Li, Information Engineering University, Zhengzhou, 450001, China
  • Yunchao Wang, Information Engineering University, Zhengzhou, 450001, China
  • Jianzhou Zhao, Information Engineering University, Zhengzhou, 450001, China
  • Yunchao Guan, Tsinghua University, Beijing, 650001, China
  • Danjun Liu, National University of Defense Technology, Changsha, 336017, China
  • Zhe Yang, Beijing University of Aeronautics and Astronautics, Beijing, 650001, China
  • Wenbin Zhang, Information Engineering University, Zhengzhou, 450001, China
  • Zehui Wu, Information Engineering University, Zhengzhou, 450001, China
  • Rongkuan Ma, Information Engineering University, Zhengzhou, 450001, China
  • Xixing Li, Information Engineering University, Zhengzhou, 450001, China
  • Qiang Wei, Information Engineering University, Zhengzhou, 450001, China

Keywords

Edge intelligence, Linux kernel, security, exploitation primitives

Abstract

Exploitation of the Linux kernel continues to pose significant security risks, from sensitive information leakage to severe privilege escalation. While developers prioritize reducing primitives to limit exploitability, kernel heap exploitation remains a persistent threat to kernel integrity. Discovering such primitives is commonly considered an art: existing approaches rely on unsound static analysis and ad-hoc expertise, which limits their practicality on the real-world Linux kernel. In this paper, we present SyzPrime, a systematic approach to automatically discover heap layout manipulation (HLM) primitives in recent kernel heap vulnerabilities, with a design that can scale to edge environments for autonomous, real-time security. The key innovation of SyzPrime lies in combining dynamic analysis via fuzzing with static instrumentation, enabling a direct correlation between primitives and fuzzing seeds. We use object-driven instrumentation together with a restricted mutation-based fuzzer that targets specific object or cache interactions, such as allocation, deallocation and usage. By enhancing ftrace for precise tracking, we lay a foundation for identifying and generating exploitation paths without side effects, ensuring that the discovered primitives are both reliable and practical. To demonstrate effectiveness, we evaluated SyzPrime on 40 real-world CVEs and 240 objects in the stable Linux kernel tree. Our results show that SyzPrime discovers 1.6× more primitives and identifies 4.1× more sensitive objects than state-of-the-art approaches.

Published

2026-06-30

How to Cite

Li, X., Wang, Y., Zhao, J., Guan, Y., Liu, D., Yang, Z., … Wei, Q. (2026). SyzPrime: Enhancing Linux Kernel Security for Edge Intelligence Applications via Automatic Discovery of Heap Layout Manipulation Primitives. Computing and Informatics, 45(3). Retrieved from http://147.213.75.17/ojs/index.php/cai/article/view/7569

Section

Special Section Articles