Shuangpeng Bai

Ph.D. Candidate
College of Information Sciences and Technology
The Pennsylvania State University

E-mail: sjb7183 at psu dot edu

Short Bio: I am a Ph.D. candidate at Penn State University, advised by Prof. Hong Hu. Before joining Penn State University, I obtained my Bachelor's degree from Beijing Jiaotong University and my Master's degree from the University of Chinese Academy of Sciences. My research interests include Operating System Security, especially vulnerability detection and exploitation.


Publications

  1. CountDown: Refcount-guided Fuzzing for Exposing Temporal Memory Errors in Linux Kernel [Website] [Paper]
    Shuangpeng Bai, Zhechang Zhang, Hong Hu
    In Proceedings of the 31st ACM Conference on Computer and Communications Security (CCS 2024). [Acc Rate: 16.9%]
    Abstract: Kernel use-after-free (UAF) bugs are severe threats to system security due to their complex root causes and high exploitability. We find that 36.1% of recent kernel UAF bugs are caused by improper uses of reference counters, dubbed refcount-related UAF bugs. Current kernel fuzzing tools based on code coverage can detect common memory errors, but none of them is aware of the root cause. As a consequence, they only trigger refcount-related UAF bugs passively and coincidentally, and may miss many deeply hidden vulnerabilities.
    To actively trigger refcount-related UAF bugs, in this paper we propose CountDown, a novel refcount-guided kernel fuzzer. CountDown collects diverse refcount operations from kernel executions and reshapes syscall relations based on commonly accessed refcounts. When generating user-space programs, CountDown prefers to combine syscalls that have accessed the same refcounts, aiming to trigger complex refcount behaviors. It also injects refcount-decreasing and refcount-accessing syscalls to intentionally free the refcounted object and trigger invalid accesses through dangling pointers. We test CountDown on mainstream Linux kernels and compare it with popular fuzzers. On average, our tool can detect 66.1% more UAF bugs and 32.9% more KASAN reports than state-of-the-art tools. CountDown has found nine new kernel memory bugs, of which two are fixed and one is confirmed.

  2. DSS: Discrepancy-Aware Seed Selection Method for ICS Protocol Fuzzing [Website] [Paper]
    Shuangpeng Bai, Hui Wen, Dongliang Fang, Yue Sun, Puzhuo Liu, and Limin Sun
    In The 19th International Conference on Applied Cryptography and Network Security (ACNS 2021). [Acc Rate: 19.9%]
    Abstract: Industrial Control Systems (ICS) are the core of critical infrastructure, and their vulnerabilities threaten physical-world security. Mutation-based black-box fuzzing is a popular method for vulnerability discovery in ICS, and the diversity of seeds is crucial to its performance. However, ICS devices are dedicated devices whose programs are challenging to obtain, whose protocols are unknown, and whose execution traces are hard to obtain in real time. These restrictions impede seed selection, thereby reducing the efficiency of fuzzing. Therefore, our primary goal is to select a high-quality seed set containing as few seeds as possible while triggering as many execution traces as possible. In this paper, we present a novel automatic seed selection method called DSS, which selects high-quality seeds to improve fuzzing efficiency. The method is based on the observation that, in most cases, dissimilar response messages are generated by different device execution processes, which lets us connect message discrepancy to execution-trace discrepancy and use that connection to guide DSS. Specifically, we point out that dissimilar messages are effective indicators of different execution paths. Therefore, choosing ICS messages with high discrepancy as seeds yields more initial execution traces and fewer seeds with the same semantics, both of which are essential to black-box fuzzing. Our experiments show that the number of seeds selected by DSS is significantly smaller than with the traditional method when achieving the same trace coverage.


Experience