Pig in a Poke: Automatically Detecting and Exploiting Link Following Vulnerabilities in Windows File Operations

This is the artifact of the paper accepted at USENIX Security 2025 Cycle 2 -  Pig in a Poke: Automatically Detecting and Exploiting Link Following Vulnerabilities in Windows File Operations.

First, there are 2 files in total. 
LinkZard.zip contains the source code of our tool, usage instructions, experimental data, and a quick reproduction guide. Files starting with VM_ are split parts of the pre-configured virtual machine image.

Second, use cat VM_part_* > VM.7z to concatenate the split files and extract the artifact VM.7z with 7zip

You can verify the integrity of the reassembled file using the following SHA-256 checksum

sha256sum VM.7z
9e0aaaa2e4365bfac83d7dd877197c2dd8b2cb11087a1e34f010070df14c775f  VM.7z

If the output matches the value above, the file has been successfully and correctly reconstructed.

`VM.7z` contains a virtual machine with integrated components and data sets. After decompression, refer to `quick-reproduction-guide.pdf` in the `LinkZard` directory and open it using VMware Workstation.

LinkZard Directory Structure

• src: All source code of LinkZard, for each component's design, please see `README.md` in `./src`

• Experiment: Contains the log files of our use of LinkZard test datasets

  • see README.md in ./Experiment.

• Ablation Experiment: Contains the log data of the Jerry-Ext test in the dataset based on Jerry‘s design. Please see `README.md` in `./Ablation Experiment`

  It is worth noting that Jerry did not provide source code, so we can only roughly implement the functions based on its limited description

• quick-reproduction-guide.pdf: Contains how to quickly reproduce experiments in a given virtual machine image, and test and reproduce the installed dataset program according to the commands in it.

Access this Artifact

Our work complies with the requirements of open science of the USENIX Security conference. However, as our work is a vulnerability detection and exploitation framework, we have restricted the access permission of this artifact. If you need to access and download it, please contact the authors.