AlphaEXP: An Expert System for Identifying Security-Sensitive Kernel Objects


Ruipeng Wang, National University of Defense Technology; Kaixiang Chen and Chao Zhang, Tsinghua University; Zulie Pan and Qianyu Li, National University of Defense Technology; Siliang Qin, University of Chinese Academy of Sciences; Shenglin Xu, Min Zhang, and Yang Li, National University of Defense Technology


Memory corruption vulnerabilities are often exploited to corrupt sensitive objects and launch attacks. An efficient way to mitigate such threats is identifying and protecting such sensitive objects against corruption. However, it is still an open question that what objects are security sensitive and how sensitive they are. In this paper, we present the first expert system based solution AlphaEXP to identify security sensitive objects, in a specific and important target—the Linux kernel. It works by simulating an adversary to assess whether an object could be abused to get unintended capabilities and contribute to exploitation, and marks it as sensitive if so. Specifically, AlphaEXP first constructs a knowledge graph to represent the facts of the kernel, including objects, functions, and their relationships etc. Then, it explores the knowledge graph to infer potential attack paths for given vulnerabilities, and marks objects used in the attack paths as sensitive. Lastly, it evaluates the feasibility of the attack paths in a customized emulating system, and classifies the sensitivity of objects accordingly. We have built a prototype of AlphaEXP and evaluated it on 84 synthesized representative vulnerabilities and 19 real world vulnerabilities to identify sensitive kernel objects. AlphaEXP successfully generates attack paths for most of these vulnerabilities, and finds 50 objects that could be abused to get writing capability, 81 objects with reading capability, and 112 objects with execution capability. AlphaEXP classifies them into 12 levels of sensitivity.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {291104,
author = {Ruipeng Wang and Kaixiang Chen and Chao Zhang and Zulie Pan and Qianyu Li and Siliang Qin and Shenglin Xu and Min Zhang and Yang Li},
title = {{AlphaEXP}: An Expert System for Identifying {Security-Sensitive} Kernel Objects},
booktitle = {32nd USENIX Security Symposium (USENIX Security 23)},
year = {2023},
isbn = {978-1-939133-37-3},
address = {Anaheim, CA},
pages = {4229--4246},
url = {},
publisher = {USENIX Association},
month = aug

Presentation Video