Five papers from Fudan University's Baize (白泽) Team lab accepted at NDSS 2026!
Netinfo Security (信息网络安全) magazine
January 6, 2026, 17:01, Shanghai
🎊 Warm congratulations to the lab on having 5 papers accepted at NDSS 2026!
📌 NDSS is one of the "big four" top-tier conferences in cybersecurity and a CCF-A international conference. Last year's acceptance rate was only 16%.
This year's conference will be held from February 23 to 27, 2026 in San Diego, USA ☀️ See you in San Diego!
📝 Below is a brief introduction to the 5 papers.
Paper
LinkGuard: A Lightweight State-Aware Runtime Guard Against Link Following Attacks in Windows File System
Authors: 向柏澄 张源 黄昊 刘丰毓 施游堃
Abstract: Link Following (LF) attacks in the Windows file system allow adversaries to stealthily redirect benign file operations to protected files by abusing crafted combinations of symbolic links (link chains), thereby enabling arbitrary manipulation of protected files. Such attacks typically manifest as either single-step attacks or multi-step attacks, depending on the sequencing of the constructed link chain. Existing countermeasures against LF attacks either rely on heavyweight modeling or suffer from poor compatibility and limited applicability, and none provide comprehensive protection across different types of LF attacks.
In this paper, we present LinkGuard, a lightweight state-aware runtime guard against LF attacks targeting Windows systems. The novelty of LinkGuard lies in its two-stage design: the first stage aims to improve defense efficiency by performing dynamic subject filtering, which monitors only file operations and associated subjects involved in the creation and following of link chains; the second stage applies FSM-based rule matching to precisely defend against LF attacks, ensuring effective and accurate defense. We evaluate LinkGuard's prototype across five representative Windows systems to validate its compatibility. On a dataset of 70 real-world vulnerabilities, LinkGuard successfully mitigates all single-step attacks and 95.45% of multi-step attacks, with zero false positives on benign operations. On average, LinkGuard incurs only 1% overhead in microbenchmarks and 3.4% overhead in real-world application workloads, while adding a negligible 5 ms latency on benign file operations.
One Email, Many Faces: A Deep Dive into Identity Confusion in Email Aliases
Authors: 邬梦莹 洪赓 陈佳涛 刘保君 刘明烜 杨珉
Abstract: Email addresses serve as a universal identifier for online account management; however, their aliasing mechanisms introduce significant identity confusion between email providers and external platforms. This paper presents the first systematic analysis of the inconsistencies arising from email aliasing, where providers view alias addresses (e.g., [email protected], [email protected]) as additional entrances to the base email ([email protected]), while platforms often treat them as distinct identities.
Through empirical evaluations of the alias mechanisms of 28 email providers and 18 online platforms, we reveal critical gaps: (1) only Gmail fully documents its aliasing rules, while 11 providers silently support undocumented alias behaviors; (2) due to the lack of standardized documentation and de facto implementations, platforms either fail to distinguish alias addresses or over-aggressively exclude all emails containing specific symbols. Real-world abuse cases demonstrate attackers exploiting aliases to create up to 139 accounts from a single base email in npm for spam campaigns. Our user study further highlights security risks, showing that 31.65% of participants with alias knowledge mistake phishing emails for legitimate alias emails due to inconsistent provider implementations. Users who believe they understand email aliasing, especially highly educated, male, and technical participants, are more susceptible to being phished. Our findings underscore the urgent need for standardization and transparency in email aliasing. We contribute the OriginMail tool to help platforms resolve alias confusion and disclose vulnerabilities to affected stakeholders.
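The provider/platform mismatch described in the abstract can be illustrated on the defender's side with an alias canonicalizer. This is an added example, not the paper's OriginMail tool: it applies only Gmail's documented rules (dots in the local part ignored, a "+tag" suffix ignored, googlemail.com equivalent to gmail.com) and, as a stated assumption, merely case-folds addresses of providers whose alias behaviour is undocumented. The sign-up records are constructed sample data.

```python
# Constructed sample of platform sign-up records (not real accounts).
SIGNUPS = [
    "alice@gmail.com",
    "Alice+promo@gmail.com",
    "a.l.i.c.e@googlemail.com",
    "bob+a@gmail.com",
    "bob+b@gmail.com",
    "carol@example.org",
    "Carol@Example.org",
]

# Gmail's documented alias rules (the only fully documented provider per the paper).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonicalize(addr: str) -> str:
    """Return the base mailbox a provider would deliver `addr` to.

    Assumption for non-Gmail domains: alias rules are undocumented, so we only
    case-fold the whole address rather than guessing at provider behaviour.
    """
    addr = addr.strip().lower()
    if addr.count("@") != 1:
        raise ValueError(f"not a single-@ address: {addr!r}")
    local, domain = addr.rsplit("@", 1)
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0]      # drop "+tag" suffix
        local = local.replace(".", "")      # dots are ignored
        domain = "gmail.com"                # googlemail.com == gmail.com
    return f"{local}@{domain}"


def group_by_base(addresses):
    """Map each base mailbox to the distinct platform identities that resolve to it."""
    groups = {}
    for a in addresses:
        groups.setdefault(canonicalize(a), []).append(a)
    return groups


def multi_identity_bases(addresses, threshold=2):
    """Base mailboxes behind at least `threshold` separate platform identities."""
    return {b: ids for b, ids in group_by_base(addresses).items() if len(ids) >= threshold}


if __name__ == "__main__":
    for base, ids in multi_identity_bases(SIGNUPS).items():
        print(f"{base}: {len(ids)} identities -> {ids}")
```

Plus-tagging is a legitimate user feature, so a platform should treat a cluster like this as a signal for review or rate-limiting, not as automatic proof of abuse.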
Better Safe than Sorry: Uncovering the Insecure Resource Management in App-in-App Cloud Services
Authors: 史一哲 杨哲慜 刘定一 钟康维 戴嘉润 杨珉
Abstract: In the app-in-app ecosystem, super-apps provide mini-app developers access to various sensitive cloud services, such as cloud database and cloud storage. These services enable mini-app developers to efficiently store and manage mini-app data in the super-app server. To protect these sensitive resources, super-apps implement an identity management mechanism, allowing mini-app developers to verify user identity and ensure that only authorized and trusted users can access specific resources. However, flaws exist in the implementation of resource management by mini-app developers, which can expose sensitive resources to attackers.
In this paper, we conduct the first systematic study of the insecure cloud resource management in the app-in-app ecosystem. We design and implement a tool, ICREMiner, that combines static analysis and dynamic probing to assess the security implications on 22,695 real-world mini-apps that access app-in-app cloud services in four super-app platforms. The results of our study reveal that 2,815 mini-apps (12.40%) are affected by the insecure resource management, involving 8,062 insecure cloud operations. Additionally, we conduct an in-depth analysis of the significant security hazards that can be caused by the vulnerability, such as allowing attackers to steal sensitive user information and pay for free. In response, we have engaged in responsible vulnerability disclosure. We also provide several mitigation strategies to help mini-app developers resolve the vulnerabilities.
Anchors of Trust: A Usability Study on User Awareness, Consent, and Control in Cross-Device Authentication
Authors: 张歆 张晓寒 周烩君 赵波
Abstract: Cross-device authentication (XDAuth) has become an essential mechanism for seamless account access across multiple devices. In this paradigm, a user can sign in on one device (the target device) by completing authentication on another trusted device (the authentication device) that holds an active session or stored credentials, improving user experience. However, the decoupling of the authentication device and target device introduces new risks: the physical and contextual separation disrupts the usual authentication flow, creates information asymmetry, and makes it hard for users to assess the legitimacy of an authentication request. Consequently, users may inadvertently approve malicious logins and face account compromise, especially when key contextual details, explicit confirmation, or revocation mechanisms are missing.
To address these risks, we start from a user-centric perspective grounded in three fundamental user rights: the right to know, the right to consent, and the right to control, to safeguard the security and usability of XDAuth systems. We investigate how these rights are supported in practice by examining 27 major services spanning three typical XDAuth schemes. Our findings are concerning: over half of the services do not provide any information about the target device during authentication, not all services enforce explicit user confirmation, and six lack a way to revoke suspicious authorizations. We responsibly disclosed these issues to the affected vendors, several of whom acknowledged the problems and responded positively. We further conduct a user study with 100 participants, uncovering that the vast majority consider these rights essential and expect them to be upheld in XDAuth. Our study reveals a clear gap between current implementations and user expectations, underscoring the need for stronger user rights support to develop more secure, user-centered XDAuth.
FirmCross: Detecting Taint-Style Vulnerabilities in Modern C-Lua Hybrid Web Services of Linux-based Firmware
Authors: 刘润昊 戴嘉润 肖浩宇 张源 牟叶琦 徐路凯 喻波 王宝生 杨珉
Abstract: Static taint analysis has become a fundamental technique to detect vulnerabilities implied in web services of Linux-based firmware. However, existing works commonly oversimplify the composition of firmware web services. Specifically, only C binaries (i.e., those extracted from the target firmware) are considered within the scope of vulnerability detection. In this work, we observe that modern firmware extensively combines Lua scripts/bytecode and C binaries to implement hybrid web services, and obviously, those C-binary-oriented vulnerability detection techniques can hardly achieve satisfactory performance. In light of this, we propose FirmCross, an automated taint-style vulnerability detector dedicated to C-Lua hybrid web services. Compared to existing detectors, FirmCross can automatically de-obfuscate the Lua bytecode in target firmware, additionally identify distinctive taint sources in the Lua codespace, and systematically capture the C-Lua cross-language taint flow. In the evaluation, FirmCross detects 6.82x to 14.5x more vulnerabilities than SoTA approaches (i.e., MangoDFA and LuaTaint) in a dataset containing 73 firmware images from 11 vendors. Notably, FirmCross helps identify 610 0-day vulnerabilities among the target firmware images. After reporting these vulnerabilities to vendors, 31 vulnerability IDs have been assigned to date.
Source: 复旦白泽 (Fudan Baize)
Netinfo Security (信息网络安全)
Netinfo Security (信息网络安全) was founded in 2001. It is supervised by the Ministry of Public Security and sponsored by the Third Research Institute of the Ministry of Public Security and the China Computer Federation, and is one of the first batch of information security journals in China distributed publicly at home and abroad. It became a China Science and Technology Core Journal in 2015, a Chinese Science Citation Database source journal in 2017, a Chinese Core Journal in 2018, and was selected for the CCF Computing Field High-Quality Sci-Tech Journal Grading Catalogue in 2022.
Reposted from: Netinfo Security (信息网络安全) magazine, "复旦大学白泽战队实验室5篇论文被NDSS 2026接收!"