RSS Security Boulevard

NDSS 2025 – VulShield: Protecting Vulnerable Code Before Deploying Patches

Software vulnerabilities pose a significant security risk because of the time lag in applying patches, so researchers are exploring temporary protective measures to bridge that gap before patches are deployed. Existing solutions suffer from limited scope, requirements to modify code, and reliance on new system features. VulShield is introduced as an automated system that provides temporary protection against vulnerabilities: it generates security policies from sanitizer reports, each policy defining the conditions under which a vulnerability is triggered, and a Linux kernel module enforces these policies at runtime to prevent the vulnerability from being triggered in both kernel and user-space programs. VulShield requires no modification of the vulnerable code and does not rely on recent system features. The evaluation shows that VulShield mitigates a wide range of vulnerabilities across different types of software with minimal performance overhead: negligible latency in Nginx and low overhead in UnixBench. VulShield thus offers a practical, non-invasive way to secure systems before patches are fully deployed.
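The summary says VulShield turns a sanitizer report into a policy that captures the conditions under which a vulnerability is triggered, and then enforces that policy at runtime. The Python below is an added illustration of that idea, not VulShield's code and not its policy format (the summary does not show either): it parses two constructed reports, one in the kernel KASAN format and one in the user-space AddressSanitizer format, extracts the bug class, access kind, access size and faulting function, and records them as a triggering condition. A small `should_block` check then stands in for the enforcement hook, blocking only an access that matches every recorded condition so that other paths through the same function are left alone. The `action` field, the report texts and the policy fields are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed KASAN (kernel) report in the layout the kernel's KASAN printer uses.
KASAN_REPORT = """\
==================================================================
BUG: KASAN: slab-out-of-bounds in foo_write+0x1a/0x80 [foo]
Write of size 8 at addr ffff888012345678 by task insmod/1234

Call Trace:
 dump_stack_lvl+0x34/0x48
 print_report+0x1ae/0x420
 kasan_report+0xa4/0xd0
 foo_write+0x1a/0x80 [foo]
==================================================================
"""

# Constructed AddressSanitizer (user-space) report for the same kind of bug.
ASAN_REPORT = """\
==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000014 at pc 0x55d3f8a1b2c3 bp 0x7ffd0 sp 0x7ffd0
WRITE of size 4 at 0x602000000014 thread T0
    #0 0x55d3f8a1b2c3 in main example.c:7:5
    #1 0x7f1e2c029d8f in __libc_start_call_main
"""


@dataclass(frozen=True)
class TriggerPolicy:
    """Assumed policy shape: the conditions observed in the report plus an action."""
    bug_class: str          # sanitizer's classification, e.g. slab-out-of-bounds
    access: str             # "read" or "write"
    size: int               # width of the faulting access in bytes
    function: str           # function that performs the faulting access
    offset: Optional[int]   # instruction offset inside that function (kernel reports only)
    action: str = "block"   # assumed enforcement action for this example


# Header and access lines of a KASAN report.
KASAN_HDR = re.compile(
    r"BUG: KASAN: (?P<cls>[\w-]+) in (?P<func>[\w.]+)\+0x(?P<off>[0-9a-f]+)/0x[0-9a-f]+")
KASAN_ACC = re.compile(r"(?P<acc>Read|Write) of size (?P<size>\d+) at addr")
# Header, access line and innermost stack frame of an ASan report.
ASAN_HDR = re.compile(r"ERROR: AddressSanitizer: (?P<cls>[\w-]+) on address")
ASAN_ACC = re.compile(r"(?P<acc>READ|WRITE) of size (?P<size>\d+) at ")
ASAN_FRAME0 = re.compile(r"#0 0x[0-9a-f]+ in (?P<func>[\w.]+)")


def policy_from_report(report: str) -> TriggerPolicy:
    """Derive a triggering-condition policy from a KASAN or ASan report."""
    if (hdr := KASAN_HDR.search(report)):
        acc = KASAN_ACC.search(report)
        if acc is None:
            raise ValueError("KASAN report without an access line")
        return TriggerPolicy(hdr["cls"], acc["acc"].lower(), int(acc["size"]),
                             hdr["func"], int(hdr["off"], 16))
    if (hdr := ASAN_HDR.search(report)):
        acc = ASAN_ACC.search(report)
        frame = ASAN_FRAME0.search(report)
        if acc is None or frame is None:
            raise ValueError("ASan report without an access line or top frame")
        # User-space symbolised frames give a source line, not a code offset,
        # so the offset condition is left unset and only the function is matched.
        return TriggerPolicy(hdr["cls"], acc["acc"].lower(), int(acc["size"]),
                             frame["func"], None)
    raise ValueError("unrecognised sanitizer report")


def should_block(policy: TriggerPolicy, function: str, offset: int,
                 access: str, size: int) -> bool:
    """Decision an enforcement hook would make for one observed memory access.

    Every recorded condition must match; an access elsewhere in the same
    function, of the other kind, or of a different width is not blocked.
    """
    if function != policy.function or access != policy.access:
        return False
    if policy.offset is not None and offset != policy.offset:
        return False
    return size == policy.size and policy.action == "block"


if __name__ == "__main__":
    for report in (KASAN_REPORT, ASAN_REPORT):
        print(policy_from_report(report))
```

The policy deliberately keys on the narrowest conditions the report gives (function, offset where available, access kind and width) rather than on the function alone; a hook that blocked every access in `foo_write` would break the module's legitimate traffic, which is the kind of collateral damage a temporary mitigation has to avoid.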