This project presents an on-the-fly kernel compartmentalization framework for mitigating 0-day kernel vulnerabilities without requiring system reboot or recompilation.
The framework dynamically deploys software fault isolation (SFI) using eBPF and introduces a two-phase execution model to safely compartmentalize vulnerable kernel components while the system remains online.
Existing kernel compartmentalization techniques typically assume that all kernel objects are created after the isolation framework is installed. This assumption prevents them from supporting true on-the-fly deployment.
This project addresses this limitation by handling kernel objects that already exist before compartmentalization.
The framework consists of two execution phases.
During deployment, pre-existing kernel objects have incomplete runtime metadata and therefore cannot be directly validated.
To bridge this gap, the framework employs an ML-assisted heuristic that infers object semantics from runtime memory contents and performs conservative security auditing.
After all pre-existing objects are naturally reclaimed, newly allocated objects are fully tracked by the framework.
The system then switches to lightweight runtime checking without requiring machine learning inference.
- On-the-fly kernel compartmentalization
- eBPF-based software fault isolation
- Runtime memory access validation
- ML-assisted object inference during initialization
- Conservative access policy for legacy kernel objects
- No hardware extensions required
ebpf-project/— eBPF programs for runtime monitoring and data collectionanalysis/— Static and dynamic analysis componentsml/— Machine learning models and training scriptsdocs/— Design documents and evaluation
If you use this project in your research, please cite the corresponding publication.
Apache License 2.0.