Linux kernel security is a very complex area, and it helps to have a graphical representation of its current state. So I've created the Linux Kernel Defence Map.

This map shows the relations between:

  • vulnerability classes / exploitation techniques,
  • kernel defences,
  • bug detection means.

N.B. A connection between two nodes does not mean "full mitigation". It only indicates that the two items are related in some way. Ideally, the map helps you navigate the kernel documentation and the Linux kernel sources.

I wrote it in the DOT language and generated the picture with GraphViz:

dot -Tpng linux-kernel-defence-map.dot -o linux-kernel-defence-map.png

Since the source is plain text, the map is pleasant to maintain with git.
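To show how the three node categories and their relations can be expressed in DOT, here is a small illustrative graph. It is an added example written for this page, not an excerpt of linux-kernel-defence-map.dot; the shapes, colours and the particular nodes and edges are my own choices, kept to well-known items (CONFIG_STACKPROTECTOR, CONFIG_SLAB_FREELIST_HARDENED, SMEP/SMAP, CONFIG_KASAN, syzkaller) so that every edge reflects a real relation. As in the map itself, an edge means "related to", not "fully mitigated by".

```dot
// Added illustrative example, not the actual linux-kernel-defence-map.dot.
// Node categories are told apart by shape and fill colour (a convention
// assumed here); an edge means "related to", not "fully mitigated by".
digraph defence_map_example {
    rankdir=LR;
    node [style=filled, fontname="Helvetica"];

    // Vulnerability classes / exploitation techniques
    subgraph cluster_vulns {
        label="Vulnerability classes / exploitation techniques";
        node [shape=box, fillcolor="#f4cccc"];
        stack_overflow [label="Stack buffer overflow"];
        heap_overflow  [label="Heap buffer overflow"];
        uaf            [label="Use-after-free"];
        ret2usr        [label="ret2usr (return to user space)"];
    }

    // Kernel defences (Kconfig options or hardware features)
    subgraph cluster_defences {
        label="Kernel defences";
        node [shape=box, fillcolor="#cfe2f3"];
        STACKPROTECTOR         [label="CONFIG_STACKPROTECTOR"];
        SLAB_FREELIST_HARDENED [label="CONFIG_SLAB_FREELIST_HARDENED"];
        SMEP_SMAP              [label="SMEP / SMAP (hardware)"];
    }

    // Bug detection means
    subgraph cluster_detection {
        label="Bug detection means";
        node [shape=ellipse, fillcolor="#d9ead3"];
        KASAN     [label="CONFIG_KASAN"];
        syzkaller [label="syzkaller (fuzzer)"];
    }

    // Relations: vulnerability class -> defence / detection means
    stack_overflow -> STACKPROTECTOR;
    stack_overflow -> KASAN;
    heap_overflow  -> SLAB_FREELIST_HARDENED;
    heap_overflow  -> KASAN;
    uaf            -> SLAB_FREELIST_HARDENED;
    uaf            -> KASAN;
    ret2usr        -> SMEP_SMAP;

    // Relation between two detection means: the fuzzer is usually run
    // on a kernel built with KASAN so that memory errors are reported.
    syzkaller -> KASAN [style=dashed, label="runs on a KASAN kernel"];
}
```

Render it exactly as the README does for the real map, e.g. `dot -Tpng example.dot -o example.png`; the `cluster_` prefix on the subgraph names is what makes GraphViz draw a box around each category.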

If you see any mistakes, feel free to create an Issue or ping me at alex.popov@linux.com

The Map for the recent Linux Kernel

Linux Kernel Defence Map

  • Grsecurity features
  • The State of Kernel Self Protection by Kees Cook
  • Linux kernel security documentation
  • Linux kernel mitigation checklist by Shawn C