Yinhao Hu (Huazhong University of Science and Technology & Zhongguancun Laboratory), Pengyu Ding (Huazhong University of Science and Technology & Zhongguancun Laboratory), Zhenpeng Lin (Independent Researcher), Dongliang Mu (Huazhong University of Science and Technology), Yuan Li (Zhongguancun Laboratory)

Despite extensive efforts to harden the Linux kernel—the foundation powering numerous widely-used distributions (e.g., Ubuntu, Debian, Fedora)—it continues to face persistent and sophisticated memory safety vulnerabilities. In this study, we introduce a novel systematic framework that decomposes kernel exploitation into three distinct phases from an attacker’s perspective. Through comprehensive analysis of 121 publicly documented exploits since 2015, we identify and categorize 64 recurrent attack vectors. Leveraging this structured approach, we perform an in-depth evaluation of 51 existing kernel defense mechanisms, clearly mapping their coverage, limitations, redundancies, and interdependencies. Our results reveal significant protection gaps: 23 attack vectors remain entirely unprotected, and 31 existing defenses are bypassable or obsolete. Additionally, we uncover notable discrepancies between theoretical effectiveness and practical deployment across popular downstream distributions, highlighting 4 underutilized hardening measures and misconfigurations in four major distributions. By illuminating these critical gaps and offering actionable insights, our work guides both kernel developers and security practitioners in enhancing defensive strategies and refining future security designs.
