Compartmentalizing Vulnerable Kernel Components Without Stopping the Machine

Explore a groundbreaking approach to enhancing kernel security in this 28-minute conference talk from the Linux Foundation. Delve into the challenges of compartmentalizing vulnerable device drivers, which constitute 70% of the kernel codebase, without interrupting system services. Learn about the limitations of existing methods that require system reboots, and discover the potential of on-the-fly enforcement. Witness a demonstration of transition hazard attacks using CVE-2022-0995, and understand how the innovative O2C solution addresses these challenges. Gain insights into O2C's key technical innovations, including software-based compartmentalization using eBPF and the integration of an ML model into the kernel. Examine the negligible overhead and excellent scalability of O2C through detailed measurement results, and access the open-source code for further exploration.