Virtualization-assisted Security: A Resilient Security Foundation for the Linux Kernel
- Track: Kernel
- Room: UD2.208 (Decroly)
- Day: Sunday
- Start: 14:10
- End: 14:40
The Linux kernel architecture faces inherent limitations in its security design, primarily due to constraints imposed by the underlying hardware. The Linux kernel must not only isolate user-space processes but also protect itself from unauthorized access—a task made increasingly challenging by the presence of vulnerabilities. Since modern security mechanisms rely on the Linux kernel's integrity, their effectiveness collapses as soon as the kernel is compromised. Therefore, the kernel's resilience is crucial to the security of the entire system, raising the fundamental question: how can we maintain robust security despite the presence of kernel vulnerabilities?
In this presentation, we introduce a virtualization-assisted security architecture for the Linux kernel to address these challenges. Our solution provides a lightweight virtualization layer comprising a thin, formally verifiable virtual machine monitor on top of the open-source NOVA microhypervisor. Acting as a security support layer, this architecture enables the Linux kernel to effectively leverage the system's virtualization extensions to fortify its defenses. In line with state-of-the-art virtualization-based security mechanisms, our solution enforces Linux kernel code integrity and protects selected data structures from being abused by malicious actors. Beyond these capabilities, it enables advanced security features, such as isolating selected security-critical subsystems within the Linux kernel itself and providing a versatile event monitoring facility targeting the activity of applications and containers in user space. Overall, by bridging the traditional separation between the OS and system virtualization technologies, our open-source implementation integrates both to create a more robust and resilient security foundation. We present our implementation as a promising approach to mitigating the risks posed by kernel vulnerabilities while significantly enhancing the security posture of modern systems.
Speakers
Sergej Proskurin