Nullcon Berlin

Linux Kernel Runtime Guard 1.0


Course

Alexander Peslyak of Openwall explains how runtime integrity enforcement detects kernel compromise and same-privilege attacks without relying on static trust assumptions.

Modern Linux systems face attacks that operate at the same privilege level as the kernel, rendering traditional prevention controls ineffective. Runtime integrity enforcement addresses this gap by continuously validating kernel code, data structures and task credentials while accommodating legitimate kernel self-modification. This approach assumes compromise is possible and focuses on detection, containment and system response rather than absolute prevention.

By combining lightweight integrity checks, credential validation and selective control-flow verification, runtime protection reduces attacker dwell time and raises the cost of successful exploitation. Adoption requires a careful balance between coverage, performance and compatibility across kernel versions.

This session, led by Alexander Peslyak, founder of Openwall, will cover:

  • Runtime integrity enforcement under same-privilege threat models;
  • Detecting kernel code and data manipulation without static trust assumptions;
  • Handling legitimate kernel self-modification and dynamic state changes.

Here is the course outline:

Linux Kernel Runtime Guard 1.0: Enforcing Integrity Against Same-Privilege Attacks

Completion

The following certificates are awarded when the course is completed:

CPE Credit Certificate
