Control-Flow–Aware Kernel Compartmentalization for Preventing Intra-Subsystem Escalation

Authors

  • Ivan Petrov, Faculty of Computational Mathematics and Cybernetics, Lomonosov Moscow State University, Moscow 119991, Russia
  • Elena Smirnova, Faculty of Computational Mathematics and Cybernetics, Lomonosov Moscow State University, Moscow 119991, Russia
  • Dmitry Volkov, Faculty of Computational Mathematics and Cybernetics, Lomonosov Moscow State University, Moscow 119991, Russia
  • Anna Kuznetsova, Faculty of Computational Mathematics and Cybernetics, Lomonosov Moscow State University, Moscow 119991, Russia
  • Sergey Morozov, Faculty of Computational Mathematics and Cybernetics, Lomonosov Moscow State University, Moscow 119991, Russia

DOI:

https://doi.org/10.71465/fias707

Keywords:

control-flow integrity, compartmentalization, PKS isolation, ROP mitigation, kernel security

Abstract

We propose a control-flow–aware partitioning model that clusters kernel functions based on CFG similarity and call-chain trust levels. Coupled with PKS-based domain enforcement, this model prevents compromised subsystems (e.g., netfilter or VFS) from escalating privileges through legitimate control-flow edges. On Linux 5.15, our approach blocks 83% of cross-subsystem attack chains and reduces gadget availability for ROP-style attacks by 45%. The system introduces only 2.8% runtime overhead under standard kernel workloads. This demonstrates that integrating control-flow semantics into compartment design yields better blast-radius reduction.

Published

2026-02-15