Linux Security Summit North America 2025

The Linux Kernel Self-Protection Project was announced in 2015 as a way to gather folks doing security hardening work under a single umbrella and gain upstream traction for killing bug classes and eliminating exploitation methods. Linux security has made significant advances over the last decade as a result of the project's contributors.

We'll review the bug classes that have been completely eliminated (e.g. VLAs, setfs(), switch fall-through, stack variable zeroing), as well as bug classes that have gained wide mitigation coverage (e.g. refcount overflow, FORTIFY_SOURCE, allocation overflow, array overflow). We'll take a look at exploit blocking methods now in place (e.g. vmap stack, W^X, KASLR, slab hardening, %p hashing, IBT/BTI, SCS, KCFI), and newly available attack surface reduction (e.g. seccomp, __ro_after_init, lockdown).

What has the impact been after all this work? We'll review bug class frequency and severity to examine the trends. With so much of the low hanging fruit getting handled, we're now faced with trickier problems such as Use After Free flaws. We'll take a look at what's on the horizon to solve this and other kernel self-protection concerns.