RSS Security Boulevard

NDSS 2025 – BULKHEAD: Secure, Scalable, And Efficient Kernel Compartmentalization With PKS

The paper introduces BULKHEAD, a kernel compartmentalization technique that limits the damage a single vulnerability can do inside an operating system. It targets monolithic kernels such as Linux, where one exploitable bug in any component can compromise the entire system. BULKHEAD uses Intel's PKS (Protection Keys for Supervisor) hardware feature to place kernel components in isolated compartments that are mutually distrusting: no compartment is trusted by the others. A lightweight in-kernel monitor enforces security invariants such as data integrity and compartment interface integrity. A locality-aware two-level scheme lets the design scale to a large number of compartments, well beyond the 16 protection keys the hardware provides. A prototype on Linux v6.1 compartmentalizes loadable kernel modules (LKMs). The evaluation shows low overhead for real-world applications: about 2.44% on average with 160 compartmentalized LKMs, and under 2% in ApacheBench tests when the workload exercises a specific compartment. Performance is largely independent of the number of compartments, which supports the scalability claim.
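The summary leans on three PKS facts that are easy to get wrong: a supervisor page carries a 4-bit key in PTE bits 62:59, the IA32_PKRS MSR holds an access-disable (AD) and a write-disable (WD) bit per key, and a compartment switch is therefore a single register write rather than a page-table change. The C model below is an added illustration and is not code from the paper or the BULKHEAD prototype. The key assignment (key 0 for core-kernel memory, keys 1 to 15 for compartments), the read-only treatment of core memory, and all function names are assumptions made for the example; the bit layout and the exec caveat follow the Intel SDM.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Software model of Intel PKS (Protection Keys for Supervisor).
 * Per the SDM, a supervisor page (U/S = 0) carries a 4-bit key in PTE bits
 * 62:59, and IA32_PKRS holds two bits per key: AD (bit 2k) and WD (bit 2k+1).
 * Illustrative model only, not BULKHEAD's implementation.
 */
#define PKS_NUM_KEYS    16
#define PKRS_AD(k)      (1u << (2 * (k)))        /* access-disable for key k */
#define PKRS_WD(k)      (1u << (2 * (k) + 1))    /* write-disable for key k  */
#define PTE_US          (1ULL << 2)              /* user/supervisor bit      */
#define PTE_PKEY_SHIFT  59
#define PTE_PKEY_MASK   (0xFULL << PTE_PKEY_SHIFT)

/* Assumed key assignment (not the paper's): key 0 tags core-kernel memory
 * that every compartment may read but not write; keys 1..15 tag one
 * compartment each. */
#define KEY_CORE 0

enum access { ACC_READ, ACC_WRITE, ACC_EXEC };

static unsigned pte_pkey(uint64_t pte)
{
    return (unsigned)((pte & PTE_PKEY_MASK) >> PTE_PKEY_SHIFT);
}

/* Tag a page-table entry with a protection key (bits 62:59). */
uint64_t pte_with_pkey(uint64_t pte, unsigned key)
{
    return (pte & ~PTE_PKEY_MASK) | ((uint64_t)(key & 0xF) << PTE_PKEY_SHIFT);
}

/* Value the monitor would load into IA32_PKRS (one WRMSR) when entering
 * compartment `key`: own key fully accessible, core memory readable but
 * write-disabled, every other compartment access-disabled.
 * An invalid key fails closed: all keys denied (0xFFFFFFFF). */
uint32_t pkrs_for_compartment(unsigned key)
{
    uint32_t pkrs = 0;
    if (key == KEY_CORE || key >= PKS_NUM_KEYS)
        return 0xFFFFFFFFu;
    for (unsigned k = 0; k < PKS_NUM_KEYS; k++) {
        if (k == key)
            continue;
        if (k == KEY_CORE)
            pkrs |= PKRS_WD(k);
        else
            pkrs |= PKRS_AD(k) | PKRS_WD(k);
    }
    return pkrs;
}

/* Does the hardware permit a supervisor-mode access under `pkrs`?
 * Assumes CR0.WP = 1, which is required for WD to restrict supervisor writes. */
bool pks_allows(uint32_t pkrs, uint64_t pte, enum access a)
{
    if (pte & PTE_US)
        return true;   /* user pages are governed by PKRU (PKU), not PKRS */
    if (a == ACC_EXEC)
        return true;   /* protection keys never restrict instruction fetch */
    unsigned k = pte_pkey(pte);
    if (pkrs & PKRS_AD(k))
        return false;
    if (a == ACC_WRITE && (pkrs & PKRS_WD(k)))
        return false;
    return true;
}

/* Monitor-side check before loading a PKRS value: the compartment must be
 * unable to write any foreign key and unable to read other compartments. */
bool compartment_isolated(uint32_t pkrs, unsigned key)
{
    for (unsigned k = 0; k < PKS_NUM_KEYS; k++) {
        if (k == key)
            continue;
        if (!(pkrs & PKRS_WD(k)))
            return false;                       /* writable foreign key */
        if (k != KEY_CORE && !(pkrs & PKRS_AD(k)))
            return false;                       /* readable other compartment */
    }
    return true;
}

int main(void)
{
    uint32_t pkrs = pkrs_for_compartment(3);    /* enter compartment 3 */
    uint64_t own = pte_with_pkey(0, 3), core = pte_with_pkey(0, KEY_CORE);
    uint64_t other = pte_with_pkey(0, 7);
    printf("PKRS for compartment 3: 0x%08x isolated=%d\n", pkrs, compartment_isolated(pkrs, 3));
    printf("write own    : %d\n", pks_allows(pkrs, own, ACC_WRITE));
    printf("read  core   : %d\n", pks_allows(pkrs, core, ACC_READ));
    printf("write core   : %d\n", pks_allows(pkrs, core, ACC_WRITE));
    printf("read  other  : %d\n", pks_allows(pkrs, other, ACC_READ));
    printf("exec  other  : %d  <- PKS does not cover instruction fetch\n", pks_allows(pkrs, other, ACC_EXEC));
    return 0;
}
```

Two practical points fall out of the model. With 16 keys and one reserved for core memory, only 15 compartments can be distinguished at any instant, which is why a design that hosts 160 LKMs needs a scheme for multiplexing compartments onto keys rather than a one-to-one mapping. And because protection keys govern data accesses only, a compartment can still jump into another compartment's code; that gap is exactly what a monitor-enforced interface integrity invariant has to close.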
Hacker & Security News on Bluesky @hacker.at.thenote.app