Linux Security Summit North America 2026

Hornet LSM addresses a longstanding trust gap in the eBPF ecosystem by enabling strong integrity guarantees for eBPF programs and maps in locked-down production environments. While eBPF has become a powerful foundation for observability, networking, and security, safely deploying it in hardened systems remains a challenge.
In this talk, we present the architecture, implementation, and practical usage of Hornet LSM, an in-kernel, composable Linux Security Module designed to complement existing upstream mechanisms. We will explore how Hornet enables verification and auditing of eBPF programs and maps, allowing operators to confidently leverage eBPF while maintaining a strong security posture.
The session will also examine the current upstream eBPF security model, discuss its strengths and limitations, and show how Hornet builds upon and extends these foundations without imposing policy. Attendees will leave with a clear understanding of how Hornet LSM can be integrated into hardened production systems to safely unlock the full potential of eBPF.

AppArmor has traditionally used a more static type enforcement style policy, where all object accesses must be explicitly allowed within the a subjects profile. However this can result in policy that has overly broad access rights to cover all the potential accesses the application may do.

Object capabilities allow passing objects to a subject such that the object carries the opening tasks access rights. This allows extending a subject access permissions dynamically. Allowing for smaller more dynamic policy, but while loosing some of the advantages of the more static type enforcement policy.

This presentation will discuss how AppArmor is bringing bounded object delegation to its policy, and the the affects it has on how this can change how policy is authored.

This presentation will look at the recent CrackArmor vulnerability and provide a retrospective, and lessons learned.

BPF LSM has become a cornerstone for fine-grained security enforcement, yet it often operates in isolation from the kernel's primary reporting mechanism: the Linux Audit Subsystem. This disconnection creates a visibility gap where programmable security policies cannot easily communicate events through standard, compliance-ready audit channels.

This session explores the value of exposing the Linux Audit Subsystem to BPF LSM programs via kfuncs. By allowing BPF-based security modules to emit formal audit records, we can bridge the gap between flexible, high-performance enforcement and the standardized logging required for incident response and regulatory compliance. We will discuss the operational implications of this integration, highlighting how it enables BPF to function as a first-class citizen within the existing enterprise security stack, providing both the power of programmable enforcement and the transparency of traditional auditing.

eBPF has become one of the most powerful security building blocks in Linux, yet that same power makes it a high-value target. This session is a technical deep dive into emerging eBPF threat patterns we’re seeing across modern fleets: privilege escalation paths that hinge on BPF/JIT behavior, abuse of tracing hooks for stealthy data access, and ways attackers hide activity by tampering with observability pipelines. Then we flip to defense: concrete kernel and distro hardening moves that actually change the risk profile (unprivileged BPF controls, JIT hardening settings, capability boundaries, LSM integration, and runtime guardrails). I’ll include short, readable kernel-level snippets and user-space examples using standard BPF tooling so you can reproduce the behaviors in a lab and validate mitigations. The goal is practical: leave with a checklist you can apply to production Linux systems and a mental model for what "safe eBPF" looks like going forward.

In recent years, the number of documented Linux kernel CVEs has increased substantially, following the kernel’s designation as an official CVE Numbering Authority in 2024. This transition improves access to ground-truth kernel CVEs and their corresponding patches, creating new opportunities for empirical studies of kernel vulnerabilities at scale.

To better understand the characteristics of kernel vulnerabilities, we collect vulnerability-fixing commits (VFCs) and vulnerability-inducing commits (VICs) associated with kernel CVEs over the past 10 years. We then perform a metrics-based analysis that examines function-level code metrics and developer attributes between VFCs and VICs.

This session presents features associated with VICs. In particular, we find that authors of VICs are generally less active and have lower code familiarity at the file, subdirectory, and kernel levels. In addition, we observe a higher representation of maintainers among VICs. The session also discusses vulnerability distributions across our CVE dataset. Finally, we outline how our research can inform bug discovery practices and support the development of vulnerability detection tools in the kernel.