Linux Security Summit North America 2026

BPF LSM has become a cornerstone for fine-grained security enforcement, yet it often operates in isolation from the kernel's primary reporting mechanism: the Linux Audit Subsystem. This disconnection creates a visibility gap where programmable security policies cannot easily communicate events through standard, compliance-ready audit channels.

This session explores the value of exposing the Linux Audit Subsystem to BPF LSM programs via kfuncs. By allowing BPF-based security modules to emit formal audit records, we can bridge the gap between flexible, high-performance enforcement and the standardized logging required for incident response and regulatory compliance. We will discuss the operational implications of this integration, highlighting how it enables BPF to function as a first-class citizen within the existing enterprise security stack, providing both the power of programmable enforcement and the transparency of traditional auditing.

In recent years, the number of documented Linux kernel CVEs has increased substantially, following the kernel’s designation as an official CVE Numbering Authority in 2024. This transition improves access to ground-truth kernel CVEs and their corresponding patches, creating new opportunities for empirical studies of kernel vulnerabilities at scale.

To better understand the characteristics of kernel vulnerabilities, we collect vulnerability-fixing commits (VFCs) and vulnerability-inducing commits (VICs) associated with kernel CVEs over the past 10 years. We then perform a metrics-based analysis that examines function-level code metrics and developer attributes between VFCs and VICs.

This session presents features associated with VICs. In particular, we find that authors of VICs are generally less active and have lower code familiarity at the file, subdirectory, and kernel levels. In addition, we observe a higher representation of maintainers among VICs. The session also discusses vulnerability distributions across our CVE dataset. Finally, we outline how our research can inform bug discovery practices and support the development of vulnerability detection tools in the kernel.