BULKHEAD: Secure, Scalable, and Efficient Kernel Compartmentalization with PKS
Yinggang Guo
Network and Distributed System Security (NDSS) Symposium 2025 · Day 1 · System-Level Security
The talk "BULKHEAD: Secure, Scalable, and Efficient Kernel Compartmentalization with PKS" by Yinggang Guo at the NDSS Symposium addresses the persistent and growing security vulnerabilities within monolithic operating system kernels, particularly the Linux kernel. The presentation introduces BULKHEAD, a novel solution designed to enhance kernel security through robust compartmentalization. This system leverages Intel's recent hardware feature, **Protection Keys for Supervisor Mode (PKS)**, to isolate kernel modules into mutually untrusted compartments, thereby significantly confining the impact of potential exploits.
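As an added illustration, not code from the talk or from BULKHEAD itself, the C model below shows the two mechanisms the abstract names: the per-key access-disable/write-disable check that PKS performs against IA32_PKRS, and a second level that groups compartments into address spaces once the 16 keys are exhausted. The reservation of key 0 for the shared kernel core, the 15-compartments-per-address-space grouping and the ASID numbering are assumptions of this model, not BULKHEAD's actual policy.

```c
#include <stdint.h>
#include <stdbool.h>

#define PKS_KEYS 16

/* Model of the IA32_PKRS layout: for protection key k, bit 2k is AD
   (access-disable) and bit 2k+1 is WD (write-disable). */
typedef uint32_t pkrs_t;

static pkrs_t pkrs_set(pkrs_t pkrs, unsigned key, bool ad, bool wd) {
    pkrs &= ~(3u << (2 * key));
    pkrs |= ((uint32_t)ad << (2 * key)) | ((uint32_t)wd << (2 * key + 1));
    return pkrs;
}

/* True if a supervisor access to a page tagged with `key` passes PKS. */
static bool pks_allows(pkrs_t pkrs, unsigned key, bool is_write) {
    bool ad = (pkrs >> (2 * key)) & 1;
    bool wd = (pkrs >> (2 * key + 1)) & 1;
    if (ad) return false;
    if (is_write && wd) return false;
    return true;
}

/* Second level (model assumption): compartments beyond the key budget are
   placed in further address spaces, identified by an ASID. Key 0 is
   reserved for the shared kernel core, so 15 keys remain per address space. */
typedef struct { unsigned asid; unsigned key; } comp_t;

static comp_t place_compartment(unsigned n) {
    comp_t c = { n / (PKS_KEYS - 1), 1 + n % (PKS_KEYS - 1) };
    return c;
}

/* PKRS loaded while `cur` runs: its own key fully open, the kernel core
   readable but not writable, every other compartment in the address space
   access-disabled. */
static pkrs_t pkrs_for(comp_t cur) {
    pkrs_t p = 0;
    for (unsigned k = 0; k < PKS_KEYS; k++) p = pkrs_set(p, k, true, true);
    p = pkrs_set(p, 0, false, true);
    return pkrs_set(p, cur.key, false, false);
}

/* Can `cur` reach `target`'s memory without switching address space?
   Only if both share an ASID and the PKRS check passes; otherwise the
   second level (an ASID switch) has to mediate. */
static bool direct_access(comp_t cur, comp_t target, bool is_write) {
    if (cur.asid != target.asid) return false;
    return pks_allows(pkrs_for(cur), target.key, is_write);
}
```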
AI review
Solid systems security research that delivers on all three adjectives in its title: secure, scalable, and efficient. The two-level compartmentalization scheme — combining PKS for intra-address-space isolation with locality-aware ASID-based address space switching — is a genuinely clever engineering response to PKS's 16-domain ceiling, and the 2.44% average overhead number is respectable enough to make the 'practical for production' claim defensible rather than aspirational.