Brussels / 1 & 2 February 2020


Kernel Runtime Security Instrumentation


KRSI (Kernel Runtime Security Instrumentation) is an ongoing effort at Google to upstream to the Linux kernel an LSM (Linux Security Module) that can be instrumented using eBPF (extended Berkeley Packet Filter).

KRSI allows system owners to dynamically attach eBPF programs to security hooks and write MAC (mandatory access control) and audit policies without having to reboot or patch the kernel, thereby enabling a new class of system security and auditing software.

This talk presents the main concepts behind KRSI: it introduces the technologies leveraged and presents the API exposed to users.


Florent Revest