H-KPP: Hypervisor-Assisted Kernel Patch Protection

Michael Kiperberg, Nezer Jacob Zaidenberg

Research output: Contribution to journalArticlepeer-review


We present H-KPP, hypervisor-based protection for kernel code and data structures. H-KPP prevents the execution of unauthorized code in kernel mode. In addition, H-KPP protects certain object fields from malicious modifications. H-KPP can protect modern kernels equipped with BPF facilities and loadable kernel modules. H-KPP does not require modifying or recompiling the kernel. Unlike many other systems, H-KPP is based on a thin hypervisor and includes a novel SLAT switching mechanism, which allows H-KPP to achieve very low (≈ 6%) performance overhead compared to baseline Linux.

Original languageEnglish
Article number5076
JournalApplied Sciences (Switzerland)
Issue number10
StatePublished - 1 May 2022
Externally publishedYes


  • DKOM
  • Kernel Integrity
  • virtualization

All Science Journal Classification (ASJC) codes

  • General Engineering
  • Instrumentation
  • Fluid Flow and Transfer Processes
  • Process Chemistry and Technology
  • General Materials Science
  • Computer Science Applications


Dive into the research topics of 'H-KPP: Hypervisor-Assisted Kernel Patch Protection'. Together they form a unique fingerprint.

Cite this