SoK: Take a Deep Step into Linux Kernel Hardening Effectiveness from the Offensive-Defensive Perspective

Despite extensive efforts to harden the Linux kernel—the foundation powering numerous widely-used distributions (e.g., Ubuntu, Debian, Fedora)—it continues to face persistent and sophisticated memory safety vulnerabilities. In this study, we introduce a novel systematic framework that decomposes kernel exploitation into three distinct phases from an attacker’s perspective. Through comprehensive analysis of 121 publicly documented exploits since 2015, we identify and categorize 64 recurrent attack vectors. Leveraging this structured approach, we perform an in-depth evaluation of 51 existing kernel defense mechanisms, clearly mapping their coverage, limitations, redundancies, and interdependencies. Our results reveal significant protection gaps: 23 attack vectors remain entirely unprotected, and 31 existing defenses are bypassable or obsolete. Additionally, we uncover notable discrepancies between theoretical effectiveness and practical deployment across popular downstream distributions, highlighting 4 underutilized hardening measures and misconfigurations in four major distributions. By illuminating these critical gaps and offering actionable insights, our work guides both kernel developers and security practitioners in enhancing defensive strategies and refining future security designs.