H-KPP: Hypervisor-Assisted Kernel Patch Protection

Michael Kiperberg, Nezer Jacob Zaidenberg

Research output: Contribution to journalArticlepeer-review

1 Scopus citations


We present H-KPP, hypervisor-based protection for kernel code and data structures. H-KPP prevents the execution of unauthorized code in kernel mode. In addition, H-KPP protects certain object fields from malicious modifications. H-KPP can protect modern kernels equipped with BPF facilities and loadable kernel modules. H-KPP does not require modifying or recompiling the kernel. Unlike many other systems, H-KPP is based on a thin hypervisor and includes a novel SLAT switching mechanism, which allows H-KPP to achieve very low (≈ 6%) performance overhead compared to baseline Linux.

Original languageEnglish
Article number5076
JournalApplied Sciences (Switzerland)
Issue number10
StatePublished - 1 May 2022
Externally publishedYes


  • DKOM
  • Kernel Integrity
  • virtualization


Dive into the research topics of 'H-KPP: Hypervisor-Assisted Kernel Patch Protection'. Together they form a unique fingerprint.

Cite this