linux-kernel-defence-map.dot

//
// Linux Kernel Defence Map showing the relationships between:
//  - Vulnerability classes
//  - Exploitation techniques
//  - Bug detection mechanisms
//  - Defence technologies
//
// SPDX-FileCopyrightText: Alexander Popov <alex.popov@linux.com>
// SPDX-License-Identifier: GPL-3.0-only
//
// The node connections don't mean "full mitigation."
// Rather, each connection represents some kind of relationship.
// So this map should help to navigate the documentation and Linux kernel sources.
// See the references in README.md.
//
// This map describes kernel security hardening.
// It doesn't cover cutting attack surface, userspace security features
// and policies enforced by various Linux Security Modules (LSM).
//
// It is written in DOT language.
// How to generate svg:
//    dot -Tsvg linux-kernel-defence-map.dot -o linux-kernel-defence-map.svg
//

digraph {
  labelloc=top;
  fontsize=30;
  fontname=monospace;
  label="Linux Kernel Defence Map";
  compound=true;
  nodesep=0.5;
  splines=line;
  remincross=true;

  rankdir=LR;
  node [style=filled, fontname=monospace, margin="0.22,0.055"];
  edge [penwidth=1.5];

  subgraph cluster_legend {
    fontsize=25;
    label="Legend:";
    style="solid";
    margin=35;

    "Mainline Defences" [shape=oval, color=palegreen3];
    "Out-of-tree Defences" [shape=oval, color=cornflowerblue];
    "Commercial Defences" [shape=oval, color=lightgrey];
    "HW Defences" [shape=oval, color=aquamarine];
    "Generic Defence Techniques" [shape=oval, color=black, style=solid];
    "Bug Detection" [shape=octagon, color=mediumpurple];
    "Vulnerabilities" [shape=box, color=pink];
    "Exploitation Techniques" [shape=box, color=gold];
  }

  // For pretty legend layout:
  edge [arrowhead=none, style=invis];
  "Mainline Defences":e -> "Out-of-tree Defences":w;
  "Out-of-tree Defences":e -> "Commercial Defences":w;
  "Commercial Defences":e -> "HW Defences":w;
  "Generic Defence Techniques":e -> "Bug Detection":w;
  "Bug Detection":e -> "Vulnerabilities":w;
  "Vulnerabilities":e -> "Exploitation Techniques":w;


  // Defences
  {
    rank=same;

    // Mainline Defences
    node [shape=oval, color=palegreen3, style=filled];
    "DEBUG_{LIST,SG,CREDENTIALS,NOTIFIERS,VIRTUAL}";
    "SLAB_FREELIST_RANDOM";
    "SHUFFLE_PAGE_ALLOCATOR";
    "STRICT_{KERNEL,MODULE}_RWX";
    "DEBUG_WX";
    "ARM64: RODATA_FULL_DEFAULT_ENABLED";
    "BUG_ON_DATA_CORRUPTION";
    "MODULE_SIG*";
    "bpf_jit_harden";
    "DEFAULT_MMAP_MIN_ADDR=65536";
    "SCHED_STACK_END_CHECK";
    "slab_nomerge"; // similar to disabled SLAB_MERGE_DEFAULT
    "LOCKDOWN_LSM";
    "LDISC_AUTOLOAD is not set";
    "STACKPROTECTOR";
    "ARM64: KASAN_HW_TAGS with ARM64_MTE" [fontsize=11];
    "Read-only swapper_pg_dir";
    "X86_64: pti=on (MITIGATION_PAGE_TABLE_ISOLATION)" [fontsize=11];
    "HW_RANDOM_TPM";
    "RANDOM_KMALLOC_CACHES";

    // Out-of-tree Defences
    node [shape=oval, color=cornflowerblue];
    "XPFO";
    "PROTECTABLE_MEMORY";
    "request_module_cap()";
    "Linux Kernel Runtime Guard"; // Disable MODULE_UNLOAD to make bypass harder

    // Commercial Defences
    node [shape=oval, color=lightgrey];
    "GRKERNSEC_KSTACKOVERFLOW";
    "PAX_REFCOUNT";
    "PAX_SIZE_OVERFLOW";
    "PAX_USERCOPY";
    "PAX_KERNEXEC";
    "GRKERNSEC_JIT_HARDEN";
    "PAX_MEMORY_STACKLEAK";
    "GRKERNSEC_MODHARDEN";
    grsecurity_hardened_usermodehelper [label="by default in grsecurity"];
    "AUTOSLAB";
    "PAX_LATENT_ENTROPY";
  }

  subgraph cluster_cfi {
    label="Control Flow Integrity";
    fontsize=16;
    rank=same;
    style="dashed";
    margin=15;
    // Generic Defence Techniques
    node [shape=oval, color=black, style=solid];
    "Coarse-grained Forward-edge CFI" [fontsize=11];
    "Fine-grained Forward-edge CFI" [fontsize=11];
    "Backward-edge CFI";
  }

  subgraph cluster_cwe514_mitigations {
    label="";
    rank=same;
    style="dashed";
    margin=35;

    node [shape=oval, color=palegreen3]; // Mainline Defences
    "mitigations=auto,nosmt";
    "CPU_MITIGATIONS";
    "X86_64: MICROCODE";
    "X86_64: MITIGATION_*";
    "X86_64: SCHED_CORE";
    "ARM64: MITIGATE_SPECTRE_BRANCH_HISTORY" [fontsize=11];
    "ARM64: HARDEN_BRANCH_PREDICTOR";
    "ARM64: UNMAP_KERNEL_AT_EL0";
    "ARM64: ARM64_E0PD";

    "RESPECTRE" [shape=oval, color=lightgrey]; // Commercial Defence
  }

  subgraph cluster_smap_pan_uderef {
    label="";
    rank=same;
    style="dashed";
    margin=15;
    "SMAP/PAN" [shape=oval, color=aquamarine]; // HW Defence
    "PAX_UDEREF" [shape=oval, color=lightgrey]; // Commercial Defence
  }

  subgraph cluster_smep_pxn {
    label="";
    rank=same;
    style="invis";
    margin=15;
    "SMEP/PXN" [shape=oval, color=aquamarine]; // HW Defences
  }

  subgraph cluster_ro {
    label="";
    rank=same;
    style="dashed";
    margin=15;
    // Commercial Defences
    node [shape=oval, color=lightgrey];
    "__read_only";
    "PAX_CONSTIFY_PLUGIN";
  }

  subgraph cluster_layout_randomization {
    label="Layout Randomization";
    rank=same;
    fontsize=18;
    style="dashed";
    margin=15;
    "RANDOMIZE_{BASE,MEMORY}" [shape=oval, color=palegreen3]; // Mainline Defence
    "ARM64: RANDOMIZE_MODULE_REGION_FULL" [shape=oval, color=palegreen3]; // Mainline Defence
    "GRKERNSEC_RANDSTRUCT" [shape=oval, color=lightgrey]; // Commercial Defence
    "PAX_RANDKSTACK" [shape=oval, color=lightgrey]; // Commercial Defence
  }

  subgraph cluster_info_exposure_mitigations {
    label="";
    rank=same;
    style="dashed";
    margin=15;
    "X86_64: X86_INTEL_UMIP" [shape=oval, color=palegreen3]; // Mainline Defence
    "kptr_restrict" [shape=oval, color=palegreen3]; // Mainline Defence
    "GRKERNSEC_HIDESYM" [shape=oval, color=lightgrey]; // Commercial Defence
    "GRKERNSEC_DMESG" [shape=oval, color=lightgrey]; // Commercial Defence
  }

  subgraph cluster_freelist_hardening {
    label="";
    rank=same;
    style="invis";
    margin=15;
    "SLAB_FREELIST_HARDENED" [shape=oval, color=palegreen3]; // Mainline Defence
    grsecurity_hardened_freelist [label="by default in grsecurity", shape=oval, color=lightgrey]; // Commercial Defence
  }

  subgraph cluster_stack_init {
    label="";
    rank=same;
    style="dashed";
    margin=15;
    "INIT_STACK_ALL_ZERO" [shape=oval, color=palegreen3]; // Mainline Defence
    "PAX_MEMORY_STRUCTLEAK" [shape=oval, color=lightgrey]; // Commercial Defence
  }

  subgraph cluster_heap_erasing {
    label="";
    rank=same;
    style="dashed";
    margin=15;
    "Heap free() Poisoning" [shape=oval, color=black, style=solid]; // Generic Defence Technique
    "init_on_alloc" [shape=oval, color=palegreen3]; // Mainline Defence
  }

  subgraph cluster_oob_detection {
    label="";
    rank=same;
    style="dashed";
    margin=15;
    node [shape=oval, color=palegreen3]; // Mainline Defence
    "FORTIFY_SOURCE";
    "UBSAN_BOUNDS";
  }

  // Defences: child nodes
  {
    rank=same;

    // Mainline Defences
    node [shape=oval, color=palegreen3];
    "REFCOUNT_FULL";
    "HARDENED_USERCOPY";
    "VMAP_STACK";
    "THREAD_INFO_IN_TASK";
    "RANDSTRUCT";
    "STRUCTLEAK_BYREF_ALL";
    "LATENT_ENTROPY";
    "__ro_after_init";
    "SECURITY_DMESG_RESTRICT";
    "ARM64: CPU_SW_DOMAIN_PAN";
    "ARM64: ARM64_SW_TTBR0_PAN";
    "STATIC_USERMODEHELPER";
    "slub_debug=P"; // object and padding poisoning
    "init_on_free";
    "PAGE_POISONING*";
    "STACKLEAK";
    "RANDOMIZE_KSTACK_OFFSET_DEFAULT";
    "CFI_CLANG (KCFI)";
    "ARM64: SHADOW_CALL_STACK" [fontsize=11];

    // Out-of-tree Defences
    node [shape=oval, color=cornflowerblue];

    // Commercial Defences
    node [shape=oval, color=lightgrey];
    "PAX_RAP";
    "PAX_MEMORY_SANITIZE";

    // HW Defences
    node [shape=oval, color=aquamarine];
    "ARM64: ARM64_PTR_AUTH_KERNEL" [fontsize=12];
    "ARM64: ARM64_BTI_KERNEL";
  }

  subgraph cluster_cet {
    label="";
    rank=same;
    style="invis";
    margin=10;
    "X86_64: Intel CET" [shape=oval, color=aquamarine]; // HW Defence
    "X86_64: X86_KERNEL_IBT" [shape=oval, color=palegreen3]; // Mainline Defence
    "X86_64: X86_SHADOW_STACK" [shape=oval, color=cornflowerblue]; // Out-of-tree Defence
  }

  subgraph cluster_cwe514_mitigations_2 {
    // Parts of "mitigations=auto,nosmt"
    label="";
    rank=same;
    style="dashed";
    margin=35;
    node [shape=oval, color=palegreen3]; // Mainline Defence
    "X86_64: spectre_v2";
    "X86_64: spectre_v2_user";
    "X86_64: spectre_bhi";
    "X86_64: spec_store_bypass_disable" [fontsize=11];
    "X86_64: l1tf";
    "X86_64: mds";
    "X86_64: tsx_async_abort";
    "X86_64: srbds";
    "X86_64: mmio_stale_data";
    "X86_64: retbleed";
    "X86_64: spec_rstack_overflow";
    "X86_64: gather_data_sampling";
    "X86_64: reg_file_data_sampling";
    "ARM64: kpti";
    "ARM64: ssbd";
  }

  // Defences relations
  edge [style=dashed, arrowhead=none, dir=none, headport=_, tailport=_];
  "CFI_CLANG (KCFI)":e -> "Fine-grained Forward-edge CFI":w;
  "ARM64: ARM64_BTI_KERNEL":e -> "Coarse-grained Forward-edge CFI":w;
  "X86_64: Intel CET":e -> "Coarse-grained Forward-edge CFI":w [style=invis];
  "X86_64: Intel CET":e -> "Backward-edge CFI":w [style=invis];
  "X86_64: X86_KERNEL_IBT":e -> "Coarse-grained Forward-edge CFI":w;
  "X86_64: X86_KERNEL_IBT" -> "X86_64: Intel CET" [constraint=false, style=dotted, penwidth=3];
  "X86_64: X86_SHADOW_STACK":e -> "Backward-edge CFI":w;
  "X86_64: X86_SHADOW_STACK" -> "X86_64: Intel CET" [constraint=false, style=dotted, penwidth=3];
  "PAX_RAP":e -> "Fine-grained Forward-edge CFI":w;
  "PAX_RAP":e -> "Backward-edge CFI":w;
  "ARM64: ARM64_PTR_AUTH_KERNEL":e -> "Backward-edge CFI":w;
  "ARM64: SHADOW_CALL_STACK":e -> "Backward-edge CFI":w;
  "PAX_MEMORY_SANITIZE":e -> "Heap free() Poisoning":w;
  "slub_debug=P":e -> "Heap free() Poisoning":w;
  "init_on_free":e -> "Heap free() Poisoning":w;
  "PAGE_POISONING*":e -> "Heap free() Poisoning":w;

  edge [style=dotted, arrowhead=none, dir=none, headport=_, tailport=_, penwidth=3];
  "REFCOUNT_FULL":e -> "PAX_REFCOUNT":w;
  "HARDENED_USERCOPY":e -> "PAX_USERCOPY":w;
  "VMAP_STACK":e -> "GRKERNSEC_KSTACKOVERFLOW":w;
  "THREAD_INFO_IN_TASK":e -> "GRKERNSEC_KSTACKOVERFLOW":w;
  "RANDSTRUCT":e -> "GRKERNSEC_RANDSTRUCT":w;
  "STRUCTLEAK_BYREF_ALL":e -> "PAX_MEMORY_STRUCTLEAK":w;
  "LATENT_ENTROPY":e -> "PAX_LATENT_ENTROPY":w;
  "__ro_after_init":e -> "__read_only":w;
  "SECURITY_DMESG_RESTRICT":e -> "GRKERNSEC_DMESG":w;
  "STACKLEAK":e -> "PAX_MEMORY_STACKLEAK":w;
  "ARM64: CPU_SW_DOMAIN_PAN":e -> "SMAP/PAN":w;
  "ARM64: ARM64_SW_TTBR0_PAN":e -> "SMAP/PAN":w;
  "STATIC_USERMODEHELPER":e -> grsecurity_hardened_usermodehelper:w;
  "SLAB_FREELIST_HARDENED" -> grsecurity_hardened_freelist [constraint=false];
  "RANDOMIZE_KSTACK_OFFSET_DEFAULT":e -> "PAX_RANDKSTACK":w;
  "X86_64: pti=on (MITIGATION_PAGE_TABLE_ISOLATION)" -> "mitigations=auto,nosmt" [constraint=false];
  "X86_64: spectre_v2":s -> "mitigations=auto,nosmt":w [ltail=cluster_cwe514_mitigations_2];


  // Vulnerabilities and Exploitation Techniques
  {
    rank=same;

    // Vulnerabilities
    node [shape=box, color=pink];
    "Stack Depth Overflow (CWE-674,?)" [URL="https://cwe.mitre.org/data/definitions/674.html"];
    "Int Overflow/Underflow (CWE-190/191)" [URL="https://cwe.mitre.org/data/definitions/190.html"];
    "Use-After-Free (CWE-416)" [URL="https://cwe.mitre.org/data/definitions/416.html"];
    "Double Free (CWE-415)" [URL="https://cwe.mitre.org/data/definitions/415.html"];
    "Race Condition (CWE-362)" [URL="https://cwe.mitre.org/data/definitions/362.html"];
    "Undefined Behaviour (CWE-758)" [URL="https://cwe.mitre.org/data/definitions/758.html"];
    "Type Confusion (CWE-843)" [URL="https://cwe.mitre.org/data/definitions/843.html"];
    "Double Fetch (CWE-367)" [URL="https://cwe.mitre.org/data/definitions/367.html"];
    "Memory Leak (CWE-401)" [URL="https://cwe.mitre.org/data/definitions/401.html"];
    "Transient Execution Vulnerabilities (CWE-514)" [URL="https://cwe.mitre.org/data/definitions/514.html"];
    "Insufficient Entropy (CWE-331)" [URL="https://cwe.mitre.org/data/definitions/331.html"];

    // Exploitation Techniques
    node [shape=box, color=gold];
    "Metadata Corruption";
    "Allocator Data Corruption";
    "Heap Layout Control";
    "Finding Kernel Objects";
    "JIT Abuse";
    "WX Area Abuse";
    "Changing Kernel Image";
    "Bad Module Loading";
    "'ops' Structures Overwrite";
    "Kernel Space Mirroring Attack";
  }

  subgraph cluster_oob {
    label="";
    rank=same;
    style="dashed";
    margin=25;

    // Vulnerabilities
    node [shape=box, color=pink];
    "Heap Out-of-Bounds Access (CWE-122,119)" [URL="https://cwe.mitre.org/data/definitions/122.html"];
    "Stack Out-of-Bounds Access (CWE-121,119)" [URL="https://cwe.mitre.org/data/definitions/121.html"];
    "Global Variable Out-of-Bounds Access (CWE-?,119)" [fontsize=12, margin="0.04", URL="https://cwe.mitre.org/data/definitions/119.html"];
  }

  subgraph cluster_userspace_access {
    label="";
    rank=same;
    style="dashed";
    margin=35;

    // Vulnerability
    "NULL Pointer Dereference (CWE-476)" [shape=box, color=pink, URL="https://cwe.mitre.org/data/definitions/476.html"];

    // Exploitation Technique
    "Userspace Data Access" [shape=box, color=gold];
  }

  subgraph cluster_control_flow_hijack {
    label="  Control Flow Hijack Techniques  ";
    fontsize=18;
    rank=same;
    style="dashed";
    margin=35;
    node [shape=box, color=gold]; // Exploitation Techniques
    subgraph cluster_with_rop {
      label="";
      margin=35;
      "ROP/JOP/COP";
      "ret2usr + ROP/JOP/COP";
      "ret2dir + ROP/JOP/COP";
    }
    "ret2usr";
    "ret2dir";
    "Return Address Overwrite" [fontsize=10.5];
  }

  subgraph cluster_info_exposures {
    label="";
    rank=same;
    style="dashed";
    margin=25;
    node [shape=box, color=pink]; // Vulnerabilities
    "Info Exposure (CWE-200)" [URL="https://cwe.mitre.org/data/definitions/200.html"];
    "Uninitialized Memory Usage (CWE-908)" [URL="https://cwe.mitre.org/data/definitions/908.html"];
  }

  subgraph cluster_hang {
    label="";
    rank=same;
    style="invis";
    margin=15;
    node [shape=box, color=pink]; // Vulnerabilities
    "Deadlock (CWE-833)" [URL="https://cwe.mitre.org/data/definitions/833.html"];
    "Infinite Loop (CWE-835)" [URL="https://cwe.mitre.org/data/definitions/835.html"];
  }


  // Bug Detection Mechanisms
  {
    rank=same;
    node [shape=octagon, color=mediumpurple];
    "UBSAN";
    "KMSAN";
    "KTSAN";
    "KCSAN";
    "KMEMLEAK";
    "PROVE_LOCKING";
    "DEBUG_ATOMIC_SLEEP";
    "LOCKUP_DETECTOR";
    "WQ_WATCHDOG";
    "slub_debug=F"; // sanity checks
    "slub_debug=Z"; // red zoning
  }

  subgraph cluster_uaf_detection {
    label="";
    rank=same;
    style="dashed";
    margin=15;
    node [shape=octagon, color=mediumpurple]; // Bug Detection Mechanisms
    "KASAN_GENERIC";
    "KFENCE";
  }

  // Relations: Bug Detection Mechanisms vs Vulnerabilities
  edge [style=solid, arrowhead=normal, dir=back, headport=_, tailport=_, penwidth=1.5];
  "Global Variable Out-of-Bounds Access (CWE-?,119)":e -> "KASAN_GENERIC":w [ltail=cluster_oob];
  "Use-After-Free (CWE-416)":e -> "KFENCE":w [lhead=cluster_uaf_detection];
  "Double Free (CWE-415)":e -> "KASAN_GENERIC" [lhead=cluster_uaf_detection];
  "Undefined Behaviour (CWE-758)":e -> "UBSAN":w;
  "Int Overflow/Underflow (CWE-190/191)":e -> "UBSAN":w;
  "Uninitialized Memory Usage (CWE-908)":e -> "KMSAN":w [ltail=cluster_info_exposures];
  "Race Condition (CWE-362)":e -> "KTSAN":w;
  "Race Condition (CWE-362)":e -> "KCSAN":w;
  "Memory Leak (CWE-401)":e -> "KMEMLEAK":w;
  "Deadlock (CWE-833)":e -> "PROVE_LOCKING":w;
  "Deadlock (CWE-833)":e -> "DEBUG_ATOMIC_SLEEP":w;
  "Infinite Loop (CWE-835)":e -> "LOCKUP_DETECTOR":w;
  "Infinite Loop (CWE-835)":e -> "WQ_WATCHDOG":w;
  "Heap Out-of-Bounds Access (CWE-122,119)":e -> "slub_debug=Z":w;
  "Double Free (CWE-415)":e -> "slub_debug=F":w;
  "Allocator Data Corruption":e -> "slub_debug=F":w;
  "Heap Out-of-Bounds Access (CWE-122,119)":e -> "KFENCE":w;


  // Relations: Defences vs Vulnerabilities and Exploitation Techniques
  edge [style=solid, arrowhead=normal, dir=forward, headport=_, tailport=_];
  "GRKERNSEC_KSTACKOVERFLOW":e -> "Stack Depth Overflow (CWE-674,?)":w;
  "PAX_MEMORY_STACKLEAK":e -> "Stack Depth Overflow (CWE-674,?)":w;
  "SCHED_STACK_END_CHECK":e -> "Stack Depth Overflow (CWE-674,?)":w;

  "PAX_USERCOPY":e -> "Heap Out-of-Bounds Access (CWE-122,119)":w;
  "ARM64: KASAN_HW_TAGS with ARM64_MTE":e -> "Heap Out-of-Bounds Access (CWE-122,119)":w;
  "FORTIFY_SOURCE":e -> "Heap Out-of-Bounds Access (CWE-122,119)" [ltail=cluster_oob_detection, lhead=cluster_oob];

  "PAX_USERCOPY":e -> "Stack Out-of-Bounds Access (CWE-121,119)":w;

  "PAX_REFCOUNT":e -> "Int Overflow/Underflow (CWE-190/191)":w;
  "PAX_SIZE_OVERFLOW":e -> "Int Overflow/Underflow (CWE-190/191)":w;

  "PAX_MEMORY_STACKLEAK":e -> "Uninitialized Memory Usage (CWE-908)" [lhead=cluster_info_exposures];
  "PAX_MEMORY_STRUCTLEAK":e -> "Uninitialized Memory Usage (CWE-908)" [ltail=cluster_stack_init, lhead=cluster_info_exposures];
  "Heap free() Poisoning":e -> "Uninitialized Memory Usage (CWE-908)" [ltail=cluster_heap_erasing, lhead=cluster_info_exposures];

  "Heap free() Poisoning":s -> "Use-After-Free (CWE-416)":w [ltail=cluster_heap_erasing];
  "ARM64: KASAN_HW_TAGS with ARM64_MTE":e -> "Use-After-Free (CWE-416)":w;

  "SLAB_FREELIST_HARDENED":e -> "Double Free (CWE-415)":w;
  "ARM64: KASAN_HW_TAGS with ARM64_MTE":e -> "Double Free (CWE-415)":w;

  "kptr_restrict":e -> "Info Exposure (CWE-200)":w [ltail=cluster_info_exposure_mitigations];

  "DEBUG_{LIST,SG,CREDENTIALS,NOTIFIERS,VIRTUAL}":e -> "Metadata Corruption":w;
  "BUG_ON_DATA_CORRUPTION":e -> "Metadata Corruption":w;
  "PROTECTABLE_MEMORY":e -> "Metadata Corruption":w;
  grsecurity_hardened_usermodehelper:e -> "Metadata Corruption":w;
  "Linux Kernel Runtime Guard":e -> "Metadata Corruption":w;

  grsecurity_hardened_freelist:e -> "Allocator Data Corruption":w;
  "SLAB_FREELIST_HARDENED":e -> "Allocator Data Corruption":w;

  "__read_only":e -> "'ops' Structures Overwrite":w [ltail=cluster_ro];

  "SLAB_FREELIST_RANDOM":e -> "Heap Layout Control":w;
  "slab_nomerge":e -> "Heap Layout Control":w;
  "SHUFFLE_PAGE_ALLOCATOR":e -> "Heap Layout Control":w;
  "AUTOSLAB":e -> "Heap Layout Control":w;
  "RANDOM_KMALLOC_CACHES":e -> "Heap Layout Control":w;

  "STACKPROTECTOR":e -> "Return Address Overwrite":w;
  "Backward-edge CFI":e -> "Return Address Overwrite":w;

  "Backward-edge CFI":n -> "ROP/JOP/COP":s [lhead=cluster_control_flow_hijack, ltail=cluster_cfi];

  "PAX_KERNEXEC":e -> "ret2usr":w;
  "X86_64: pti=on (MITIGATION_PAGE_TABLE_ISOLATION)":e -> "ret2usr":w;
  "SMEP/PXN":e -> "ret2usr":w;
  "SMAP/PAN":s -> "ret2usr":w [ltail=cluster_smap_pan_uderef];

  "PAX_UDEREF":n -> "Userspace Data Access":w [ltail=cluster_smap_pan_uderef, lhead=cluster_userspace_access];

  "DEFAULT_MMAP_MIN_ADDR=65536":e -> "NULL Pointer Dereference (CWE-476)":w;

  "SMAP/PAN":e -> "ret2usr + ROP/JOP/COP":w [ltail=cluster_smap_pan_uderef];

  "PAX_KERNEXEC":e -> "ret2dir":w;
  "XPFO":e -> "ret2dir":w;

  "XPFO":e -> "ret2dir + ROP/JOP/COP":w;

  "PAX_RANDKSTACK":e -> "Finding Kernel Objects":w [ltail=cluster_layout_randomization];

  "PAX_LATENT_ENTROPY":e -> "Insufficient Entropy (CWE-331)":w;
  "HW_RANDOM_TPM":e -> "Insufficient Entropy (CWE-331)":w;

  "GRKERNSEC_JIT_HARDEN":e -> "JIT Abuse":w;
  "bpf_jit_harden":e -> "JIT Abuse":w;

  "PAX_KERNEXEC":e -> "WX Area Abuse":w;
  "STRICT_{KERNEL,MODULE}_RWX":e -> "WX Area Abuse":w;
  "DEBUG_WX":e -> "WX Area Abuse":w;
  "ARM64: RODATA_FULL_DEFAULT_ENABLED":e -> "WX Area Abuse":w;

  "LOCKDOWN_LSM":e -> "Changing Kernel Image":w;
  "Linux Kernel Runtime Guard":e -> "Changing Kernel Image":w;

  "GRKERNSEC_MODHARDEN":e -> "Bad Module Loading":w;
  "MODULE_SIG*":e -> "Bad Module Loading":w;
  "request_module_cap()":e -> "Bad Module Loading":w;
  "LDISC_AUTOLOAD is not set":e -> "Bad Module Loading":w;

  "mitigations=auto,nosmt":e -> "Transient Execution Vulnerabilities (CWE-514)":w [ltail=cluster_cwe514_mitigations];
  "X86_64: pti=on (MITIGATION_PAGE_TABLE_ISOLATION)":e -> "Transient Execution Vulnerabilities (CWE-514)":w;

  "Read-only swapper_pg_dir":e -> "Kernel Space Mirroring Attack":w;
}