kcore_filtered

A Linux kernel module that creates /proc/kcore_filtered — a data-minimized alternative to /proc/kcore. Kernel memory is exposed in ELF core format (readable by drgn, readelf, crash) with user-space pages redacted to zeroes, reducing data exposure by 80–95%. Note: page-level filtering cannot catch user data fragments inside kernel slab objects (see doc/future-mitigation-layers.md).

Quick Start

make
sudo insmod kcore_filtered.ko
sudo drgn -c /proc/kcore_filtered   # safe kernel introspection

Build & Test

make                # build the module
make checkpatch     # kernel style check (0 errors, 0 warnings)
make sparse         # static analysis
make test           # full test suite (requires root + loaded module)

Filter Policy

Page Type	Default
Anonymous / swap-backed	DENY (zeroes)
Free / buddy	DENY
User page cache	DENY
Slab (kernel objects)	allow (configurable)
Kernel text / vmalloc / vmemmap	allow

Tune at load time: sudo insmod kcore_filtered.ko filter_slab=1

License

GPL-2.0-only — see LICENSE.

Name		Name	Last commit message	Last commit date
Latest commit History 28 Commits
.github		.github
doc		doc
tests		tests
.gitignore		.gitignore
AGENTS.md		AGENTS.md
LICENSE		LICENSE
Makefile		Makefile
README.md		README.md
elf_core.c		elf_core.c
elf_core.h		elf_core.h
kcore_filtered.4		kcore_filtered.4
kcore_filtered_main.c		kcore_filtered_main.c
page_filter.c		page_filter.c
page_filter.h		page_filter.h
region.c		region.c
region.h		region.h

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

kcore_filtered

Quick Start

Build & Test

Filter Policy

License

About

Uh oh!

Releases

Packages

Contributors 2

Uh oh!

Languages

License

sdimitro/kcore_filtered

Folders and files

Latest commit

History

Repository files navigation

kcore_filtered

Quick Start

Build & Test

Filter Policy

License

About

Resources

License

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Contributors 2

Uh oh!

Languages

Packages