gml4gtk/data/linux-kernel-defence-map.gv

//
// Linux Kernel Defence Map showing the relationships between:
//  - Vulnerability classes
//  - Exploitation techniques
//  - Bug detection mechanisms
//  - Defence technologies
//
// Author: Alexander Popov <alex.popov@linux.com>
//
// License terms: GNU General Public License (GPL), version 3.0.
// For details see LICENSE file.
//
// N.B. The node connections don't mean "full mitigation". These connections
// represent some kind of relation. So ideally, this map should help to navigate
// in documentation and Linux kernel sources.
//
// It is written in DOT language.
// How to generate svg:
//    dot -Tsvg linux-kernel-defence-map.dot -o linux-kernel-defence-map.svg
//
// References:
//
//  - The State of Kernel Self Protection by Kees Cook
//     https://outflux.net/slides/2018/lca/kspp.pdf
//
//  - grsecurity features
//     https://grsecurity.net/features.php
//
//  - Linux kernel security documentation:
//     https://www.kernel.org/doc/html/latest/security/self-protection.html
//
//  - Linux kernel mitigation checklist by Shawn C
//     https://github.com/hardenedlinux/grsecurity-101-tutorials/blob/master/kernel_mitigation.md
//
/*
https://github.com/a13xp0p0v/linux-kernel-defence-map

Linux kernel security is a very complex topic. Some defence technologies are provided by the Linux kernel mainline. Others are going out‑of‑tree for various reasons (some of them are commercial, for example). Plus there are kernel defences that depend on special hardware features.

It would be nice to have a graphical representation of the current state of Linux kernel security.

So I've created a Linux Kernel Defence Map showing the relationships between:

    Vulnerability classes
    Exploitation techniques
    Bug detection mechanisms
    Defence technologies

N.B. The node connections don't mean "full mitigation." Rather, each connection represents some kind of relationship. So this map should help to navigate the documentation and Linux kernel sources. It also provides the Common Weakness Enumeration (CWE) numbers for vulnerability classes.
How this Map is made

This map is written in the DOT language, which makes maintenance and updating in Git very convenient. The diagram is generated using GraphViz with the following command:

dot -Tsvg linux-kernel-defence-map.dot -o linux-kernel-defence-map.svg

Do you want to check your kernel config?

So there are plenty of security hardening options in the Linux kernel. A lot of them are not enabled by the major distros. We have to enable these options ourselves to make our systems more secure.

But nobody likes verifying configs manually. So I've created the kconfig-hardened-check that checks security hardening options of the Linux kernel. You are welcome to try it.
Documentation

    Grsecurity features:

    https://grsecurity.net/features.php

    The State of Kernel Self Protection by Kees Cook:

    https://outflux.net/slides/2018/lca/kspp.pdf

    Linux kernel security documentation:

    https://www.kernel.org/doc/html/latest/security/self-protection.html

    Linux kernel mitigation checklist by Shawn C:

    https://github.com/hardenedlinux/grsecurity-101-tutorials/blob/master/kernel_mitigation.md

    Trends, challenge, and shifts in software vulnerability mitigation by MSRC:

    https://github.com/Microsoft/MSRC-Security-Research/tree/master/presentations/2019_02_BlueHatIL

    Pursuing Durable Safety for Systems Software by Matt Miller @mamillmsft:

    https://www.sstic.org/2020/presentation/ouverture_2020/

    A Decade of Linux Kernel Vulnerabilities, their Mitigation and Open Problems by Abhilash Raj:

    https://github.com/maxking/linux-vulnerabilities-10-years

    Linux Kernel Runtime Guard (LKRG) threat model:

    https://openwall.info/wiki/p_lkrg/Threat_model

    Spectre & Meltdown Checker by Stéphane Lesimple @speed47

    https://github.com/speed47/spectre-meltdown-checker
*/

digraph {
  labelloc=top;
  fontsize=30;
  fontname=monospace;
  label="Linux Kernel Defence Map";
  compound=true;
  nodesep=0.5;
  splines=line;
  remincross=true;

  rankdir=LR;
  node [style=filled, fontname=monospace, margin="0.22,0.055"];

  subgraph cluster_legend {
    fontsize=25;
    label="Legend:";
    style="solid";
    margin=35;

    "Mainline Defences" [shape=oval, color=palegreen3];
    "Out-of-tree Defences" [shape=oval, color=cornflowerblue];
    "Commercial Defences" [shape=oval, color=lightgrey];
    "HW Defences" [shape=oval, color=aquamarine];
    "Generic Defence Techniques" [shape=oval, color=black, style=solid];
    "Bug Detection" [shape=octagon, color=mediumpurple];
    "Vulnerabilities" [shape=box, color=pink];
    "Exploitation Techniques" [shape=box, color=gold];
  }

  // For pretty legend layout:
  edge [arrowhead=none, style=invis];
  "Mainline Defences":e -> "Out-of-tree Defences";
  "Out-of-tree Defences":e -> "Commercial Defences";
  "Commercial Defences":e -> "HW Defences";
  "Generic Defence Techniques":e -> "Bug Detection";
  "Bug Detection":e -> "Vulnerabilities";
  "Vulnerabilities":e -> "Exploitation Techniques";


  // Defences
  {
    rank=same;

    // Mainline Defences
    node [shape=oval, color=palegreen3, style=filled];
    "DEBUG_{LIST,SG,CREDENTIALS,NOTIFIERS,VIRTUAL}";
    "SLAB_FREELIST_RANDOM";
    "SHUFFLE_PAGE_ALLOCATOR";
    "STRICT_{KERNEL,MODULE}_RWX";
    "DEBUG_WX";
    "ARM: RODATA_FULL_DEFAULT_ENABLED";
    "BUG_ON_DATA_CORRUPTION";
    "MODULE_SIG*";
    "SECURITY_LOADPIN";
    "bpf_jit_harden";
    "DEFAULT_MMAP_MIN_ADDR=65536";
    "SCHED_STACK_END_CHECK";
    "TIF_FSCHECK flag";
    "slab_nomerge"; // similar to disabled SLAB_MERGE_DEFAULT
    "LOCKDOWN_LSM";
    "unprivileged_userfaultfd=0";
    "LDISC_AUTOLOAD is not set";
    "ARM: SHADOW_CALL_STACK";
    "STACKPROTECTOR";
    "ARM: KASAN_HW_TAGS with ARM64_MTE";

    // Mainline Defences against Transient Execution Attacks
    "X86: mds=full,nosmt";
    "X86: l1tf=full,force";

    // Out-of-tree Defences
    node [shape=oval, color=cornflowerblue];
    "XPFO";
    "PROTECTABLE_MEMORY";
    "request_module_cap()";
    "LKRG"; // Disable MODULE_UNLOAD to make bypass harder

    // Commercial Defences
    node [shape=oval, color=lightgrey];
    "GRKERNSEC_KSTACKOVERFLOW";
    "PAX_REFCOUNT";
    "PAX_SIZE_OVERFLOW";
    "PAX_USERCOPY";
    "PAX_KERNEXEC";
    "GRKERNSEC_JIT_HARDEN";
    "PAX_MEMORY_STACKLEAK";
    "GRKERNSEC_MODHARDEN";
    grsecurity_hardened_usermodehelper [label="by default in grsecurity"];
    "AUTOSLAB";

    // HW Defences
    node [shape=oval, color=aquamarine];
    "SMEP/PXN";

    // Generic Defence Techniques
    node [shape=oval, color=black, style=solid];
    "Control Flow Integrity";
  }

  subgraph cluster_cwe514_mitigations {
    label="";
    rank=same;
    style="solid"; // Should work together
    margin=10;
    node [shape=oval, color=palegreen3]; // Mainline Defences
    "mitigations=auto,nosmt";
    "X86: MICROCODE";
  }

  subgraph cluster_pti {
    label="";
    rank=same;
    style="solid"; // Similar functionality, for different architectures
    margin=10;
    node [shape=oval, color=palegreen3]; // Mainline Defences
    "X86: pti=on (PAGE_TABLE_ISOLATION)";
    "ARM: kpti=on (UNMAP_KERNEL_AT_EL0)";
  }

  subgraph cluster_smap_pan_uderef {
    label="";
    rank=same;
    style="solid"; // Similar functionality
    margin=10;
    "SMAP/PAN" [shape=oval, color=aquamarine]; // HW Defence
    "PAX_UDEREF" [shape=oval, color=lightgrey]; // Commercial Defence
  }

  subgraph cluster_ro {
    label="";
    rank=same;
    style="dashed";
    margin=15;
    // Commercial Defences
    node [shape=oval, color=lightgrey];
    "__read_only";
    "PAX_CONSTIFY_PLUGIN";
  }

  subgraph cluster_v1_mitigations {
    label="";
    rank=same;
    style="solid"; // Similar functionality
    margin=15;
    "RESPECTRE" [shape=oval, color=lightgrey]; // Commercial Defence
    "Manual usage of nospec barriers" [shape=oval, color=palegreen3]; // Mainline Defence
  }

  subgraph cluster_v2_mitigations {
    label="";
    rank=same;
    style="solid"; // Similar functionality, for different architectures
    margin=15;
    node [shape=oval, color=palegreen3]; // Mainline Defence
    "X86: spectre_v2=on (RETPOLINE)";
    "ARM: HARDEN_BRANCH_PREDICTOR";
  }

  subgraph cluster_ssb_mitigations {
    label="";
    rank=same;
    style="solid"; // Similar functionality, for different architectures
    margin=15;
    node [shape=oval, color=palegreen3]; // Mainline Defence
    "X86: spec_store_bypass_disable=on";
    "ARM: ssbd=force-on";
  }

  subgraph cluster_layout_randomization {
    label="Layout Randomization";
    rank=same;
    fontsize=18;
    style="dashed";
    margin=15;
    "RANDOMIZE_{BASE,MEMORY}" [shape=oval, color=palegreen3]; // Mainline Defence
    "GRKERNSEC_RANDSTRUCT" [shape=oval, color=lightgrey]; // Commercial Defence
    "PAX_RANDKSTACK" [shape=oval, color=lightgrey]; // Commercial Defence
    "PAX_LATENT_ENTROPY" [shape=oval, color=lightgrey]; // Commercial Defence
  }

  subgraph cluster_info_exposure_mitigations {
    label="";
    rank=same;
    style="dashed";
    margin=15;
    "X86: X86_INTEL_UMIP" [shape=oval, color=palegreen3]; // Mainline Defence
    "kptr_restrict" [shape=oval, color=palegreen3]; // Mainline Defence
    "GRKERNSEC_HIDESYM" [shape=oval, color=lightgrey]; // Commercial Defence
    "GRKERNSEC_DMESG" [shape=oval, color=lightgrey]; // Commercial Defence
  }

  subgraph cluster_freelist_hardening {
    label="";
    rank=same;
    style="invis";
    margin=15;
    "SLAB_FREELIST_HARDENED" [shape=oval, color=palegreen3]; // Mainline Defence
    grsecurity_hardened_freelist [label="by default in grsecurity", shape=oval, color=lightgrey]; // Commercial Defence
  }

  subgraph cluster_stack_init {
    label="";
    rank=same;
    style="solid"; // Similar functionality
    margin=15;
    "INIT_STACK_ALL_ZERO" [shape=oval, color=palegreen3]; // Mainline Defence
    "PAX_MEMORY_STRUCTLEAK" [shape=oval, color=lightgrey]; // Commercial Defence
  }

  subgraph cluster_heap_erasing {
    label="";
    rank=same;
    style="dashed";
    margin=15;
    "Heap free() Poisoning" [shape=oval, color=black, style=solid]; // Generic Defence Technique
    "init_on_alloc" [shape=oval, color=palegreen3]; // Mainline Defence
  }

  subgraph cluster_oob_detection {
    label="";
    rank=same;
    style="dashed";
    margin=15;
    node [shape=oval, color=palegreen3]; // Mainline Defence
    "FORTIFY_SOURCE";
    "UBSAN_BOUNDS";
  }

  // Defences: child nodes
  {
    rank=same;

    // Mainline Defences
    node [shape=oval, color=palegreen3];
    "REFCOUNT_FULL";
    "HARDENED_USERCOPY";
    "PAGE_POISONING";
    "VMAP_STACK";
    "THREAD_INFO_IN_TASK";
    "RANDSTRUCT";
    "STRUCTLEAK_BYREF_ALL";
    "LATENT_ENTROPY";
    "__ro_after_init";
    "SECURITY_DMESG_RESTRICT";
    "ARM: CPU_SW_DOMAIN_PAN";
    "ARM: ARM64_SW_TTBR0_PAN";
    "STATIC_USERMODEHELPER";
    "slub_debug=P"; // object and padding poisoning
    "init_on_free";
    "STACKLEAK";

    // Out-of-tree Defences
    node [shape=oval, color=cornflowerblue];
    "RANDOMIZE_KSTACK_OFFSET_DEFAULT";
    "Clang CFI";

    // Commercial Defences
    node [shape=oval, color=lightgrey];
    "PAX_RAP";
    "PAX_MEMORY_SANITIZE";

    // HW Defences
    node [shape=oval, color=aquamarine];
    "ARM: ARM64_PTR_AUTH + ARM64_BTI_KERNEL" [fontsize=10];
    "X86: Intel CET";
  }

  // Defences relations
  edge [style=dotted, arrowhead=none, dir=none, headport=_, tailport=_];
  "Clang CFI":e -> "Control Flow Integrity":w;
  "PAX_RAP":e -> "Control Flow Integrity":w;
  "ARM: ARM64_PTR_AUTH + ARM64_BTI_KERNEL":e -> "Control Flow Integrity":w;
  "X86: Intel CET":e -> "Control Flow Integrity":w;
  "REFCOUNT_FULL":e -> "PAX_REFCOUNT":w;
  "HARDENED_USERCOPY":e -> "PAX_USERCOPY":w;
  "PAGE_POISONING" -> "PAX_MEMORY_SANITIZE";
  "VMAP_STACK":e -> "GRKERNSEC_KSTACKOVERFLOW":w;
  "THREAD_INFO_IN_TASK":e -> "GRKERNSEC_KSTACKOVERFLOW":w;
  "RANDSTRUCT":e -> "GRKERNSEC_RANDSTRUCT";
  "STRUCTLEAK_BYREF_ALL":e -> "PAX_MEMORY_STRUCTLEAK":w;
  "LATENT_ENTROPY":e -> "PAX_LATENT_ENTROPY";
  "__ro_after_init":e -> "__read_only";
  "SECURITY_DMESG_RESTRICT":e -> "GRKERNSEC_DMESG";
  "STACKLEAK":e -> "PAX_MEMORY_STACKLEAK":w;
  "ARM: CPU_SW_DOMAIN_PAN":e -> "SMAP/PAN":w;
  "ARM: ARM64_SW_TTBR0_PAN":e -> "SMAP/PAN":w;
  "STATIC_USERMODEHELPER":e -> grsecurity_hardened_usermodehelper;
  "SLAB_FREELIST_HARDENED" -> grsecurity_hardened_freelist [constraint=false];
  "PAX_MEMORY_SANITIZE":e -> "Heap free() Poisoning":w [style=filled];
  "slub_debug=P":e -> "Heap free() Poisoning":w [style=filled];
  "init_on_free" -> "Heap free() Poisoning":w [style=filled];
  "RANDOMIZE_KSTACK_OFFSET_DEFAULT":e -> "PAX_RANDKSTACK";


  // Vulnerabilities and Exploitation Techniques
  {
    rank=same;

    // Vulnerabilities
    node [shape=box, color=pink];
    "Stack Depth Overflow (CWE-674,?)" [URL="https://cwe.mitre.org/data/definitions/674.html"];
    "Int Overflow/Underflow (CWE-190/191)" [URL="https://cwe.mitre.org/data/definitions/190.html"];
    "Use-After-Free (CWE-416)" [URL="https://cwe.mitre.org/data/definitions/416.html"];
    "Double Free (CWE-415)" [URL="https://cwe.mitre.org/data/definitions/415.html"];
    "Race Condition (CWE-362)" [URL="https://cwe.mitre.org/data/definitions/362.html"];
    "Undefined Behaviour (CWE-758)" [URL="https://cwe.mitre.org/data/definitions/758.html"];
    "Type Confusion (CWE-843)" [URL="https://cwe.mitre.org/data/definitions/843.html"];
    "Double Fetch (CWE-367)" [URL="https://cwe.mitre.org/data/definitions/367.html"];
    "Memory Leak (CWE-401)" [URL="https://cwe.mitre.org/data/definitions/401.html"];

    // Exploitation Techniques
    node [shape=box, color=gold];
    "Metadata Corruption";
    "Allocator Data Corruption";
    "Heap Layout Control";
    "Finding Kernel Objects";
    "JIT Abuse";
    "WX Area Abuse";
    "Changing Kernel Image";
    "Bad Module Loading";
    "Unbalanced set_fs()";
    "'ops' Structures Overwrite";
  }

  subgraph cluster_oob {
    label="";
    rank=same;
    style="dashed";
    margin=25;

    // Vulnerabilities
    node [shape=box, color=pink];
    "Heap Out-of-Bounds Access (CWE-122,119)" [URL="https://cwe.mitre.org/data/definitions/122.html"];
    "Stack Out-of-Bounds Access (CWE-121,119)" [URL="https://cwe.mitre.org/data/definitions/121.html"];
    "Global Variable Out-of-Bounds Access (CWE-?,119)" [fontsize=12, margin="0.04", URL="https://cwe.mitre.org/data/definitions/119.html"];
  }

  subgraph cluster_userspace_access {
    label="";
    rank=same;
    style="dashed";
    margin=25;

    // Vulnerability
    "NULL Pointer Dereference (CWE-476)" [shape=box, color=pink, URL="https://cwe.mitre.org/data/definitions/476.html"];

    // Exploitation Technique
    "Userspace Data Access" [shape=box, color=gold];
  }

  subgraph cluster_control_flow_hijack {
    label="  Control Flow Hijack Techniques  ";
    fontsize=18;
    rank=same;
    style="dashed";
    margin=25;
    node [shape=box, color=gold]; // Exploitation Techniques
    subgraph cluster_with_rop {
      label="";
      margin=25;
      "ROP";
      "ret2usr + ROP";
      "ret2dir + ROP";
    }
    "ret2usr";
    "ret2dir";
    "Return Address Overwrite";
  }

  subgraph cluster_info_exposures {
    label="";
    rank=same;
    style="dashed";
    margin=25;
    node [shape=box, color=pink]; // Vulnerabilities
    "Info Exposure (CWE-200)" [URL="https://cwe.mitre.org/data/definitions/200.html"];
    "Uninitialized Memory Usage (CWE-908)" [URL="https://cwe.mitre.org/data/definitions/908.html"];
  }

  subgraph cluster_hang {
    label="";
    rank=same;
    style="invis";
    margin=25;
    node [shape=box, color=pink]; // Vulnerabilities
    "Deadlock (CWE-833)" [URL="https://cwe.mitre.org/data/definitions/833.html"];
    "Infinite Loop (CWE-835)" [URL="https://cwe.mitre.org/data/definitions/835.html"];
  }

  subgraph cluster_transient_execution_vulnerabilities {
    label="Transient Execution Vulnerabilities \n (Covert Channels, CWE-514)";
    URL="https://cwe.mitre.org/data/definitions/514.html";
    rank=same;
    fontsize=18;
    style="solid"; // CWE-514
    margin=25;
    node [shape=box, color=pink]; // Vulnerabilities

    subgraph cluster_v1 {
      label="";
      style="solid";
      margin=25;
      "Spectre v1 / BCB / CVE-2017-5753";
      "Spectre v1.1 / BCBS / CVE-2018-3693";
      "Spectre v1 swapgs / CVE-2019-1125";
    }
    subgraph cluster_v2 {
      label="";
      style="solid";
      margin=25;
      "Spectre v2 / BTI / CVE-2017-5715";
      "Spectre RSB / CVE-2018-15572";
    }
    "Spectre v3 / RDCL / CVE-2017-5754 / Meltdown";
    "Spectre v3a / RSRE / CVE-2018-3640";
    "Spectre v4 / SSB / CVE-2018-3639";
    "L1TF / CVE-2018-3620,3646 / Foreshadow";
    "Lazy FP State Restore / CVE-2018-3665";
    subgraph cluster_mds_all {
      label="MDS (aka RIDL)";
      style="solid";
      margin=25;
      subgraph cluster_mds {
        label="";
        "MFBDS / CVE-2018-12130 / ZombieLoad";
        "MLPDS / CVE-2018-12127";
        "MDSUM / CVE-2019-11091";
        "TAA / CVE-2019-11135 / ZombieLoad v2 ";
        "MSBDS / CVE-2018-12126 / Fallout";
        "VRS / CVE-2020-0548";
      }
      "SRBDS / CVE-2020-0543 / CROSSTalk";
      "L1DES / CVE-2020-0549 / CacheOut";
      "Snoop / CVE-2020-0550";
    }
  }


  // Bug Detection Mechanisms
  {
    rank=same;
    node [shape=octagon, color=mediumpurple];
    "UBSAN";
    "KMSAN";
    "KTSAN";
    "KCSAN";
    "KMEMLEAK";
    "PROVE_LOCKING";
    "DEBUG_ATOMIC_SLEEP";
    "LOCKUP_DETECTOR";
    "WQ_WATCHDOG";
    "slub_debug=F"; // sanity checks
    "slub_debug=Z"; // red zoning
  }

  subgraph cluster_uaf_detection {
    label="";
    rank=same;
    style="dashed";
    margin=25;
    node [shape=octagon, color=mediumpurple]; // Bug Detection Mechanisms
    "KASAN_GENERIC";
    "KFENCE";
  }

  // Relations: Bug Detection Mechanisms vs Vulnerabilities
  edge [style=solid, arrowhead=normal, dir=back, headport=_, tailport=_];
  "Global Variable Out-of-Bounds Access (CWE-?,119)":e -> "KASAN_GENERIC":w [ltail=cluster_oob];
  "Use-After-Free (CWE-416)":e -> "KFENCE" [lhead=cluster_uaf_detection];
  "Double Free (CWE-415)":e -> "KASAN_GENERIC" [lhead=cluster_uaf_detection];
  "Undefined Behaviour (CWE-758)":e -> "UBSAN";
  "Int Overflow/Underflow (CWE-190/191)":e -> "UBSAN";
  "Uninitialized Memory Usage (CWE-908)":e -> "KMSAN" [ltail=cluster_info_exposures];
  "Race Condition (CWE-362)":e -> "KTSAN";
  "Race Condition (CWE-362)":e -> "KCSAN";
  "Memory Leak (CWE-401)":e -> "KMEMLEAK";
  "Deadlock (CWE-833)" -> "PROVE_LOCKING":w;
  "Deadlock (CWE-833)" -> "DEBUG_ATOMIC_SLEEP":w;
  "Infinite Loop (CWE-835)" -> "LOCKUP_DETECTOR":w;
  "Infinite Loop (CWE-835)" -> "WQ_WATCHDOG":w;
  "Heap Out-of-Bounds Access (CWE-122,119)":e -> "slub_debug=Z":w;
  "Double Free (CWE-415)" -> "slub_debug=F";
  "Allocator Data Corruption" -> "slub_debug=F";
  "Heap Out-of-Bounds Access (CWE-122,119)":e -> "KFENCE":w;


  // Relations: Defences vs Vulnerabilities and Exploitation Techniques
  edge [style=solid, arrowhead=normal, dir=forward, headport=_, tailport=_];
  "GRKERNSEC_KSTACKOVERFLOW":e -> "Stack Depth Overflow (CWE-674,?)";
  "PAX_MEMORY_STACKLEAK":e -> "Stack Depth Overflow (CWE-674,?)";
  "SCHED_STACK_END_CHECK":e -> "Stack Depth Overflow (CWE-674,?)";

  "PAX_USERCOPY":e -> "Heap Out-of-Bounds Access (CWE-122,119)":w;
  "ARM: KASAN_HW_TAGS with ARM64_MTE":e -> "Heap Out-of-Bounds Access (CWE-122,119)":w;
  "FORTIFY_SOURCE":e -> "Heap Out-of-Bounds Access (CWE-122,119)" [ltail=cluster_oob_detection, lhead=cluster_oob];

  "PAX_USERCOPY":e -> "Stack Out-of-Bounds Access (CWE-121,119)":w;

  "PAX_REFCOUNT":e -> "Int Overflow/Underflow (CWE-190/191)";
  "PAX_SIZE_OVERFLOW":e -> "Int Overflow/Underflow (CWE-190/191)";

  "PAX_MEMORY_STACKLEAK":e -> "Uninitialized Memory Usage (CWE-908)" [lhead=cluster_info_exposures];
  "PAX_MEMORY_STRUCTLEAK":e -> "Uninitialized Memory Usage (CWE-908)" [ltail=cluster_stack_init, lhead=cluster_info_exposures];
  "Heap free() Poisoning":e -> "Uninitialized Memory Usage (CWE-908)" [ltail=cluster_heap_erasing, lhead=cluster_info_exposures];

  "Heap free() Poisoning":s -> "Use-After-Free (CWE-416)" [ltail=cluster_heap_erasing];
  "ARM: KASAN_HW_TAGS with ARM64_MTE":e -> "Use-After-Free (CWE-416)":w;

  "SLAB_FREELIST_HARDENED":e -> "Double Free (CWE-415)";
  "ARM: KASAN_HW_TAGS with ARM64_MTE":e -> "Double Free (CWE-415)":w;

  "kptr_restrict":e -> "Info Exposure (CWE-200)":w [ltail=cluster_info_exposure_mitigations];

  "DEBUG_{LIST,SG,CREDENTIALS,NOTIFIERS,VIRTUAL}":e -> "Metadata Corruption";
  "BUG_ON_DATA_CORRUPTION":e -> "Metadata Corruption";
  "PROTECTABLE_MEMORY":e -> "Metadata Corruption";
  grsecurity_hardened_usermodehelper:e -> "Metadata Corruption";
  "LKRG":e -> "Metadata Corruption";

  grsecurity_hardened_freelist:e -> "Allocator Data Corruption";
  "SLAB_FREELIST_HARDENED":e -> "Allocator Data Corruption";

  "__read_only":e -> "'ops' Structures Overwrite" [ltail=cluster_ro];

  "SLAB_FREELIST_RANDOM":e -> "Heap Layout Control";
  "slab_nomerge":e -> "Heap Layout Control";
  "SHUFFLE_PAGE_ALLOCATOR":e -> "Heap Layout Control";
  "unprivileged_userfaultfd=0":e -> "Heap Layout Control";
  "AUTOSLAB":e -> "Heap Layout Control";

  "STACKPROTECTOR":e -> "Return Address Overwrite":w;
  "ARM: SHADOW_CALL_STACK":e -> "Return Address Overwrite":w;
  "Control Flow Integrity":e -> "Return Address Overwrite":w;

  "Control Flow Integrity":e -> "ROP" [lhead=cluster_with_rop];

  "PAX_KERNEXEC":e -> "ret2usr":w;
  "X86: pti=on (PAGE_TABLE_ISOLATION)":e -> "ret2usr":w [ltail=cluster_pti];
  "SMEP/PXN":e -> "ret2usr":w;
  "SMAP/PAN":s -> "ret2usr":w [ltail=cluster_smap_pan_uderef];

  "SMAP/PAN":s -> "Userspace Data Access" [ltail=cluster_smap_pan_uderef, lhead=cluster_userspace_access];

  "DEFAULT_MMAP_MIN_ADDR=65536":e -> "NULL Pointer Dereference (CWE-476)":w;

  "SMAP/PAN":s -> "ret2usr + ROP":sw [ltail=cluster_smap_pan_uderef];

  "PAX_KERNEXEC":e -> "ret2dir";
  "XPFO":e -> "ret2dir";

  "XPFO":e -> "ret2dir + ROP";

  "PAX_RANDKSTACK":e -> "Finding Kernel Objects" [ltail=cluster_layout_randomization];

  "GRKERNSEC_JIT_HARDEN":e -> "JIT Abuse";
  "bpf_jit_harden":e -> "JIT Abuse";

  "PAX_KERNEXEC":e -> "WX Area Abuse";
  "STRICT_{KERNEL,MODULE}_RWX":e -> "WX Area Abuse";
  "DEBUG_WX":e -> "WX Area Abuse";
  "ARM: RODATA_FULL_DEFAULT_ENABLED":e -> "WX Area Abuse";

  "LOCKDOWN_LSM":e -> "Changing Kernel Image";
  "LKRG":e -> "Changing Kernel Image";

  "GRKERNSEC_MODHARDEN":e -> "Bad Module Loading";
  "MODULE_SIG*":e -> "Bad Module Loading";
  "SECURITY_LOADPIN":e -> "Bad Module Loading";
  "request_module_cap()":e -> "Bad Module Loading";
  "LDISC_AUTOLOAD is not set":e -> "Bad Module Loading";

  "TIF_FSCHECK flag":e -> "Unbalanced set_fs()";

  "mitigations=auto,nosmt":e -> "Spectre v3a / RSRE / CVE-2018-3640" [ltail=cluster_cwe514_mitigations, lhead=cluster_transient_execution_vulnerabilities]
  "RESPECTRE":e -> "Spectre v1 / BCB / CVE-2017-5753" [ltail=cluster_v1_mitigations, lhead=cluster_v1];
  "X86: spectre_v2=on (RETPOLINE)":e -> "Spectre v2 / BTI / CVE-2017-5715" [ltail=cluster_v2_mitigations, lhead=cluster_v2];
  "X86: pti=on (PAGE_TABLE_ISOLATION)":e -> "Spectre v3 / RDCL / CVE-2017-5754 / Meltdown":w [ltail=cluster_pti];
  "X86: spec_store_bypass_disable=on":e -> "Spectre v4 / SSB / CVE-2018-3639" [ltail=cluster_ssb_mitigations];
  "X86: l1tf=full,force":e -> "L1TF / CVE-2018-3620,3646 / Foreshadow":w;
  "X86: l1tf=full,force":e -> "L1DES / CVE-2020-0549 / CacheOut":w;
  "X86: l1tf=full,force":e -> "Snoop / CVE-2020-0550":w;
  "X86: mds=full,nosmt":e -> "MSBDS / CVE-2018-12126 / Fallout" [lhead=cluster_mds];
}