Course preview

Linux Kernel Module Development

A 5-day, 40-hour hands-on training on writing, debugging, hardening, and reviewing production-quality Linux kernel modules with emphasis on the networking subsystem.

5 days · 40 hours · 16 labs · 10 modules · Capstone project

Real-world context

Built around the KoviD research project

Students analyze real rootkit code for networking, hiding, and detection throughout the course — not contrived textbook examples.

Lab-first delivery

Every module has hands-on labs

Students write real kernel modules from Day 1. Labs build on each other and culminate in a capstone network monitoring LKM.

10 modules across 5 days

Full module map

From kernel fundamentals to a capstone project. Networking gets a full day. Security runs through every module.

Module 01 · Day 1 · 2.5 h

Kernel Internals and Architecture

Monolithic architecture, major subsystems, user/kernel boundary, system calls, /proc and /sys interfaces, task_struct.

Module 02 · Day 1 · 3 h

Loadable Kernel Modules

Module lifecycle, init/exit, parameters, Kbuild, /proc and sysfs interfaces, symbol exports, cross-version compatibility.

Module 03 · Day 2 · 7 h

Kernel Networking

Full network stack from NIC to socket layer, sk_buff, Netfilter hooks, connection tracking, kernel TCP/UDP sockets, KoviD case study.

Module 04 · Day 3 · 3 h

Memory Management

Virtual address space, memory zones, kmalloc/vmalloc/slab, GFP flags, DMA mapping, KASAN, KFENCE, memory pools.

Module 05 · Day 3 · 3.5 h

Concurrency and Locking

Spinlocks, mutexes, RCU deep dive, per-CPU variables, atomic operations, wait queues, memory barriers, lockdep.

Module 06 · Day 4 · 3.5 h

Debugging and Tracing

printk, ftrace, kprobes/kretprobes, eBPF and BCC tools, perf and flame graphs, crash analysis, KGDB.

Module 07 · Day 4 · 3.5 h

Secure Coding

Kernel threat model, buffer and integer overflows, use-after-free, TOCTOU, input validation, capability checks.

Module 08 · Day 4 · 4 h

Hardening

Build-time hardening, KASLR, CFI, module signing, kernel lockdown, LSM framework, rootkit detection techniques.

Module 09 · Day 5 · 3.5 h

Code Review

Kernel coding style, checkpatch, sparse, smatch, coccinelle, security-focused review checklist, KUnit testing.

Module 10 · Day 5 · 8 h

Capstone Project

Build a complete Secure Network Monitoring LKM integrating Netfilter, per-CPU counters, RCU, /proc, capability checks.

Before you start

Prerequisites

This training assumes working-level Linux and C skills. It is not an introductory course.

  • Strong C programming — pointers, memory management, data structures
  • Linux system administration — shell, package management, service management
  • Basic OS concepts — processes, memory, I/O, scheduling
  • Git version control familiarity
  • x86_64 assembly helpful but not required

Who this is for

Target audience

Built for teams that work close to the kernel and need practical, lab-verified skills.

Security vendors

Validating Linux detection coverage, building kernel-level visibility, or training engineering teams on module development.

Blue teams

Building detection engineering workflows, understanding rootkit techniques, and hardening kernel configurations.

Platform defenders

Running Linux fleets in cloud or on-prem environments and needing kernel-level debugging and hardening skills.

Technical instructors

Looking for a serious, lab-heavy curriculum they can deliver to internal teams or training cohorts.

Preview materials

See what the course looks like inside

A sample lab, the full environment setup, and how the AI tutor works.
