KernelGuard

0.2.2 verified Sat May 09 auth: no python

KernelGuard is a rule-based GPU kernel hack detector for Python. It scans CUDA and HIP kernel source for suspicious patterns indicative of potential exploits or malicious modifications. Version 0.2.2 is current, with weekly releases.

pip install kernelguard

Common errors

error AttributeError: module 'kernelguard' has no attribute 'scan' ↓

cause scan is no longer a top-level function; use KernelScanner

fix

from kernelguard import KernelScanner; scanner = KernelScanner(); scanner.scan(source)

error TypeError: Rule.__init__() got an unexpected keyword argument 'severity' ↓

cause In 0.2.0, severity parameter changed to expect RuleSeverity enum, but the error occurs when passing a string that is not a valid keyword (actually older API).

fix

Use enum: from kernelguard import RuleSeverity; Rule(..., severity=RuleSeverity.HIGH)

error ValueError: Pattern is not a valid regex ↓

cause Pattern string contains unescaped characters that cause invalid regex

fix

Use raw string r"..." and escape special regex characters.

Warnings

gotcha KernelScanner.scan() expects a string, not a file path — use open().read() first. ↓

fix with open('kernel.cu') as f: source = f.read()

deprecated The 'rules' parameter in KernelScanner constructor is deprecated in 0.2.0; use add_rule() instead. ↓

fix scanner = KernelScanner(); scanner.add_rule(rule)

breaking Rule severity enum values changed in 0.2.0 from strings ('low', 'medium', 'high') to enum members (RuleSeverity.LOW etc.). ↓

fix from kernelguard import RuleSeverity; rule = Rule(..., severity=RuleSeverity.HIGH)

gotcha Patterns must be raw strings or escaped properly — backslashes are Python string escapes. ↓

fix Use r"pattern" instead of "pattern".

Imports

KernelScanner

wrong

from kernelguard.scanner import KernelScanner

correct

from kernelguard import KernelScanner

KernelScanner is a top-level export.

scan_kernel
wrong
```
import kernelguard; kernelguard.scan_kernel()
```
correct
```
from kernelguard import scan_kernel
```
scan_kernel is not a module attribute; it's a function exported at package level.

Quickstart

Basic scan with custom rule.

from kernelguard import KernelScanner, Rule
import os

scanner = KernelScanner()
rule = Rule(
    name="check_unsafe_memcpy",
    pattern=r"cudaMemcpy\s*\(",
    severity="high",
    message="Direct cudaMemcpy call detected"
)
scanner.add_rule(rule)
source_code = """
__global__ void kernel() {
    cudaMemcpy(dest, src, size, cudaMemcpyDeviceToHost);
}
"""
results = scanner.scan(source_code)
for r in results:
    print(r)