In commodity OS, the OS kernel runs in the highest privilege layer to manage hardware resources and provides system services. Thus, security-sensitive applications are vulnerable to compromises the underlying untrusted kernel. In this paper, an approach named AppFort is proposed to protect applications from an untrusted OS kernel. To address the high overheads of existing solutions, AppFort makes use of the unique combination of an x86 hardware feature (operand address size), kernel code integrity protection and kernel control flow integrity protection, to intercept and verify both hardware and software operations of the untrusted kernel. As a result, AppFort efficiently protects application's memory, control flows and file I/O, even if the kernel is fully compromised. Experimental results demonstrate that AppFort only incurs very small overhead, which is much better than previous work.