Transparent Protection of Kernel Module Against ROP with Intel Processor Trace

Fund Project:

National Key Research and Development Program of China (2016YFB1000104)

Abstract:

Return-oriented programming (ROP), in which attackers corrupt the program stack in order to hijack the program's control flow, is a popular way to exploit memory corruption bugs. Control flow integrity (CFI) is a popular approach that thwarts attackers tampering with the execution flow by enforcing the legal targets of each indirect branch. While published CFI approaches mainly focus on protecting user programs, the OS kernel is still vulnerable to various attacks such as return-oriented rootkits (ROR), which launch ROP attacks in vulnerable kernel modules and are able to execute arbitrary code in the kernel. Compared with traditional user-level ROP, ROR is more dangerous because it happens in kernel space. According to Linux CVEs from 2014 to 2016, 76% of kernel bugs appear in kernel modules and almost all of the published attacks happen in kernel modules, which implies that kernel modules are the most dangerous area in kernel space. However, there are currently still very few kernel-level CFI protection mechanisms, and all of the existing ones require source-code-level modification and kernel recompilation, which restricts their use on commodity systems. To address these problems, this paper proposes to leverage Intel Processor Trace (IPT) and presents the first system that can prevent ROP attacks in kernel modules, based on virtualization, without relying on the source code of the kernel or kernel modules. The evaluation proves the precision, transparency and efficiency of the new system.

Citation:

Wang Xinran, Liu Yutao, Chen Haibo. Transparent Protection of Kernel Module Against ROP with Intel Processor Trace. Journal of Software, 2018, 29(5): 1333-1347

History
  • Received: June 30, 2017
  • Revised: August 29, 2017
  • Adopted: November 21, 2017
  • Online: January 09, 2018