Published on KernelTrap (http://kerneltrap.org)

Ksplice, Rebootless Linux Kernel Security Updates

By Jeremy
Created Apr 25 2008 - 16:20

"I've put together an automatic system for applying kernel security patches to the Linux kernel without rebooting it, and I wanted to share this system with the community in case others find it useful or interesting," said Jeff Arnold, announcing ksplice [1]. He explained, "the system takes as input a kernel security patch (which can be a unified diff taken directly from Linus' GIT tree) and the source code corresponding to the running kernel, and it automatically creates a set of kernel modules to perform the update. The running kernel does not need to have been customized in advance in any way." The project's website [2] notes, "ksplice cannot handle semantic changes to data structures—that is, changes that would require existing instances of kernel data structures to be transformed." With this limitation, Jeff suggested ksplice is still able to automatically apply 84% of the kernel security patches released between May 2005 and December 2007. He continued:

"I've been pursuing this project because I don't like dealing with reboots whenever a new local kernel security vulnerability is discovered. The rebootless update practices/systems that are already out there require manually constructing an update (through a process that can be tricky and error-prone), and they tend to have other disadvantages as well (such as requiring a custom kernel, not handling inline functions properly, etc). This new system works on existing kernels, and it simply takes a unified diff as input and does the rest on its own."


From: Jeff Arnold <jbarnold@...>
Subject: A system for rebootless kernel security updates
Date: Apr 23, 2:59 pm 2008

Hello,

I've put together an automatic system for applying kernel security patches 
to the Linux kernel without rebooting it, and I wanted to share this 
system with the community in case others find it useful or interesting.

Here's the summary:  The system takes as input a kernel security patch 
(which can be a unified diff taken directly from Linus' GIT tree) and the 
source code corresponding to the running kernel, and it automatically 
creates a set of kernel modules to perform the update.  The running kernel 
does not need to have been customized in advance in any way.  To be fully 
automatic, the system cannot be used to apply patches that introduce 
semantic changes to data structures, but most Linux kernel security 
patches don't make these kinds of changes.  I've evaluated the system 
against various kernel versions and security vulnerabilities, and the 
system can automatically apply 84% of the significant kernel security 
patches from May 2005 through December 2007.

I've been pursuing this project because I don't like dealing with reboots 
whenever a new local kernel security vulnerability is discovered.  The 
rebootless update practices/systems that are already out there require 
manually constructing an update (through a process that can be tricky and 
error-prone), and they tend to have other disadvantages as well (such as 
requiring a custom kernel, not handling inline functions properly, etc). 
This new system works on existing kernels, and it simply takes a unified 
diff as input and does the rest on its own.

The system's website is http://web.mit.edu/ksplice [3].

The GIT repository, code tarball, and binary tarballs are available here:
http://web.mit.edu/ksplice/ksplice.git [4]
http://web.mit.edu/ksplice/dist/ksplice-src.tar.gz [5]
http://web.mit.edu/ksplice/dist/ksplice-bin-i386.tar.gz [6]
http://web.mit.edu/ksplice/dist/ksplice-bin-x86_64.tar.gz [7]

A document describing how the system works is available here: 
http://web.mit.edu/ksplice/doc/ksplice.pdf [8]

Any feedback would be appreciated.

Jeff Arnold
jbarnold@mit.edu [9]
--
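The announcement above says the system cannot automatically apply a patch that makes semantic changes to data structures, so a patch has to be screened before anyone tries to turn it into a rebootless update. The script below is an added example, not ksplice's own code and not taken from the tarballs linked above: it parses a git-style unified diff, records which C function each hunk lands in (using the context git prints after the second `@@`), and flags any hunk that edits a struct, union or enum body. It generalises beyond the single case in the text into a small classifier for whole patches. The file names, function names and the sample diff are constructed for the example, and the heuristics are deliberately conservative.

```python
"""Pre-screen a unified diff before attempting a rebootless update.

Added example, not ksplice's own code. It parses a git-style unified
diff, records which C function each hunk lands in (using the context git
prints after the second '@@'), and flags hunks that edit a struct, union
or enum definition, since the announcement says such data-structure
changes cannot be applied automatically. The regexes and the sample diff
below are constructed for this example.
"""
import re

# '@@ -old,len +new,len @@ <context>'; group 5 is the enclosing-definition context.
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@(.*)$")
# First identifier followed by '(' in a context line is taken as the function name.
FUNC_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")
# A definition line that opens a struct/union/enum body.
STRUCT_RE = re.compile(r"^\s*(?:typedef\s+)?(?:struct|union|enum)\b")


def parse_hunks(diff_text):
    """Return a list of {'path', 'context', 'changed'} dicts, one per hunk.
    'changed' holds the raw '+'/'-' lines so callers can inspect them."""
    hunks, path, current = [], None, None
    for line in diff_text.splitlines():
        # File headers end the current hunk. A changed line that itself begins
        # with '-- ' or '++ ' is ambiguous in unified diff and is treated as a header.
        if line.startswith("--- "):
            current = None
            continue
        if line.startswith("+++ "):
            path = line[4:].split("\t")[0]
            path = path[2:] if path.startswith("b/") else path  # drop git's 'b/' prefix
            current = None
            continue
        m = HUNK_RE.match(line)
        if m:
            current = {"path": path, "context": m.group(5).strip(), "changed": []}
            hunks.append(current)
            continue
        if current is not None and line[:1] in ("+", "-"):
            current["changed"].append(line)
    return hunks


def touched_function(hunk):
    """Name of the function the hunk's context line belongs to, or None."""
    m = FUNC_RE.search(hunk["context"])
    return m.group(1) if m else None


def classify_hunk(hunk):
    """'data-structure' if the hunk edits inside a struct/union/enum body,
    'function' if it edits inside a function, else 'other' (e.g. includes).
    A context like 'struct foo *alloc_foo(void)' is a function, not a struct."""
    ctx = hunk["context"]
    if STRUCT_RE.match(ctx) and "(" not in ctx:
        return "data-structure"
    for line in hunk["changed"]:
        body = line[1:].rstrip()
        if STRUCT_RE.match(body) and "(" not in body and body.endswith("{"):
            return "data-structure"  # a whole definition is added or removed
    if touched_function(hunk) is not None:
        return "function"
    return "other"


def screen_patch(diff_text):
    """Summarise a patch: functions touched, data-structure hunks, other hunks,
    and whether nothing in it appears to need a data-structure transformation."""
    result = {"functions": [], "data_structure_hunks": [], "other_hunks": []}
    for h in parse_hunks(diff_text):
        kind = classify_hunk(h)
        if kind == "data-structure":
            result["data_structure_hunks"].append((h["path"], h["context"]))
        elif kind == "function":
            result["functions"].append((h["path"], touched_function(h)))
        else:
            result["other_hunks"].append((h["path"], h["context"]))
    result["auto_applicable"] = not result["data_structure_hunks"]
    return result


# Constructed sample: an include added (needs a look), a bounds check added
# to a function body (fine), and a new struct field (data-structure change).
SAMPLE_DIFF = """\
diff --git a/drivers/char/example.c b/drivers/char/example.c
--- a/drivers/char/example.c
+++ b/drivers/char/example.c
@@ -5,3 +5,4 @@
 #include <linux/fs.h>
+#include <linux/uaccess.h>
 #include <linux/kernel.h>
 
@@ -40,6 +40,8 @@ static int example_ioctl(struct file *file, unsigned int cmd,
        struct example_req req;
 
+       if (len > sizeof(req))
+               return -EINVAL;
        if (copy_from_user(&req, arg, len))
                return -EFAULT;
        return handle(&req);
 }
diff --git a/include/linux/example.h b/include/linux/example.h
--- a/include/linux/example.h
+++ b/include/linux/example.h
@@ -10,4 +10,5 @@ struct example_req {
        u32 id;
        u32 len;
+       u32 flags;
        u8 data[64];
 };
"""

if __name__ == "__main__":
    report = screen_patch(SAMPLE_DIFF)
    for path, fn in report["functions"]:
        print(f"function hunk: {path}: {fn}()")
    for path, ctx in report["data_structure_hunks"]:
        print(f"DATA-STRUCTURE hunk (manual review): {path}: {ctx}")
    for path, ctx in report["other_hunks"]:
        print(f"other hunk: {path}: {ctx or '<top of file>'}")
    print("auto-applicable:", report["auto_applicable"])
```

A clean report is a necessary condition, not a sufficient one: a patch that reinterprets an existing field without changing the layout is still a semantic data-structure change, and nothing in a diff's text reveals that. Hunks reported as "other" (no enclosing function, typically includes or file-scope declarations) also deserve a glance before the patch is handed to an automatic tool.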

From: FD Cami <francois.cami@...>
Subject: Re: A system for rebootless kernel security updates
Date: Apr 23, 5:37 pm 2008

On Wed, 23 Apr 2008 14:59:05 -0400 (EDT)
Jeff Arnold <jbarnold@MIT.EDU> wrote:

> Hello,

Hi Jeff,

> I've put together an automatic system for applying kernel security patches
> to the Linux kernel without rebooting it, and I wanted to share this
> system with the community in case others find it useful or interesting.

(reading on)

> Here's the summary: The system takes as input a kernel security patch
> (which can be a unified diff taken directly from Linus' GIT tree) and the
> source code corresponding to the running kernel, and it automatically
> creates a set of kernel modules to perform the update. The running kernel
> does not need to have been customized in advance in any way. To be fully
> automatic, the system cannot be used to apply patches that introduce
> semantic changes to data structures, but most Linux kernel security
> patches don't make these kinds of changes. I've evaluated the system
> against various kernel versions and security vulnerabilities, and the
> system can automatically apply 84% of the significant kernel security
> patches from May 2005 through December 2007.

Awesome.

Please note that reading this, I thought at first that the set of kernel
modules were, in fact, updated kernel modules (i.e. necessary unloading/
loading of modules), which I understood was not the case after reading
your PDF. After checking with a friend of mine, he understood it like I
did.

Perhaps:

- it automatically creates a set of kernel modules to perform the update.
+ it automatically creates a set of kernel modules containing the kernel
+ functions touched by the update, and arranges for the running kernel to
+ use the new functions from now on.

would be better.

> I've been pursuing this project because I don't like dealing with reboots
> whenever a new local kernel security vulnerability is discovered. The
> rebootless update practices/systems that are already out there require
> manually constructing an update (through a process that can be tricky and
> error-prone), and they tend to have other disadvantages as well (such as
> requiring a custom kernel, not handling inline functions properly, etc).
> This new system works on existing kernels, and it simply takes a unified
> diff as input and does the rest on its own.

It really looks like a non-intrusive way of achieving superior uptime.

Congrats!

Best,

Francois
--

Source URL:
http://kerneltrap.org/Linux/Ksplice_Rebootless_Linux_Kernel_Security_Updates