From: Jeff Arnold <jbarnold@MIT.EDU>
Subject: A system for rebootless kernel security updates
Date: Wed, 23 Apr 2008 14:59:05 -0400 (EDT)
I've put together an automatic system for applying kernel security patches
to the Linux kernel without rebooting it, and I wanted to share this
system with the community in case others find it useful or interesting.
Here's the summary: The system takes as input a kernel security patch
(which can be a unified diff taken directly from Linus' GIT tree) and the
source code corresponding to the running kernel, and it automatically
creates a set of kernel modules to perform the update. The running kernel
does not need to have been customized in advance in any way. To be fully
automatic, the system cannot be used to apply patches that introduce
semantic changes to data structures, but most Linux kernel security
patches don't make these kinds of changes. I've evaluated the system
against various kernel versions and security vulnerabilities, and the
system can automatically apply 84% of the significant kernel security
patches from May 2005 through December 2007.
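As an added illustration of the constraint just described (this is not Ksplice's own code or method), the following Python heuristic screens a unified diff for hunks that edit lines inside a struct/union/enum definition, the kind of change the post says cannot be applied automatically. The two sample patches, file names and function names are constructed here for the demonstration.

```python
import re

# Constructed sample patches (not from the post): a code-only bounds-check fix,
# and a fix that instead adds a field to a struct shared with other code.
CODE_ONLY_PATCH = "\n".join([
    "--- a/fs/example.c",
    "+++ b/fs/example.c",
    "@@ -10,4 +10,6 @@ static int example_read(struct file *f, char __user *buf, size_t len)",
    " {",
    " \tstruct example_priv *p = f->private_data;",
    "+\tif (len > sizeof(p->data))",
    "+\t\treturn -EINVAL;",
    " \treturn copy_to_user(buf, p->data, len) ? -EFAULT : 0;",
    " }",
])
STRUCT_PATCH = "\n".join([
    "--- a/include/linux/example.h",
    "+++ b/include/linux/example.h",
    "@@ -3,3 +3,4 @@ struct example_priv {",
    " \tchar data[64];",
    "+\tunsigned long flags;",
    " \tint refcnt;",
    " };",
])

# Opening line of an aggregate type definition, e.g. "struct foo {"
AGGREGATE_OPEN = re.compile(r"\b(struct|union|enum)\s+\w*\s*\{")
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+\d+(?:,\d+)? @@(.*)$")

def find_data_structure_edits(diff: str) -> list:
    """Return (file, line) for each +/- line inside a struct/union/enum body.
    Heuristic: opened by the hunk's function-context text or an earlier hunk
    line, closed by a line starting with '}' (nested braces not tracked)."""
    findings, current_file, in_aggregate = [], "", False
    for line in diff.splitlines():
        if line.startswith("+++ "):  # new-file header: strip git's "b/" prefix
            current_file = line[4:].split("\t")[0].split("/", 1)[-1]
            continue
        m = HUNK_HEADER.match(line)
        if m:  # diff -p / git append the enclosing declaration after "@@"
            in_aggregate = bool(AGGREGATE_OPEN.search(m.group(1)))
            continue
        if line.startswith("--- ") or not line or line[0] not in "+- ":
            continue  # old-file header, blank, or "\ No newline at end of file"
        body = line[1:]
        if line[0] in "+-" and in_aggregate:
            findings.append((current_file, line))
        if AGGREGATE_OPEN.search(body):
            in_aggregate = True
        elif body.lstrip().startswith("}"):
            in_aggregate = False
    return findings
```

An empty result means the diff only touches code, the case the post says the system handles; any finding names a hunk that changes a type layout and so needs manual review rather than an automatic rebootless update.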
I've been pursuing this project because I don't like dealing with reboots
whenever a new local kernel security vulnerability is discovered. The
rebootless update practices/systems that are already out there require
manually constructing an update (through a process that can be tricky and
error-prone), and they tend to have other disadvantages as well (such as
requiring a custom kernel, not handling inline functions properly, etc.).
This new system works on existing kernels, and it simply takes a unified
diff as input and does the rest on its own.
The system's website is http://web.mit.edu/ksplice.
The GIT repository, code tarball, and binary tarballs are available here:
A document describing how the system works is available here:
Any feedback would be appreciated.