Re: A system for rebootless kernel security updates

From: FD Cami
Date: Wed Apr 23 2008 - 17:37:33 EST


On Wed, 23 Apr 2008 14:59:05 -0400 (EDT)
Jeff Arnold <jbarnold@xxxxxxx> wrote:

> Hello,

Hi Jeff,

> I've put together an automatic system for applying kernel security patches
> to the Linux kernel without rebooting it, and I wanted to share this
> system with the community in case others find it useful or interesting.

(reading on)

> Here's the summary: The system takes as input a kernel security patch
> (which can be a unified diff taken directly from Linus' GIT tree) and the
> source code corresponding to the running kernel, and it automatically
> creates a set of kernel modules to perform the update. The running kernel
> does not need to have been customized in advance in any way. To be fully
> automatic, the system cannot be used to apply patches that introduce
> semantic changes to data structures, but most Linux kernel security
> patches don't make these kinds of changes. I've evaluated the system
> against various kernel versions and security vulnerabilities, and the
> system can automatically apply 84% of the significant kernel security
> patches from May 2005 through December 2007.

Awesome. Please note that reading this, I thought at first that the set of
kernel modules were in fact, updated kernel modules (i.e. necessary unloading/
loading of modules) which I understood was not the case after reading your
PDF. After checking with a friend of mine, he understood it like I did.
Perhaps :

- it automatically creates a set of kernel modules to perform the update.
+ it automatically creates a set of kernel modules containing the kernel
+ functions touched by the update, and arranges for the running kernel to
+ use the new functions from now on.

would be better.

> I've been pursuing this project because I don't like dealing with reboots
> whenever a new local kernel security vulnerability is discovered. The
> rebootless update practices/systems that are already out there require
> manually constructing an update (through a process that can be tricky and
> error-prone), and they tend to have other disadvantages as well (such as
> requiring a custom kernel, not handling inline functions properly, etc).
> This new system works on existing kernels, and it simply takes a unified
> diff as input and does the rest on its own.

It really looks like a non intrusive way of achieving superior uptime.

Congrats !

Best,

Francois
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/