lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.DEB.1.00.0802221606520.21343@vinegar-pot.mit.edu>
Date:	Wed, 23 Apr 2008 14:59:05 -0400 (EDT)
From:	Jeff Arnold <jbarnold@....EDU>
To:	linux-kernel@...r.kernel.org
Subject: A system for rebootless kernel security updates

Hello,

I've put together an automatic system for applying kernel security patches 
to the Linux kernel without rebooting it, and I wanted to share this 
system with the community in case others find it useful or interesting.

Here's the summary:  The system takes as input a kernel security patch 
(which can be a unified diff taken directly from Linus' GIT tree) and the 
source code corresponding to the running kernel, and it automatically 
creates a set of kernel modules to perform the update.  The running kernel 
does not need to have been customized in advance in any way.  To be fully 
automatic, the system cannot be used to apply patches that introduce 
semantic changes to data structures, but most Linux kernel security 
patches don't make these kinds of changes.  I've evaluated the system 
against various kernel versions and security vulnerabilities, and the 
system can automatically apply 84% of the significant kernel security 
patches from May 2005 through December 2007.

I've been pursuing this project because I don't like dealing with reboots 
whenever a new local kernel security vulnerability is discovered.  The 
rebootless update practices/systems that are already out there require 
manually constructing an update (through a process that can be tricky and 
error-prone), and they tend to have other disadvantages as well (such as 
requiring a custom kernel, not handling inline functions properly, etc). 
This new system works on existing kernels, and it simply takes a unified 
diff as input and does the rest on its own.

The system's website is http://web.mit.edu/ksplice.

The GIT repository, code tarball, and binary tarballs are available here:
http://web.mit.edu/ksplice/ksplice.git
http://web.mit.edu/ksplice/dist/ksplice-src.tar.gz
http://web.mit.edu/ksplice/dist/ksplice-bin-i386.tar.gz
http://web.mit.edu/ksplice/dist/ksplice-bin-x86_64.tar.gz

A document describing how the system works is available here: 
http://web.mit.edu/ksplice/doc/ksplice.pdf

Any feedback would be appreciated.

Jeff Arnold
jbarnold@....edu
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ