| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 23 Apr 2008 14:59:05 -0400 (EDT) From: Jeff Arnold <jbarnold@....EDU> To: linux-kernel@...r.kernel.org Subject: A system for rebootless kernel security updates Hello, I've put together an automatic system for applying kernel security patches to the Linux kernel without rebooting it, and I wanted to share this system with the community in case others find it useful or interesting. Here's the summary: The system takes as input a kernel security patch (which can be a unified diff taken directly from Linus' GIT tree) and the source code corresponding to the running kernel, and it automatically creates a set of kernel modules to perform the update. The running kernel does not need to have been customized in advance in any way. To be fully automatic, the system cannot be used to apply patches that introduce semantic changes to data structures, but most Linux kernel security patches don't make these kinds of changes. I've evaluated the system against various kernel versions and security vulnerabilities, and the system can automatically apply 84% of the significant kernel security patches from May 2005 through December 2007. I've been pursuing this project because I don't like dealing with reboots whenever a new local kernel security vulnerability is discovered. The rebootless update practices/systems that are already out there require manually constructing an update (through a process that can be tricky and error-prone), and they tend to have other disadvantages as well (such as requiring a custom kernel, not handling inline functions properly, etc). This new system works on existing kernels, and it simply takes a unified diff as input and does the rest on its own. The system's website is http://web.mit.edu/ksplice. The GIT repository, code tarball, and binary tarballs are available here: http://web.mit.edu/ksplice/ksplice.git http://web.mit.edu/ksplice/dist/ksplice-src.tar.gz http://web.mit.edu/ksplice/dist/ksplice-bin-i386.tar.gz http://web.mit.edu/ksplice/dist/ksplice-bin-x86_64.tar.gz A document describing how the system works is available here: http://web.mit.edu/ksplice/doc/ksplice.pdf Any feedback would be appreciated. Jeff Arnold jbarnold@....edu -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists