Ksplice: Rebootless Linux kernel security updates
2008-05-02 12:57:39 / Category: LAMP
Overview
Ksplice allows system administrators to apply security patches to the Linux kernel without having to reboot. Ksplice takes as input a source code change in unified diff format and the kernel source code to be patched, and it applies the patch to the corresponding running kernel. The running kernel does not need to have been prepared in advance in any way.
To be fully automatic, Ksplice's design is limited to patches that do not introduce semantic changes to data structures, but most Linux kernel security patches don't make these kinds of changes. An evaluation against Linux kernel security patches from May 2005 to December 2007 finds that Ksplice can automatically apply 84% of the 50 significant kernel vulnerabilities from this interval.
Ksplice has been implemented for Linux on the x86-32 and x86-64 architectures. Please be aware that this software is quite new, and it might contain bugs that could cause severe problems. The code is available in a Git repository, as a source code tarball, as an x86-32 binary distribution tarball, and as an x86-64 binary distribution tarball. Building the source code requires the GNU BFD library from GNU Binutils, which is available in Debian (as binutils-dev) and in other Linux distributions. Ksplice is free software; you can redistribute and/or modify it under the terms of the GNU General Public License, version 2.
If you'd like to try Ksplice, instructions are available for installing Ksplice and making a sample modification to a running kernel.
Usage Example
On July 12, 2006, the Linux kernel developers committed the following security patch to the mainline Linux kernel, protecting against CVE-2006-2451, a significant vulnerability involving the kernel's sys_prctl function:
diff --git a/kernel/sys.c b/kernel/sys.c
index dbb3b9c..e236f98 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1983,7 +1983,7 @@ asmlinkage long sys_prctl(int option, unsigned long arg2, unsigned long arg3,
error = current->mm->dumpable;
break;
case PR_SET_DUMPABLE:
- if (arg2 < 0 || arg2 > 2) {
+ if (arg2 < 0 || arg2 > 1) {
error = -EINVAL;
break;
}
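Review bot: in the PR_SET_DUMPABLE hunk, the `arg2 < 0` half of the condition is dead: the @@ header shows `arg2` is declared `unsigned long`, so it can never be negative and compilers flag the comparison as always false. The tightening from `arg2 > 2` to `arg2 > 1` is the actual fix and is correct as shown; while touching the line, consider reducing it to `+ if (arg2 > 1) {` so the intent is not obscured by a no-op check.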
Normally, a system administrator would need to reboot in order to conveniently apply this kind of update to a Linux system.
Ksplice allows this kind of update to be applied with the following commands. This example assumes that the source code for the running kernel, 2.6.16, is already unpacked in ~/linux-source and that the security patch above is in the file ~/prctl.
user@localhost:~$ mkdir ~/linux-source/ksplice
user@localhost:~$ cp /boot/config-2.6.16-1-686-smp ~/linux-source/ksplice/.config
user@localhost:~$ cp /boot/System.map-2.6.16-1-686-smp ~/linux-source/ksplice/System.map
user@localhost:~$ ksplice-create --patch=./prctl ~/linux-source/ksplice
Ksplice update tarball written to ksplice-bzrz1v2h.tar.gz
[the user should then become root]
root@localhost:/home/user# ksplice-apply ./ksplice-bzrz1v2h.tar.gz
Done!
The first three lines provide Ksplice with information about the kernel's original configuration, which is needed in order to construct the update. Ksplice expects to be provided with the original kernel's .config file and System.map file, but these files are essentially always easily available (most Linux distributions put them in /boot or distribute them with the kernel source).
After ksplice-apply has printed "Done!", the update has been applied to the running kernel, and the system is no longer subject to this security vulnerability.
Design Features
- Works with most existing Linux 2.6.x kernel versions (no advance preparation or modifications required)
- Works with most existing kernel configurations (works best with CONFIG_KALLSYMS, but Ksplice can apply many patches without this option)
- Can handle patches to kernel modules and kernel assembly code
- Can handle patches containing symbols that are not in the kernel symbol table (symbols can be discovered from running code)
- Works best if provided with the exact compiler and linker used to compile the original kernel (when the original toolchain is not available, Ksplice will protect against differences in behavior between the original toolchain and the toolchain used to create the update, and Ksplice will abort the upgrade if necessary)
Documentation
The manual pages for the Ksplice utilities are provided with the software and are available here on the web:
- ksplice-create - Create a set of kernel modules for a rebootless kernel update
- ksplice-apply - Apply an on-disk Ksplice update to the running kernel
- ksplice-view - View in-kernel or on-disk Ksplice kernel updates
- ksplice-undo - Undo a Ksplice update that has been applied to the running kernel
More details about how Ksplice works and how it has been evaluated are available in this Ksplice technical overview document.
In addition to the evaluation described in that document, Ksplice has been tested on Linux kernel versions ranging from 2.6.8 to 2.6.25, and on several Linux distributions, including Debian, Ubuntu, RHEL, Gentoo, and ASP Linux.
Beyond Security Patches
In addition to patching security vulnerabilities, Ksplice can also be used to add debugging code to the kernel or to make any other code changes that do not modify data structure semantics. For example, you can use Ksplice to modify the behavior of printk.
Frequently Asked Questions
Q: What kinds of patches can't Ksplice handle? Why can't Ksplice handle these patches?
A: Ksplice cannot handle semantic changes to data structures—that is, changes that would require existing instances of kernel data structures to be transformed. For example, a patch that adds a field to a global data structure would require the existing data structures to change. We examined 32 months of Linux kernel patches and found that most (42 out of 50) kernel security patches do not require such semantic changes.
The design choice to not handle semantic changes avoids burdening the hot update creator with writing code to transform the original kernel data structures to the state expected by the new code. An imperfect state transformation function could lead to disastrous consequences, so avoiding this source of effort and potential for human error makes sense until hot update systems are more widely deployed.
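As an added illustration (not Ksplice code; the two structs are constructed samples rather than real kernel types), the following C shows why inserting a field into a data structure is a semantic change: code compiled against the new layout reads a live old-layout instance at the wrong offset, and the only remedy is the per-instance state transformation function that the answer above says Ksplice deliberately avoids requiring.

```c
/* Added illustration, not Ksplice code: a field inserted into a struct shifts
 * the offsets that already-running instances were laid out with. */
#include <string.h>

/* Layout the running kernel was compiled with (constructed sample). */
struct old_obj {
    int pid;
    int dumpable;
};

/* Layout the patched code expects: 'flags' was inserted before 'dumpable'. */
struct new_obj {
    int pid;
    int flags;
    int dumpable;
};

/* Code from the patched kernel reads 'dumpable' at the NEW offset. */
int new_code_get_dumpable(const void *obj)
{
    return ((const struct new_obj *)obj)->dumpable;
}

/* Hand the patched code a live old-layout instance, as a hot update would if
 * it migrated nothing. Returns 1 when the new code misreads the object. */
int old_instance_misread(void)
{
    union { unsigned char raw[sizeof(struct new_obj)]; struct new_obj n; } mem;
    struct old_obj live = { 42, 1 };
    memset(mem.raw, 0x7f, sizeof mem.raw); /* whatever follows the object in memory */
    memcpy(mem.raw, &live, sizeof live);   /* the old instance sits in front */
    return new_code_get_dumpable(mem.raw) != live.dumpable; /* sees 0x7f filler */
}

/* The state transformation an update author would otherwise have to write,
 * and get exactly right, for every affected instance in the running kernel. */
void transform_old_to_new(const struct old_obj *from, struct new_obj *to)
{
    to->pid = from->pid;
    to->flags = 0;
    to->dumpable = from->dumpable;
}

/* Returns 1 when a migrated instance reads correctly through the new code. */
int transformed_instance_reads_correctly(void)
{
    struct old_obj live = { 42, 1 };
    struct new_obj migrated;
    transform_old_to_new(&live, &migrated);
    return new_code_get_dumpable(&migrated) == live.dumpable;
}
```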
Q: Doesn't Ksplice help bad guys introduce non-GPL code in the kernel and/or create malware?
A: The bad guys already know how to accomplish their goals using ad hoc kernel inspection and modification techniques. If someone wanted to get around EXPORT_SYMBOL_GPL, there are simpler ways to do so than using Ksplice.
Contact
If you have any questions, complaints, comments, bug reports, or patches, please send them to me at jbarnold@mit.edu or ksplice@mit.edu.
If you are interested in participating in Ksplice development discussion, you can subscribe to the mailing list ksplice-devel@mit.edu.

