| Article explores Linux hot-patching utility |
May 08, 2008
LWN.net has published an article about ksplice, a hot-patching utility for the Linux kernel that was developed by an MIT grad student. Ksplice lets users make changes to running kernel code -- for example to apply a security patch -- without rebooting the system or interrupting services running on it.
The article was written by LWN.net co-founder Jonathan Corbet. It inspired a lively discussion of the technology, and its chances of being merged into the mainline Linux kernel source code tree. Carrier Grade Linux and high-availability Linux distributions typically already have hot-patching implementations of their own, but the mainline kernel still does not.
Ksplice was announced on April 23rd on LWN.net in a post by the utility's lead developer, Jeffrey Brian Arnold, a graduate student at MIT. Ksplice works on any patch that "does not introduce semantic changes to data structures," says Arnold in his MIT paper on the subject, "Ksplice: An automatic system for rebootless Linux kernel security updates". On the Ksplice project site, Arnold reports that an evaluation of Linux kernel security patches from May 2005 to December 2007 found that Ksplice automatically applied 84 percent of "50 significant kernel vulnerabilities."
According to Corbet, ksplice should attract considerable interest from Linux administrators who need to install security patches to correct vulnerabilities in the Linux kernel. Each patch requires several minutes of downtime, which can either be an inconvenience or in the case of critical systems, an intolerable interruption.
Ksplice process for creating a hot update
[Source: Jeffrey Brian Arnold, MIT,
" Ksplice: An automatic system for rebootless Linux kernel security updates"]
(Click to enlarge)
From Corbet's description, ksplice compiles the system's kernel from source, with and without the patch, creating a kind of binary diff. It then inserts "trampolines" inside of functions affected by the patch. The trampolines simply bounce processing over to newly instantiated, patched object code. Clever stuff.
Ksplice still needs work, says Corbet, but he likes what he sees, enough to suggest that it might be a good addition to mainline. However, Arnold feels that such a move is unnecessary, says Corbet, and there is also a potential conflict from a 2002 Microsoft patent covering similar hot-patching.
The general consensus in the Linux development crowd is that the patent is invalid, says Corbet, since similar approaches have been used for decades. But who really wants to take Microsoft in court when writing code is so much more fun?
Availability
The full LWN.net article, entitled "Ksplice: kernel patches without reboots," should be available here.
Related Stories:
(Click here for further information)
|
|
|
7 Advantages of D2D Backup
For decades, tape has been the backup medium of choice. But, now, disk-to-disk (D2D) backup is gaining in favor. Learn why you should make the move in this whitepaper.
4 Legal Reasons to Control Internet Access
The Internet is obviously a valuable resource for many organizations. However, many are exposed to legal liability concerns because they fail to control Internet access. Learn if you're safe in this white paper.
Rapidly Resolve J2EE Application Problems
Whether you are in the process of building J2EE applications or have J2EE applications already running in production, you must ensure that they deliver the expected ROI. Learn how in this white paper.
Load Testing 2.0 for Web 2.0
There are many unknowns in stress testing Web 2.0 applications. Find out how to test the performance of Web 2.0 in this white paper.
Build Better Games Online
For the game infrastructure providers, life is complex. Making money from games has become more complicated. Why? Find out in this white paper.
Building a Virtual Infrastructure from Servers to Storage
This white paper discusses the virtual storage solutions that reduce cost, increase storage utilization, and address the challenges of backing up and restoring Server environments.
Gaining Faster Wireless Connections with WiMAX
Welcome to what is quickly becoming the hyperconnected world where anything that would benefit from being connected to the network will be connected. Learn more in this white paper.
Is Your Desktop a Security Threat?
The new wave of sophisticated crimeware not only targets specific companies, but also targets desktops and laptops as backdoor entryways into those business’ operations and resources. Learn how to stay safe in this white paper.
Increasing SAN Reliability by 100 Percent
Storage area networks (SAN) are a strong part of storage plans. Learn how to increase your reliability and uptime by 100 percent in this case study.
|
|
|
|
|
Use of this site is governed by our Terms of
Service and Privacy Policy.
Except where otherwise specified, the contents of this site are copyright © 1999-2008
Ziff Davis Enterprise Holdings Inc. All Rights Reserved.
Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Enterprise is
prohibited. Linux is a registered trademark of Linus Torvalds. All other marks are the property of their respective owners.
news feed