Ksplice: Rebootless Linux kernel security updates

Posted 2008-05-02 12:57:39, category: LAMP

http://web.mit.edu/ksplice/


Overview


Ksplice allows system administrators to apply security patches to the Linux kernel without having to reboot. Ksplice takes as input a source code change in unified diff format and the kernel source code to be patched, and it applies the patch to the corresponding running kernel. The running kernel does not need to have been prepared in advance in any way.


To be fully automatic, Ksplice's design is limited to patches that do not introduce semantic changes to data structures, but most Linux kernel security patches don't make these kinds of changes. An evaluation against Linux kernel security patches from May 2005 to December 2007 finds that Ksplice can automatically apply the patches for 84% of the 50 significant kernel vulnerabilities from this interval.


Ksplice has been implemented for Linux on the x86-32 and x86-64 architectures. Please be aware that this software is quite new, and it might contain bugs that could cause severe problems. The code is available in a Git repository, as a source code tarball, as an x86-32 binary distribution tarball, and as an x86-64 binary distribution tarball. Building the source code requires the GNU BFD library from GNU Binutils, which is available in Debian (as binutils-dev) and in other Linux distributions. Ksplice is free software; you can redistribute and/or modify it under the terms of the GNU General Public License, version 2.


If you'd like to try Ksplice, instructions are available for installing Ksplice and making a sample modification to a running kernel.


Usage Example


On July 12, 2006, the Linux kernel developers committed the following security patch to the mainline Linux kernel, protecting against CVE-2006-2451, a significant vulnerability involving the kernel's sys_prctl function:

diff --git a/kernel/sys.c b/kernel/sys.c
index dbb3b9c..e236f98 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1983,7 +1983,7 @@ asmlinkage long sys_prctl(int option, unsigned long arg2, unsigned long arg3,
error = current->mm->dumpable;
break;
case PR_SET_DUMPABLE:
- if (arg2 < 0 || arg2 > 2) {
+ if (arg2 < 0 || arg2 > 1) {
error = -EINVAL;
break;
}
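Review bot: In both the old and the new condition, `arg2 < 0` can never be true, because `arg2` is declared `unsigned long` in the sys_prctl signature shown in the hunk header, so that half of the check is dead code and the only effective change here is lowering the accepted upper bound from 2 to 1. Consider simplifying the test to `if (arg2 > 1)` and adding a short comment stating that only the values 0 and 1 are accepted from userspace, so the next reader does not assume the lower-bound comparison does anything.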

Normally, a system administrator would need to reboot in order to conveniently apply this kind of update to a Linux system.

Ksplice allows this kind of update to be applied with the following commands. This example assumes that the source code for the running kernel, 2.6.16, is already unpacked in ~/linux-source and that the security patch above is in the file ~/prctl.

user@localhost:~$ mkdir ~/linux-source/ksplice
user@localhost:~$ cp /boot/config-2.6.16-1-686-smp ~/linux-source/ksplice/.config
user@localhost:~$ cp /boot/System.map-2.6.16-1-686-smp ~/linux-source/ksplice/System.map
user@localhost:~$ ksplice-create --patch=./prctl ~/linux-source/ksplice
Ksplice update tarball written to ksplice-bzrz1v2h.tar.gz
[the user should then become root]
root@localhost:/home/user# ksplice-apply ./ksplice-bzrz1v2h.tar.gz
Done!

The first three lines provide Ksplice with information about the kernel's original configuration, which is needed in order to construct the update. Ksplice expects to be provided with the original kernel's .config file and System.map file, but these files are essentially always easily available (most Linux distributions put them in /boot or distribute them with the kernel source).


After ksplice-apply has printed "Done!", the update has been applied to the running kernel, and the system is no longer subject to this security vulnerability.
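A practitioner will want to confirm that the hot update actually changed the running kernel's behaviour. The following check is an added example, not part of the Ksplice distribution or of the kernel patch: it asks the kernel to set the dumpable flag to 0, 1 and 2 via prctl() and expects only the value 2 to be rejected with EINVAL, which is exactly what the patched sys_prctl does. It assumes a Linux host with <sys/prctl.h>; the function and file names are constructed for this example.

```c
/* prctl_check.c: post-update check for the CVE-2006-2451 fix.
 * Build with: cc -o prctl_check prctl_check.c
 * Exit status 0 means the running kernel shows the patched behaviour. */
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>

/* Try to set the process's dumpable flag to `value`.
 * Returns 0 on success, otherwise the errno the kernel reported. */
static int try_set_dumpable(unsigned long value)
{
    if (prctl(PR_SET_DUMPABLE, value, 0, 0, 0) == -1)
        return errno;
    return 0;
}

/* Returns 1 when the kernel accepts dumpable values 0 and 1 but rejects 2
 * with EINVAL (the behaviour introduced by the patch above), else 0.
 * The process's original dumpable value is restored before returning. */
int kernel_rejects_dumpable_2(void)
{
    int orig = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
    int ok = try_set_dumpable(0) == 0
          && try_set_dumpable(1) == 0
          && try_set_dumpable(2) == EINVAL;
    if (orig == 0 || orig == 1)   /* only restore values userspace may set */
        prctl(PR_SET_DUMPABLE, (unsigned long)orig, 0, 0, 0);
    return ok;
}

int main(void)
{
    if (kernel_rejects_dumpable_2()) {
        puts("OK: PR_SET_DUMPABLE rejects 2; the running kernel has the CVE-2006-2451 fix");
        return 0;
    }
    puts("WARNING: PR_SET_DUMPABLE accepted 2 (or the probe failed); update not in effect");
    return 1;
}
```

Run it as an unprivileged user before and after ksplice-apply; the result should flip from WARNING to OK without a reboot.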

Design Features

  • Works with most existing Linux 2.6.x kernel versions (no advance preparation or modifications required)
  • Works with most existing kernel configurations (works best with CONFIG_KALLSYMS, but Ksplice can apply many patches without this option)
  • Can handle patches to kernel modules and kernel assembly code
  • Can handle patches containing symbols that are not in the kernel symbol table (symbols can be discovered from running code)
  • Works best if provided with the exact compiler and linker used to compile the original kernel (when the original toolchain is not available, Ksplice will protect against differences in behavior between the original toolchain and the toolchain used to create the update, and Ksplice will abort the upgrade if necessary)

Documentation

The manual pages for the Ksplice utilities are provided with the software and are available here on the web:

More details about how Ksplice works and how it has been evaluated are available in this Ksplice technical overview document.


In addition to the evaluation described in that document, Ksplice has been tested on Linux kernel versions ranging from 2.6.8 to 2.6.25, and on several Linux distributions, including Debian, Ubuntu, RHEL, Gentoo, and ASP Linux.


Beyond Security Patches

In addition to patching security vulnerabilities, Ksplice can also be used to add debugging code to the kernel or to make any other code changes that do not modify data structure semantics. For example, you can use Ksplice to modify the behavior of printk.

Frequently Asked Questions


Q: What kinds of patches can't Ksplice handle? Why can't Ksplice handle these patches?


A: Ksplice cannot handle semantic changes to data structures—that is, changes that would require existing instances of kernel data structures to be transformed. For example, a patch that adds a field to a global data structure would require the existing data structures to change. We examined 32 months of Linux kernel patches and found that most (42 out of 50) kernel security patches do not require such semantic changes.


The design choice to not handle semantic changes avoids burdening the hot update creator with writing code to transform the original kernel data structures to the state expected by the new code. An imperfect state transformation function could lead to disastrous consequences, so avoiding this source of effort and potential for human error makes sense until hot update systems are more widely deployed.


Q: Doesn't Ksplice help bad guys introduce non-GPL code in the kernel and/or create malware?


A: The bad guys already know how to accomplish their goals using ad hoc kernel inspection and modification techniques. If someone wanted to get around EXPORT_SYMBOL_GPL, there are simpler ways to do so than using Ksplice.

Contact

If you have any questions, complaints, comments, bug reports, or patches, please send them to me at jbarnold@mit.edu or ksplice@mit.edu.


If you are interested in participating in Ksplice development discussion, you can subscribe to the mailing list ksplice-devel@mit.edu.

