SlideShare uma empresa Scribd logo

Kernel Recipes 2014 - kGraft: Live Patching of the Linux Kernel

Anne Nicolas
Anne Nicolas

The talk introduces the need of live kernel patching. Further, it explains what is kGraft, how it works, what are its limitations, and our plans with the implementation in the future. The presentation includes also a live demo if stars constellation allows. Jiri Slaby, SUSE

Software
1 de 23
Baixar para ler offline
kGraft Live patching of the Linux kernel Jiˇrí Kosina, Petr Mládek, Vojt ˇech Pavlík, Jiri Slaby SUSE Labs September 25th 2014 Paris, France Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 1 / 23
Why Live Patching? 1000 machines & severe security problem Needs fixing now! Rebooting the machines Is not a quick way to fix an issue Has a risk of not coming up Live patching Allows quick response Leaves an actual update to a scheduled downtime window Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 2 / 23
Where is Live Patching Useful? Common tiers of change management 1 Incident response – we are exploited 2 Emergency change – we could be exploited (we are vulnerable) 3 Scheduled change – time is not critical, we are safe Live patching fits in with 1 and 2 Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 3 / 23
Presentation Outline 1 KGRAFT 2 KGRAFT Internals 3 Live Demo 4 Conclusion Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 4 / 23
Section 1 KGRAFT Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 5 / 23
KGRAFT Research project Live patching technology Developed by SUSE Labs Specifically for the Linux kernel Based on modern Linux technologies INT3/IPI-NMI self-modifying code Lazy update mechanism fentry-based NOP space allocation Standard kernel module loading/linking mechanisms Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 6 / 23
Advantages of KGRAFT Does not require stopping the kernel Ever! Not even for short time periods Unlike competing technologies Allows code review on KGRAFT patch sources Patches can be built from C source directly No need for object code manipulation Only an alternative: object code based automated patch generation kGraft is lean Small amount of code Leveraging other Linux technologies No complex instruction en/decoders or such Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 7 / 23
How does KGRAFT work? A kGraft patch is a .ko kernel module The .ko is inserted into the kernel using insmod All linking (incl. the fix) is done by kernel KGRAFT replaces whole functions in the kernel Even while those functions may be executed An updated KGRAFT module can replace an existing patch Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 8 / 23
Limitations kGraft is designed for fixing critical bugs Primarily for simple changes Changes in kernel data structure layout require special care Depending on the size of the change, reboot may be needed Same as with other live patching techniques KGRAFT depends on a stable build environment Having history of built kernels Best suited for Linux distributions Their customers Anyone who builds their own kernels Not good for 3rd party support Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 9 / 23
Section 2 KGRAFT Internals Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 10 / 23
KGRAFT and fentry KGRAFT needs some space at the start of a function To insert a jump to a patched function The space can be provided by GCC profiling -pg -mfentry KGRAFT uses this fentry call instructions Patched out at boot Replaced with 5-byte NOPs kernel_func CALL fentry kernel_func 5-byte NOP Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 11 / 23
Using 5-byte NOPs Space KGRAFT uses the ftrace infrastructure to perform patching INT3 handler is installed with a JMP to the destination address 1 First byte of NOP is replaced by INT3 2 Remaining bytes are replaced by address 3 First byte is replaced by JMP 4 NMI IPIs are used to flush instruction decoders on other CPUs kernel_func kernel_func 5-byte NOP INT3 | xxxx INT3 handler JMP addr kernel_func INT3 | addr kernel_func JMP addr Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 12 / 23
Patching a Function Patching during runtime, no stop_kernel(); Callers are never patched Rather, callee’s NOPs are replaced by a JMP to the new function JMP remains forever But this takes care of function pointers, including in structures Like indirect calls (handler->function()) Does not require saving any old data in case we want to un-patch Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 13 / 23
Patching a Function in Pictures kernel_func buggy_func(); buggy_func JMP fixed fixed_func Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 14 / 23
Issue: Non-consistency What happens when Replaced function changes semantics and subsequent calls rely on each other? It is called recursively? kernel_func buggy_func(); buggy_func(); BOOM! buggy_func KGRAFT patch comes in fixed_func Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 15 / 23
Cure: RCU-like Replacement We need to provide a consistent “world-view” to each thread User processes Kernel processes Interrupts Solution: “reality check” trampoline Per-thread flag set on each kernel entry/exit Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 16 / 23
RCU-like Replacement kernel_func heavy work buggy_func(); reality_check which universe are you coming from? buggy_func fixed_func Userspace Kernelspace Welcome to the new universe! Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 17 / 23
Lazy Replacement All processes must wake up or execute a syscall Sometimes this requires a signal to be sent (like for getty’s) Once all processes have the "new universe" flag set Patching is complete Trampolines can be removed Files to check /proc/<pid>/kgr_in_progress /sys/kernel/kgraft/kgr_in_progress Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 18 / 23
Lazy Replacement kernel_func heavy work buggy_func(); buggy_func fixed_func Userspace Kernelspace Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 19 / 23
Get It Upstreaming KGRAFT was submitted and reviewed upstream There are other groups working on competing technologies KPATCH, KSPLICE, criu-based aproach, . . . SUSE will work together with them Expectations: common standard kernel live patching Publishing Part of SLE12 kernel tree GIT repository upstream http://git.kernel.org/pub/scm/linux/kernel/git/jirislaby/ kgraft.git Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 20 / 23
Maintenance KGRAFT patch is an RPM package Once installed, always protected Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 21 / 23
Live Demo Kernel with a security vulnerability Exploit program kGraft patch Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 22 / 23
Conclusion SUSE provides Demanded live Linux kernel patching Dubbed KGRAFT Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 23 / 23

Recomendados

"Making OpenCV Code Run Fast," a Presentation from Intel
"Making OpenCV Code Run Fast," a Presentation from Intel"Making OpenCV Code Run Fast," a Presentation from Intel
"Making OpenCV Code Run Fast," a Presentation from Intel
Edge AI and Vision Alliance
 
180 nm Tape out experience using Open POWER ISA
180 nm Tape out experience using Open POWER ISA180 nm Tape out experience using Open POWER ISA
180 nm Tape out experience using Open POWER ISA
Ganesan Narayanasamy
 
Concurrency and Python - PyCon MY 2015
Concurrency and Python - PyCon MY 2015Concurrency and Python - PyCon MY 2015
Concurrency and Python - PyCon MY 2015
Boey Pak Cheong
 
BKK16-302: Android Optimizing Compiler: New Member Assimilation Guide
BKK16-302: Android Optimizing Compiler: New Member Assimilation GuideBKK16-302: Android Optimizing Compiler: New Member Assimilation Guide
BKK16-302: Android Optimizing Compiler: New Member Assimilation Guide
Linaro
 
An Essential Relationship between Real-time and Resource Partitioning
An Essential Relationship between Real-time and Resource PartitioningAn Essential Relationship between Real-time and Resource Partitioning
An Essential Relationship between Real-time and Resource Partitioning
Yoshitake Kobayashi
 
Μεταπρογραµµατισµός κώδικα Python σε γλώσσα γραµµικού χρόνου για αυτόµατη επα...
Μεταπρογραµµατισµός κώδικα Python σε γλώσσα γραµµικού χρόνου για αυτόµατη επα...Μεταπρογραµµατισµός κώδικα Python σε γλώσσα γραµµικού χρόνου για αυτόµατη επα...
Μεταπρογραµµατισµός κώδικα Python σε γλώσσα γραµµικού χρόνου για αυτόµατη επα...
ISSEL
 
PyParis2018 - Python tooling for continuous deployment
PyParis2018 - Python tooling for continuous deploymentPyParis2018 - Python tooling for continuous deployment
PyParis2018 - Python tooling for continuous deployment
Arthur Lutz
 
OpenCV DNN module vs. Ours method
OpenCV DNN module vs. Ours method OpenCV DNN module vs. Ours method
OpenCV DNN module vs. Ours method
Ryosuke Tanno
 

Recomendados

"Making OpenCV Code Run Fast," a Presentation from Intel
"Making OpenCV Code Run Fast," a Presentation from Intel"Making OpenCV Code Run Fast," a Presentation from Intel
"Making OpenCV Code Run Fast," a Presentation from Intel
Edge AI and Vision Alliance
 
180 nm Tape out experience using Open POWER ISA
180 nm Tape out experience using Open POWER ISA180 nm Tape out experience using Open POWER ISA
180 nm Tape out experience using Open POWER ISA
Ganesan Narayanasamy
 
Concurrency and Python - PyCon MY 2015
Concurrency and Python - PyCon MY 2015Concurrency and Python - PyCon MY 2015
Concurrency and Python - PyCon MY 2015
Boey Pak Cheong
 
BKK16-302: Android Optimizing Compiler: New Member Assimilation Guide
BKK16-302: Android Optimizing Compiler: New Member Assimilation GuideBKK16-302: Android Optimizing Compiler: New Member Assimilation Guide
BKK16-302: Android Optimizing Compiler: New Member Assimilation Guide
Linaro
 
An Essential Relationship between Real-time and Resource Partitioning
An Essential Relationship between Real-time and Resource PartitioningAn Essential Relationship between Real-time and Resource Partitioning
An Essential Relationship between Real-time and Resource Partitioning
Yoshitake Kobayashi
 
Μεταπρογραµµατισµός κώδικα Python σε γλώσσα γραµµικού χρόνου για αυτόµατη επα...
Μεταπρογραµµατισµός κώδικα Python σε γλώσσα γραµµικού χρόνου για αυτόµατη επα...Μεταπρογραµµατισµός κώδικα Python σε γλώσσα γραµµικού χρόνου για αυτόµατη επα...
Μεταπρογραµµατισµός κώδικα Python σε γλώσσα γραµµικού χρόνου για αυτόµατη επα...
ISSEL
 
PyParis2018 - Python tooling for continuous deployment
PyParis2018 - Python tooling for continuous deploymentPyParis2018 - Python tooling for continuous deployment
PyParis2018 - Python tooling for continuous deployment
Arthur Lutz
 
OpenCV DNN module vs. Ours method
OpenCV DNN module vs. Ours method OpenCV DNN module vs. Ours method
OpenCV DNN module vs. Ours method
Ryosuke Tanno
 
Re-engineering Eclipse MDT/OCL for Xtext
Re-engineering Eclipse MDT/OCL for XtextRe-engineering Eclipse MDT/OCL for Xtext
Re-engineering Eclipse MDT/OCL for Xtext
Edward Willink
 
The Cryptol Epilogue: Swift and Bulletproof VHDL
The Cryptol Epilogue: Swift and Bulletproof VHDLThe Cryptol Epilogue: Swift and Bulletproof VHDL
The Cryptol Epilogue: Swift and Bulletproof VHDL
Ulisses Costa
 
Kernel Recipes 2018 - Live (Kernel) Patching: status quo and status futurus -...
Kernel Recipes 2018 - Live (Kernel) Patching: status quo and status futurus -...Kernel Recipes 2018 - Live (Kernel) Patching: status quo and status futurus -...
Kernel Recipes 2018 - Live (Kernel) Patching: status quo and status futurus -...
Anne Nicolas
 
eStargzイメージとlazy pullingによる高速なコンテナ起動
eStargzイメージとlazy pullingによる高速なコンテナ起動eStargzイメージとlazy pullingによる高速なコンテナ起動
eStargzイメージとlazy pullingによる高速なコンテナ起動
Kohei Tokunaga
 
Kernel Recipes 2018 - 10 years of automated evolution in the Linux kernel - J...
Kernel Recipes 2018 - 10 years of automated evolution in the Linux kernel - J...Kernel Recipes 2018 - 10 years of automated evolution in the Linux kernel - J...
Kernel Recipes 2018 - 10 years of automated evolution in the Linux kernel - J...
Anne Nicolas
 
LAS16-101: Efficient kernel backporting
LAS16-101: Efficient kernel backportingLAS16-101: Efficient kernel backporting
LAS16-101: Efficient kernel backporting
Linaro
 
Return oriented programming
Return oriented programmingReturn oriented programming
Return oriented programming
hybr1s
 
Securing Containerized Applications: A Primer
Securing Containerized Applications: A PrimerSecuring Containerized Applications: A Primer
Securing Containerized Applications: A Primer
Phil Estes
 
Securing Containerized Applications: A Primer
Securing Containerized Applications: A PrimerSecuring Containerized Applications: A Primer
Securing Containerized Applications: A Primer
Phil Estes
 
lwref: insane idea on reference counting
lwref: insane idea on reference countinglwref: insane idea on reference counting
lwref: insane idea on reference counting
Gleb Smirnoff
 
new ifnet(9) KPI for FreeBSD network stack
new ifnet(9) KPI for FreeBSD network stacknew ifnet(9) KPI for FreeBSD network stack
new ifnet(9) KPI for FreeBSD network stack
Gleb Smirnoff
 
How to Make Hand Detector on Native Activity with OpenCV
How to Make Hand Detector on Native Activity with OpenCVHow to Make Hand Detector on Native Activity with OpenCV
How to Make Hand Detector on Native Activity with OpenCV
Industrial Technology Research Institute (ITRI)(工業技術研究院, 工研院)
 
EclipseOMRBuildingBlocks4Polyglot_TURBO18
EclipseOMRBuildingBlocks4Polyglot_TURBO18EclipseOMRBuildingBlocks4Polyglot_TURBO18
EclipseOMRBuildingBlocks4Polyglot_TURBO18
Xiaoli Liang
 
Cloud Native TLV Meetup: Securing Containerized Applications Primer
Cloud Native TLV Meetup: Securing Containerized Applications PrimerCloud Native TLV Meetup: Securing Containerized Applications Primer
Cloud Native TLV Meetup: Securing Containerized Applications Primer
Phil Estes
 
OSDC 2016 - rkt and Kubernentes what's new with Container Runtimes and Orches...
OSDC 2016 - rkt and Kubernentes what's new with Container Runtimes and Orches...OSDC 2016 - rkt and Kubernentes what's new with Container Runtimes and Orches...
OSDC 2016 - rkt and Kubernentes what's new with Container Runtimes and Orches...
NETWAYS
 
Real time SHVC decoder
Real time SHVC decoderReal time SHVC decoder
Real time SHVC decoder
wassim hamidouche
 
How to Use OpenMP on Native Activity
How to Use OpenMP on Native ActivityHow to Use OpenMP on Native Activity
How to Use OpenMP on Native Activity
Industrial Technology Research Institute (ITRI)(工業技術研究院, 工研院)
 
차세대컴파일러, VM의미래: 애플 오픈소스 LLVM
차세대컴파일러, VM의미래: 애플 오픈소스 LLVM차세대컴파일러, VM의미래: 애플 오픈소스 LLVM
차세대컴파일러, VM의미래: 애플 오픈소스 LLVM
Jung Kim
 
IL2CPP: Debugging and Profiling
IL2CPP: Debugging and ProfilingIL2CPP: Debugging and Profiling
IL2CPP: Debugging and Profiling
joncham
 
App container rkt
App container rktApp container rkt
App container rkt
Xiaofeng Guo
 
淺談 Live patching technology
淺談 Live patching technology淺談 Live patching technology
淺談 Live patching technology
SZ Lin
 
Direct Code Execution - LinuxCon Japan 2014
Direct Code Execution - LinuxCon Japan 2014Direct Code Execution - LinuxCon Japan 2014
Direct Code Execution - LinuxCon Japan 2014
Hajime Tazaki
 

Mais conteúdo relacionado

Mais procurados

Kernel Recipes 2018 - 10 years of automated evolution in the Linux kernel - J...
Kernel Recipes 2018 - 10 years of automated evolution in the Linux kernel - J...Kernel Recipes 2018 - 10 years of automated evolution in the Linux kernel - J...
Kernel Recipes 2018 - 10 years of automated evolution in the Linux kernel - J...
Anne Nicolas
 
LAS16-101: Efficient kernel backporting
LAS16-101: Efficient kernel backportingLAS16-101: Efficient kernel backporting
LAS16-101: Efficient kernel backporting
Linaro
 
OSDC 2016 - rkt and Kubernentes what's new with Container Runtimes and Orches...
OSDC 2016 - rkt and Kubernentes what's new with Container Runtimes and Orches...OSDC 2016 - rkt and Kubernentes what's new with Container Runtimes and Orches...
OSDC 2016 - rkt and Kubernentes what's new with Container Runtimes and Orches...
NETWAYS
 

Mais procurados (19)

Re-engineering Eclipse MDT/OCL for Xtext
Re-engineering Eclipse MDT/OCL for XtextRe-engineering Eclipse MDT/OCL for Xtext
Re-engineering Eclipse MDT/OCL for Xtext
 
The Cryptol Epilogue: Swift and Bulletproof VHDL
The Cryptol Epilogue: Swift and Bulletproof VHDLThe Cryptol Epilogue: Swift and Bulletproof VHDL
The Cryptol Epilogue: Swift and Bulletproof VHDL
 
Kernel Recipes 2018 - Live (Kernel) Patching: status quo and status futurus -...
Kernel Recipes 2018 - Live (Kernel) Patching: status quo and status futurus -...Kernel Recipes 2018 - Live (Kernel) Patching: status quo and status futurus -...
Kernel Recipes 2018 - Live (Kernel) Patching: status quo and status futurus -...
 
eStargzイメージとlazy pullingによる高速なコンテナ起動
eStargzイメージとlazy pullingによる高速なコンテナ起動eStargzイメージとlazy pullingによる高速なコンテナ起動
eStargzイメージとlazy pullingによる高速なコンテナ起動
 
Kernel Recipes 2018 - 10 years of automated evolution in the Linux kernel - J...
Kernel Recipes 2018 - 10 years of automated evolution in the Linux kernel - J...Kernel Recipes 2018 - 10 years of automated evolution in the Linux kernel - J...
Kernel Recipes 2018 - 10 years of automated evolution in the Linux kernel - J...
 
LAS16-101: Efficient kernel backporting
LAS16-101: Efficient kernel backportingLAS16-101: Efficient kernel backporting
LAS16-101: Efficient kernel backporting
 
Return oriented programming
Return oriented programmingReturn oriented programming
Return oriented programming
 
Securing Containerized Applications: A Primer
Securing Containerized Applications: A PrimerSecuring Containerized Applications: A Primer
Securing Containerized Applications: A Primer
 
Securing Containerized Applications: A Primer
Securing Containerized Applications: A PrimerSecuring Containerized Applications: A Primer
Securing Containerized Applications: A Primer
 
lwref: insane idea on reference counting
lwref: insane idea on reference countinglwref: insane idea on reference counting
lwref: insane idea on reference counting
 
new ifnet(9) KPI for FreeBSD network stack
new ifnet(9) KPI for FreeBSD network stacknew ifnet(9) KPI for FreeBSD network stack
new ifnet(9) KPI for FreeBSD network stack
 
How to Make Hand Detector on Native Activity with OpenCV
How to Make Hand Detector on Native Activity with OpenCVHow to Make Hand Detector on Native Activity with OpenCV
How to Make Hand Detector on Native Activity with OpenCV
 
EclipseOMRBuildingBlocks4Polyglot_TURBO18
EclipseOMRBuildingBlocks4Polyglot_TURBO18EclipseOMRBuildingBlocks4Polyglot_TURBO18
EclipseOMRBuildingBlocks4Polyglot_TURBO18
 
Cloud Native TLV Meetup: Securing Containerized Applications Primer
Cloud Native TLV Meetup: Securing Containerized Applications PrimerCloud Native TLV Meetup: Securing Containerized Applications Primer
Cloud Native TLV Meetup: Securing Containerized Applications Primer
 
OSDC 2016 - rkt and Kubernentes what's new with Container Runtimes and Orches...
OSDC 2016 - rkt and Kubernentes what's new with Container Runtimes and Orches...OSDC 2016 - rkt and Kubernentes what's new with Container Runtimes and Orches...
OSDC 2016 - rkt and Kubernentes what's new with Container Runtimes and Orches...
 
Real time SHVC decoder
Real time SHVC decoderReal time SHVC decoder
Real time SHVC decoder
 
How to Use OpenMP on Native Activity
How to Use OpenMP on Native ActivityHow to Use OpenMP on Native Activity
How to Use OpenMP on Native Activity
 
차세대컴파일러, VM의미래: 애플 오픈소스 LLVM
차세대컴파일러, VM의미래: 애플 오픈소스 LLVM차세대컴파일러, VM의미래: 애플 오픈소스 LLVM
차세대컴파일러, VM의미래: 애플 오픈소스 LLVM
 
IL2CPP: Debugging and Profiling
IL2CPP: Debugging and ProfilingIL2CPP: Debugging and Profiling
IL2CPP: Debugging and Profiling
 

Semelhante a Kernel Recipes 2014 - kGraft: Live Patching of the Linux Kernel

Direct Code Execution - LinuxCon Japan 2014
Direct Code Execution - LinuxCon Japan 2014Direct Code Execution - LinuxCon Japan 2014
Direct Code Execution - LinuxCon Japan 2014
Hajime Tazaki
 
Directive-based approach to Heterogeneous Computing
Directive-based approach to Heterogeneous ComputingDirective-based approach to Heterogeneous Computing
Directive-based approach to Heterogeneous Computing
Ruymán Reyes
 
Shoot4U: Using VMM Assists to Optimize TLB Operations on Preempted vCPUs
Shoot4U: Using VMM Assists to Optimize TLB Operations on Preempted vCPUsShoot4U: Using VMM Assists to Optimize TLB Operations on Preempted vCPUs
Shoot4U: Using VMM Assists to Optimize TLB Operations on Preempted vCPUs
Jiannan Ouyang, PhD
 
Kernel Recipes 2013 - Nftables, what motivations and what solutions
Kernel Recipes 2013 - Nftables, what motivations and what solutionsKernel Recipes 2013 - Nftables, what motivations and what solutions
Kernel Recipes 2013 - Nftables, what motivations and what solutions
Anne Nicolas
 
emips_overview_apr08
emips_overview_apr08emips_overview_apr08
emips_overview_apr08
Neil Pittman
 

Semelhante a Kernel Recipes 2014 - kGraft: Live Patching of the Linux Kernel (20)

App container rkt
App container rktApp container rkt
App container rkt
 
淺談 Live patching technology
淺談 Live patching technology淺談 Live patching technology
淺談 Live patching technology
 
Direct Code Execution - LinuxCon Japan 2014
Direct Code Execution - LinuxCon Japan 2014Direct Code Execution - LinuxCon Japan 2014
Direct Code Execution - LinuxCon Japan 2014
 
LibOS as a regression test framework for Linux networking #netdev1.1
LibOS as a regression test framework for Linux networking #netdev1.1LibOS as a regression test framework for Linux networking #netdev1.1
LibOS as a regression test framework for Linux networking #netdev1.1
 
Directive-based approach to Heterogeneous Computing
Directive-based approach to Heterogeneous ComputingDirective-based approach to Heterogeneous Computing
Directive-based approach to Heterogeneous Computing
 
Shoot4U: Using VMM Assists to Optimize TLB Operations on Preempted vCPUs
Shoot4U: Using VMM Assists to Optimize TLB Operations on Preempted vCPUsShoot4U: Using VMM Assists to Optimize TLB Operations on Preempted vCPUs
Shoot4U: Using VMM Assists to Optimize TLB Operations on Preempted vCPUs
 
Kernel Recipes 2013 - Nftables, what motivations and what solutions
Kernel Recipes 2013 - Nftables, what motivations and what solutionsKernel Recipes 2013 - Nftables, what motivations and what solutions
Kernel Recipes 2013 - Nftables, what motivations and what solutions
 
Scaling Puppet Usage to a Global Organization
Scaling Puppet Usage to a Global OrganizationScaling Puppet Usage to a Global Organization
Scaling Puppet Usage to a Global Organization
 
Process synchonization : operating system ( Btech cse )
Process synchonization : operating system ( Btech cse )Process synchonization : operating system ( Btech cse )
Process synchonization : operating system ( Btech cse )
 
IRQs: the Hard, the Soft, the Threaded and the Preemptible
IRQs: the Hard, the Soft, the Threaded and the PreemptibleIRQs: the Hard, the Soft, the Threaded and the Preemptible
IRQs: the Hard, the Soft, the Threaded and the Preemptible
 
carrow - Go bindings to Apache Arrow via C++-API
carrow - Go bindings to Apache Arrow via C++-APIcarrow - Go bindings to Apache Arrow via C++-API
carrow - Go bindings to Apache Arrow via C++-API
 
Syntutic
SyntuticSyntutic
Syntutic
 
AMD_11th_Intl_SoC_Conf_UCI_Irvine
AMD_11th_Intl_SoC_Conf_UCI_IrvineAMD_11th_Intl_SoC_Conf_UCI_Irvine
AMD_11th_Intl_SoC_Conf_UCI_Irvine
 
Busy Polling: Past, Present, Future
Busy Polling: Past, Present, FutureBusy Polling: Past, Present, Future
Busy Polling: Past, Present, Future
 
Native Java with GraalVM
Native Java with GraalVMNative Java with GraalVM
Native Java with GraalVM
 
Kubernetes laravel and kubernetes
Kubernetes laravel and kubernetesKubernetes laravel and kubernetes
Kubernetes laravel and kubernetes
 
Advanced Namespaces and cgroups
Advanced Namespaces and cgroupsAdvanced Namespaces and cgroups
Advanced Namespaces and cgroups
 
emips_overview_apr08
emips_overview_apr08emips_overview_apr08
emips_overview_apr08
 
Comparison of Open Source Virtualization Technology
Comparison of Open Source Virtualization TechnologyComparison of Open Source Virtualization Technology
Comparison of Open Source Virtualization Technology
 
Gluster Cloud Night in Tokyo 2013 -- Tips for getting started
Gluster Cloud Night in Tokyo 2013 -- Tips for getting startedGluster Cloud Night in Tokyo 2013 -- Tips for getting started
Gluster Cloud Night in Tokyo 2013 -- Tips for getting started
 

Mais de Anne Nicolas

Kernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream firstKernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream first
Anne Nicolas
 
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMIKernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Anne Nicolas
 
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelKernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Anne Nicolas
 
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Anne Nicolas
 
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary dataKernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Anne Nicolas
 
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Anne Nicolas
 
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) pictureEmbedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Anne Nicolas
 
Embedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops wayEmbedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops way
Anne Nicolas
 
Embedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmakerEmbedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmaker
Anne Nicolas
 
Embedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integrationEmbedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integration
Anne Nicolas
 
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all startedKernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Anne Nicolas
 
Kernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDPKernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDP
Anne Nicolas
 
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Anne Nicolas
 

Mais de Anne Nicolas (20)

Kernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream firstKernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream first
 
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMIKernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
 
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelKernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
 
Kernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are moneyKernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are money
 
Kernel Recipes 2019 - Kernel documentation: past, present, and future
Kernel Recipes 2019 - Kernel documentation: past, present, and futureKernel Recipes 2019 - Kernel documentation: past, present, and future
Kernel Recipes 2019 - Kernel documentation: past, present, and future
 
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
 
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary dataKernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
 
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
 
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and BareboxEmbedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
 
Embedded Recipes 2019 - Making embedded graphics less special
Embedded Recipes 2019 - Making embedded graphics less specialEmbedded Recipes 2019 - Making embedded graphics less special
Embedded Recipes 2019 - Making embedded graphics less special
 
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre SiliconEmbedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
 
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) pictureEmbedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
 
Embedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops wayEmbedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops way
 
Embedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmakerEmbedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmaker
 
Embedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integrationEmbedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integration
 
Embedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debuggingEmbedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debugging
 
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimediaEmbedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
 
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all startedKernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
 
Kernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDPKernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDP
 
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
 

Último

AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
VictorSzoltysek
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
VishalKumarJha10
 
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verifiedSector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
Delhi Call girls
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
Delhi Call girls
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
Delhi Call girls
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
OnePlan Solutions
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Nitya salvi
 

Último (20)

AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
 
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verifiedSector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
ManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide Deck
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
BUS PASS MANGEMENT SYSTEM USING PHP.pptx
BUS PASS MANGEMENT SYSTEM USING PHP.pptxBUS PASS MANGEMENT SYSTEM USING PHP.pptx
BUS PASS MANGEMENT SYSTEM USING PHP.pptx
 
LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456
LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456
LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
 

Kernel Recipes 2014 - kGraft: Live Patching of the Linux Kernel

  • 1. kGraft Live patching of the Linux kernel Jiˇrí Kosina, Petr Mládek, Vojt ˇech Pavlík, Jiri Slaby SUSE Labs September 25th 2014 Paris, France Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 1 / 23
  • 2. Why Live Patching? 1000 machines & severe security problem Needs fixing now! Rebooting the machines Is not a quick way to fix an issue Has a risk of not coming up Live patching Allows quick response Leaves an actual update to a scheduled downtime window Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 2 / 23
  • 3. Where is Live Patching Useful? Common tiers of change management 1 Incident response – we are exploited 2 Emergency change – we could be exploited (we are vulnerable) 3 Scheduled change – time is not critical, we are safe Live patching fits in with 1 and 2 Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 3 / 23
  • 4. Presentation Outline 1 KGRAFT 2 KGRAFT Internals 3 Live Demo 4 Conclusion Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 4 / 23
  • 5. Section 1 KGRAFT Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 5 / 23
  • 6. KGRAFT Research project Live patching technology Developed by SUSE Labs Specifically for the Linux kernel Based on modern Linux technologies INT3/IPI-NMI self-modifying code Lazy update mechanism fentry-based NOP space allocation Standard kernel module loading/linking mechanisms Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 6 / 23
  • 7. Advantages of KGRAFT Does not require stopping the kernel Ever! Not even for short time periods Unlike competing technologies Allows code review on KGRAFT patch sources Patches can be built from C source directly No need for object code manipulation Only an alternative: object code based automated patch generation kGraft is lean Small amount of code Leveraging other Linux technologies No complex instruction en/decoders or such Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 7 / 23
  • 8. How does KGRAFT work? A kGraft patch is a .ko kernel module The .ko is inserted into the kernel using insmod All linking (incl. the fix) is done by kernel KGRAFT replaces whole functions in the kernel Even while those functions may be executed An updated KGRAFT module can replace an existing patch Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 8 / 23
  • 9. Limitations kGraft is designed for fixing critical bugs Primarily for simple changes Changes in kernel data structure layout require special care Depending on the size of the change, reboot may be needed Same as with other live patching techniques KGRAFT depends on a stable build environment Having history of built kernels Best suited for Linux distributions Their customers Anyone who builds their own kernels Not good for 3rd party support Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 9 / 23
  • 10. Section 2 KGRAFT Internals Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 10 / 23
  • 11. KGRAFT and fentry KGRAFT needs some space at the start of a function To insert a jump to a patched function The space can be provided by GCC profiling -pg -mfentry KGRAFT uses this fentry call instructions Patched out at boot Replaced with 5-byte NOPs kernel_func CALL fentry kernel_func 5-byte NOP Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 11 / 23
  • 12. Using 5-byte NOPs Space KGRAFT uses the ftrace infrastructure to perform patching INT3 handler is installed with a JMP to the destination address 1 First byte of NOP is replaced by INT3 2 Remaining bytes are replaced by address 3 First byte is replaced by JMP 4 NMI IPIs are used to flush instruction decoders on other CPUs kernel_func kernel_func 5-byte NOP INT3 | xxxx INT3 handler JMP addr kernel_func INT3 | addr kernel_func JMP addr Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 12 / 23
  • 13. Patching a Function Patching during runtime, no stop_kernel(); Callers are never patched Rather, callee’s NOPs are replaced by a JMP to the new function JMP remains forever But this takes care of function pointers, including in structures Like indirect calls (handler->function()) Does not require saving any old data in case we want to un-patch Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 13 / 23
  • 14. Patching a Function in Pictures kernel_func buggy_func(); buggy_func JMP fixed fixed_func Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 14 / 23
  • 15. Issue: Non-consistency What happens when Replaced function changes semantics and subsequent calls rely on each other? It is called recursively? kernel_func buggy_func(); buggy_func(); BOOM! buggy_func KGRAFT patch comes in fixed_func Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 15 / 23
  • 16. Cure: RCU-like Replacement We need to provide a consistent “world-view” to each thread User processes Kernel processes Interrupts Solution: “reality check” trampoline Per-thread flag set on each kernel entry/exit Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 16 / 23
  • 17. RCU-like Replacement kernel_func heavy work buggy_func(); reality_check which universe are you coming from? buggy_func fixed_func Userspace Kernelspace Welcome to the new universe! Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 17 / 23
  • 18. Lazy Replacement All processes must wake up or execute a syscall Sometimes this requires a signal to be sent (like for getty’s) Once all processes have the "new universe" flag set Patching is complete Trampolines can be removed Files to check /proc/<pid>/kgr_in_progress /sys/kernel/kgraft/kgr_in_progress Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 18 / 23
  • 19. Lazy Replacement kernel_func heavy work buggy_func(); buggy_func fixed_func Userspace Kernelspace Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 19 / 23
  • 20. Get It Upstreaming KGRAFT was submitted and reviewed upstream There are other groups working on competing technologies KPATCH, KSPLICE, criu-based aproach, . . . SUSE will work together with them Expectations: common standard kernel live patching Publishing Part of SLE12 kernel tree GIT repository upstream http://git.kernel.org/pub/scm/linux/kernel/git/jirislaby/ kgraft.git Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 20 / 23
  • 21. Maintenance KGRAFT patch is an RPM package Once installed, always protected Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 21 / 23
  • 22. Live Demo Kernel with a security vulnerability Exploit program kGraft patch Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 22 / 23
  • 23. Conclusion SUSE provides Demanded live Linux kernel patching Dubbed KGRAFT Jiri Slaby (SUSE Labs) kGraft September 25th 2014, Paris 23 / 23