Practical Dynamic Software Updating
, 2008
Cited by 108 (33 self)
Abstract
This dissertation makes the case that programs can be updated while they run, with modest programmer effort, while providing certain update safety guarantees, and without imposing a significant performance overhead. Few systems are designed with on-the-fly updating in mind. Those systems that permit it support only a very limited class of updates, and generally provide no guarantees that following the update, the system will behave as intended. We tackle the on-the-fly updating problem using a compiler-based approach called dynamic software updating (DSU), in which a program is patched with new code and data while it runs. The challenge is in making DSU practical: it should support changes to programs as they occur in practice, yet be safe, easy to use, and not impose a large overhead. This dissertation makes both theoretical contributions—formalisms for reasoning about, and ensuring update safety—and practical contributions—Ginseng, a DSU implementation for C. Ginseng supports a broad range of changes to C programs, and performs a suite of safety analyses to ensure certain update safety
KSplice: Automatic Rebootless Kernel Updates
- In EuroSys 2009
, 2009
Cited by 58 (2 self)
Abstract
Ksplice allows system administrators to apply patches to their operating system kernels without rebooting. Unlike previous hot update systems, Ksplice operates at the object code layer, which allows Ksplice to transform many traditional source code patches into hot updates with little or no programmer involvement. In the common case that a patch does not change the semantics of persistent data structures, Ksplice can create a hot update without a programmer writing any new code. Security patches are one compelling application of hot updates. An evaluation involving all significant x86-32 Linux security patches from May 2005 to May 2008 finds that most security patches—56 of 64—require no new code to be performed as a Ksplice update. In other words, Ksplice can correct 88% of the Linux kernel vulnerabilities from this interval without the need for rebooting and without writing any new code. If a programmer writes a small amount of new code to assist with the remaining patches (about 17 lines per patch, on average), then Ksplice can apply all 64 of the security patches from this interval without rebooting.
Enhanced operating system security through efficient and fine-grained address space randomization
- In Proceedings of the 21st USENIX Security Symposium
, 2012
Cited by 40 (3 self)
Abstract
In recent years, the deployment of many application-level countermeasures against memory errors and the increasing number of vulnerabilities discovered in the kernel has fostered a renewed interest in kernel-level exploitation. Unfortunately, no comprehensive and well-established mechanism exists to protect the operating system from arbitrary attacks, due to the relatively new development of the area and the challenges involved. In this paper, we propose the first design for fine-grained address space randomization (ASR) inside the operating system (OS), providing an efficient and comprehensive countermeasure against classic and emerging attacks, such as return-oriented programming. To motivate our design, we investigate the differences with application-level ASR and find that some of the well-established assumptions in existing solutions are no longer valid inside the OS; above all, perhaps, that information leakage becomes a major concern in the new context. We show that our ASR strategy outperforms state-of-the-art solutions in terms of both performance and security without affecting the software distribution model. Finally, we present the first comprehensive live rerandomization strategy, which we found to be particularly important inside the OS. Experimental results demonstrate that our techniques yield low run-time performance overhead (less than 5% on average on both SPEC and syscall-intensive benchmarks) and limited run-time memory footprint increase (around 15% during the execution of our benchmarks). We believe our techniques can greatly enhance the level of OS security without compromising the performance and reliability of the OS.
Safe and automatic live update for operating systems
- In Proceedings of the 18th International Conference on Architectural Support for Programming Languages and Operating Systems
Cited by 14 (9 self)
Abstract
Increasingly many systems have to run all the time with no down-time allowed. Consider, for example, systems controlling electric power plants and e-banking servers. Nevertheless, security patches and a constant stream of new operating system versions need to be deployed without stopping running programs. These factors naturally lead to a pressing demand for live update—upgrading all or parts of the operating system without rebooting. Unfortunately, existing solutions require significant manual intervention and thus work reliably only for small operating system patches. In this paper, we describe an automated system for live update that can safely and automatically handle major upgrades without rebooting. We have implemented our ideas in PROTEOS, a new research OS designed with live update in mind. PROTEOS relies on system support and nonintrusive instrumentation to handle even very complex updates with minimal manual effort. The key novelty is the idea of state quiescence, which allows updates to happen only in safe and predictable system states. A second novelty is the ability to automatically perform transactional live updates at the process level, ensuring a safe and stable update process. Unlike prior solutions, PROTEOS supports automated state transfer, state checking, and hot rollback. We have evaluated PROTEOS on 50 real updates and on novel live update scenarios. The results show that our techniques can effectively support both simple and complex updates, while outperforming prior solutions in terms of flexibility, security, reliability, and stability of the update process.
Safe and Automated State Transfer for Secure and Reliable Live Update
- In Proceedings of the Fourth International Workshop on Hot Topics in Software Upgrades
, 2012
Cited by 10 (7 self)
Abstract
Traditional live update systems offer little or no automated support for state transfer between two different program versions with changes in the program state. In this paper, we report our efforts to build a safe and automated state transfer framework for C programs that requires a minimal number of program state annotations and handles common structural state changes with no programmer assistance. To handle more complex state transformations, the framework includes a number of extension mechanisms designed to minimize the overall programming effort. Our experience with real-world programs suggests that our framework can handle all the standard C idioms and support safe and automated state transfer for complex state changes. We believe our approach is effective in several update scenarios and significantly raises the bar on the security and reliability of live update.
Cooperative Update: A New Model for Dependable Live Update
Cited by 7 (6 self)
Abstract
Many real-world systems require continuous operation. Downtime is ill-affordable and scheduling maintenance for regular software updates is a tremendous challenge for system administrators. For this reason, live update is a potential solution as it allows running software to be replaced by a newer version without stopping the system. The vast majority of live update approaches proposed as a solution to this problem aims to support existing software systems, while striving to maintain a good level of safety and flexibility. In this paper, we consider the opposite direction. Our work aims to build dependable and trustworthy live updatable systems that do not attempt to be backward compatible but look forward to solving the update problem in future systems. To this end, we highlight possible issues and limitations in existing approaches and propose a new cooperative model for live update to provide better safety and flexibility guarantees.
Security impact ratings considered harmful
Cited by 6 (0 self)
Abstract
In this paper, we question the common practice of assigning security impact ratings to OS updates. Specifically, we present evidence that ranking updates by their perceived security importance, in order to defer applying some updates, exposes systems to significant risk. We argue that OS vendors and security groups should not focus on security updates to the detriment of other updates, but should instead seek update technologies that make it feasible to distribute updates for all disclosed OS bugs in a timely manner.
A Taxonomy of Live Updates
Cited by 4 (2 self)
Abstract
Many high-availability systems require regular software updates but can hardly afford any downtime. Existing general-purpose live update approaches proposed as a solution to this problem have failed to reach broad acceptance. In this paper, we investigate the root causes of the poor acceptance and argue that a new model is necessary to offer adequate dependability guarantees. To substantiate our claim, we propose a taxonomy of live updates and analyze many practical examples from operating systems. We show how the nature of the update is crucial to determine the properties and limitations of the resulting live update process and discuss the emerging need for update-aware systems.
Mutable checkpoint-restart: automating live update for generic server programs
- In Proceedings of the 15th International Middleware Conference
, 2014
Cited by 3 (2 self)
Abstract
The pressing demand to deploy software updates without stopping running programs has fostered much research on live update systems in the past decades. Prior solutions, however, either make strong assumptions on the nature of the update or require extensive and error-prone manual effort, factors which discourage live update adoption. This paper presents Mutable Checkpoint-Restart (MCR), a new live update solution for generic (multiprocess and multithreaded) server programs written in C. Compared to prior solutions, MCR can support arbitrary software updates and automate most of the common live update operations. The key idea is to allow the new version to restart as similarly to a fresh program initialization as possible, relying on existing code paths to automatically restore the old program threads and reinitialize a relevant portion of the program data structures. To transfer the remaining data structures, MCR relies on a combination of precise and conservative garbage collection techniques to trace all the global pointers and apply the required state transformations on the fly. Experimental results on popular server programs (Apache
Seamless Kernel Updates
Cited by 2 (0 self)
Abstract
Kernel patches are released frequently to fix bugs and security vulnerabilities. However, users and system administrators often delay installing these updates because they require a system reboot, which results in disruption of service and the loss of application state. Unfortunately, the longer a system remains out-of-date, the higher is the likelihood of system failure or a successful attack. Approaches, such as dynamic patching and hot swapping, have been proposed for updating the kernel. All of them either limit the types of updates that are supported, or require significant programming effort to manage. We have designed a system that checkpoints application-visible state, updates the kernel, and restores the application state thus minimizing disruption of service. By checkpointing high-level state, our system no longer depends on the precise implementation of a patch and can apply all backward compatible patches. Our results show that updates to major releases of the Linux kernel can be applied with minimal effort and no observable overhead.