Applying updates to an active kernel with Ksplice
The current 0.8.6 version is available as a tarball with prebuilt binaries or as a source code archive under the GPLv2. Distribution packages do not exist as of this writing. If you build the tool from the source code, you will also need the BFD library, which you can retrieve on Debian or a derivative such as Ubuntu with the following command:
sudo aptitude install binutils-dev
Prominent developers, including Andi Kleen, have proposed adding Ksplice to the official kernel as an upstream extension. Kleen hopes this step would mean permanent support for the project, which would, in the long term, lead to an incremental compiler . This would remove the need for developers to completely rebuild the kernel to test and modify patches.
The program itself consists of four Perl scripts that call a number of tools written in C to analyze the object code. ksplice-create only needs a path to the directory with the running kernel and details of the patch. One practical feature is that the administrator can specify a change in diff format with the --patch option or specify a file with the --diffext option in which the changes have already been completed. On top of this, the program needs a ksplice subdirectory in the kernel tree, where the administrator stores both the kernel configuration and the symbol table (see Figure 3).
Depending on what kind of system you are using, the first phase can take a while because Ksplice needs to build two complete kernels: one in ksplice/pre and one in ksplice/post. After doing so, the program searches for differences and merges the results to create two kernel modules.
By calling ksplice-apply, you can apply the hotfix. The program first loads a module that takes care of trampoline management, then waits for the right moment. When the moment occurs, Ksplice loads the changes into the kernel, executes them, then removes itself to save memory.
Ksplice can also change a patched kernel. To do so, the patches from the first phase must reside in the source code's pre tree. ksplice-create and ksplice-apply take the trampolines into consideration and modify them correspondingly. The same mechanism makes it possible to undo changes by calling ksplice-undo because the system "remembers" the vector addresses. ksplice-view shows the changes performed by Ksplice.
On his website, Ksplice author Jeffrey Brian Arnold shows another potential application scenario for the tool: debugging the active kernel. If you just want to add a couple of printk() calls at various points to view data structures that are otherwise difficult to access, Ksplice gives you a simple approach to injecting them into a running system. However, this approach does not lend itself to more complex applications, for which dynamically loadable modules, Kprobes, or Systemtap are more useful.
Developers have pointed out that Microsoft posted a patent application with the US Patent Office (USPO) in December 2002 titled "Patching of In-Use Functions on a Running Computer System." USPO had refused the application, and Microsoft had appealed and posted a whole bunch of additional applications, including one for Efficient Patching (USPO reference 20050257208).
In response to this, half a dozen developers piped up in various forums pointing out that this technology was public knowledge on various platforms from PDP-11 through a state-of-the-art PC long before the software patent application was filed.
Buy this article as PDF
Weird data transfer technique avoids all standard security measures.
FIDO alliance declares the beginning of the end for old-style login authentication.
The Linux New Media Awards have honored the most significant products, projects, people, and organizations for open source/Linux every year since 2000.
Legendary Uber-distro splits over the systemd controversy.
New LTS version offers many refinements for the Cinnamon and Mate desktops and significant improvement under the hood.
One of CeBIT’s most successful forums returns in 2015.
A new study says it is possible to unmask 81% of TOR users.
Redmond joins the revolution by turning the .NET Core Runtime into a GitHub project.
Users only had 7 hours to update before the intrusions started.
It's official: The new web arrives