Ksplice is an interesting open source project out of MIT that automates the process of applying security patches to the Linux kernel without rebooting the system, and it’s getting notice by the Linux Foundation.
Top kernel developer and Linux Foundation fellow Ted Ts’o said the Ksplice software is much needed by telecommunications providers and anyone who hates downtime. “It allows you to hot patch the Linux kernel with a security update without rebooting the computer. It’s a binary patch capability that is highly automated,” said T’so. “Users in the carrier grade linux space have been clamoring for this for a while. If you are a carrier in telephony and don’t want downtime, this stuff is pure gold.”
The best part? It doesn’t require any kernel modifications, Ts’o said.
According to a technical paper released by Ksplice developer Jeffrey Brian Arnold of MIT, Kspliace was tested against Linux security patches from May of 2005 to December of 2007 and automatically (and successfully) patched 84 percent of 50 “significant kernel vulnerabilities” in that timeframe. Ksplice can handle many security updates but not changes to data structures, the report notes.
It is available under GPL 2 and has been tested on Linux kernel versions from 2.6.8 to the recently released 2.6.25 and on several Linux distributions including Debian, Ubuntu, Red Hat Enterprise Linux and Gentoo, Arnold writes.
Ts’o does not know if the developer has any commercial plans around Ksplice but notes that the software is free and ready to go. Arnold does point out in his white paper, however, that the software is still in test mode and can cause problems in some systems. He also acknowledges that Ksplice could theoretically help “bad guys” introduce bad code into the kernel but maintains those folks already have the tools to do harm.
[
details]
04-23-2008, 05:11 PM
Ksplice automates applying security patches to Linux kernel — with no reboot
Status: Offline
Linear Mode
