Kernel live patching

As kernel patching Live (KLP) or modules hot plugging (MHP) is the ability of the Linux kernel called to close the fly vulnerabilities in the kernel. This can reduce the number of restarts required, which reduces the downtime of servers . Kernel Live Patching is an alternative to high availability servers.

Native live patching / module hot plugging

Kernel Live Patching was developed as the intersection of kpatch and kGraft and integrated into the Linux kernel 4.0. Since then, the Linux kernel has supported live patching without additional programs. At the same time, an interface for kGraft and kpatch was provided, which instead of 90% of all security gaps as with the native solution can close around 95%.

ksplice

Scheme

Ksplice was the first live patching system released in 2008. In 2011, the developer was bought by Oracle , who equipped their server operating system Oracle Linux with it.

ksplicegenerates a patch - module from the comparison of original and patched source code. In contrast to its successors, with ksplice all processes have to be stopped once with stop_machine .

kGraft

Scheme

In February 2014, SUSE presented its live patching solution. kGraftis used as of SUSE Linux Enterprise Server (SLES) 12.

kpatch

Scheme

That same month followed kpatchby Red Hat . It is used in Red Hat Enterprise Linux (RHEL) 7.

Individual evidence

1. ↑ ^{a b c} Linux Kernel Live Patching with kpatch and kGraft March 26, 2015
2. ↑ Michael Larabel: New Kernel Live Patching Combines kGraft & Kpatch. Phoronix , November 7, 2014, accessed April 28, 2015 . 
3. ↑ Jörg Thoma / Kristian Kißling: Linux Kernel 4.0 brings live patching. Linux Magazine, April 13, 2015, accessed April 28, 2015 . 
4. ↑ Thorsten Leemhuis: The innovations of Linux 4.0. In: Kernel Log. heise open , April 13, 2015, accessed on April 28, 2015 . 
5. ↑ Vojtěch Pavlík: kGraft. Live patching of the Linux kernel (English)
6. ↑ Introducing kpatch: Dynamic Kernel Patching