
Live patching the Xen Project hypervisor

Formal Metadata

Title
Live patching the Xen Project hypervisor
Series title
Number of parts
611
Author
License
CC Attribution 2.0 Belgium:
You may use, modify, and reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal purpose, provided that you credit the author/rights holder in the manner specified by them.
Identifiers
Publisher
Year of publication
Language
Production year
2017

Content Metadata

Subject area
Genre
Abstract
Live patching -- the process of updating software while it is running -- has become a popular topic of late, with several companies offering services providing live patching for Linux, culminating with an implementation being contributed to Linux. While Xen supports live migration of VMs, which mitigates the need for live patching, there are still some reasons why live patching is useful: for example, to minimize downtime, when running applications with low latency requirements, and when using PCI passthrough.

This talk reviews the state of live patching for Xen. A live patching implementation has recently been contributed to Xen, so we will look at the design and implementation in detail, noting how and why it differs from live patching for Linux. We will look at some of the ways that live patches can be created and the pitfalls to watch out for when doing so. There will also be a status report of ongoing and future work for live patching for Xen. Finally, the talk will show a demo of live patching in action by building a live patch for a known security issue and applying it to a vulnerable system.

Xen LivePatch is a new tech preview feature in Xen 4.7 for live patching the hypervisor. It is the result of collaboration between several members of the community, guided by the existing live patching efforts for Linux. We will talk about this and how Xen's requirements differ from Linux.

The core idea of Xen LivePatch is to insert a "trampoline" in each buggy function with a jump to a replacement function. This is simple in principle, but there are a number of complexities which make it interesting to look at.

Live patches can be built by hand, by compiling the replacement functions in a separate source file. This is a manual process and can also be unreliable due to the nature of compiler optimizations. So we repurposed kpatch's live patch creation tool for Xen. This computes a binary difference of the output binaries before and after a source patch is applied. This simplifies the process of creating live patches and overcomes issues with compiler optimizations, but is still not without difficulties. We look at the process of creating live patches and why it is hard.