Reply to post:

NetBSD, OpenBSD improve kernel security, randomly

Kiwi Silver badge

However, if you're going to remove the old code, you need to prevent execution of it regardless (like stopping all CPUs and resuming their execution at a known location).

Have taken a bit more of a look into it, and the CPU doesn't get stopped, just pointers changed (simplified version). Looking at kgraft only for this, I haven't delved much deeper or into any other such products.


"...Imagine, if you will, applying a kernel patch to your production servers in the middle of the day, during peak transaction periods, and not … missing … a beat...."


The gist of kGraft is this:

  • kGraft locates differences between the running kernel and the patch.
  • It creates replacement functions based on those differences.
  • It loads and links the patched functions.
  • It redirects code execution to patched functions.

and also

"...Businesses with massive server deployments that demand 24/7/365 uptime are ripe for Live Kernel Patching. As well, this technology is perfectly suited for big data. Why? When you’re looking at terabytes of in-memory data that will take hours to reload on reboot ─ you need Live Kernel Patching to ensure those security patches (patches that can range from a mere two lines of code to thousands) can be loaded without having to give the dreadful command to “shut it down”. This can be a real game-changer when the bureaucratic red tape of rebooting can delay the process days, weeks, and even months (or send the CEO, COO, and CFO into fits of apoplectic shock)..."


First, a patch module that contains all the new functions and some initialization code that registers with the kGraft code in kernel is loaded. Since it contains the new functions as regular code, the kernel module loader links them to any functions they may be calling inside the kernel.

Then, kGraft uses an ftrace-like approach to replace existing functions with their fixed instances by inserting a long jump at the beginning of each function that needs to be replaced. Ftrace uses a clever method based on inserting a breakpoint opcode (INT3) into the patched code first, only then replacing the rest of the bytes by the jump address and removing the breakpoint and replacing it with long jump opcode. Inter-processor non-maskable interrupts are used throughout the process to flush speculative decoding queues of other CPUs in the system. This allows switching to the new function without ever stopping the kernel, not even for a very short moment. The interruptions by IPI NMIs can be measured in microseconds.

So doesn't seem to stop the CPUs at all, not in the way you(?) were mentioning earlier where video playback would have noticeable pauses.

Admittedly patching is not the same as moving portions of the kernel every x minutes, but from these texts the same processes could be applied to shifting kernel code to a new location without noticeable impact on performance. Hell, my 6+yr old machine runs a couple of VMS and still has more than enough grunt to have games running in the background while I watch a movie via Kodi. If moving thousands of lines worth of code is "measured in microseconds" then the impact of moving significant chunks on a fairly regular basis would be unnoticeable by most (at least until one of those glitches occurs where a pointer isn't updated correctly - but then if kgraft is as good as advertised and acceptable to the target markets, I seriously doubt that would be something that happens often).

I understand the issue of locations being "leaked" - after all if you don't know where to find a bit of code it's a little hard to call it when needed, but this could help mitigate some attacks in that the attacker would always have to be keeping track of where stuff is moving to. Maybe not that big a hurdle but one that could have an impact, further making buffer over runs harder to work (just because you found the location a minute ago doesn't mean it'll be there, though there is a good chance it still will be unless you're changing locations every couple of seconds which might be a tad excessive!)

[El Reg please for fucks sake GET RID OF THAT FUCKING CLODFOOL STUPIDITY! Fuck that shit is so fucking annoying and useless! IT takes longer to get through that fucking mess of stupidity than it does to write a post like this, even with a 5minute full-foam rant at the end! You're a tech site, you should be better than this shit!]

--> Icon Please oh please let me meet the people behind clodfool in a dark alley!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon


Biting the hand that feeds IT © 1998–2020