[Linux-aus] Say Goodbye to Reboots with Ksplice

Chris Smart mail at christophersmart.com
Fri Jul 3 07:32:39 EST 2009


2009/7/3 David Newall <davidn at davidnewall.com>:
> Hi Chris,
>
> Is the title just a teensy bit of an exaggeration?  Ksplice, if memory
> serves, doesn't work with all patches, and in particular, not with
> patches that change the layout of structures.  "Reboot less often with
> Ksplice" would perhaps be more accurate?

Hey David,

I put your questions to the Ksplice team, here is their reply:

"Ksplice can indeed handle patches that add or remove fields from data
structures.  The Ksplice paper (http://www.ksplice.com/paper) describes
how Ksplice has been used to apply all of the significant Linux kernel
security patches over a period of three years--so yes, you can keep your
system secure without rebooting at all."

>
> I think this is an even bigger stretch.  My reading of Mitre's records
> shows the first fix, a hot fix, which was described as "not sufficiently
> tested for production level deployment", was released the day
> /following/ Debian's compromise.  Even had they "been running Ksplice"
> (sic), they were compromised before any patch existed and hence downtime
> was guaranteed.  (It would be crazy not to reboot after that level of
> compromise.)

Here is their reply again:

"The sys_prctl vulnerability was known internally to Red Hat (and quite
possibly other vendors as well) as of June 14th and was made public (along
with a patch [1] to eliminate the vulnerability) on July 6th.  The Debian
compromise happened on July 12th.  If Ksplice had been in widespread use
in July 2006, the fix could have been widely pushed six days before the
Debian compromise.

[1] http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=commit;h=9e4e45f19bdd41b4091e5fe556f816f4046c7598"

>
> Best not to oversell Ksplice.

Looks like maybe I'm not overselling it after all :-)

-c
