user space live patching
play

User Space Live Patching Joo Moreira SUSE Labs User Space Live - PowerPoint PPT Presentation

Mar 18, 2023 •467 likes •941 views

User Space Live Patching Joo Moreira SUSE Labs User Space Live Patching Joo Moreira (formerly at) SUSE Labs joao.moreira@lsc.ic.unicamp.br Software has bugs, and bugs have to be fixed + security issues + execution degradation + undefined

  1. User Space Live Patching João Moreira SUSE Labs

  2. User Space Live Patching João Moreira (formerly at) SUSE Labs joao.moreira@lsc.ic.unicamp.br

  3. Software has bugs, and bugs have to be fixed + security issues + execution degradation + undefined behavior

  4. Fixing bugs + kill the process + replace the respective binary with a fixed version + restart the process + wait until process is ready + re-establish services

  5. Fixing bugs: downtime + kill the process + replace the respective binary with a fixed version + restart the process + wait until process is ready + re-establish services

  6. Downside of downtime + Some services may take very long to restart + Active connections will drop + Interruption of large computations

  7. Live Patching + Fixing bugs in live software without restart + Already a thing in the Linux kernel Libpulp + User Space Live Patching Library + Actually... not only a library, but a full framework

  8. Quiessence + Changes should not lead to inconsistent states + Patches must be applied atomically + Functions cannot be patched while running

  9. Kernel Consistency model + Execution boundary between user and kernel space + Hold new kernel threads and wait all others to finish + Safe to patch + Stack unwinding + Identify that to-be-patched functions are not running + Safe to patch

  10. ! ? Consistency model W O Kernel + Execution boundary between user and kernel space H + Hold new kernel threads and wait all others to finish + Safe to patch + Stack unwinding + Identify that to-be-patched functions are not running + Safe to patch

  11. ! ? Consistency model W libpulp to the O Kernel + Execution boundary between user and kernel space H + Hold new kernel threads and wait all others to finish + Safe to patch RESCUE!!1! + Stack unwinding + Identify that to-be-patched functions are not running + Safe to patch

  12. libpulp Consistency Model + Uses shared libs model to identify quiescent states + If lib was not entered, all its functions can be patched + Before patch is applied, check if library was entered

  13. ! ? W O libpulp Consistency Model H + Uses shared libs model to identify quiescent states + If lib was not entered, all its functions can be patched + Before patch is applied, check if library was entered

  14. For now, imagine that we... + can magically change the functions in a process + just need to ensure that these functions aren't running

  15. libpulp Consistency Model + Entry points to the library are its exported functions + Referenced in the ELF dynamic symbol table (.dynsym)

  16. libpulp Consistency Model + Linker emits .ulp section with entries for exp. functions + .dynsym symbols modified to point to .trm entries - relocations are now resolved to .trm entry + .trm saves function reference and jumps to ulp_entry + ulp_entry flags entrance, realigns stack, calls function + Function returns to ulp_entry + ulp_entry flags exit, restores return address, returns

  17. libpulp Consistency Model + Linker emits .ulp section with entries for exp. functions + .dynsym symbols modified to point to .ulp entries - relocations are now resolved to .ulp entry + .trm saves function reference and jumps to ulp_entry + ulp_entry flags entrance, realigns stack, calls function + Function returns to ulp_entry + ulp_entry flags exit, restores return address, returns

  18. libpulp Consistency Model + Linker emits .ulp section with entries for exp. functions + .dynsym symbols modified to point to .ulp entries - relocations are now resolved to .ulp entry + .ulp saves function reference and jumps to ulp_entry + ulp_entry flags entrance, realigns stack, calls function + Function returns to ulp_entry + ulp_entry flags exit, restores return address, returns

  19. libpulp Consistency Model + Linker emits .ulp section with entries for exp. functions + .dynsym symbols modified to point to .ulp entries - relocations are now resolved to .ulp entry + .ulp saves function reference and jumps to ulp_entry + ulp_entry flags entrance, realigns stack, calls function + Function returns to ulp_entry + ulp_entry flags exit, restores return address, returns

  20. libpulp Consistency Model + Linker emits .ulp section with entries for exp. functions + .dynsym symbols modified to point to .ulp entries - relocations are now resolved to .ulp entry + .ulp saves function reference and jumps to ulp_entry + ulp_entry flags entrance, realigns stack, calls function + Function returns to ulp_entry + ulp_entry flags exit, restores return address, returns

  21. libpulp Consistency Model + Linker emits .ulp section with entries for exp. functions + .dynsym symbols modified to point to .ulp entries - relocations are now resolved to .ulp entry + .ulp saves function reference and jumps to ulp_entry + ulp_entry flags entrance, realigns stack, calls function + Function returns to ulp_entry + ulp_entry flags exit, restores return address, returns

  23. Thread-local Universes + We don't want to wait for all threads to leave the library + Some may never leave the library + libpulp keeps per-thread patching states, or universes

  24. Thread-local Universes + One global universe counter - Updated upon patching + Per-thread universe counters - Synchronized to the global universe in ulp_entry - When a patch is effectively applied to a thread

  25. Thread-local Universes + Functions are emitted with padding nops area

  26. Thread-local Universes + Nops modified into universe checker when patched

  27. Thread-local Universes + Libpulp keeps a list of patched functions + Each node contains another list of function versions + Universe checking routine selects which detour to take

  28. Thread-local Universes

  29. libpulp + Library that can be LD_PRELOAD'ed + Provides self-modifying capabilities + Keeps needed data structures + Activated from the outside, through ptrace

  30. libpulp + Library that can be LD_PRELOAD'ed + Provides self-modifying capabilities + Keeps needed data structures + Activated from the outside, through ptrace - This is the magic

  31. All Together Now! + P is running process that LD_PRELOAD'ed libpulp + P uses specially compiled libs + We need to fix function F in lib L , but we can't kill P + A ptrace-based tool called T (trigger) attaches to P

  32. All Together Now! + T stops P , parses its memory and saves its context + Redirects a thread to a patch_apply routine in libpulp + Redirects all other threads to a infinite loop routine + Restarts P

  33. All Together Now! + patch_apply: - Modifies the to-be-patched functions - Loads .so file with function replacements - Updates data structures and increments universe - Interrupts, returning the control to T + T restores the original context and restarts P

  34. All Together Now! + P calls F in L , which is being entered by the thread + Control-flow goes through ulp_entry + Thread-local universe counter is updated + F first runs the universe checking routine + New version of F is executed

  35. All Together Now! + P calls F in L , from a thread which was already in L + Control-flow goes through ulp_entry + Thread-local universe update is bypassed + F first runs the universe checking routine + Thread-local universe is obsolete + Previous version of F is executed

  36. The Trigger + Fully based on ptrace + Uses original binary to map all symbols within the process + Checks if libpulp was loaded into the process memory + Hijacks control-flow of threads to invoke libpulp routines

  37. Live patch anatomy + Two separate parts + Compiled .so file that contains replacement functions + Metadata file with data required for applying the patch - Names of functions that will be replaced - Names of replacement functions - Sanity check: dependencies, target build-ids

  38. Metadata Generation + There is also a packer tool + Gets patch description text file and all objects involved + Generates metadata and reverse patches automatically

  39. Stacked Patches + Multiple patches can be applied to the same process + Universe may be higher than the universes of available detours for given functions + Detour with higher universe below the compared universe is picked

  40. Unpatching + Unpacthing is similar to patching + Global universe is incremented + Doesn't load .so, only marks detours as inactive + Inactive detour picked if its universe matches exactly

  42. Overheads + ~2% for libpulp-prepared glibc on SPEC + Worst case scenario for a process with a patch-applied - Recursive fibonacci sequence computation - Similar to having all called functions patched - Up to 50x overhead

  43. github.com/SUSE/libpulp

  45. twitter.com/linuxdevbr instagram.com/linuxdevbr t.me/linuxdevbr

  46. User Space Live Patching João Moreira (formerly at) SUSE Labs joao.moreira@lsc.ic.unicamp.br

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Android patching From a Mobile Device Management perspective Cedric Van Bockhaven

Android patching From a Mobile Device Management perspective Cedric Van Bockhaven

Introduction Background information SNE Research Project 2 Kernel patching Evaluation Android patching from the MDM Proof of concept Android patching From a Mobile Device Management perspective Cedric Van Bockhaven cbockhaven@os3.nl

466 views • 20 slides
User Space TCP based on LKL H.K. Jerry Chu, Yuan Liu, Andreas Abel Google Inc. Netdev 1.2

User Space TCP based on LKL H.K. Jerry Chu, Yuan Liu, Andreas Abel Google Inc. Netdev 1.2

User Space TCP based on LKL H.K. Jerry Chu, Yuan Liu, Andreas Abel Google Inc. Netdev 1.2 Conference Netdev 1.2 Conference Oct 5-7, 2016; Tokyo, Japan User-space TCP Traditionally, TCP stack in kernel space A TCP stack in user space can

557 views • 24 slides
LIVE LEARN DANCE LIVE PROGRAM: MIXE D INCOME HOUSING + ART S SPACE

LIVE LEARN DANCE LIVE PROGRAM: MIXE D INCOME HOUSING + ART S SPACE

LIVE LEARN DANCE LIVE PROGRAM: MIXE D INCOME HOUSING + ART S SPACE Mixed-Use/Mixed-Income 405 total units 122 affordable units 14,000 sq ft of Art Space 255 seat Black Box Theater Arts Lane Public Art

269 views • 15 slides
Bayes factors: A re-volution in psychology Geoff Patching Department of Psychology

Bayes factors: A re-volution in psychology Geoff Patching Department of Psychology

Bayes factors: A re-volution in psychology Geoff Patching Department of Psychology E-mail: geoffrey.patching@psy.lu.se The Bayes Factor The Bayes factor ( BF ) is the likelihood ratio of the evidences given the hypotheses ! # | % !

601 views • 13 slides
CRE AT I NG SPACE S F OR I NDI GE NOUS WOME N Who live with HI V/ AI DS Pre se nte

CRE AT I NG SPACE S F OR I NDI GE NOUS WOME N Who live with HI V/ AI DS Pre se nte

CRE AT I NG SPACE S F OR I NDI GE NOUS WOME N Who live with HI V/ AI DS Pre se nte r Disc lo sure De nise Baldwin , I DU Outre a c h Co o rdina to r, Oa ha s No re la tio nships with c o mme rc ia l inte re sts to de c la re

1.05k views • 56 slides
Cary St Library I Introduction II User Analysis III Space Matrix IV Concept V Building

Cary St Library I Introduction II User Analysis III Space Matrix IV Concept V Building

Cary St Library I Introduction II User Analysis III Space Matrix IV Concept V Building VI Movement VII Space Planning VIII Materiality IX Spaces I Introduction II User Analysis III Space Matrix IV Concept V Building VI

514 views • 38 slides
that it is not sufficient to preserve security in outer space. Via the UN General Assembly

that it is not sufficient to preserve security in outer space. Via the UN General Assembly

Prospects for Progress on Space Security Diplomacy Presentation by Paul Meyer Senior Fellow, The Simons Foundation Space Security Index side event Tracking Space Security: Are We Ready to Go Live? held during the United Nations General

229 views • 3 slides
secuBT Hacking the Hackers with User-Space Virtualization Mathias Payer

secuBT Hacking the Hackers with User-Space Virtualization Mathias Payer

secuBT Hacking the Hackers with User-Space Virtualization Mathias Payer <mathias.payer@inf.ethz.ch> 1 Mathias Payer: secuBT - User-Space Virtualization Motivation Virtualizing and encapsulating running programs is important:

693 views • 40 slides
Domains of Warfare Space Sp ace Cybe Cy ber- Air ir Sp Space ace Five Fi Domains of

Domains of Warfare Space Sp ace Cybe Cy ber- Air ir Sp Space ace Five Fi Domains of

Domains of Warfare Space Sp ace Cybe Cy ber- Air ir Sp Space ace Five Fi Domains of Doma of Warfar are Lan and Se Sea Joint M ultinational Combined Arms Live-Fire Exercise Camp Grayling-Alpena CRTC 2010-2018 NORTHERN

310 views • 4 slides
Filling the Gaps and Patching the Cracks Connected Care for Home Health Care Agencies Barbara

Filling the Gaps and Patching the Cracks Connected Care for Home Health Care Agencies Barbara

Filling the Gaps and Patching the Cracks Connected Filling the Gaps and Patching the Cracks Connected Care for Home Health Care Agencies Barbara Katz, RN, MSN President, BK Healthcare Consulting, LLC www.bkhealthconsulting.com Learning

596 views • 32 slides
User Interfaces for Live Programming Jun Kato https://junkato.jp Researcher, LIVE 2017

User Interfaces for Live Programming Jun Kato https://junkato.jp Researcher, LIVE 2017

User Interfaces for Live Programming Jun Kato https://junkato.jp Researcher, LIVE 2017 Keynote, 10/24/2017 Jun Kato junkato https://junkato.jp Research Topic Computer Science (Human-Computer Interaction, Programming Language) Phybots

918 views • 50 slides
T EX Live Managers rare gems User mode and multi-repository support Norbert Preining JAIST,

T EX Live Managers rare gems User mode and multi-repository support Norbert Preining JAIST,

T EX Live Managers rare gems User mode and multi-repository support Norbert Preining JAIST, Japan, and T EX Live Team October 2013 Tug 2013, Tokyo, Japan 1 Overview User mode Multi repository background operation mode setup, run

359 views • 32 slides
PATCHING LESSONS LEARNED: An Interesting Perspective WHO WE ARE - MISSION We ensure the success

PATCHING LESSONS LEARNED: An Interesting Perspective WHO WE ARE - MISSION We ensure the success

Cyber Security | Compliance | Industrial Computing PATCHING LESSONS LEARNED: An Interesting Perspective WHO WE ARE - MISSION We ensure the success of our customers by developing innovative technology solutions that optimize and protect

557 views • 37 slides
Metrictank: Building a new time series engine for GrafanaCloud PERCONA LIVE 2018 Raj Dutt /

Metrictank: Building a new time series engine for GrafanaCloud PERCONA LIVE 2018 Raj Dutt /

Metrictank: Building a new time series engine for GrafanaCloud PERCONA LIVE 2018 Raj Dutt / co-founder Grafana Labs dutt@grafana.com @nopzoraps Grafana everywhere CUSTOMER USER USER CUSTOMER USER CUSTOMER USER The Rise of Beautiful

485 views • 13 slides
ECE 650 Systems Programming & Engineering Spring 2018 User Space / Kernel Interaction Tyler

ECE 650 Systems Programming & Engineering Spring 2018 User Space / Kernel Interaction Tyler

ECE 650 Systems Programming & Engineering Spring 2018 User Space / Kernel Interaction Tyler Bletsch Duke University Slides are adapted from Brian Rogers (Duke) Operating System Services User and other system programs GUI batch Command

346 views • 13 slides
Address Space Randomization A n E f f e c t i v e I m p l e m e n t a t i o n Michael Cloppert

Address Space Randomization A n E f f e c t i v e I m p l e m e n t a t i o n Michael Cloppert

Address Space Randomization A n E f f e c t i v e I m p l e m e n t a t i o n Michael Cloppert May, 2006 Address Space Randomization Theory Randomize location of memory objects Libraries Heap User, kernel-space stack Foils attacks like

560 views • 15 slides
Instance Migration in Dynamic Sofuware Update P. Tesone 1,2 G. Polito 1 L. Fabresse 2 N.

Instance Migration in Dynamic Sofuware Update P. Tesone 1,2 G. Polito 1 L. Fabresse 2 N.

Instance Migration in Dynamic Sofuware Update P. Tesone 1,2 G. Polito 1 L. Fabresse 2 N. Bouraqadi 2 S. Ducasse 1 (1) INRIA LilleNord Europe, France (2) Mines Douai, IA, Univ. Lille, France What is Dynamic Sofuware Update? U p d

187 views • 15 slides
Marcos Lpez for the MAGIC Collaboration Univ. Complutense Madrid, Spain, marcos@gae.ucm.es ICRC

Marcos Lpez for the MAGIC Collaboration Univ. Complutense Madrid, Spain, marcos@gae.ucm.es ICRC

Marcos Lpez for the MAGIC Collaboration Univ. Complutense Madrid, Spain, marcos@gae.ucm.es ICRC 2017 Busan The MAGIC telescopes La Palma island Characteristics 2 Imaging Atmospheric Cherenkov Telescopes 17 m diameter with active

477 views • 18 slides
1 Cellular Automata A dynamic system Invented by John von Neumann With help from

1 Cellular Automata A dynamic system Invented by John von Neumann With help from

Last time Nonlinear dynamic systems The Logistic map Strange attractors The Hnon attractor The Lorenz attractor Producer-consumer dynamics Equation-based modeling Individual-based modeling 9/11 - 05 Emergent

313 views • 15 slides
Systems Delays (contd) Shankar Balachandran* Associate Professor, CSE Department Indian

Systems Delays (contd) Shankar Balachandran* Associate Professor, CSE Department Indian

Spring 2015 Week 5 Module 25 Digital Circuits and Systems Delays (contd) Shankar Balachandran* Associate Professor, CSE Department Indian Institute of Technology Madras *Currently a Visiting Professor at IIT Bombay Sequential Element Delays

198 views • 9 slides
Protein Hypernetworks Johannes K oster, Eli Zamir, Sven Rahmann August 20, 2012 1 / 14

Protein Hypernetworks Johannes K oster, Eli Zamir, Sven Rahmann August 20, 2012 1 / 14

Genome Informatics Protein Hypernetworks Johannes K oster, Eli Zamir, Sven Rahmann August 20, 2012 1 / 14 Protein Network Modelling Genome Informatics B A C G H Interaction maps (undirected graphs) F D I E 2 / 14 Protein

969 views • 37 slides
CS 327E Lecture 4 Shirley Cohen February 3, 2016 Agenda Announcements Homework for

CS 327E Lecture 4 Shirley Cohen February 3, 2016 Agenda Announcements Homework for

CS 327E Lecture 4 Shirley Cohen February 3, 2016 Agenda Announcements Homework for today Reading Quiz Concept Questions Homework for next time Announcements Reminder: Do the exercises at the end of the

306 views • 15 slides
Transfer entropy for network reconstruction in a simple dynamical model Roy Goodman NJIT Dept.

Transfer entropy for network reconstruction in a simple dynamical model Roy Goodman NJIT Dept.

Transfer entropy for network reconstruction in a simple dynamical model Roy Goodman NJIT Dept. of Mathematical Sciences How I Spent My Sabbatical My location My commute My host: Mau Por fi ri The Por fi ri Lab A big group working in a lot of

648 views • 36 slides
FPGA security Nele Mentens nele.mentens@kuleuven.be Design and security of cryptographic

FPGA security Nele Mentens nele.mentens@kuleuven.be Design and security of cryptographic

FPGA security Nele Mentens nele.mentens@kuleuven.be Design and security of cryptographic algorithms and devices for real-world applications June 1-6, 2014, ibenik , Croatia Outline Introduction FPGA vs. ASIC FPGA application

443 views • 17 slides

More recommend