Ksplice
Encyclopedia
Ksplice is an open source extension of the Linux kernel
which allows system administrator
s to apply security patches to a running kernel
without having to reboot
the operating system
. Ksplice has been implemented for Linux on the x86-32 and x86-64
architectures. It was developed by Ksplice, Inc. until 21 July 2011, when Oracle
acquired Ksplice, started offering support for Oracle Linux, and dropped support for Red Hat Enterprise Linux
among other distributions.
. Using Ksplice does not require any preparation before the system is originally booted
(the running kernel does not need to have been specially compile
d, for example). In order to generate an update, Ksplice must determine what code within the kernel has been changed by the source code patch. Ksplice performs this analysis at the Executable and Linking Format (ELF) object code layer, rather than at the C
source code layer.
To apply a patch, Ksplice first freezes execution of a computer so it is the only program running. The system verifies that no processors
were in the middle of executing functions that will be modified by the patch. Ksplice modifies the beginning of changed functions so that they instead point to new, updated versions of those functions, and modifies data and structures in memory that need to be changed. Finally, Ksplice resumes each processor running where it left off.
To be fully automatic, Ksplice's design was originally limited to patches that did not introduce semantic changes to data structures, since most Linux kernel security patches do not make these kinds of changes. An evaluation against Linux kernel security patches from May 2005 to May 2008 found that Ksplice was able to apply all the 64 significant kernel vulnerabilities
discovered in that interval. In 2009, major Linux vendors asked their customers to install a kernel update more than once per month.
For patches that do introduce semantic changes to data structures, Ksplice requires a programmer to write a short amount of additional code to help apply the patch.
This was necessary for 12% of the updates in that time period.
.
Around August of 2009, the company stopped providing the source code for Ksplice, thus preventing other entities from creating alternative updates.
While the Ksplice software was provided under an open source license, Ksplice, Inc. provided a service to make it easier to use the software. Ksplice, Inc. provided prebuilt and tested updates for the Red Hat
, Cent OS, Debian
, Ubuntu
and Fedora
Linux distributions,. The virtualization technologies OpenVZ
and Virtuozzo were also supported. Updates for Ubuntu Desktop and Fedora systems were provided free of charge, whereas other platforms were offered on a subscription basis.
On July 21, 2011, Oracle announced they acquired Ksplice, Inc. At the time the company was acquired, Ksplice, Inc. claimed to have over 700 companies using the service to protect over 100,000 servers. While the service had been available for multiple Linux distributions, it was stated at the time Ksplice, Inc. was acquired that "Oracle believes it will be the only enterprise Linux provider that can offer zero downtime updates." More explicitly, "Oracle does not plan to support the use of Ksplice technology with Red Hat Enterprise Linux." . It was widely misreported that Oracle dropped support for SUSE Linux distributions
; however, the commercial service offered by Ksplice, Inc. never supported SUSE.
A strong reaction from the community indicates a high expectation of a fork of the original source-code, and a new competing product developed to support the remaining kernel variants, with heavy emphasis on the original project's open-source license.
Linux kernel
The Linux kernel is an operating system kernel used by the Linux family of Unix-like operating systems. It is one of the most prominent examples of free and open source software....
which allows system administrator
System administrator
A system administrator, IT systems administrator, systems administrator, or sysadmin is a person employed to maintain and operate a computer system and/or network...
s to apply security patches to a running kernel
Kernel (computing)
In computing, the kernel is the main component of most computer operating systems; it is a bridge between applications and the actual data processing done at the hardware level. The kernel's responsibilities include managing the system's resources...
without having to reboot
Booting
In computing, booting is a process that begins when a user turns on a computer system and prepares the computer to perform its normal operations. On modern computers, this typically involves loading and starting an operating system. The boot sequence is the initial set of operations that the...
the operating system
Operating system
An operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...
. Ksplice has been implemented for Linux on the x86-32 and x86-64
X86-64
x86-64 is an extension of the x86 instruction set. It supports vastly larger virtual and physical address spaces than are possible on x86, thereby allowing programmers to conveniently work with much larger data sets. x86-64 also provides 64-bit general purpose registers and numerous other...
architectures. It was developed by Ksplice, Inc. until 21 July 2011, when Oracle
Oracle Corporation
Oracle Corporation is an American multinational computer technology corporation that specializes in developing and marketing hardware systems and enterprise software products – particularly database management systems...
acquired Ksplice, started offering support for Oracle Linux, and dropped support for Red Hat Enterprise Linux
Red Hat Enterprise Linux
Red Hat Enterprise Linux is a Linux-based operating system developed by Red Hat and targeted toward the commercial market. Red Hat Enterprise Linux is released in server versions for x86, x86-64, Itanium, PowerPC and IBM System z, and desktop versions for x86 and x86-64...
among other distributions.
Design
Ksplice takes as input a unified diff and the original kernel source code, and it updates the running kernel in memoryComputer memory
In computing, memory refers to the physical devices used to store programs or data on a temporary or permanent basis for use in a computer or other digital electronic device. The term primary memory is used for the information in physical systems which are fast In computing, memory refers to the...
. Using Ksplice does not require any preparation before the system is originally booted
Booting
In computing, booting is a process that begins when a user turns on a computer system and prepares the computer to perform its normal operations. On modern computers, this typically involves loading and starting an operating system. The boot sequence is the initial set of operations that the...
(the running kernel does not need to have been specially compile
Compile
Compile may refer to:* Compile , a Japanese video game company founded in 1983 that specialized in shoot 'em up and computer puzzle game genres...
d, for example). In order to generate an update, Ksplice must determine what code within the kernel has been changed by the source code patch. Ksplice performs this analysis at the Executable and Linking Format (ELF) object code layer, rather than at the C
C (programming language)
C is a general-purpose computer programming language developed between 1969 and 1973 by Dennis Ritchie at the Bell Telephone Laboratories for use with the Unix operating system....
source code layer.
To apply a patch, Ksplice first freezes execution of a computer so it is the only program running. The system verifies that no processors
Central processing unit
The central processing unit is the portion of a computer system that carries out the instructions of a computer program, to perform the basic arithmetical, logical, and input/output operations of the system. The CPU plays a role somewhat analogous to the brain in the computer. The term has been in...
were in the middle of executing functions that will be modified by the patch. Ksplice modifies the beginning of changed functions so that they instead point to new, updated versions of those functions, and modifies data and structures in memory that need to be changed. Finally, Ksplice resumes each processor running where it left off.
To be fully automatic, Ksplice's design was originally limited to patches that did not introduce semantic changes to data structures, since most Linux kernel security patches do not make these kinds of changes. An evaluation against Linux kernel security patches from May 2005 to May 2008 found that Ksplice was able to apply all the 64 significant kernel vulnerabilities
Vulnerability (computing)
In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw...
discovered in that interval. In 2009, major Linux vendors asked their customers to install a kernel update more than once per month.
For patches that do introduce semantic changes to data structures, Ksplice requires a programmer to write a short amount of additional code to help apply the patch.
This was necessary for 12% of the updates in that time period.
History
The Ksplice software was started by four MIT students based on Jeff Arnold's master's thesis. Jeff Arnold later created Ksplice, Inc. with himself as the president of the company. Around May of 2009, the company won the MIT $100K Entrepreneurship Competition and the Cyber Security Challenge of Global Security ChallengeGlobal Security Challenge
The Global Security Challenge runs international business plan competitions to find and select the most promising security technology startups in the world. The GSC holds regional selection events and a Security Summit in London to bring together innovators with government, industry and investors...
.
Around August of 2009, the company stopped providing the source code for Ksplice, thus preventing other entities from creating alternative updates.
While the Ksplice software was provided under an open source license, Ksplice, Inc. provided a service to make it easier to use the software. Ksplice, Inc. provided prebuilt and tested updates for the Red Hat
Red Hat
Red Hat, Inc. is an S&P 500 company in the free and open source software sector, and a major Linux distribution vendor. Founded in 1993, Red Hat has its corporate headquarters in Raleigh, North Carolina with satellite offices worldwide....
, Cent OS, Debian
Debian
Debian is a computer operating system composed of software packages released as free and open source software primarily under the GNU General Public License along with other free software licenses. Debian GNU/Linux, which includes the GNU OS tools and Linux kernel, is a popular and influential...
, Ubuntu
Ubuntu (operating system)
Ubuntu is a computer operating system based on the Debian Linux distribution and distributed as free and open source software. It is named after the Southern African philosophy of Ubuntu...
and Fedora
Fedora (operating system)
Fedora is a RPM-based, general purpose collection of software, including an operating system based on the Linux kernel, developed by the community-supported Fedora Project and sponsored by Red Hat...
Linux distributions,. The virtualization technologies OpenVZ
OpenVZ
OpenVZ is an operating system-level virtualization technology based on the Linux kernel and operating system. OpenVZ allows a physical server to run multiple isolated operating system instances, known as containers, Virtual Private Servers , or Virtual Environments...
and Virtuozzo were also supported. Updates for Ubuntu Desktop and Fedora systems were provided free of charge, whereas other platforms were offered on a subscription basis.
On July 21, 2011, Oracle announced they acquired Ksplice, Inc. At the time the company was acquired, Ksplice, Inc. claimed to have over 700 companies using the service to protect over 100,000 servers. While the service had been available for multiple Linux distributions, it was stated at the time Ksplice, Inc. was acquired that "Oracle believes it will be the only enterprise Linux provider that can offer zero downtime updates." More explicitly, "Oracle does not plan to support the use of Ksplice technology with Red Hat Enterprise Linux." . It was widely misreported that Oracle dropped support for SUSE Linux distributions
SUSE Linux distributions
SUSE Linux is a computer operating system. It is built on top of the open source Linux kernel and is distributed with system and application software from other open source projects. SUSE Linux is of German origin and mainly developed in Europe. The first version appeared in early 1994, making...
; however, the commercial service offered by Ksplice, Inc. never supported SUSE.
A strong reaction from the community indicates a high expectation of a fork of the original source-code, and a new competing product developed to support the remaining kernel variants, with heavy emphasis on the original project's open-source license.