ksplice
{{Short description|Live patch extension for Linux kernel}}
{{Use dmy dates|date=June 2021}}
{{infobox software
| logo = Ksplice-logo.png
| screenshot = Ksplice-uptrack-applied.png
| caption = A screenshot of the Ksplice Uptrack with applied updates
| collapsible =
| author =
| developer = Ksplice, Inc.
| released = {{Start date|df=yes|2008|04|23}}{{cite mailing list|last=Arnold|first=Jeff|title=A system for rebootless kernel security updates|url=http://kerneltrap.org/mailarchive/linux-kernel/2008/4/23/1570474|date=23 April 2008|access-date=27 July 2013|mailing-list=LKML|archive-url=https://web.archive.org/web/20120511105350/http://kerneltrap.org/mailarchive/linux-kernel/2008/4/23/1570474|archive-date=11 May 2012|url-status=dead}}
| latest release version = 1.0.35
| latest release date =
| latest preview version =
| latest preview date =
| frequently updated =
| programming language =
| operating system = Linux
| platform =
| size =
| language =
| status =
| genre = Kernel extension
| license = GNU GPL version 2{{cite web
| url = https://www.ksplice.com/terms
| title = Ksplice Uptrack Subscription Agreement
| date = 28 September 2011 | access-date = 18 November 2014
| website = ksplice.com
| url = https://oss.oracle.com/ksplice/software/ksplice-0.9.9.1-src.tar.gz
| title = ksplice 0.9.9.1 source code, README file
| date = 2011-07-28 | access-date = 2014-12-31
| website = oss.oracle.com
| quote = This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License, version 2.
}}
| website = {{URL|http://www.ksplice.com/}}
}}
Ksplice is an open-source extension of the Linux kernel that allows security patches to be applied to a running kernel without the need for reboots, avoiding downtimes and improving availability (a technique broadly referred to as dynamic software updating). Ksplice supports only the patches that do not make significant semantic changes to kernel's data structures.{{cite web
| url = http://manpages.ubuntu.com/manpages/trusty/man8/ksplice-create.8.html
| title = Ubuntu Manpage: ksplice-create – Create a set of kernel modules for a rebootless kernel
| year = 2009 | access-date = 23 November 2014
| website = manpages.ubuntu.com
}}
Ksplice has been implemented for Linux on the x86-64 and AArch64 architectures.{{cite web
| url = https://docs.oracle.com/en/operating-systems/oracle-linux/ksplice-user/OL-KSPLICE-USER.pdf
| title = Ksplice Users Guide: Available Architectures
| year = 2023 | access-date = 22 March 2023
| website = docs.oracle.com
}} It was developed by Ksplice, Inc. until 21 July 2011, when Oracle acquired Ksplice and then offered support for Oracle Linux. Support for Red Hat Enterprise Linux was dropped and turned into a free 30-day trial for RHEL customers as an incentive to migrate to Oracle Linux Premier Support.{{cite web|title=Free 30-day trial of Ksplice Zero-Downtime Updates for Red Hat Enterprise Linux Customers|url=http://www.ksplice.com/rhel-signup|publisher=Ksplice}}{{cite web|url=http://www.oracle.com/us/corporate/Acquisitions/ksplice/customer-letter-430127.html |title=Customer Letter Oracle and Ksplice |publisher=Oracle |date=7 September 2010|access-date=22 July 2011}}
Ksplice is today offered on the two kernel flavors distributed with Oracle Linux:
{{As of|2015|7}}, Ksplice is available for free on desktop Linux installations, with official support available for Ubuntu Linux distribution.{{cite web |url=http://ksplice.oracle.com/try/desktop |title=Oracle Ksplice Free Desktop Edition |date=16 July 2015 |website=Oracle Ksplice |publisher=Oracle |access-date=16 July 2015 |quote=Oracle Ksplice is offered for free on Fedora and Ubuntu Desktop Editions.}}
Design
Ksplice takes as input a unified diff and the original kernel source code, and it updates the running kernel in memory. Using Ksplice does not require any preparation before the system is originally booted, (the running kernel needs no special prior compiling, for example). In order to generate an update, Ksplice must determine what code within the kernel has been changed by the source code patch. Ksplice performs this analysis at the Executable and Linkable Format (ELF) object code layer, rather than at the C source code layer.{{cite web
| url = http://pdos.csail.mit.edu/papers/ksplice:eurosys.pdf
| title = Ksplice: Automatic Rebootless Kernel Updates
| access-date = 18 November 2014
| author1 = Jeff Arnold | author2 = M. Frans Kaashoek
| website = mit.edu
}}
To apply a patch, Ksplice first freezes execution of a computer so it is the only program running. The system verifies that no processors were in the middle of executing functions that will be modified by the patch. Ksplice modifies the beginning of changed functions so that they instead point to new, updated versions of those functions, and modifies data and structures in memory that need to be changed. Finally, Ksplice resumes each processor running where it left off.
To be fully automatic, Ksplice's design was originally limited to patches that did not introduce semantic changes to data structures, since most Linux kernel security patches do not make these kinds of changes. An evaluation against Linux kernel security patches from May 2005 to May 2008 found that Ksplice was able to apply fixes for all the 64 significant kernel vulnerabilities discovered in that interval. In 2009, major Linux vendors asked their customers to install a kernel update more than once per month.{{cite news|url=http://blog.nexcess.net/2010/11/30/nexcess-adopts-ksplice-uptrack-rebootless-technology/|title=Nexcess Adopts Ksplice Uptrack "Rebootless" Technology|newspaper=Web Hosting Blog |publisher=Nexcess |date=30 November 2010 |access-date=18 February 2011}} For patches that do introduce semantic changes to data structures, Ksplice requires a programmer to write a short amount of additional code to help apply the patch. This was necessary for about 12% of the updates in that time period.{{cite web |url=http://www.ksplice.com/cve-evaluation |title=Performance record |publisher=Ksplice |access-date=4 June 2009 |archive-url=https://web.archive.org/web/20090416194641/http://ksplice.com/cve-evaluation |archive-date=16 April 2009 |url-status=dead }}
History
{{See also|Linux kernel#Live patching}}
The Ksplice software was created by four MIT students based on Jeff Arnold's master's thesis,{{cite web|first=Jake|last=Edge|url=https://lwn.net/Articles/340477/|title=Ksplice provides updates without reboots|publisher=LWN|date=10 June 2009|access-date=21 July 2011}} and they later created Ksplice, Inc. Around May 2009, the company won the MIT $100K Entrepreneurship Competition and the Cyber Security Challenge of Global Security Challenge.
Whereas the Ksplice software was provided under an open source license, Ksplice, Inc. provided a service to make it easier to use the software. Ksplice, Inc. provided prebuilt and tested updates for the Red Hat, CentOS, Debian, Ubuntu and Fedora Linux distributions.{{cite web|url=http://www.ksplice.com/uptrack/ |title=Ksplice Uptrack |publisher=Ksplice |access-date=19 July 2009}} The virtualization technologies OpenVZ and Virtuozzo were also supported. Updates for Ubuntu Desktop and Fedora systems were provided free of charge, whereas other platforms were offered on a subscription basis.{{cite web|url=http://www.ksplice.com/pricing|title=Pricing|publisher=Ksplice, Inc.|access-date=13 March 2011}}
On 21 July 2011, Oracle Corporation announced that they acquired Ksplice, Inc. At the time the company was acquired, Ksplice, Inc. claimed to have over 700 companies using the service to protect over 100,000 servers. While the service had been available for multiple Linux distributions, it was stated at the time of acquisition that "Oracle believes it will be the only enterprise Linux provider that can offer zero downtime updates." More explicitly, "Oracle does not plan to support the use of Ksplice technology with Red Hat Enterprise Linux." Existing legacy customers continue to be supported by Ksplice, but no new customers are being accepted for other platforms.{{cite web|title=Supported Kernels|url=http://www.ksplice.com/uptrack/supported-kernels|work=Ksplice website|publisher=Oracle America|access-date=13 February 2012}}
{{As of|2015|7}}, Ksplice is available for free on Ubuntu Desktop. In January 2016, Ksplice was integrated into Oracle's Unbreakable Enterprise Kernel Release 4 for Oracle Linux 6 and 7, which is Oracle's redistribution of Red Hat Enterprise Linux.{{cite web |title=Oracle Brings Real-Time Kernel Patching to Its Unbreakable Enterprise Kernel Release 4 |url=http://news.softpedia.com/news/oracle-brings-real-time-kernel-patching-to-its-unbreakable-enterprise-kernel-498656.shtml |author=Marius Nestor |website=softpedia.com |date=9 January 2016 |access-date=9 January 2016}}
As of March 2023, Ksplice is integrated into:
- Oracle's Unbreakable Enterprise Kernel Releases 5, 6 and 7, distributed with Oracle Linux 7, Oracle Linux 8 and Oracle Linux 9
- Red Hat Compatible Kernel releases distributed with Oracle Linux 7, Oracle Linux 8 and Oracle Linux 9
See also
{{Portal|Linux}}
- kexec, a method for loading a whole new kernel from a running system
- kGraft, kpatch and KernelCare, other Linux kernel live patching technologies developed by SUSE, Red Hat and CloudLinux, respectively
- Loadable kernel module
References
{{Reflist|30em}}
External links
{{Commons category multi|Ksplice|Linux kernel live patching}}
- {{Official website|ksplice.com}}
{{Linux kernel}}
{{Operating system}}
Category:Free security software programmed in C
Category:Linux kernel live patching