Ksplice allows system administrators to apply security patches to the Linux kernel without having to reboot. Ksplice takes as input a source code change in unified diff format and the kernel source code to be patched, and it applies the patch to the corresponding running kernel. The running kernel does not need to have been prepared in advance in any way.
To be fully automatic, Ksplice's design is limited to patches that do not introduce semantic changes to data structures, but most Linux kernel security patches don't make these kinds of changes. An evaluation against Linux kernel security patches from May 2005 to December 2007 finds that Ksplice can automatically apply 84% of the 50 significant kernel vulnerabilities from this interval.
Ksplice has been implemented for Linux on the x86-32 and x86-64 architectures. Please be aware that this software is quite new, and it might contain bugs that could cause severe problems. The code is available in a Git repository, as a source code tarball, as an x86-32 binary distribution tarball, and as an x86-64 binary distribution tarball. Building the source code requires the GNU BFD library from GNU Binutils, which is available in Debian (as binutils-dev) and in other Linux distributions. Ksplice is free software; you can redistribute and/or modify it under the terms of the GNU General Public License, version 2.
Comments
Post new comment