Live patching the Xen Project hypervisor
- Track: Virtualisation and IaaS devroom
- Room: UB2.252A (Lameere)
- Day: Saturday
- Start: 11:30
- End: 11:55
Live patching -- the process of updating software while it is running -- has become a popular topic of late, with several companies offering services providing live patching for Linux culminating with an implementation being contributed to Linux. While Xen supports live migration of VMs which mitigates the need for live patching, there are still some reasons why live patching is useful. For example, to minimize downtime, when running applications with low latency requirements, and when using PCI passthrough.
This talk reviews the state of live patching for Xen. A live patching implementation has recently been contributed to Xen so we will look at the design and implementation in detail, noting how and why it differs from live patching for Linux. We will look at some of the ways that live patches can be created and the pitfalls to watch out for when doing so. There will also be a status report of ongoing and future work for live patching for Xen. Finally, the talk will show a demo of live patching in action by building a live patch for a known security issue and applying it to a vulnerable system.
Xen LivePatch is a new tech preview feature in Xen 4.7 for live patching the hypervisor. It is the result of collaboration between several members in the community guided by the existing live patching efforts for Linux. We will talk about this and how Xen's requirements differ from Linux.
The core idea of Xen LivePatch is to insert a "trampoline" in each buggy function with a jump to a replacement function. This is simple in principle, but there are a number of complexities which make it interesting to look at.
Live patches can be built by hand, by compiling the replacement functions in a separate source file. This is a manual process and can also be unreliable due to the nature of compiler optimizations. So we repurposed kpatch's live patch creation tool for Xen. This computes a binary difference of the output binaries before and after a source patch is applied. This simplifies the process of creating live patches and overcomes issues with compiler optimizations but is still not without difficulties. We look at the process of creating live patches and why it is hard.