Cook: Live Patching the Kernel


Over on his blog, kernel security developer Kees Cook has a description of live patching the kernel to disable the kexec system call in older kernels. The idea is to be able to turn off kexec without rebuilding the older kernels (future kernels may be able to use the proposed /proc/sys/kernel/kexec_disabled). He examines several possible routes (ksplice, systemtap) before deciding on a more direct approach. “So, finally, I decided to just do it by hand, and wrote a friendly kernel rootkit. Instead of dealing with flipping page table permissions on the normally-unwritable kernel code memory, I borrowed from PaX’s KERNEXEC feature, and just turn off write protect checking on the CPU briefly to make the changes.

Read more at LWN