Brussels / 30 & 31 January 2016


Applying band-aids over security wounds with systemtap

A data-modification-based approach for fixing the unfixable.

We present a live-patching technique based on systemtap's programmable in-situ instrumentation. These patches are limited to modifying data instead of code, but are often sufficient to put a bandage on a bleeding security vulnerability - or even a plain bug.

Some security vulnerabilities can't be patched right away. Maybe the vendor hasn't provided an update; maybe the service can't be restarted; maybe the software is private, abandoned, or unchangeable.

Do not despair! Systemtap, a programmable system introspection tool, is customarily used to trace and profile. But its toolkit includes instruments to poke too - to change state. It turns out that this is enough to work around many vulnerabilities. Since systemtap scripts can be run against a live system, we can protect against exploits without a restart.

We will present a set of approaches and applicability criteria, depending on the nature of the vulnerability and its exploits. Some problems can be surgically corrected; others require killing the process before it turns to crime.
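As an added illustration of the two approaches just named (not a script from the talk or from the systemtap project), the guru-mode script below protects a hypothetical server: the binary `/usr/bin/vulnd`, its functions `handle_request` and `parse_header`, and their parameters `$len` and `$hdr` are constructed for the example, and the script assumes the binary has debuginfo so that user-space function probes and their arguments resolve.

```systemtap
#!/usr/bin/stap -g
# Hypothetical mitigation (constructed example, not a real program).
# Assumed: handle_request(char *buf, size_t len) in /usr/bin/vulnd copies
# len bytes into a fixed 256-byte buffer without a bound check, and
# parse_header(struct hdr *hdr) dereferences hdr without a NULL check.
# Guru mode (-g) is required to write target variables and to raise signals.

global MAX_LEN = 256

# Approach 1: surgically correct the data before the vulnerable code sees it.
# The code is untouched; only the argument is changed at function entry.
probe process("/usr/bin/vulnd").function("handle_request") {
  if ($len > MAX_LEN) {
    printf("[pid %d %s] handle_request: clamping len %d -> %d\n",
           pid(), execname(), $len, MAX_LEN)
    $len = MAX_LEN
  }
}

# Approach 2: when the state cannot be repaired, stop the process before
# the vulnerable code runs. Signal 9 is SIGKILL; raise() targets the
# current thread, i.e. the process that is about to misbehave.
probe process("/usr/bin/vulnd").function("parse_header") {
  if ($hdr == 0) {
    printf("[pid %d %s] parse_header: NULL hdr, killing process\n",
           pid(), execname())
    raise(9)
  }
}

probe begin {
  printf("band-aid active for /usr/bin/vulnd; Ctrl-C to remove\n")
}
```

Run as root with `stap -g band-aid.stp` (or via the shebang); the protection lasts only while the script is attached, and each decision is logged so the events can be counted or forwarded while a real fix is prepared.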


Frank Ch. Eigler