Applying band-aids over security wounds with systemtap
A data-modification-based approach for fixing the unfixable.
We present a live-patching technique based on systemtap's programmable in-situ instrumentation. These patches are limited to modifying data instead of code, but are often sufficient to put a bandage on a bleeding security vulnerability - or even a plain bug.
Some security vulnerabilities can't be patched right away. Maybe the vendor hasn't provided an update; maybe the service can't be restarted; maybe the software is private, abandoned, or unchangeable.
Do not despair! Systemtap, a programmable system introspection tool, is customarily used to trace and profile. But its toolkit includes instruments to poke too - to change state. It turns out that this is enough to work around many vulnerabilities. Since systemtap scripts can be run against a live system, we can protect against exploits without a restart.
We will present a set of approaches and applicability criteria, depending on the nature of the vulnerability and its exploits. Some problems can be surgically corrected; others require killing the process before it turns to crime.
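As an added illustration of the two approaches named above (not code from the talk or from the systemtap project), the following script applies both data band-aids to a hypothetical program. Everything specific is an assumption: the binary path /usr/local/bin/demo-server, the functions handle_request and finish_request, the target variables $len and $session, and the 1024-byte buffer capacity. The program must be built with debuginfo so systemtap can resolve the function names and variables, and the script must be run in guru mode (stap -g), because assigning to a target variable and sending a signal both modify state.

```systemtap
#!/usr/bin/stap -g
# Added example: two systemtap "data band-aid" patterns for a hypothetical
# program. Nothing here is from the talk; every path, function and variable
# name is an assumption.
#
# Assumed program: /usr/local/bin/demo-server, built with debuginfo, whose
# function handle_request(char *buf, unsigned len) copies len bytes into a
# fixed 1024-byte buffer without checking len. Until a real fix ships, we
# clamp the length in place (surgical correction) and, for a state that no
# legitimate request can produce, stop the process instead (last resort).

global MAX_LEN = 1024          # assumed capacity of the destination buffer
global clamped, killed         # counters for the end-of-run report

# Approach 1: correct the bad value before the vulnerable code uses it.
# Writing to a target variable ($len) requires guru mode (stap -g).
probe process("/usr/local/bin/demo-server").function("handle_request")
{
  if ($len > MAX_LEN) {
    printf("%s pid %d: clamping len %d -> %d\n",
           ctime(gettimeofday_s()), pid(), $len, MAX_LEN)
    $len = MAX_LEN
    clamped++
  }
}

# Approach 2: when the state cannot be repaired safely, terminate the process.
# Assumed: a NULL session pointer at finish_request() means the process is
# already corrupted, so an outage is preferable to continuing. raise() sends
# the signal to the current (probed) process and also needs guru mode.
probe process("/usr/local/bin/demo-server").function("finish_request")
{
  if ($session == 0) {
    printf("%s pid %d: impossible state in finish_request, killing\n",
           ctime(gettimeofday_s()), pid())
    raise(9)   # SIGKILL; the service supervisor is expected to restart it
    killed++
  }
}

# Report what the band-aid did when the script is stopped (Ctrl-C).
probe end
{
  printf("band-aid summary: %d requests clamped, %d processes killed\n",
         clamped, killed)
}
```

Run it as `stap -g band-aid.stp` while the service keeps running; no restart of demo-server is needed, and removing the band-aid is just stopping stap. The clamp in the first probe is the "surgical" case: the vulnerable copy still executes, but on data it can handle. The second probe is the blunt case the talk mentions: the process is killed on a condition that only an already-compromised run can reach, which trades availability for containment and should be paired with a supervisor that restarts the service.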
Frank Ch. Eigler