CloudLinux - CloudLinux Blog - KernelCare: How does it work?

KernelCare: How does it work?

KernelCare: How does it work?

Rebooting is a pain

Rebooting server is a pain. It is often scheduled for the darkest of the night. It requires minutes of downtime, and it can take up to 15 minutes for the server performance to stabilize, and catches to warm up. This is not something you want to do often.Yet, any time there is a security vulnerability in the kernel, a server should be rebooted. This is where KernelCare comes in. It provides a service that will patch security vulnerabilities inside the running kernel - without any downtime or service interruption.

Preparing a patch

Our kernel team monitors security mailing lists. Once they notice that there is a security vulnerability that affects one of the supported kernels - they prepare a patch for that vulnerability. That patch is compiled in a binary format for that exact kernel and deployed to our distribution servers. KernelCare agent residing on your server periodically check in with our distribution servers. If there is a new patch available for the currently running kernel, it will download it - and apply it to the running kernel, making the kernel secure again.

How does patch work?

When we discover a vulnerability, we create a “patch” - a piece of code that will be used to substitute vulnerable code in the kernel with a secure variant. It can be an arbitrary code line modification in the simplest case, an addition of a missing security check, a set of functions changed or even data structures modified. 

The code with the patch is compiled as usual, but the generated code has additional information about all actually changed code pieces due to original source code modification and how to apply this code pieces.

Applying update

To apply the update, a special KernelCare kernel module is used. It loads the update into kernel address space, setups the relocations (i.e. fix up references to original kernel code and data) and safely switches the execution path from the original code to an updated code blocks. It is very important to apply the changes safely to make sure CPU doesn’t execute the original code blocks right at the moment when we gonna switch to a new version. 

Special kernel module

Like a blink of an eye

The process is done in a blink of an eye, causing no downtime, service interruption or packet drops. Everything continues to operate as before, with vulnerability eradicated.

Ultimate security

KernelCare technology is so powerful that it can also be used to bring new features online or missing in stock vendor kernels like hardening the security by an addition of security checks similar to those in popular grsecurity kernels (like TPE). It can also be used for most of traditional bugs fixing not related to HW device state, not just security issues. However, security vulnerabilities is the most practically important class of issues to be fixed as quick as possible and thus deserving the most attention by us.

No reboots! No downtime!

KernelCare protection against Rowhammer privilege ...
Help us see just how good OptimumCache is


No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Wednesday, 26 February 2020

Captcha Image