KernelCare

KernelCare is a live kernel patching service that provides security patches and bugfixes for a range of popular Linux kernels^[2] that can be installed without rebooting the server^[3]

KernelCare software is released under GPL2. The first beta was introduced in March 2014 and it was commercially launched in May 2014. KernelCare supports CentOS/RHEL 5.x, 6.x and 7.x; CloudLinux 5.x, 6.x and 7.x; Parallels Cloud Server; Virtuozzo; OpenVZ; Debian 6.x, 7.x and 8.x; and Ubuntu 14.04 LTS, 15.10 ^[4][5]

How it works

KernelCare agent resides on user’s server. It periodically checks in with KernelCare distribution servers. If there are new patches available for the currently running kernel, KernelCare agent downloads and applies those patches to the running kernel. A KernelCare patch is a piece of code used to substitute vulnerable or buggy code in a kernel. It can be an arbitrary code line modification, or it can be a missing security check, a set of functions, or even modified data structures.^[6] The patch is compiled as usual, but the generated code has additional information about all changed code pieces caused by original source code modification and information on to how to apply these code pieces. The resulting code modifications are safely applied to the running kernel. A special KernelCare kernel module applies the patches. It loads the patches into the kernel address space, sets up the relocations (i.e., fixes the references to the original kernel code and data), and safely switches the execution path from the original code to updated code blocks. The code ensures the patch is applied safely so the CPU doesn't execute the original code blocks at the same moment when switch to a new version.^[7][8]

References

External links

• Official website