Patching is a critical security service that keeps computer systems up to date and defends against security threats. Existing patching systems all require a running system. With the increasing adoption of virtualization and cloud computing services, there is a growing number of dormant virtual machine (VM) images. Such VM images cannot benefit from existing patching systems and are therefore often left vulnerable to emerging security threats. It is possible to bring VM images online, apply patches, and capture the VMs back into dormant images. However, such approaches suffer from unpredictability, performance challenges, and high operational costs, particularly in large-scale compute clouds where there may be thousands of dormant VM images. This paper presents a novel tool named Nüwa that enables efficient and scalable offline patching of dormant VM images. Nüwa analyzes patches and, when possible, converts them into patches that can be applied offline by rewriting the patching scripts. Nüwa also leverages the VM image manipulation technologies offered by the Mirage image library to provide an efficient and scalable way to patch VM images in batch. Nüwa has been evaluated on freshly built images and on real-world images from the IBM Research Compute Cloud (RC2), a compute cloud used by IBM researchers worldwide. When applying security patches to a fresh installation of Ubuntu-8.04, Nüwa successfully applies 402 of 406 patches. It speeds up the patching process by more than 4 times compared to the online approach, and by another 2 to 10 times when integrated with Mirage. Nüwa also successfully applies the 10 latest security updates to all VM images in RC2.
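To make the idea of "rewriting the patching scripts" for offline application concrete, the following added example (not Nüwa's code, and not taken from the paper) sketches the simplest form of such a rewrite. It takes a constructed, hypothetical post-install script, redirects the absolute paths it touches under the mount point of a dormant image, points `ldconfig` at that root with its `-r` option, and drops the one step that only makes sense on a running system (a service restart), reporting it so an operator can see what the offline conversion could not preserve. The script text, the mount path `/mnt/img` and the set of path prefixes handled are all assumptions for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample: a simplified, hypothetical post-install script of the
# kind a package might ship. It is not from Nüwa or from any real package.
SAMPLE_POSTINST = """#!/bin/sh
set -e
cp /usr/share/doc/foo/foo.conf.example /etc/foo/foo.conf
chmod 0640 /etc/foo/foo.conf
service foo restart
ldconfig
"""

# Commands that only make sense against a running system. A dormant image has
# no processes to signal, so these are dropped and reported rather than run.
RUNTIME_ONLY = re.compile(
    r"^\s*(service\s+\S+\s+(re)?start|/etc/init\.d/\S+\s+(re)?start|invoke-rc\.d\b)"
)

# Absolute paths under the top-level directories we redirect into the image.
# The lookbehind keeps us from re-prefixing a path that is already prefixed.
ABS_PATH = re.compile(
    r"(?<![\w/])(/(?:etc|usr|var|lib64|lib|bin|sbin|opt)(?![\w.\-])(?:/[\w.\-]+)*)"
)


def rewrite_script(script: str, root: str) -> Tuple[str, List[str]]:
    """Rewrite a maintainer script so it acts on an image mounted at `root`.

    Returns (rewritten_script, dropped_lines). Lines that need a running
    system are replaced by a comment and collected in dropped_lines.
    """
    out: List[str] = []
    dropped: List[str] = []
    for line in script.splitlines():
        stripped = line.strip()
        # Shebang and blank lines pass through untouched.
        if line.startswith("#!") or not stripped:
            out.append(line)
            continue
        if RUNTIME_ONLY.match(line):
            dropped.append(stripped)
            out.append(f"# dropped (needs running system): {stripped}")
            continue
        # ldconfig supports an explicit root via -r, so no chroot is needed.
        if stripped == "ldconfig":
            out.append(f"ldconfig -r {root}")
            continue
        # Everything else: redirect absolute paths under the image root.
        out.append(ABS_PATH.sub(lambda m: root + m.group(1), line))
    return "\n".join(out) + "\n", dropped


if __name__ == "__main__":
    rewritten, skipped = rewrite_script(SAMPLE_POSTINST, "/mnt/img")
    print(rewritten)
    for cmd in skipped:
        print("could not convert offline:", cmd)
```

The list of dropped commands is the useful output for a practitioner: it is exactly the set of steps that still need a boot (or an equivalent first-boot hook) after the image is patched offline, which is the kind of case the abstract counts among the 4 of 406 patches that could not be applied this way.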