LibCare -- Patch Userspace Code on Live Processes
Welcome to LibCare --- Live Patch Updates for Userspace Processes and Libraries.
LibCare delivers live patches to any of your Linux executables or libraries at the runtime, without the need for restart of your applications. Most frequently it is used to perform critical security updates such as glibc's GHOST (aka CVE-2015-0235, see how we deal with it in GHOST sample) and QEMU's CVE-2017-2615, but can also be used for serious bug fixes on the fly to avoid interruption of service (see server sample).
See https://kernelcare.com for live Linux Kernel updates also.
FAQ
How the live patches are generated?
We use the same code generating procedure we used in production for years in kernelcare.com:
- both original and patched source code are translated to assembler,
- corresponding assembler files are compared and new instrumented assembler code is generated, where patches are stored into special ELF sections,
- instrumented assembler code is compiled using target project's build system while patch ELF sections are collected in binaries',
- binary patch files are extracted from the ELF sections.
The libcare-patch-make script is a handy script for the patch generation for a makeable project. Just do:
$ src/libcare-patch-make some_serious_bug.patchAnd find binary patches for all the deliverables of the project in the
patchroot directory. See our simple server
for usage sample.
For more details follow to the patch preparation chapter of the internals.
How the live patches are applied?
It is a lot like loading a shared library into another process' memory:
- our binary libcare-ctl (the doctor) attaches to a patient via ptrace(2),
- patient's objects are examined by the doctor,
- doctor puppets the patient to allocate patch memory near the original object,
- references in the patch are resolved by the doctor, the patch code is ready to be executed now,
- doctor rewrites targeted original functions with unconditional jumps to the appropriate patched versions, ensuring that no thread of patient is executing them first.
Now the patient executes patched versions of the functions.
For more details follow to the Patching chapter of the internals.
Will my patches re-apply if I restart the process?
Not at the moment. We only track start of the new processes for the tests, see here.
Does live patching affect performance?
Negligibly. Since code patches simply redirect execution from original code functions to the new ones the overhead is small and comparable to additional “jmp” instruction.
Installation and dependencies
All the Linux-distros with available libunwind, elfutils and binutils
packages are supported.
However, the libcare is only tested on Ubuntu from 12.04 to 16.04 and on
CentOS from 6.8 to 7.x.
Dependencies
To install the dependencies on RHEL/CentOS do the following:
$ sudo yum install -y binutils elfutils elfutils-libelf-devel libunwind-develTo install the dependencies on Debian/Ubuntu do the following:
$ sudo apt-get install -y binutils elfutils libelf-dev libunwind-devBuilding libcare
To build libcare emit at project's root dir:
$ make -C src
...This should build all the utilities required to produce a patch out of some project's source code.
It is highly recommended to run the tests as well, enabling Doctor
libcare-ctl to attach ptracecles to any of the processes first:
$ sudo setcap cap_sys_ptrace+ep ./src/libcare-ctl
$ make -C tests && echo OK
...
OKNow all the required tools are built and we can build some patches. Skip to server sample for that.
How does it work?
Internals are quite confusing and are described here.