Attack chains, APIs, Ksplice

linux4evr5581 · 10-02-2016, 06:50 PM

Can anyone explain why it's difficult to modify a kernel in an attack chain? Whats exactly makes it hard to recomplile and boot from a new kernel? I understand that there are programs like ksplice which allows you to not have to recompile and boot in order to use it. Which leads me to another question, do ABIs play a role in such programs? (EDIT: In the title I meant ABI not API I apologize)

jpollard · 10-03-2016, 05:41 PM

The problem is the currently existing processes.

ksplice loads the new kernel and hands off current processes to the new kernel.. but there is a limit that capability.

If the new kernel process model is not quite compatible with the current one, it won't work. That is why reboots still have to happen, just not as often when using ksplice. Minor updates/bug fixes should usually work.

linux4evr5581 · 10-03-2016, 10:24 PM

Ahh ok I think I get the jist of it, thats another reason why you keep your system up to date, and as soon as possible. So compatability issues dont arise as often, especially while in an attack chain.. If im off the mark then I understand still that its process model compatability issue, thanks duude!