Secure and Efficient Hybrid Kernel Live Patching via TEEs for Linux Systems
DOI: https://doi.org/10.65405/gch6ve06
Keywords: Kernel live patching, Linux kernel updates, Trusted Execution Environments (TEEs), virtualization-based patching, checkpoint-and-restart, gossip-based patch propagation, secure patch deployment
Abstract
Frequent operating system updates are essential for addressing security vulnerabilities and improving functionality, but they often require full system reboots that introduce costly downtime and disrupt long-running services. Existing kernel live patching techniques, such as kpatch, Ksplice, kGraft, and KUP, reduce reboot frequency but either incur substantial runtime and memory overheads or rely on the trustworthiness of a potentially compromised operating system kernel. This paper presents a hybrid kernel live patching framework that combines virtualization, selective checkpoint-and-restart, hardware-assisted trusted execution, and distributed patch propagation to enable secure, near zero-downtime updates. A lightweight virtualization layer coordinates patch deployment, while a KUP-inspired engine leverages CRIU and kexec to support major kernel updates with minimal disruption. Patch validation and critical update logic are isolated inside a trusted execution environment, which reduces the trusted computing base and protects against patch tampering and rollback attacks even under kernel compromise. Furthermore, a gossip-based dissemination protocol enables efficient patch propagation in clustered deployments. Experimental results on a Linux-based prototype show that the proposed framework applies kernel patches in less than a few seconds, maintains CPU overhead within a few percent, significantly reduces memory usage compared with full-process checkpointing, and provides stronger security guarantees than traditional reboot-based and standalone live patching solutions.
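As an added illustration that is not the paper's code, the following sketches the patch-validation step the abstract isolates inside the TEE: the verifier checks the manifest's authenticator, binds it to the patch payload, and enforces a monotonic version counter so a tampered or older patch is rejected even if the kernel that hands it over is untrusted. An HMAC with a constructed key stands in for the asymmetric signature a real vendor would use, and the manifest layout is an assumption.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass
class PatchManifest:
    version: int        # monotonically increasing patch version
    patch_sha256: str   # hash of the patch payload the kernel will apply
    tag: str            # authenticator over (version, patch_sha256)


def _mac(key: bytes, version: int, patch_sha256: str) -> str:
    # Assumption: HMAC-SHA256 as a stand-in for a vendor signature.
    msg = json.dumps([version, patch_sha256]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_manifest(key: bytes, version: int, patch: bytes) -> PatchManifest:
    """Vendor side: bind a version number to the patch payload."""
    digest = hashlib.sha256(patch).hexdigest()
    return PatchManifest(version, digest, _mac(key, version, digest))


class PatchVerifier:
    """Stand-in for the enclave: it alone holds the key and the latest
    accepted version, so a compromised kernel can neither forge a manifest
    nor wind the counter back to re-apply an older patch."""

    def __init__(self, key: bytes, initial_version: int = 0):
        self._key = key
        self._latest = initial_version

    def validate(self, m: PatchManifest, patch: bytes) -> str:
        # 1. Authenticity of the manifest (constant-time comparison).
        expected = _mac(self._key, m.version, m.patch_sha256)
        if not hmac.compare_digest(m.tag, expected):
            return "reject: bad signature"
        # 2. The payload the kernel supplied must match the signed digest.
        if hashlib.sha256(patch).hexdigest() != m.patch_sha256:
            return "reject: payload mismatch"
        # 3. Rollback and replay protection via the monotonic counter.
        if m.version <= self._latest:
            return f"reject: rollback (have {self._latest}, got {m.version})"
        self._latest = m.version  # advance only after every check passed
        return "accept"
```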
Copyright (c) 2026 Comprehensive Journal of Science

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.