fbpx
Wikipedia

Dynamic software updating

January 01, 1970

In computer science, dynamic software updating (DSU) is a field of research pertaining to upgrading programs while they are running. DSU is not currently widely used in industry. However, researchers have developed a wide variety of systems and techniques for implementing DSU. These systems are commonly tested on real-world programs.

Current operating systems and programming languages are typically not designed with DSU in mind. As such, DSU implementations commonly either utilize existing tools, or implement specialty compilers. These compilers preserve the semantics of the original program, but instrument either the source code or object code to produce a dynamically updateable program. Researchers compare DSU-capable variants of programs to the original program to assess safety and performance overhead.

Introduction edit

Any running program can be thought of a tuple  , where   is the current program state and   is the current program code. Dynamic software updating systems transform a running program   to a new version  . In order to do this, the state must be transformed into the representation   expects. This requires a state transformer function. Thus, DSU transforms a program   to  . An update is considered valid if and only if the running program   can be reduced to a point tuple   that is reachable from the starting point of the new version of the program,  .[1]

The location in a program where a dynamic update occurs is referred to as an update point. Existing DSU implementations vary widely in their treatment of update points. In some systems, such as UpStare and PoLUS, an update can occur at any time during execution. Ginseng's compiler will attempt to infer good locations for update points, but can also use programmer-specified update points. Kitsune and Ekiden require developers to manually specify and name all update points.

Updating systems differ in the types of program changes that they support. For example, Ksplice only supports code changes in functions, and does not support changes to state representation. This is because Ksplice primarily targets security changes, rather than general updates. In contrast, Ekiden can update a program to any other program capable of being executed, even one written in a different programming language. Systems designers can extract valuable performance or safety assurances by limiting the scope of updates. For example, any update safety check limits the scope of updates to updates which pass that safety check. The mechanism used to transform code and state influences what kinds of updates a system will support.

DSU systems, as tools, can also be evaluated on their ease-of-use and clarity to developers. Many DSU systems, such as Ginseng, require programs to pass various static analyses. While these analyses prove properties of programs that are valuable for DSU, they are by nature sophisticated and difficult to understand. DSU systems that do not use a static analysis might require use of a specialized compiler. Some DSU systems require neither static analysis nor specialty compilers.

Programs that are updated by a DSU system are referred to as target programs. Academic publications of DSU systems commonly include several target programs as case studies. vsftpd, OpenSSH, PostgreSQL, Tor, Apache, GNU Zebra, memcached, and Redis are all dynamic updating targets for various systems. Since few programs are written with support for dynamic updating in mind, retrofitting existing programs is a valuable means of evaluating a DSU system for practical use.

Related fields edit

The problem space addressed by dynamic updating can be thought of as an intersection of several others. Examples include checkpointing, dynamic linking, and persistence. As an example, a database that must be backward-compatible with previous versions of its on-disk file format, must accomplish the same type of state transformation expected of a dynamic updating system. Likewise, a program that has a plugin architecture, must be able to load and execute new code at runtime.

Similar techniques are sometimes also employed for the purpose of dynamic dead-code elimination to remove conditionally dead or unreachable code at load or runtime, and recombine the remaining code to minimize its memory footprint or improve speed.[2][3]

History edit

The earliest precursor to dynamic software updating is redundant systems. In a redundant environment, spare systems exist ready to take control of active computations in the event of a failure of the main system. These systems contain a main machine and a hot spare. The hot spare would be periodically seeded with a checkpoint of the primary system. In the event of a failure, the hot spare would take over, and the main machine would become the new hot spare. This pattern can be generalized to updating. In the event of an update, the hot spare would activate, the main system would update, and then the updated system would resume control.

The earliest true Dynamic Software Updating system is DYMOS (Dynamic Modification System).[4] Presented in 1983 in the PhD dissertation of Insup Lee, DYMOS was a fully integrated system that had access to an interactive user interface, a compiler and runtime for a Modula variant, and source code. This enabled DYMOS to type-check updates against the existing program.

Implementation edit

DSU systems must load new code into a running program, and transform existing state into a format that is understood by the new code. Since many motivational use-cases of DSU are time-critical (for example, deploying a security fix on a live and vulnerable system), DSU systems must provide adequate update availability. Some DSU systems also attempt to ensure that updates are safe before applying them.

There is no one canonical solution to any of these problems. Typically, a DSU system that performs well in one problem area does so at a trade-off to others. For example, empirical testing of dynamic updates indicates that increasing the number of update points results in an increased number of unsafe updates.[5]

Code transformation edit

Most DSU systems use subroutines as the unit of code for updates; however, newer DSU systems implement whole-program updates.[6][7]

If the target program is implemented in a virtual machine language, the VM can use existing infrastructure to load new code, since modern virtual machines support runtime loading for other use cases besides DSU (mainly debugging). The HotSpot JVM supports runtime code loading, and DSU systems targeting Java (programming language) can utilize this feature.

In native languages such as C or C++, DSU systems can use specialized compilers that insert indirection into the program. At update time, this indirection is updated to point to the newest version. If a DSU system does not use a compiler to insert these indirections statically, it insert them at runtime with binary rewriting. Binary rewriting is the process of writing low-level code into the memory image of a running native program to re-direct functions. While this requires no static analysis of a program, it is highly platform-dependent.

Ekiden and Kitsune load new program code via starting an entirely new program, either through fork-exec or dynamic loading. The existing program state is then transferred to the new program space.[6][7]

State transformation edit

During an update, program state must be transformed from the original representation to the new version's representation. This is referred to as state transformation. A function which transforms a state object or group of objects is referred to as a transformer function or state transformer.

DSU systems can either attempt to synthesize transformer functions, or require that the developer manually supply them. Some systems mix these approaches, inferring some elements of transformers while requiring developer input on others.

These transformer functions can either be applied to program state lazily, as each piece of old-version state is accessed, or eagerly, transforming all state at update time. Lazy transformation ensures that the update will complete in constant time, but also incurs steady-state overhead on object access. Eager transformation incurs more expense at the time of update, requiring the system to stop the world while all transformers run. However, eager transformation allows compilers to fully optimize state access, avoiding the steady-state overhead involved with lazy transformation.

Update safety edit

Most DSU systems attempt to show some safety properties for updates. The most common variant of safety checking is type safety, where an update is considered safe if it does not result in any new code operating on an old state representation, or vice versa.

Type safety is typically checked by showing one of two properties, activeness safety or cons-freeness safety. A program is considered activeness-safe if no updated function exists on the call stack at update time. This proves safety because control can never return to old code that would access new representations of data.

Cons-Freeness is another way to prove type safety, where a section of code is considered safe if it does not access state of a given type in a way that requires knowledge of the type representation. This code can be said to not access the state concretely, while it may access the state abstractly. It is possible to prove or disprove cons-freeness for all types in any section of code, and the DSU system Ginseng uses this to prove type safety.[8][9] If a function is proven cons-free, it can be updated even if it is live on the stack, since it will not cause a type error by accessing state using the old representation.

Empirical analysis of cons-freeness and activeness safety by Hayden et al. show that both techniques permit most correct updates and deny most erroneous updates. However, manually selecting update points results in zero update errors, and still allows frequent update availability.[5]

Existing systems edit

DYMOS edit

DYMOS is notable in that it was the earliest proposed DSU system. DYMOS consists of a fully integrated environment for programs written in a derivative of Modula, giving the system access to a command interpreter, source code, compiler, and runtime environment, similar to a REPL. In DYMOS, updates are initiated by a user executing a command in the interactive environment. This command includes directives specifying when an update can occur, called when-conditions. The information available to DYMOS enables it to enforce type-safety of updates with respect to the running target program.[4]

Ksplice, kpatch and kGraft edit

See also: Category:Linux kernel live patching

Ksplice is a DSU system that targets only the Linux kernel, making itself one of the specialized DSU systems that support an operating system kernel as the target program. Ksplice uses source-level diffs to determine changes between current and updated versions of the Linux kernel, and then uses binary rewriting to insert the changes into the running kernel.[10] Ksplice was maintained by a commercial venture founded by its original authors, Ksplice Inc., which was acquired by Oracle Corporation in July 2011.[11] Ksplice is used on a commercial basis and exclusively in the Oracle Linux distribution.[12]

SUSE developed kGraft as an open-source alternative for live kernel patching, and Red Hat did likewise with kpatch. They both allow function-level changes to be applied to a running Linux kernel, while relying on live patching mechanisms established by ftrace. The primary difference between kGraft and kpatch is the way they ensure runtime consistency of the updated code sections while hot patches are applied. kGraft and kpatch were submitted for inclusion into the Linux kernel mainline in April 2014 and May 2014, respectively,[13][14] and the minimalistic foundations for live patching were merged into the Linux kernel mainline in kernel version 4.0, which was released on April 12, 2015.[15]

Since April 2015, there is ongoing work on porting kpatch and kGraft to the common live patching core provided by the Linux kernel mainline. However, implementation of the function-level consistency mechanisms, required for safe transitions between the original and patched versions of functions, has been delayed because the call stacks provided by the Linux kernel may be unreliable in situations that involve assembly code without proper stack frames; as a result, the porting work remains in progress as of September 2015. In an attempt to improve the reliability of kernel's call stacks, a specialized sanity-check stacktool userspace utility has also been developed with the purpose of checking kernel's compile-time object files and ensuring that the call stack is always maintained; it also opens up a possibility for achieving more reliable call stacks as part of the kernel oops messages.[16][17]

Ginseng edit

Ginseng is a general-purpose DSU system. It is the only DSU system to use the cons-freeness safety technique, allowing it to update functions that are live on the stack as long as they do not make concrete accesses to updated types.

Ginseng is implemented as a source-to-source compiler written using the C Intermediate Language framework in OCaml. This compiler inserts indirection to all function calls and type accesses, enabling Ginseng to lazily transform state at the cost of imposing a constant-time overhead for the entirety of the program execution.[9] Ginseng's compiler proves the cons-freeness properties of the entire initial program and of dynamic patches.

Later versions of Ginseng also support a notion of transactional safety. This allows developers to annotate a sequence of function calls as a logical unit, preventing updates from violating program semantics in ways that are not detectable by either activeness safety or cons-freeness safety. For example, in two versions of OpenSSH examined by Ginseng's authors, important user verification code was moved between two functions called in sequence. If the first version of the first function executed, an update occurred, and the new version of the second function was executed, then the verification would never be performed. Marking this section as a transaction ensures that an update will not prevent the verification from occurring.[18]

UpStare edit

UpStare is a DSU system that uses a unique updating mechanism, stack reconstruction. To update a program with UpStare, a developer specifies a mapping between any possible stack frames. UpStare is able to use this mapping to immediately update the program at any point, with any number of threads, and with any functions live on the stack.[19]

PoLUS edit

PoLUS is a binary-rewriting DSU system for C. It is able to update unmodified programs at any point in their execution. To update functions, it rewrites the prelude to a target function to redirect to a new function, chaining these redirections over multiple versions. This avoids steady-state overhead in functions that have not been updated.[20]

Katana edit

Katana is a research system that provides limited dynamic updating (similar to Ksplice and its forks) for user-mode ELF binaries. The Katana patching model operates on the level of ELF objects, and thus has the capacity to be language-agnostic as long as the compilation target is ELF.

Kitsune and Ekiden edit

Ekiden and Kitsune are two variants of a single DSU system that implements the state-transfer style of DSU for programs written in C. Rather than updating functions within a single program, Ekiden and Kitsune perform updates over whole programs, transferring necessary state between the two executions. While Ekiden accomplishes this by starting a new program using the UNIX idiom of fork-exec, serializing the target program's state, and transferring it, Kitsune uses dynamic linking to perform "in-place" state transfer. Kitsune is derived from Ekiden's codebase, and can be considered a later version of Ekiden.

Ekiden and Kitsune are also notable in that they are implemented primarily as application-level libraries, rather than specialized runtimes or compilers. As such, to use Ekiden or Kitsune, an application developer must manually mark state that is to be transferred, and manually select points in the program where an update can occur. To ease this process, Kitsune includes a specialized compiler that implements a domain-specific language for writing state transformers.[6][7]

Erlang edit

Erlang supports Dynamic Software Updating, though this is commonly referred to as "hot code loading". Erlang requires no safety guarantees on updates, but Erlang culture suggests that developers write in a defensive style that will gracefully handle type errors generated by updating.[citation needed]

Pymoult edit

Pymoult is a prototyping platform for dynamic update written in Python. It gathers many techniques from other systems, allowing their combination and configuration. The objective of this platform is to let developers chose the update techniques they find more appropriate for their needs. For example, one can combine lazy update of the state as in Ginseng while changing the whole code of the application as in Kitsune or Ekiden.[21][22]

Microsoft Visual C++ edit

Microsoft is utilizing internal patching technology for Microsoft Visual C++ that supports patching individual C++ functions while maintaining functional correctness of patches. Currently known applications is SQL Server in Azure SQL Database.[23]

See also edit

References edit

  1. ^ Gupta, Deepak; Jalote, Pankaj; Barua, Gautam (1996). (PDF). IEEE Transactions on Software Engineering. 22 (2): 120–131. doi:10.1109/32.485222. Archived from the original (PDF) on 2014-04-07.
  2. ^ Paul, Matthias R.; Frinke, Axel C. (1997-10-13) [first published 1991], FreeKEYB - Enhanced DOS keyboard and console driver (User Manual) (v6.5 ed.) (NB. The K3PLUS successor FreeKEYB is a fully reconfigurable driver with many dynamically loadable special features. It implements a unique form of byte-level granular dynamic dead code elimination and relocation techniques at load-time as well as self-modifying code and reconfigurability at run-time to minimize its memory footprint close to the canonical form depending on the hardware, operating system, other environment and driver configuration as well as the selected feature set and locale (about sixty configuration switches with hundreds of options for an almost unlimited number of possible combinations). The build process utilizes a macro assembler as well as a framework of automatic pre- and post-processing tools analyzing the temporary binaries to generate dependency and code morphing meta data to be embedded into the resulting executable file alongside the binary code and a self-discarding, relaxing and relocating loader to dynamically (re)combine, (over)load, modify, update or unload the runtime image (code and data) of the driver as requested. The complexity is hidden in a single self-contained file so that for a user the handling is the same as for a normal (semi-)monolithic driver/terminate-and-stay-resident program.
  3. ^ Paul, Matthias R.; Frinke, Axel C. (2006-01-16), FreeKEYB - Advanced international DOS keyboard and console driver (User Manual) (v7 preliminary ed.)
  4. ^ a b Lee, Insup (1983). Dymos: a dynamic modification system (Doctor of Philosophy (Computer Science) thesis). University of Wisconsin - Madison. from the original on 2003-09-16.
  5. ^ a b Hayden, Chris; Smith, Edward K.; Hardisty, Eric; Hicks, Michael; Foster, Jeffery (2011). "Evaluating dynamic software update safety using systematic testing" (PDF). IEEE Transactions on Software Engineering (99). IEEE.[permanent dead link]
  6. ^ a b c Hayden, Chris; Smith, Edward K.; Hicks, Michael; Foster, Jeffery (2011). "State transfer for clear and efficient runtime updates" (PDF). Data Engineering Workshops (ICDEW), 2011 IEEE 27th International Conference on. IEEE: 179–184.
  7. ^ a b c Hayden, Chris; Smith, Edward K.; Denchev, Michail; Hicks, Michael; Foster, Jeffery (2011). "Kitsune: Efficient, General-purpose Dynamic Software Updating for C" (PDF). {{cite journal}}: Cite journal requires |journal= (help)
  8. ^ Stoyle, Gareth; Hicks, Michael; Bierman, Gavin; Sewall, Peter; Neamtiu, Iulian (2005). "Mutatis mutandis: Safe and predictable dynamic software updating" (PDF). Proceedings of the ACM Conference on Principles of Programming Languages.
  9. ^ a b Neamtiu, Iulian; Hicks, Michael; Stoyle, Gareth; Oriol, Manuel (2006). "Practical dynamic software updating for C" (PDF). ACM SIGPLAN Notices. 41 (6): 72–83. CiteSeerX 10.1.1.625.4663. doi:10.1145/1133255.1133991.
  10. ^ Arnold, Jeff; Kaashoek, M. Frans (2009). "Ksplice: automatic rebootless kernel updates". Proceedings of the 4th ACM European conference on Computer systems (PDF). pp. 187–198. doi:10.1145/1519065.1519085. hdl:1721.1/51698. ISBN 9781605584829. S2CID 7720018.
  11. ^ "Oracle and Ksplice". Retrieved 2011-07-21.
  12. ^ "Getting Started with Oracle Ksplice". oracle.com. Retrieved 2014-08-02.
  13. ^ Poimboeuf, Josh (2014-05-01). "kpatch: dynamic kernel patching". LWN.net. Retrieved 2014-07-23.
  14. ^ Corbet, Jonathan (2014-04-30). "The initial kGraft submission". LWN.net. Retrieved 2014-11-07.
  15. ^ "Linux kernel 4.0, Section 1.2. Live patching". kernelnewbies.org. 2015-04-26. Retrieved 2015-05-14.
  16. ^ Corbet, Jonathan (2015-09-30). "Compile-time stack validation". LWN.net. Retrieved 2015-10-02.
  17. ^ Poimboeuf, Josh (2015-09-24). "Linux kernel documentation: Documentation/stack-validation.txt (from the v13 patch)". LWN.net. Retrieved 2015-10-02.
  18. ^ Neamtiu, Iulian; Hicks, Michael; Foster, Jeffrey; Pratikakis, Polyvios (2008). "Contextual Effects for Version-Consistent Dynamic Software Updating and Safe Concurrent Programming". Proceedings of the {ACM} Conference on Principles of Programming Languages (POPL): 37–58.
  19. ^ Makris, Kristis; Bazzi, Rida A. (2009). "Immediate Multi-Threaded Dynamic Software Updates Using Stack Reconstruction" (PDF). Proceedings of the 2009 Conference on USENIX Annual Technical Conference.
  20. ^ Chen, Haibo; Yu, Jie; Chen, Rong; Zang, Binyu; Yew, Pen-Chung (2007). (PDF). 29th International Conference on Software Engineering: 271–281. Archived from the original (PDF) on 2012-04-26. Retrieved 2011-12-18.
  21. ^ Sébastien Martinez; Fabien Dagnat; Jérémy Buisson (2013). "Prototyping DSU Techniques using Python". Proceedings of the 5th Workshop on Hot Topics in Software Upgrades (HotSWUp'13).
  22. ^ Martinez, Sébastien (2013-03-06). "Pymoult". Bitbucket. Retrieved 2014-11-27.
  23. ^ "Hot Patching SQL Server Engine in Azure SQL Database". TECHCOMMUNITY.MICROSOFT.COM. 2019-09-11. Retrieved 2019-09-15.

External links edit

  • Ksplice homepage
  • Ksplice source code
  • Ginseng Project Page and Source Code/ UpStare Paper/ PoLUS paper
  • Erlang homepage
  • Katana homepage
  • Whitepaper blog post on Visual C++ patching

January 01, 1970
dynamic, software, updating, computer, science, dynamic, software, updating, field, research, pertaining, upgrading, programs, while, they, running, currently, widely, used, industry, however, researchers, have, developed, wide, variety, systems, techniques, i. In computer science dynamic software updating DSU is a field of research pertaining to upgrading programs while they are running DSU is not currently widely used in industry However researchers have developed a wide variety of systems and techniques for implementing DSU These systems are commonly tested on real world programs Current operating systems and programming languages are typically not designed with DSU in mind As such DSU implementations commonly either utilize existing tools or implement specialty compilers These compilers preserve the semantics of the original program but instrument either the source code or object code to produce a dynamically updateable program Researchers compare DSU capable variants of programs to the original program to assess safety and performance overhead Contents 1 Introduction 2 Related fields 3 History 4 Implementation 5 Code transformation 6 State transformation 7 Update safety 8 Existing systems 8 1 DYMOS 8 2 Ksplice kpatch and kGraft 8 3 Ginseng 8 4 UpStare 8 5 PoLUS 8 6 Katana 8 7 Kitsune and Ekiden 8 8 Erlang 8 9 Pymoult 8 10 Microsoft Visual C 9 See also 10 References 11 External linksIntroduction editAny running program can be thought of a tuple d P displaystyle delta P nbsp where d displaystyle delta nbsp is the current program state and P displaystyle P nbsp is the current program code Dynamic software updating systems transform a running program d P displaystyle delta P nbsp to a new version d P displaystyle delta P nbsp In order to do this the state must be transformed into the representation P displaystyle P nbsp expects This requires a state transformer function Thus DSU transforms a program d P displaystyle delta P nbsp to S d P displaystyle S delta P nbsp An update is considered valid if and only if the running program S d P displaystyle S delta P nbsp can be reduced to a point tuple d P displaystyle delta P nbsp that is reachable from the starting point of the new version of the program d i n i t P displaystyle delta init P nbsp 1 The location in a program where a dynamic update occurs is referred to as an update point Existing DSU implementations vary widely in their treatment of update points In some systems such as UpStare and PoLUS an update can occur at any time during execution Ginseng s compiler will attempt to infer good locations for update points but can also use programmer specified update points Kitsune and Ekiden require developers to manually specify and name all update points Updating systems differ in the types of program changes that they support For example Ksplice only supports code changes in functions and does not support changes to state representation This is because Ksplice primarily targets security changes rather than general updates In contrast Ekiden can update a program to any other program capable of being executed even one written in a different programming language Systems designers can extract valuable performance or safety assurances by limiting the scope of updates For example any update safety check limits the scope of updates to updates which pass that safety check The mechanism used to transform code and state influences what kinds of updates a system will support DSU systems as tools can also be evaluated on their ease of use and clarity to developers Many DSU systems such as Ginseng require programs to pass various static analyses While these analyses prove properties of programs that are valuable for DSU they are by nature sophisticated and difficult to understand DSU systems that do not use a static analysis might require use of a specialized compiler Some DSU systems require neither static analysis nor specialty compilers Programs that are updated by a DSU system are referred to as target programs Academic publications of DSU systems commonly include several target programs as case studies vsftpd OpenSSH PostgreSQL Tor Apache GNU Zebra memcached and Redis are all dynamic updating targets for various systems Since few programs are written with support for dynamic updating in mind retrofitting existing programs is a valuable means of evaluating a DSU system for practical use Related fields editThe problem space addressed by dynamic updating can be thought of as an intersection of several others Examples include checkpointing dynamic linking and persistence As an example a database that must be backward compatible with previous versions of its on disk file format must accomplish the same type of state transformation expected of a dynamic updating system Likewise a program that has a plugin architecture must be able to load and execute new code at runtime Similar techniques are sometimes also employed for the purpose of dynamic dead code elimination to remove conditionally dead or unreachable code at load or runtime and recombine the remaining code to minimize its memory footprint or improve speed 2 3 History editThe earliest precursor to dynamic software updating is redundant systems In a redundant environment spare systems exist ready to take control of active computations in the event of a failure of the main system These systems contain a main machine and a hot spare The hot spare would be periodically seeded with a checkpoint of the primary system In the event of a failure the hot spare would take over and the main machine would become the new hot spare This pattern can be generalized to updating In the event of an update the hot spare would activate the main system would update and then the updated system would resume control The earliest true Dynamic Software Updating system is DYMOS Dynamic Modification System 4 Presented in 1983 in the PhD dissertation of Insup Lee DYMOS was a fully integrated system that had access to an interactive user interface a compiler and runtime for a Modula variant and source code This enabled DYMOS to type check updates against the existing program Implementation editDSU systems must load new code into a running program and transform existing state into a format that is understood by the new code Since many motivational use cases of DSU are time critical for example deploying a security fix on a live and vulnerable system DSU systems must provide adequate update availability Some DSU systems also attempt to ensure that updates are safe before applying them There is no one canonical solution to any of these problems Typically a DSU system that performs well in one problem area does so at a trade off to others For example empirical testing of dynamic updates indicates that increasing the number of update points results in an increased number of unsafe updates 5 Code transformation editMost DSU systems use subroutines as the unit of code for updates however newer DSU systems implement whole program updates 6 7 If the target program is implemented in a virtual machine language the VM can use existing infrastructure to load new code since modern virtual machines support runtime loading for other use cases besides DSU mainly debugging The HotSpot JVM supports runtime code loading and DSU systems targeting Java programming language can utilize this feature In native languages such as C or C DSU systems can use specialized compilers that insert indirection into the program At update time this indirection is updated to point to the newest version If a DSU system does not use a compiler to insert these indirections statically it insert them at runtime with binary rewriting Binary rewriting is the process of writing low level code into the memory image of a running native program to re direct functions While this requires no static analysis of a program it is highly platform dependent Ekiden and Kitsune load new program code via starting an entirely new program either through fork exec or dynamic loading The existing program state is then transferred to the new program space 6 7 State transformation editDuring an update program state must be transformed from the original representation to the new version s representation This is referred to as state transformation A function which transforms a state object or group of objects is referred to as a transformer function or state transformer DSU systems can either attempt to synthesize transformer functions or require that the developer manually supply them Some systems mix these approaches inferring some elements of transformers while requiring developer input on others These transformer functions can either be applied to program state lazily as each piece of old version state is accessed or eagerly transforming all state at update time Lazy transformation ensures that the update will complete in constant time but also incurs steady state overhead on object access Eager transformation incurs more expense at the time of update requiring the system to stop the world while all transformers run However eager transformation allows compilers to fully optimize state access avoiding the steady state overhead involved with lazy transformation Update safety editMost DSU systems attempt to show some safety properties for updates The most common variant of safety checking is type safety where an update is considered safe if it does not result in any new code operating on an old state representation or vice versa Type safety is typically checked by showing one of two properties activeness safety or cons freeness safety A program is considered activeness safe if no updated function exists on the call stack at update time This proves safety because control can never return to old code that would access new representations of data Cons Freeness is another way to prove type safety where a section of code is considered safe if it does not access state of a given type in a way that requires knowledge of the type representation This code can be said to not access the state concretely while it may access the state abstractly It is possible to prove or disprove cons freeness for all types in any section of code and the DSU system Ginseng uses this to prove type safety 8 9 If a function is proven cons free it can be updated even if it is live on the stack since it will not cause a type error by accessing state using the old representation Empirical analysis of cons freeness and activeness safety by Hayden et al show that both techniques permit most correct updates and deny most erroneous updates However manually selecting update points results in zero update errors and still allows frequent update availability 5 Existing systems editDYMOS edit DYMOS is notable in that it was the earliest proposed DSU system DYMOS consists of a fully integrated environment for programs written in a derivative of Modula giving the system access to a command interpreter source code compiler and runtime environment similar to a REPL In DYMOS updates are initiated by a user executing a command in the interactive environment This command includes directives specifying when an update can occur called when conditions The information available to DYMOS enables it to enforce type safety of updates with respect to the running target program 4 Ksplice kpatch and kGraft edit See also Category Linux kernel live patching Ksplice is a DSU system that targets only the Linux kernel making itself one of the specialized DSU systems that support an operating system kernel as the target program Ksplice uses source level diffs to determine changes between current and updated versions of the Linux kernel and then uses binary rewriting to insert the changes into the running kernel 10 Ksplice was maintained by a commercial venture founded by its original authors Ksplice Inc which was acquired by Oracle Corporation in July 2011 11 Ksplice is used on a commercial basis and exclusively in the Oracle Linux distribution 12 SUSE developed kGraft as an open source alternative for live kernel patching and Red Hat did likewise with kpatch They both allow function level changes to be applied to a running Linux kernel while relying on live patching mechanisms established by ftrace The primary difference between kGraft and kpatch is the way they ensure runtime consistency of the updated code sections while hot patches are applied kGraft and kpatch were submitted for inclusion into the Linux kernel mainline in April 2014 and May 2014 respectively 13 14 and the minimalistic foundations for live patching were merged into the Linux kernel mainline in kernel version 4 0 which was released on April 12 2015 15 Since April 2015 there is ongoing work on porting kpatch and kGraft to the common live patching core provided by the Linux kernel mainline However implementation of the function level consistency mechanisms required for safe transitions between the original and patched versions of functions has been delayed because the call stacks provided by the Linux kernel may be unreliable in situations that involve assembly code without proper stack frames as a result the porting work remains in progress as of September 2015 update In an attempt to improve the reliability of kernel s call stacks a specialized sanity check stacktool userspace utility has also been developed with the purpose of checking kernel s compile time object files and ensuring that the call stack is always maintained it also opens up a possibility for achieving more reliable call stacks as part of the kernel oops messages 16 17 Ginseng edit Ginseng is a general purpose DSU system It is the only DSU system to use the cons freeness safety technique allowing it to update functions that are live on the stack as long as they do not make concrete accesses to updated types Ginseng is implemented as a source to source compiler written using the C Intermediate Language framework in OCaml This compiler inserts indirection to all function calls and type accesses enabling Ginseng to lazily transform state at the cost of imposing a constant time overhead for the entirety of the program execution 9 Ginseng s compiler proves the cons freeness properties of the entire initial program and of dynamic patches Later versions of Ginseng also support a notion of transactional safety This allows developers to annotate a sequence of function calls as a logical unit preventing updates from violating program semantics in ways that are not detectable by either activeness safety or cons freeness safety For example in two versions of OpenSSH examined by Ginseng s authors important user verification code was moved between two functions called in sequence If the first version of the first function executed an update occurred and the new version of the second function was executed then the verification would never be performed Marking this section as a transaction ensures that an update will not prevent the verification from occurring 18 UpStare edit UpStare is a DSU system that uses a unique updating mechanism stack reconstruction To update a program with UpStare a developer specifies a mapping between any possible stack frames UpStare is able to use this mapping to immediately update the program at any point with any number of threads and with any functions live on the stack 19 PoLUS edit PoLUS is a binary rewriting DSU system for C It is able to update unmodified programs at any point in their execution To update functions it rewrites the prelude to a target function to redirect to a new function chaining these redirections over multiple versions This avoids steady state overhead in functions that have not been updated 20 Katana edit Katana is a research system that provides limited dynamic updating similar to Ksplice and its forks for user mode ELF binaries The Katana patching model operates on the level of ELF objects and thus has the capacity to be language agnostic as long as the compilation target is ELF Kitsune and Ekiden edit Ekiden and Kitsune are two variants of a single DSU system that implements the state transfer style of DSU for programs written in C Rather than updating functions within a single program Ekiden and Kitsune perform updates over whole programs transferring necessary state between the two executions While Ekiden accomplishes this by starting a new program using the UNIX idiom of fork exec serializing the target program s state and transferring it Kitsune uses dynamic linking to perform in place state transfer Kitsune is derived from Ekiden s codebase and can be considered a later version of Ekiden Ekiden and Kitsune are also notable in that they are implemented primarily as application level libraries rather than specialized runtimes or compilers As such to use Ekiden or Kitsune an application developer must manually mark state that is to be transferred and manually select points in the program where an update can occur To ease this process Kitsune includes a specialized compiler that implements a domain specific language for writing state transformers 6 7 Erlang edit Erlang supports Dynamic Software Updating though this is commonly referred to as hot code loading Erlang requires no safety guarantees on updates but Erlang culture suggests that developers write in a defensive style that will gracefully handle type errors generated by updating citation needed Pymoult edit Pymoult is a prototyping platform for dynamic update written in Python It gathers many techniques from other systems allowing their combination and configuration The objective of this platform is to let developers chose the update techniques they find more appropriate for their needs For example one can combine lazy update of the state as in Ginseng while changing the whole code of the application as in Kitsune or Ekiden 21 22 Microsoft Visual C edit Microsoft is utilizing internal patching technology for Microsoft Visual C that supports patching individual C functions while maintaining functional correctness of patches Currently known applications is SQL Server in Azure SQL Database 23 See also editHot swapping Software Persistence computer science Runtime verificationReferences edit Gupta Deepak Jalote Pankaj Barua Gautam 1996 A Formal Framework for On line Software Version Change PDF IEEE Transactions on Software Engineering 22 2 120 131 doi 10 1109 32 485222 Archived from the original PDF on 2014 04 07 Paul Matthias R Frinke Axel C 1997 10 13 first published 1991 FreeKEYB Enhanced DOS keyboard and console driver User Manual v6 5 ed 1 NB The K3PLUS successor FreeKEYB is a fully reconfigurable driver with many dynamically loadable special features It implements a unique form of byte level granular dynamic dead code elimination and relocation techniques at load time as well as self modifying code and reconfigurability at run time to minimize its memory footprint close to the canonical form depending on the hardware operating system other environment and driver configuration as well as the selected feature set and locale about sixty configuration switches with hundreds of options for an almost unlimited number of possible combinations The build process utilizes a macro assembler as well as a framework of automatic pre and post processing tools analyzing the temporary binaries to generate dependency and code morphing meta data to be embedded into the resulting executable file alongside the binary code and a self discarding relaxing and relocating loader to dynamically re combine over load modify update or unload the runtime image code and data of the driver as requested The complexity is hidden in a single self contained file so that for a user the handling is the same as for a normal semi monolithic driver terminate and stay resident program Paul Matthias R Frinke Axel C 2006 01 16 FreeKEYB Advanced international DOS keyboard and console driver User Manual v7 preliminary ed a b Lee Insup 1983 Dymos a dynamic modification system Doctor of Philosophy Computer Science thesis University of Wisconsin Madison Archived from the original on 2003 09 16 a b Hayden Chris Smith Edward K Hardisty Eric Hicks Michael Foster Jeffery 2011 Evaluating dynamic software update safety using systematic testing PDF IEEE Transactions on Software Engineering 99 IEEE permanent dead link a b c Hayden Chris Smith Edward K Hicks Michael Foster Jeffery 2011 State transfer for clear and efficient runtime updates PDF Data Engineering Workshops ICDEW 2011 IEEE 27th International Conference on IEEE 179 184 a b c Hayden Chris Smith Edward K Denchev Michail Hicks Michael Foster Jeffery 2011 Kitsune Efficient General purpose Dynamic Software Updating for C PDF a href Template Cite journal html title Template Cite journal cite journal a Cite journal requires journal help Stoyle Gareth Hicks Michael Bierman Gavin Sewall Peter Neamtiu Iulian 2005 Mutatis mutandis Safe and predictable dynamic software updating PDF Proceedings of the ACM Conference on Principles of Programming Languages a b Neamtiu Iulian Hicks Michael Stoyle Gareth Oriol Manuel 2006 Practical dynamic software updating for C PDF ACM SIGPLAN Notices 41 6 72 83 CiteSeerX 10 1 1 625 4663 doi 10 1145 1133255 1133991 Arnold Jeff Kaashoek M Frans 2009 Ksplice automatic rebootless kernel updates Proceedings of the 4th ACM European conference on Computer systems PDF pp 187 198 doi 10 1145 1519065 1519085 hdl 1721 1 51698 ISBN 9781605584829 S2CID 7720018 Oracle and Ksplice Retrieved 2011 07 21 Getting Started with Oracle Ksplice oracle com Retrieved 2014 08 02 Poimboeuf Josh 2014 05 01 kpatch dynamic kernel patching LWN net Retrieved 2014 07 23 Corbet Jonathan 2014 04 30 The initial kGraft submission LWN net Retrieved 2014 11 07 Linux kernel 4 0 Section 1 2 Live patching kernelnewbies org 2015 04 26 Retrieved 2015 05 14 Corbet Jonathan 2015 09 30 Compile time stack validation LWN net Retrieved 2015 10 02 Poimboeuf Josh 2015 09 24 Linux kernel documentation Documentation stack validation txt from the v13 patch LWN net Retrieved 2015 10 02 Neamtiu Iulian Hicks Michael Foster Jeffrey Pratikakis Polyvios 2008 Contextual Effects for Version Consistent Dynamic Software Updating and Safe Concurrent Programming Proceedings of the ACM Conference on Principles of Programming Languages POPL 37 58 Makris Kristis Bazzi Rida A 2009 Immediate Multi Threaded Dynamic Software Updates Using Stack Reconstruction PDF Proceedings of the 2009 Conference on USENIX Annual Technical Conference Chen Haibo Yu Jie Chen Rong Zang Binyu Yew Pen Chung 2007 POLUS A POwerful Live Updating System PDF 29th International Conference on Software Engineering 271 281 Archived from the original PDF on 2012 04 26 Retrieved 2011 12 18 Sebastien Martinez Fabien Dagnat Jeremy Buisson 2013 Prototyping DSU Techniques using Python Proceedings of the 5th Workshop on Hot Topics in Software Upgrades HotSWUp 13 Martinez Sebastien 2013 03 06 Pymoult Bitbucket Retrieved 2014 11 27 Hot Patching SQL Server Engine in Azure SQL Database TECHCOMMUNITY MICROSOFT COM 2019 09 11 Retrieved 2019 09 15 External links editKsplice homepage Ksplice source code Ginseng Project Page and Source Code UpStare Paper PoLUS paper Erlang homepage Katana homepage Whitepaper blog post on Visual C patching Retrieved from https en wikipedia org w index php title Dynamic software updating amp oldid 1217185447, wikipedia, wiki, book, books, library,

article

, read, download, free, free download, mp3, video, mp4, 3gp, jpg, jpeg, gif, png, picture, music, song, movie, book, game, games.