Luci: Loader-based Dynamic Software Updates for Off-the-shelf Shared Objects

Authors: 

Bernhard Heinloth, Peter Wägemann, and Wolfgang Schröder-Preikschat, Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU), Germany

Abstract: 

Shared libraries indisputably facilitate software development but also significantly increase the attack surface, and when using multiple libraries, frequent patches for vulnerabilities are to be expected. However, such a bugfix commonly requires restarting all services depending on the compromised library, which causes downtimes and unavailability of services. This can be prevented by dynamic software updating, but existing approaches are often costly and incur additional maintenance due to necessary source or infrastructure modifications.

With Luci, we present a lightweight linker/loader technique to unobtrusively and automatically update shared libraries during runtime by exploiting the indirection mechanisms of position-independent code, hence avoiding severe runtime overhead. Luci further adds no additional requirements, such as adjusting the source or interfering with the build chain, as it fully adapts to today's build and package-update mechanisms of common Linux distributions. We demonstrate our approach on popular libraries (like Expat and libxcrypt) using off-the-shelf (i.e., unmodified) binaries from Debian and Ubuntu packages, being able to update the majority of releases without the necessity of a process restart.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

This content is available to:

BibTeX
@inproceedings {288819,
author = {Bernhard Heinloth and Peter W{\"a}gemann and Wolfgang Schr{\"o}der-Preikschat},
title = {Luci: Loader-based Dynamic Software Updates for Off-the-shelf Shared Objects},
booktitle = {2023 USENIX Annual Technical Conference (USENIX ATC 23)},
year = {2023},
isbn = {978-1-939133-35-9},
address = {Boston, MA},
pages = {241--256},
url = {https://www.usenix.org/conference/atc23/presentation/heinloth},
publisher = {USENIX Association},
month = jul
}