ISSTA2024

FortifyPatch: Towards Tamper-Resistant Live Patching in Linux-Based Hypervisor

Zhenyu Ye, Lei Zhou, Fengwei Zhang, Wenqiang Jin, Zhenyu Ning, Yupeng Hu, Zheng Qin

Cited 1 time

Abstract

Linux-based hypervisors in cloud servers suffer from an increasing number of vulnerabilities in the Linux kernel. To address these vulnerabilities in a timely manner while avoiding the economic loss caused by unplanned shutdowns, live patching schemes have been developed. Unfortunately, existing live patching solutions have failed to protect patches from post-deployment attacks. In addition, patches that involve changes to global variables can lead to practical issues with existing solutions. To address these problems, we present FortifyPatch, a tamper-resistant live patching solution for Linux-based hypervisors in cloud environments. Specifically, FortifyPatch employs multiple Granule Protection Tables from the Arm Confidential Computing Architecture to protect the integrity of deployed patches. The TrustZone Address Space Controller and the Performance Monitor Unit are used to prevent the patch from being bypassed, via kernel code protection and timely page table verification. FortifyPatch is also able to patch global variables via well-designed data access traps. We prototype FortifyPatch and evaluate it using real-world CVE patches. The result shows that FortifyPatch is capable of deploying 81.5% of CVE patches. The performance evaluation indicates that FortifyPatch protects deployed patches with 0.98% and 3.1% overhead on average across indicative benchmarks and real-world applications, respectively.

CCS CONCEPTS

• Security and privacy → Systems security.