| Abstract | Recent years have seen significant advances in dynamic softwareupdating (DSU) systems, which allow programs to be patched on the fly.
Most DSU systems employ automatic safety checks to avoid applying a
patch if doing so may lead to incorrect behavior. This paper presents
what we believe is the first comprehensive empirical evaluation of the
two most significant DSU safety checks: activeness safety (AS), which
disallows patches that modify functions on the stack, and con-freeness
safety (CFS), which allows modifications to active functions, but only
when doing so will be type safe.
To measure the checks' effectiveness, we tested them against three
years of updates to Open-SSH and vsftpd. We performed this testing
using a novel DSU testing methodology that systematically applies
updates throughout the execution of a test suite. After testing
updates to both applications in this way, we tracked how often the
safety checks allow updates and which updates result in test failures.
We found that updating without safety checks produced many failures,
and that both AS and CFS dramatically reduced, but did not fully
eliminate, these failures. CFS yielded more failures than AS, but
AS was more restrictive than CFS, disallowing far more successful
updates. Our results suggest that neither AS nor CFS is likely
suitable for general-purpose DSU on its own. Indeed, we found that
selecting update points manually could avoid all failures while still
permitting sufficient updates. Our results present a challenge and
important insights for future work: to discover safe and sufficient
update points fully automatically.
|
