IAI to Continue Development of a Versatile Live Patching System for the Army

Patch management is a key technology for maintaining the security of IT systems. Applying patches often requires an elevated level of privilege, which increases the risk that the patching operation itself becomes a target of exploitation. Updates and patches may also bring undesirable and extensive system downtime or system reboots. It is therefore desirable to have the patch or update applied by a trusted, privileged entity that is itself free from tampering or exploitation, especially in a virtualized hosting environment where virtual machines (VMs) run on top of a hypervisor.

To address these issues, IAI will further develop the Versatile Live Patching System (VLPS), a framework of tools that matches mission patching requirements with a stealthy yet privileged patch deployment approach. VLPS updates a target system with new code or data for its software, and provides patching services from the hypervisor to a guest VM without requiring special support from the guest. VLPS can patch at two levels of execution: the guest kernel, and guest applications running in the guest VMs. It performs both kernel-level and user-level patching by dynamically selecting the most suitable of three novel patching mechanisms, based on the access level the patch requires and on the criticality of the mission. VLPS is a discreet and scalable system, with no inherent limitation on the number of guests that can be patched.