Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Patch Integration Engine (PIE) alpha release

From: Ben Hawkes <ben.hawkes () paradise net nz>
Date: Mon, 18 Oct 2004 22:13:41 +1300
The Patch Integration Engine (PIE) is a system for the insertion of
patches into a runtime process, allowing for the immediate correction of
security vulnerabilities. This is an announcement of the public alpha
release of PIE, version 0.2, which currently supports i386 Linux.

PIE was created from a personal research interest, the potential uses
for runtime code insertion. The abstract goal of the project was to
offer a platform by which a vulnerable service may be patched without
any substantial downtime. For more information regarding the project
see:

http://pie.sourceforge.net/documentation.html

PIE 0.2 can be attained from:

http://prdownloads.sourceforge.net/pie/pie-0.2.tar.gz?download

Bugs can be reported at the PIE bug tracking system:

http://sourceforge.net/tracker/?atid=644382&group_id=106501&func=browse

I have to stress that this is an ALPHA release and should NOT be used on
a production server. In its current state PIE is primarily a research
interest in the sense that it does not fully solve the proposed problem,
but merely presents a possible solution.

The primary reason that PIE cannot claim to reach the goal mentioned
above is due to the unknown reliability of PIE itself. As I see it, the
common reason that a service remains unpatched is the risk that the
newly introduced changes will break some existing functionality. Just as
a patch needs to be tested before deployment, so too does a PIE
prepatch.

If there is sufficient interest, testing and feedback then it is likely
that the development of PIE should continue, with focus on the
following:

- Stronger function fingerprinting. At this stage the fingerprinting
  techniques used by PIE are not technically reliable. The first step in
  improving this is to give PIE "opcode awareness" and then the 
  integration of Halvar Flake's method of function signatures (or a 
  similar method).
- The development of prepatches for publicly released vulnerabilities.
- Extension of the prepatch development library.
- Alternative prepatch insertion methods.

A note should be given to OpenSSH and Sendmail which reload a process
image from disk when a HUP signal is delivered. In this situation PIE is
not necessary for the immediate patching of a vulnerability. I
personally found Sendmail's implementation of HUP reexecution to be
excessively flakey. Most other common internet services have no HUP
reexcution at all. 

I hope to get some of these ideas in to a FAQ in the recent future, but
for the moment it would be great to get some feedback on the list on
whether PIE might have a use beyond research experimentation.

-- 
Ben Hawkes
(fiver)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: