Xen 4.7 Includes Live Patching, Other Security Features

The critical open-source hypervisor used by major public cloud providers now enables live patching and incorporates other new features.


The open-source Xen Project issued a major release of its namesake virtualization hypervisor on June 23, with the debut of Xen 4.7, which incorporates live patching and other security features.

Xen is the underlying hypervisor used to help enable the largest public cloud provider in the world, Amazon Web Services (AWS), as well as public clouds from Rackspace, IBM and others. Xen is also widely deployed in private cloud and enterprise production environments.

One of the biggest issues with any technology today is the constant need to patch for security vulnerabilities. Prior to the Xen 4.7 release, applying a Xen patch required a system restart, but that is no longer the case, thanks to the new live-patching feature.

The idea of live patching is not new in the open-source world. With a live patching system, a patch is applied to a running system without stopping and restarting the service or rebooting the host. The Linux kernel first introduced live patching technology as part of the Linux 4.0 update in April 2015.

"The live patching technology within the Xen Project itself is a completely independent implementation of live patching, but [is] based on ideas used in other implementations of live patching for Linux and input from the Xen Project community," James Bulpin, member of the Xen Project advisory board and senior director of technology and chief architect for XenServer at Citrix Systems, told eWEEK.

For Xen users, the live patching capability could have a very large impact. Back in October 2014, Amazon, Rackspace and IBM Softlayer all had to reboot their cloud servers to apply a critical patch. The critical issue turned out to be CVE-2014-7188, a memory-related security problem. While the security bug itself was kept private until the public cloud providers were able to patch, the process took time and risked service disruptions. With Xen 4.7 and future releases, live patching an issue such as CVE-2014-7188 will be significantly less troublesome for Xen users.

Most security vulnerabilities like CVE-2014-7188 should be straightforward for public clouds to patch and avoid rebooting, Bulpin said. "Now with live patching, the choice to reboot is in the hands of the cloud admins."

Xen 4.7 also lets users easily exclude components they don't need, using a build-configuration tool called Kconfig. The idea behind this removal capability is that by building in only the features a specific deployment needs, the hypervisor's potential attack surface is reduced.

"Previously, to configure what components are enabled, users would need to edit a configuration file in a source tree by hand," Bulpin said. "Now they can just use the Kconfig infrastructure to have a better experience."

The default configuration of Xen contains components that upstream developers think average users would employ, and such configuration is fully supported by the upstream project, he said.

"The Xen Project is seeing growing use across a range of different use cases, including public cloud, traditional server virtualization, automotive, aviation and other embedded scenarios," Bulpin said. "Although these all use the core hypervisor functions, they don't all need the same set of drivers, schedulers and other components."
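As an added illustration of the attack-surface argument (this is not code from the article or the Xen Project), the following POSIX shell script audits a Xen build .config and flags enabled optional components that a given deployment has not asked for; the Kconfig symbol names and the sample .config contents are assumptions and should be checked against your own source tree.

```shell
#!/bin/sh
# Added example: audit a Xen .config (as written by "make -C xen defconfig" or
# "make -C xen menuconfig") and list enabled optional components that a given
# deployment does not need. Symbol names (CONFIG_LIVEPATCH, CONFIG_SCHED_*,
# CONFIG_KEXEC, CONFIG_TMEM, CONFIG_XSM) are assumed; verify them in your tree.

# Constructed sample .config standing in for xen/.config after defconfig.
SAMPLE_CONFIG='# Automatically generated file; DO NOT EDIT.
CONFIG_X86=y
CONFIG_SCHED_CREDIT=y
CONFIG_SCHED_CREDIT2=y
CONFIG_SCHED_RTDS=y
# CONFIG_SCHED_ARINC653 is not set
CONFIG_LIVEPATCH=y
CONFIG_KEXEC=y
CONFIG_TMEM=y
# CONFIG_XSM is not set
'

# list_enabled FILE: print every symbol set to y or m, one per line.
list_enabled() {
    sed -n 's/^\(CONFIG_[A-Z0-9_]*\)=[ym]$/\1/p' "$1"
}

# unneeded_components FILE NEEDED...: print enabled symbols that are neither in
# the NEEDED list nor in the always-required core set (here just CONFIG_X86).
# Returns 1 if any such symbol is enabled, 0 if the config is already minimal.
unneeded_components() {
    cfg=$1; shift
    needed=" CONFIG_X86 $* "
    found=0
    for sym in $(list_enabled "$cfg"); do
        case "$needed" in
            *" $sym "*) ;;                 # required by this deployment: keep
            *) echo "$sym"; found=1 ;;     # enabled but not required: report
        esac
    done
    return $found
}

# Example run: a public-cloud host that only wants the credit2 scheduler and
# live patching on top of the core hypervisor.
tmp=$(mktemp); printf '%s' "$SAMPLE_CONFIG" > "$tmp"
unneeded_components "$tmp" CONFIG_SCHED_CREDIT2 CONFIG_LIVEPATCH \
    || echo "review the symbols above and disable them via menuconfig before building"
rm -f "$tmp"
```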

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
