DynSec: On-the-fly Code Rewriting and Repair

Security patches protect an application from discovered vulnerabilities and should be applied as fast as possible. On the other hand, patching the application reduces the availability of the service due to the necessary restart. System administrators need to balance system availability with a potential compromise of system integrity. A dynamic software update mechanism applies security updates on the fly but does not protect from unknown vulnerabilities. Software-based fault isolation on the other hand uses a sandbox to protect the integrity of a system by detecting unpatched vulnerabilities but provides no mechanism to repair any vulnerabilities. This paper presents DynSec, a mechanism for on-thefly code rewriting and repair that dynamically applies security patches for unmodified binary applications. A sandbox protects the integrity of the system while the dynamic update mechanism increases the availability of the application. A prototype implementation that needs no a-priori cooperation from the application incurs a combined overhead of 11% on the SPEC CPU2006 benchmarks for the sandbox and the dynamic update mechanism.