Always Up-to-date - Scalable Offline Patching of VM Images in a Compute Cloud

Patching is a critical security service to keep computer systems up to date and to defend against security threats. Existing patching systems all require running systems. With the increasing adoption of virtualization, there is a growing number of dormant virtual machine (VM) images. Such VM images cannot benefit from existing patching systems, and thus are often left vulnerable to emerging security threats. It is possible to bring VM images online, apply patches, and capture the VMs back to dormant images. However, such approaches suffer from performance challenges and high operation costs, particularly in large-scale compute clouds where there could be thousands of dormant VM images.

This paper presents a novel tool named Nüwa that enables efficient and scalable offline patching of dormant VM images. Nüwa analyzes patches and, when possible, converts them into patches that can be applied offline by removing operations that require a running system. Nüwa also leverages the VM image manipulation technologies offered by the Mirage image library to provide an efficient and scalable way to patch VM images in batch. Nüwa has been evaluated with real-world patches and on VM images configured with popular packages according to the Ubuntu popularity contest. Our implementation of Nüwa is based on the Debian package manager and our evaluation applies 406 patches to a fresh installation of Ubuntu-8.04. Nüwa successfully applies 402 out of the 406 patches, and speeds up the patching process by more than 4 times compared to the online approach. This can be further sped up by another 2–10 times when the tool is integrated with Mirage, making Nüwa an order of magnitude more efficient than the online approach.

By: Wu Zhou; Peng Ning; Xiaolan Zhang; Glenn Ammons; Ruowen Wang; Vasanth Bala

Published in: RC24956 in 2010


This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). I have read and understand this notice and am a member of the scientific community outside or inside of IBM seeking a single copy only.


Questions about this service can be mailed to .