Always Up-to-date - Scalable Offline Patching of VM Images in a Compute Cloud

Patching is a critical security service to keep computer systems up to date and to defend against security threats. Existing patching systems all require running systems. With the increasing adoption of virtualization, there is a growing number of dormant virtual machine (VM) images. Such VM images cannot benefit from existing patching systems, and thus are often left vulnerable to emerging security threats. It is possible to bring VM images online, apply patches, and capture the VMs back to dormant images. However, such approaches suffer from performance challenges and high operation costs, particularly in large-scale compute clouds where there could be thousands of dormant VM images.

This paper presents a novel tool named Nüwa that enables efficient and scalable offline patching of dormant VM images. Nüwa analyzes patches and, when possible, converts them into patches that can be applied offline by removing operations that require a running system. Nüwa also leverages the VM image manipulation technologies offered by the Mirage image library to provide an efficient and scalable way to patch VM images in batch. Nüwa has been evaluated with real-world patches and on VM images configured with popular packages according to the Ubuntu popularity contest. Our implementation of Nüwa is based on the Debian package manager and our evaluation applies 406 patches to a fresh installation of Ubuntu-8.04. Nüwa successfully applies 402 out of the 406 patches, and speeds up the patching process by more than 4 times compared to the online approach. This can be further sped up by another 2–10 times when the tool is integrated with Mirage, making Nüwa an order of magnitude more efficient than the online approach.
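The abstract describes the core idea at a high level: analyze a patch and, where possible, strip out the operations that only make sense on a running system so the remainder can be applied to a mounted, dormant image. The following Python script is an added illustration of that idea and is not Nüwa's own code; its classification tables (`OFFLINE_SAFE`, `DROPPABLE`), the sample maintainer scripts, and the decision to refuse a patch whenever an unrecognised command appears are all constructed assumptions, chosen to mirror the paper's "when possible" caveat rather than its actual analysis.

```python
"""Split a Debian maintainer script into offline-applicable operations and
operations that require a running system (illustrative, not Nüwa's code)."""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass, field

# Assumed classification rules (constructed for this example, not taken from
# the paper). Offline-safe commands only touch the filesystem, so they can run
# against a mounted image, e.g. under chroot into the image root.
OFFLINE_SAFE = {
    "cp", "mv", "rm", "ln", "mkdir", "chmod", "chown", "touch", "install",
    "sed", "cat", "echo", "update-alternatives", "update-rc.d", "dpkg-divert", "ucf",
}
# Service control and process signalling are meaningless on a dormant image:
# nothing is running, and the patched service starts fresh at next boot, so
# these lines can be dropped rather than deferred.
DROPPABLE = {"invoke-rc.d", "service", "start-stop-daemon", "kill", "killall", "pkill"}
# Shell structure that must survive so the rewritten script still parses.
CONTROL = {"set", "case", "esac", "if", "then", "else", "elif", "fi",
           "for", "while", "do", "done", "exit", ":", "true", ";;"}
CASE_ARM = re.compile(r"^[\w|*.-]+\)$")


@dataclass
class Conversion:
    offline_script: list[str] = field(default_factory=list)  # lines kept
    dropped: list[str] = field(default_factory=list)         # runtime-only, removed
    blockers: list[str] = field(default_factory=list)        # unknown, cannot convert

    @property
    def convertible(self) -> bool:
        return not self.blockers


def classify(line: str) -> str:
    """Return 'keep', 'drop' or 'block' for one script line."""
    s = line.strip()
    if not s or s.startswith("#") or CASE_ARM.match(s):
        return "keep"
    try:
        tok = shlex.split(s)[0]
    except ValueError:          # unbalanced quotes: be conservative
        return "block"
    if tok.startswith("/etc/init.d/"):
        return "drop"
    if tok in CONTROL or tok in OFFLINE_SAFE:
        return "keep"
    if tok in DROPPABLE:
        return "drop"
    return "block"


def _fill_empty_bodies(lines: list[str]) -> list[str]:
    """Insert a no-op ':' where dropping lines left an empty block body."""
    out: list[str] = []
    for line in lines:
        s = line.strip()
        if out and (s in {"fi", "else", "done", ";;"} or s.startswith("elif ")):
            prev = out[-1].strip()
            if re.search(r"\b(then|do)$", prev) or prev == "else" or CASE_ARM.match(prev):
                indent = line[: len(line) - len(line.lstrip())] + "  "
                out.append(indent + ":")
        out.append(line)
    return out


def convert_maintainer_script(script: str) -> Conversion:
    """Classify every line; keep offline-safe ones, drop service restarts,
    and record anything unknown as a blocker that makes the patch unconvertible."""
    result = Conversion()
    kept: list[str] = []
    for line in script.splitlines():
        verdict = classify(line)
        if verdict == "keep":
            kept.append(line)
        elif verdict == "drop":
            result.dropped.append(line.strip())
        else:
            result.blockers.append(line.strip())
    result.offline_script = _fill_empty_bodies(kept)
    return result


# Constructed sample postinst, modelled on typical Debian maintainer scripts.
SAMPLE_POSTINST = """\
#!/bin/sh
set -e
case "$1" in
  configure)
    update-alternatives --install /usr/bin/editor editor /usr/bin/nano 40
    chmod 644 /etc/nanorc
    if [ -x /etc/init.d/example-daemon ]; then
      invoke-rc.d example-daemon restart || true
    fi
    ;;
esac
exit 0
"""

# Constructed sample that cannot be converted: udevadm talks to the live
# kernel/udev daemon and is in neither table, so the tool must refuse it.
SAMPLE_BLOCKED = """\
#!/bin/sh
set -e
udevadm trigger --subsystem-match=net
"""

if __name__ == "__main__":
    r = convert_maintainer_script(SAMPLE_POSTINST)
    print("convertible:", r.convertible, "dropped:", r.dropped)
    print("\n".join(r.offline_script))
```

Two design points carry over from the abstract: dropping a service restart is safe only because a dormant image has no running daemon to restart, and an unrecognised command is treated as a reason to refuse the conversion rather than guess, which is how a real tool ends up with a small set of patches it cannot apply offline.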

By: Wu Zhou; Peng Ning; Xiaolan Zhang; Glenn Ammons; Ruowen Wang; Vasanth Bala

Published in: RC24956 in 2010

LIMITED DISTRIBUTION NOTICE:

This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties).
