Always Up-to-date – Scalable Offline Patching of VM Images in a Compute Cloud


Patching is one of the critical services for protecting computer systems against attacks. Systems such as VMs to which existing patching mechanisms cannot be applied remain exposed to newly disclosed vulnerabilities. A VM image can be patched online: the image is booted, the patch is installed in the running VM, and the VM is then captured back into a dormant image. In a cloud, however, where the number of dormant VM images is very large, patching every image online incurs substantial performance overhead and operational cost.

Because a new VM image file can be created simply by copying an existing one, clouds suffer from the VM image sprawl problem: customers create large numbers of images that then go unnoticed. Image sprawl makes every aspect of VM management harder, including keeping security patches current.

An investigation of VM images in clouds (EC2 and VCL) showed that unpatched images are more vulnerable to attacks and may also fail to satisfy the organization's security policy. Secondly, many VM images are offline most of the time, so patching them online requires starting each one, which adds to the cloud provider's computation cost.

Microsoft's offline VM servicing tool applies patches by bringing the image online, updating it, and then placing it back in the library as a dormant image. Online patching is also less predictable, because the booted VM runs code that has nothing to do with patching.

Nuwa is a tool designed to patch VM images in the cloud efficiently. Nuwa analyzes a patch's installation scripts and rewrites them so that the operations they perform can be applied directly to the image's file system, without booting the image. As a result, installation scripts written for online patching can be applied to images while they remain offline.
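To make the rewriting idea concrete, the following is an added illustration written for this summary; it is not Nuwa's code and does not reproduce Nuwa's actual analysis. It assumes a Debian-style maintainer script written in sh, a VM image whose root file system is already mounted read-write at `mount_root` (a temporary directory stands in for the mount below), and a constructed post-install script `SAMPLE_POSTINST`. The rewriter redirects absolute path arguments of plain file-system commands into the mount, keeps a symlink's target as a guest path, defers commands that need a running guest (such as `invoke-rc.d`), and refuses to apply the patch at all if any line it cannot classify appears.

```python
"""Illustrative offline rewriting of a patch installation script.

Added example, not Nuwa's code. It assumes a Debian-style maintainer script
written in sh and a VM image whose root filesystem is already mounted
read-write at mount_root (a temporary directory stands in for it below).
"""
import os
import shlex
import subprocess
import tempfile

# Commands whose path arguments can be redirected into the mounted image by
# prefixing every absolute path with the mount point (assumed list).
PATH_COMMANDS = {"cp", "mv", "rm", "mkdir", "chmod", "chown", "ln", "install", "touch"}
# Shell builtins that are harmless to keep unchanged.
PASSTHROUGH = {"set", "true"}
# Commands that need a running guest (init system, daemons); they are deferred
# to the next boot rather than executed against the offline image.
ONLINE_ONLY = {"service", "systemctl", "invoke-rc.d", "start-stop-daemon",
               "killall", "kill", "reboot"}
SHELL_SYNTAX = {"&&", "||", "|", ";", ">", ">>", "<"}


def rewrite_line(line, mount_root):
    """Return (rewritten_line, issue); exactly one of the two is None."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return line, None
    # Variable expansion, substitution and pipelines change meaning under
    # rewriting; refuse them instead of guessing.
    if "$" in stripped or "`" in stripped:
        return None, ("unsupported", stripped)
    try:
        argv = shlex.split(stripped)
    except ValueError:
        return None, ("unparseable", stripped)
    if any(tok in SHELL_SYNTAX for tok in argv):
        return None, ("unsupported", stripped)
    cmd = os.path.basename(argv[0])
    if cmd in PASSTHROUGH:
        return stripped, None
    if cmd in ONLINE_ONLY:
        return None, ("deferred", stripped)
    if cmd not in PATH_COMMANDS:
        return None, ("unsupported", stripped)

    def redirect(arg):
        return mount_root + arg if arg.startswith("/") else arg

    if cmd == "ln" and "-s" in argv[1:]:
        # Only the link name lives on the host-side path; the symlink target
        # must stay a guest path or the link would be wrong once the VM boots.
        new_argv = argv[:-1] + [redirect(argv[-1])]
    else:
        new_argv = [argv[0]] + [redirect(a) for a in argv[1:]]
    return " ".join(shlex.quote(a) for a in new_argv), None


def rewrite_script(script, mount_root):
    rewritten, report = [], []
    for line in script.splitlines():
        new, issue = rewrite_line(line, mount_root)
        if issue is not None:
            report.append(issue)
        else:
            rewritten.append(new)
    return rewritten, report


def apply_offline(script, mount_root, cwd):
    """Run the rewritten script against the mounted image, or refuse entirely.

    Any line the rewriter cannot classify means this patch must fall back to
    online patching; a half-applied image is worse than an unpatched one.
    """
    rewritten, report = rewrite_script(script, mount_root)
    if any(kind != "deferred" for kind, _ in report):
        return False, report
    subprocess.run(["sh", "-e", "-c", "\n".join(rewritten)], cwd=cwd, check=True)
    return True, report


# Constructed post-install script for this example; not from a real package.
SAMPLE_POSTINST = """#!/bin/sh
set -e
mkdir -p /etc/example
cp ./payload/example.conf /etc/example/example.conf
chmod 0640 /etc/example/example.conf
ln -s /etc/example/example.conf /etc/example.conf
invoke-rc.d example restart
"""


def demo():
    """Patch a throwaway directory standing in for a mounted VM image."""
    with tempfile.TemporaryDirectory() as work:
        image_root = os.path.join(work, "image")     # stands in for the mount
        staging = os.path.join(work, "staging")      # unpacked patch payload
        os.makedirs(image_root)
        os.makedirs(os.path.join(staging, "payload"))
        with open(os.path.join(staging, "payload", "example.conf"), "w") as f:
            f.write("listen = 127.0.0.1\n")

        ok, report = apply_offline(SAMPLE_POSTINST, image_root, staging)
        conf = os.path.join(image_root, "etc", "example", "example.conf")
        link = os.path.join(image_root, "etc", "example.conf")
        return {
            "applied": ok,
            "conf_mode": oct(os.stat(conf).st_mode & 0o777) if ok else None,
            # The link is dangling on the host but correct inside the guest.
            "link_target": os.readlink(link) if os.path.islink(link) else None,
            "deferred": [cmd for kind, cmd in report if kind == "deferred"],
        }


if __name__ == "__main__":
    print(demo())
```

The deferred `invoke-rc.d` line is the important caveat: the files on disk are patched, but the service restart cannot happen until the image next boots, so an offline patcher has to record such steps and replay them (or accept that the new binary is only loaded at boot). The all-or-nothing fallback mirrors the practical constraint that a script the rewriter does not fully understand is safer to run online than to apply partially.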

Offline patching of suspended images, whose saved runtime state would have to be kept consistent with the modified disk, is not supported.

