University of Illinois Chicago

Live Library Upgrades via CRIU: A Novel Approach to Patch Security Vulnerabilities in Running Processes

thesis
posted on 2025-08-01, 00:00 authored by Edoardo Carlotto
Ensuring the security and reliability of long-running software without service interruption is a persistent challenge. This thesis introduces a technique for live library upgrades that replaces vulnerable or outdated shared libraries in a running process without terminating it. Using Checkpoint/Restore in Userspace (CRIU), we freeze a process, modify its state, and resume execution with the patched code seamlessly integrated. The approach combines metadata edits, address translation, and memory dump rewriting. By patching file-backed mappings and leveraging ELF internals, we inject the new library while the dynamic loader transparently re-resolves references. A synthetic execution captures memory-resident data—such as the Global Offset Table (GOT)—from the updated library, and custom scripts adjust memory so the solution works under full Address Space Layout Randomization (ASLR). Evaluation relies solely on publicly available open-source software: we download multiple library versions, apply live upgrades, and run functional tests—no other datasets are used. Most notably, we live-patch the compression library of a running SSH server with minimal downtime, after which the service continues operating correctly.

Language

  • en

Advisor

Xiaoguang Wang

Department

Computer Science

Degree Grantor

University of Illinois Chicago

Degree Level

  • Masters

Degree name

MS, Master of Science

Committee Member

  • Chris Kanich
  • Stefano Zanero

Thesis type

application/pdf
