An idea to capture kernel memory access

RS tinyshrimp at 163.com
Tue May 20 03:40:17 EDT 2014 

Hello
I have an idea, to add some changes to the kernel, like the kmemcheck, to help to check the kernel memory.


 I call it kernel_module_check_framework, it can check the memory buffer overflow errors and others.
The memory buffer is what the user want to monitor, not the whole system's memory. User can add/delete the memory buffers to the framework.
The framework provide four interface, register/unregister functions, add/delete functions. User can utilize the interface to do some works.


When user add/delete a memory buffer, the framework will store the memory information and set the all the pages which contains the memory buffer none-present .
Then, when an access to this page, the framework will check whether the access is in the monitored buffers. If it is hit, the framework will set the page present and execute the interface function(or the hook function), at last change the regs->flags to make the CPU to be the single step debugging mode. If not, let the kernel to handle it.
Cause the single step debugging  mode, kernel will step into the do_debug functions in the traps.c file, and make the page none-present again, at last restore the regs->flags.
There, the framework can catch the another access in the same page.
When unregister, the framework will recovery all the pages, and show something.


As mentioned above, the interface function(or the hook function), it is a function pointer, at first is NULL, when the user register to the framework, the pointer will change to the user's handler. So, the framework's main handler is implemented by users.


To implement the framework, I will change the fault.c, traps.c and will add new files. It sounds like the kmemcheck, but not the same, my framework intents to capture each access in the memory buffers that are dynamically added or deleted by users, and let user to handler it. For example, the user can write a module to monitor a process's specified memory buffers with the framework, can statistic the buffer write,read times and somethings. Or user can develop a module to check memory access overflow errors with it.


I don't know whether the design is feasible?  Any one can give some advises?


Thanks, 
HeChuan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20140520/222e538b/attachment.html

More information about the Kernelnewbies mailing list