TY - GEN
T1 - Fast (Trapless) Kernel Probes Everywhere
AU - Jia, Jinghao
AU - Le, Michael V.
AU - Ahmed, Salman
AU - Williams, Dan
AU - Jamjoom, Hani
AU - Xu, Tianyin
N1 - We thank the anonymous reviewers for their useful feedback. We especially thank Linux kprobe maintainer Masami Hiramatsu for his feedback on our original nop-based probing idea, his explanation and clarification on the design choices of the current Linux kprobe, as well as his help for reviewing and signing-off our kernel patches for kprobe improvements. This work was funded in part by NSF CNS-1956007, NSF CNS-2236966, an IBM-Illinois Discovery Accelerator Institute (IIDAI) grant, and a grant from Boeing Co.
PY - 2024
Y1 - 2024
AB - The ability to efficiently probe and instrument a running operating system (OS) kernel is critical for debugging, system security, and performance monitoring. While efforts to optimize the widely used kprobes in Linux over the past two decades have greatly improved its performance, many fundamental gaps remain that prevent it from being completely efficient. Specifically, we find that kprobe is only optimized for ~80% of kernel instructions, leaving the remaining probe-able kernel code to suffer the severe penalties of double traps needed by the kprobe implementation. In this paper, we focus on the design and implementation of an efficient and general trapless kernel probing mechanism (no hardware exceptions) that can be applied to almost all code in Linux. We discover that the main limitation of current probe optimization efforts comes from not being able to assume or change certain properties/layouts of the target kernel code. Our main insight is that by introducing strategically placed nops, thus slightly changing the code layout, we can overcome this main limitation. We implement our mechanism on Linux kprobe, which is transparent to the users. Our evaluation shows a 10x improvement of probe performance over standard kprobe while providing this level of performance for 96% of kernel code.
UR - http://www.scopus.com/inward/record.url?scp=85201183343&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85201183343&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85201183343
T3 - Proceedings of the 2024 USENIX Annual Technical Conference, ATC 2024
SP - 379
EP - 386
BT - Proceedings of the 2024 USENIX Annual Technical Conference, ATC 2024
PB - USENIX Association
T2 - 2024 USENIX Annual Technical Conference, ATC 2024
Y2 - 10 July 2024 through 12 July 2024
ER -