Previous Next Contents

2. Overview

2.1 Functionality

MemGuard allows the kernel programmer to enable and disable MemGuard facility dynamically. This is useful to focus debugging on a particular section of the kernel.

MemGuard also provides a protect function to mark a piece of data memory as a quasi-invariant term. MemGuard will report error if there is any unexpected write to the piece of memory. Accordingly, there is a release function for notifying MemGuard not to protect a quasi-invariant term.

When a quasi-invariant term is unexpectedly updated, MemGuard reports an error to the system programmer. The programmer now can insert proper code to this place to make sure the correctness of the specialized system. However, even though the programmer may decide to insert nothing since the write will not violate the quasi-invariant, the update has to be finished somehow. MemGuard provides a write function allowing the kernel writes to a protected quasi-invariant term explicitly without MemGuard complaining.

2.2 Architecture

MemGuard is a kernel library. For portability, it is organized as two levels. The lower level is the Memory Protection level, which is MemGuard's architecture dependent part. The higher level is the MemGuard level, which is MemGuard's architecture independent part. The Memory Protection level maps the underlying architecture to an abstraction machine, which provides required memory protection functionality for MemGuard. The MemGuard level is implemented on this abstraction machine.

2.3 Algorithms

These algorithms are highly simplied here. Many details (especially synchronization details) are ignored.

Protect a quasi-invariant term:

  1. Save the physical page's original protection.
  2. Add the quasi-invariant term to the MemGuard data structures.
  3. Set the page's protection to read-only.

Release a quasi-invariant term:

  1. Remove the quasi-invariant term from the MemGuard data structures.
  2. If there is no quasi-invariant term left in the page, restore the original page protection.

Explicitly write to a quasi-invariant term:

  1. Restore the original page protection.
  2. Write to the quasi-invariant term.
  3. Set the page's protection to read-only.

When there is a write to a protected page, the write will trigger a page protection fault. If the fault is because of MemGuard protection, the MemGuard page protection fault handler will take over the control. If the write is to a quasi-invariant term, the handler will report an error. If the write is to another data structure which happens to be in the same physical page with a quasi-invariant term, the handler will try to finish the write transparently.

The MemGuard Page Protection Fault Handler:

  1. Report an error if the write is to a quasi-invariant term.
  2. Update stacked system flag register (set single-step mode upon returning from the handler).
  3. Restore the original page protection.

When the execution returns from the page protection fault handler, the physical page will be set back to read-write and the single-step mode will be set. The current instruction will be restarted automatically and finish its write. Since the system is running on single-step mode, the finishing of the faulting instruction will trigger a single-step trap. The MemGuard single-step trap handler will try to protect the current page again.

The MemGuard Single-Step Trap Handler:

  1. Protect the page again.
  2. Restore the stacked system flag register (clear single-step mode upon returning from the handler).


Previous Next Contents