Uninformed: Informative Information for the Uninformed

Vol 7» 2007.May


The ability to analyze the memory access behavior of an application at runtime can provide additional insight into how an application works. This insight might include learning more about how data propagates, deducing the code-level isolation of memory references, identifying potential thread safety issues, and so on. This paper has described three strategies that can be used to intercept memory accesses within an application at runtime.

The first approach relies on Dynamic Binary Instruction (DBI) to inject instrumentation code before instructions that access memory locations. This instrumentation code is then capable of obtaining information about the address being referenced when instructions are executed.

The second approach relies on hardware paging features supported by the x86 and x64 architecture to intercept memory accesses. This works by restricting access to a virtual address range to kernel-mode access. When an application attempts to reference a virtual address that has been marked as such, an exception is generated that is then passed to the user-mode exception dispatcher. A custom exception handler can then inspect the exception and take the steps necessary to allow execution to continue gracefully after having tracked the memory access.

The third approach uses the segmentation feature of the x86 architecture to intercept memory accesses. It does this by loading the DS and ES segment registers with the null selector. This has the effect of causing instructions which implicitly use these registers to generate a general protection fault when referencing memory. This fault results in an access violation exception being generated that can be handled in much the same way as the hardware paging approach.

It is hoped that these strategies might be useful to future research which could benefit from collecting memory access information.