Talk:Translation lookaside buffer

From Wikipedia, the free encyclopedia

Security issue

The section about computer security seems misleading to me. How can a rootkit use the TLB in order to hide a program?

For hardware-loaded TLBs, the CPU fills the TLB on its own as it is accessing the page table (PT). From a programmer's point of view, there is no way to alter the content of the TLB as it is not directly accessible (aside from a complete TLB flush).

For software-loaded TLBs, the TLB miss handler of the OS is loading PT entries into the TLB. I'm not sure if a rootkit could alter this section of OS code. But even if this was the case and it could therefore alter the TLB directly, what would you gain? The process' data structure in the kernel (Process Control Block) is still there and can be read out by a lot of applications (like "top" in Linux).

The point here is that hiding a page (or several pages) does not make the process invisible.

GloomY


I was going to say I agreed with GloomY on this, because using the TLB to hide something seemed an unusual claim, but I found a hypothetical rootkit that diverts certain reads on the TLB to different (inaccurate) frames. The theory is that when a program reads memory (via TLB) for comparison against a fingerprint (or whatever method of detection is used), a different page frame is returned, making the rootkit invisible to this detection mechanism.
This information is found in this Black Hat presentation.
-- Pyrofysh 06:14, 4 June 2006 (UTC)


Ambiguity in overview

In the first paragraph, the sentence "The buffer is typically a content-addressable memory (CAM) in which the search key is the virtual address and the search result is a real or physical address (which is often not the same thing)" could confuse a newcomer since there are 2 possible interpretations:

  • A) (the correct interpretation) virtual addresses and physical addresses are almost never the same
  • B) (incorrect interpretation) "physical" addresses and "real" addresses are not the same thing.

To correct this, it could just say, "...and the search result is a physical address (which is often not the same thing)."

Clock Cycle Statistics

At the end of the article, the equation that gives the average number of cycles on a TLB access seems flawed. I feel it should be the following, since even a TLB miss will require a TLB access (hence will take 1 + 30 cycles):-

$1 \times 0.99 + (30 + 1) \times 0.01 = 1.30$

-Anjul Patney