9

I was reading a old blog post on OpenRCE that mentions MSR tracing in the context of binary only profiling and coverage. The only Google hits for this term are a few emails on the Xen mailing list that I am not able to understand. What is MSR tracing?

user2142
  • 1,537
  • 2
  • 14
  • 17
  • I suspect Rolf will be along shortly to give a detailed answer, but in the meantime I found this post on OpenRCE to be quite helpful: http://www.openrce.org/blog/view/535/Branch_Tracing_with_Intel_MSR_Registers – Brendan Dolan-Gavitt Jun 02 '13 at 19:20

1 Answers1

14

MSR tracing generally refers to using the Intel Model-Specific Registers (MSRs) to obtain trace information from the CPU. Because modern (post-Pentium 4, generally) processors have hardware support for debugging, this can be faster than software-only solutions. There are a few ways this can be done:

  • As described in a post by Pedram Amini, one can speed up single-step execution by setting the MSR_DEBUGCTLA MSR and enabling the BTF (single-step on branches) flag. This gives better performance than pure single-stepping, which raises a debug exception on every instruction.

  • One can use the "Branch Trace Store (BTS)" facility to log all branches into a buffer in memory; furthermore, the processor can be configured to raise an interrupt whenever this buffer is filled, so you can flush it to disk (or whatever you like). On some models there are also options for tracing only user-mode (CPL > 0) or only kernel-mode (CPL = 0) code. Sections 17.4.5-6 and 17.4.9 of the Intel Software Developer's Manual Volume 3B are required reading if you go this route.

    In Linux, there is some kernel support for this, though as far as I can tell none of it has made it into the stock kernel. In 2011 there was a proposed patch by Akihiro Nagai to the perf tool to add a perf branch trace command which would use the Intel BTS system; a presentation on this is also available. Also, in 2007, there was a patch proposed to ptrace to expose the BTS facility.

    I don't know of anything off-the-shelf that can do this in Windows.

  • Finally, If you only care about a fairly small (4-16) number of branches, you can use the Last Branch Recording (LBR) feature. This has the advantage of having basically no overhead, but the fairly major downside that it will only give you the last N branches, where N varies depending on the processor (from as few as 4 to as many as 16). Details on this can be found in Section 17.4.8 of the Intel developer's manual.

    One interesting note is that Haswell (Intel's just-released processor architecture) has a version of this that will keep track of calls and returns, effectively giving you a small shadow call stack, which can be quite useful in some scenarios.

    LBR has also been used in at least one security system to verify that a function is only being called from a trusted source, but this is getting a bit off-topic for the question.

So, to sum up, MSR tracing is a way of doing tracing faster using hardware support in Intel processors. It's very appealing theoretically, but there isn't (yet) a lot of support for it in commonly available tools.

Sources:

Community
  • 1
Brendan Dolan-Gavitt
  • 2,888
  • 2
  • 19
  • 37
  • Good answer. I'd add this article as a source for perusal: http://www.codeproject.com/Articles/517466/Last-branch-records-and-branch-tracing – Rolf Rolles Jun 03 '13 at 00:23