Operating Systems


Showing new listings for Thursday, 7 August 2025

Total of 2 entries

New submissions (showing 1 of 1 entries)

[1] arXiv:2508.04417 [Chinese pdf, pdf, html, other]
Title: ARMS: Adaptive and Robust Memory Tiering System
Sujay Yadalam, Konstantinos Kanellis, Michael Swift, Shivaram Venkataraman
Subjects: Operating Systems (cs.OS)

Memory tiering systems seek cost-effective memory scaling by adding multiple tiers of memory. For maximum performance, frequently accessed (hot) data must be placed close to the host in faster tiers and infrequently accessed (cold) data can be placed in farther slower memory tiers. Existing tiering solutions such as HeMem, Memtis, and TPP use rigid policies with pre-configured thresholds to make data placement and migration decisions. We perform a thorough evaluation of the threshold choices and show that there is no single set of thresholds that performs well for all workloads and configurations, and that tuning can provide substantial speedups. Our evaluation identified three primary reasons why tuning helps: better hot/cold page identification, reduced wasteful migrations, and more timely migrations. Based on this study, we designed ARMS - Adaptive and Robust Memory tiering System - to provide high performance without tunable thresholds. We develop a novel hot/cold page identification mechanism relying on short-term and long-term moving averages, an adaptive migration policy based on cost/benefit analysis, and a bandwidth-aware batched migration scheduler. Combined, these approaches provide out-of-the-box performance within 3% of the best tuned performance of prior systems, and between 1.26x-2.3x better than prior systems without tuning.

Replacement submissions (showing 1 of 1 entries)

[2] arXiv:2508.03879 (replaced) [Chinese pdf, pdf, html, other]
Title: RX-INT: A Kernel Engine for Real-Time Detection and Analysis of In-Memory Threats
Arjun Juneja
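Comments: 10 pages, 8 figures, 1 table. Introduces RX-INT, a kernel-mode system for real-time detection of fileless malware, using event-driven VAD scanning and automatic import resolution. Demonstrates detection capability superior to PE-sieve against advanced evasion techniques, including module stomping and headerless manual mapping.
Subjects: Cryptography and Security (cs.CR); Operating Systems (cs.OS)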

Malware and cheat developers use fileless execution techniques to evade traditional, signature-based security products. These methods include various types of manual mapping, module stomping, and threadless injection which work entirely within the address space of a legitimate process, presenting a challenge for detection due to ambiguity between what is legitimate and what isn't. Existing tools often have weaknesses, such as a dependency on Portable Executable (PE) structures or a vulnerability to time-of-check-to-time-of-use (TOCTOU) race conditions where an adversary cleans up before a periodic scan has the chance to occur. To address this gap, we present RX-INT, a kernel-assisted system featuring an architecture that provides resilience against TOCTOU attacks. RX-INT introduces a detection engine that combines a real-time thread creation monitor with a stateful Virtual Address Descriptor (VAD) scanner alongside various heuristics within. This engine snapshots both private and image-backed memory regions, using real-time memory hashing to detect illicit modifications like module stomping. Critically, we demonstrate a higher detection rate in certain benchmarks of this approach through a direct comparison with PE-sieve, a commonly used and powerful memory forensics tool. In our evaluation, RX-INT successfully detected a manually mapped region that was not identified by PE-sieve. We then conclude that our architecture represents a tangible difference in the detection of fileless threats, with direct applications in the fields of anti-cheat and memory security.
