Talk:Translation lookaside buffer
WikiProject Computing (Rated Start-class, High-importance)
The section about computer security seems misleading to me. How can a rootkit use the TLB in order to hide a program?
For hardware-loaded TLBs, the CPU fills the TLB on its own as it is accessing the page table (PT). From a programmer's point of view, there is no way to alter the content of the TLB as it is not directly accessible (besides a complete TLB flush).
For software-loaded TLBs, the TLB miss handler of the OS is loading PT entries into the TLB. I'm not sure if a rootkit could alter this section of OS code. But even if this was the case and it could therefore alter the TLB directly, what would you gain? The process' data structure in the kernel (Process Control Block) is still there and can be read out by a lot of applications (like "top" in Linux).
The point here is that hiding a page (or several pages) does not make the process invisible.
- I was going to say I agreed with GloomY on this, because using the TLB to hide something seemed an unusual claim, but I found a hypothetical rootkit that diverts certain reads on the TLB to different (inaccurate) frames. The theory is that when a program reads memory (via TLB) for comparison against a fingerprint (or whatever method of detection is used), a different page frame is returned, making the rootkit invisible to this detection mechanism.
- This information was found in this Black Hat presentation.
- -- Pyrofysh 06:14, 4 June 2006 (UTC)
Ambiguity in overview
In the first paragraph, the sentence "The buffer is typically a content-addressable memory (CAM) in which the search key is the virtual address and the search result is a real or physical address (which is often not the same thing)" could confuse a newcomer since there are 2 possible interpretations:
- A) (the correct interpretation) virtual addresses and physical addresses are almost never the same
- B) (incorrect interpretation) "physical" addresses and "real" addresses are not the same thing.
To correct this, it could just say, "...and the search result is a physical address (which is often not the same thing)."
Clock Cycle Statistics
At the end of the article, the equation that gives the average number of cycles on a TLB access seems flawed. I feel it should be the following, since even a TLB miss will require a TLB access (hence will take 1 + 30 cycles):-
- Nowhere in that section did it say that a TLB access takes 1 clock cycle. It said "If a TLB hit takes 1 clock cycle, a miss takes 30 clock cycles...", so a TLB hit takes 1 clock cycle and a TLB miss takes 30, not 31, cycles. Maybe a TLB access takes 1 clock cycle regardless of whether it gets a hit or a miss, and handling the miss takes an additional 29 clock cycles. Guy Harris (talk) 23:44, 26 July 2011 (UTC)
- IIRC, in x86/x86-64 for example, a physical address is stored in cr3, hence no TLB access is needed. I am not sure why it could store a virtual address, as to resolve any address it would need to look up the page table. But to find the page table it would need to find the page table, which would end in a non-terminating loop. Uzytkownik (talk) 20:36, 26 July 2011 (UTC)
"It was the first cache introduced in processors."
There is a note that a citation is needed. In "Intel386 TM DX MICROPROCESSOR 32-BIT CHMOS MICROPROCESSOR WITH INTEGRATED MEMORY MANAGEMENT" (www.digchip.com/datasheets/parts/datasheet/227/386DX-pdf.php chapter "4.5.4 Translation Lookaside Buffer" page 55) there is a little bit about it: TLB is the one and only internal cache memory. I don't know if that's enough, so can someone verify it?
!!! This is total bullshit. Many years before i386 there was the Motorola MC68010 with instruction cache. --dramenbejs
- And before that there were, e.g., the 8-word associative TLB cache on the IBM System/360 Model 67 and a CPU cache on the System/360 Model 85. Shmuel (Seymour J.) Metz Username:Chatul (talk) 22:08, 11 December 2013 (UTC)
ITLB and DTLB
Can somebody explain what they are and the differences between them?