Transfer Rate Meter

Category: Science and Technology

Date Submitted: 05/17/2016 06:04 AM

Systems Programming

Assignment 2

Angelo Dias

Nº 11709

1. Abstract

The objective of this assignment was to develop a kernel extension that periodically updates an entry created in the procfs, with the value of the current filesystem transfer rate.

This kernel extension requires the address of the syscall table, which is obtained from the /boot/System.map and passed to it as a parameter. The update period in seconds is also passed as a parameter.

2. Introduction

System calls are how a program requests a service from the kernel [1]. These services include file management operations, process control operations, scheduling and timers, among others (the 64-bit Linux kernel currently has more than 300 system calls) [2].

For this assignment we will be intercepting the read and write system calls, in order to count the number of bytes being transferred and, from this, calculate the transfer rate for a given time interval.

This requires modifying the system call table to insert modified read and write functions that take the place of the original ones, only to add an additional line of code which increments our counters (system call hooking) [3].

A timer is created to periodically calculate the transfer rate from the counters and reset them, and a virtual file is placed in the procfs containing a line of text that displays the most recently calculated transfer rates.

Regarding the other question asked (how to detect/prevent modifications to the system call table), a good way would be to compare the system call table against the System.map, which is a file generated when the kernel is compiled, containing a map of all the kernel symbols and their respective addresses [4] [5]. There are some tools available to do this check, like kern_check.c and samhain. A tool like this could be executed periodically, and if modifications were detected, the system call table would be reset. To prevent the system call table from being modified in the first place, perhaps the...
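The System.map comparison described above, as an added example that is not part of the original assignment or of the tools it names. It assumes a snapshot of the table (slot number to handler address) has already been read out of kernel memory by some other means; the addresses, both snapshots, the slot-to-symbol mapping and the `kaslr_offset` parameter are constructed or hypothetical.

```python
# Added example: all addresses and both snapshots are constructed sample data.
SYSTEM_MAP = """\
ffffffff81000000 T _stext
ffffffff811dd9c0 T sys_close
ffffffff811df8a0 T sys_open
ffffffff811e1230 T sys_read
ffffffff811e12f0 T sys_write
ffffffff81800000 T _etext
ffffffff81a001c0 R sys_call_table
"""
# Assumed slot -> symbol names (x86-64 numbering; names differ across kernel versions).
EXPECTED = {0: "sys_read", 1: "sys_write", 2: "sys_open", 3: "sys_close"}

def parse_system_map(text):
    """Return {symbol: address} from 'address type name' lines."""
    symbols = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        try:
            symbols[parts[2]] = int(parts[0], 16)
        except ValueError:
            continue  # address field is not hexadecimal
    return symbols

def check_table(symbols, snapshot, expected=EXPECTED, kaslr_offset=0):
    """Return (slot, symbol, expected_addr, found_addr, reason) per mismatch."""
    lo = symbols["_stext"] + kaslr_offset
    hi = symbols["_etext"] + kaslr_offset
    findings = []
    for slot, name in sorted(expected.items()):
        want, got = symbols[name] + kaslr_offset, snapshot.get(slot)
        if got == want:
            continue
        if got is None:
            reason = "slot missing from snapshot"
        elif not lo <= got < hi:
            reason = "outside kernel text"  # e.g. a handler living in module memory
        else:
            reason = "different address inside kernel text"
        findings.append((slot, name, want, got, reason))
    return findings

SYMS = parse_system_map(SYSTEM_MAP)
CLEAN = {slot: SYMS[name] for slot, name in EXPECTED.items()}
# Constructed snapshot with the read and write slots replaced, as in the assignment.
HOOKED = {**CLEAN, 0: 0xFFFFFFFFA0123000, 1: 0xFFFFFFFFA0123080}

if __name__ == "__main__":
    for slot, name, want, got, reason in check_table(SYMS, HOOKED):
        print(f"slot {slot} ({name}): expected {want:#x}, found {got:#x} ({reason})")
```

On a kernel that randomizes its load address, System.map addresses differ from runtime addresses by a constant, so the comparison only holds once that offset is supplied.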