I began the GILK project as part of my master's thesis here at Imperial. The project is all about dynamic instrumentation of the Linux Kernel. This means that a stock (i.e. without any source code modification) kernel can be instrumented whilst in execution! This is possible because the tool performs binary analysis [LB94][LS95][LZ97][SE94] on the kernel image to determine where it is safe to instrument. Furthermore, it makes use of the non-preemptive property of the kernel to ensure that the instrumentation is safely updated. The tool employs a technique called dynamic code splicing [TM99] to add low overhead instrumentation. Essentially, this involves overwriting instructions at the instrumentation point with a branch instruction to the instrumentation patch. To maintain correct kernel behaviour, those instructions which were overwritten are relocated into the instrumentation patch. There are some challenges for this method which are particular to the Intel x86 architecture and which, we believe, were first addressed by GILK.
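The splice described above can be sketched on a plain byte buffer. This is an added example, not GILK's code: the function names, addresses and sample bytes are constructed for illustration, and it assumes the displaced instructions contain no relative branches or calls (those would need their displacements fixed up after relocation).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JMP_LEN 5 /* x86 "jmp rel32": opcode 0xE9 plus a 32-bit displacement */

/* Encode "jmp rel32" into buf, as if buf were mapped at address `at`. */
static void emit_jmp(uint8_t *buf, uint32_t at, uint32_t target) {
    uint32_t rel = target - (at + JMP_LEN); /* relative to the next instruction */
    buf[0] = 0xE9;
    for (int k = 0; k < 4; k++) buf[1 + k] = (uint8_t)(rel >> (8 * k));
}

/* Splice at the start of `code` (mapped at code_addr). lens[] holds the instruction
 * lengths a disassembler reported. Patch layout: stub, relocated instructions,
 * jump back. Assumes the relocated instructions are position-independent.
 * Returns the number of code bytes relocated, or -1 if the splice is unsafe. */
int splice(uint8_t *code, uint32_t code_addr, const uint8_t *lens, size_t n,
           const uint8_t *stub, size_t stub_len,
           uint8_t *patch, uint32_t patch_addr, size_t patch_cap) {
    size_t moved = 0, i = 0;
    while (moved < JMP_LEN && i < n) moved += lens[i++]; /* whole instructions only */
    if (moved < JMP_LEN || stub_len + moved + JMP_LEN > patch_cap) return -1;
    memcpy(patch, stub, stub_len);                 /* instrumentation runs first */
    memcpy(patch + stub_len, code, moved);         /* then the displaced instructions */
    emit_jmp(patch + stub_len + moved, patch_addr + (uint32_t)(stub_len + moved),
             code_addr + (uint32_t)moved);         /* resume after the spliced region */
    emit_jmp(code, code_addr, patch_addr);         /* branch to the patch */
    memset(code + JMP_LEN, 0x90, moved - JMP_LEN); /* NOP out the leftover tail */
    return (int)moved;
}

/* Constructed sample: push ebp; mov ebp,esp; sub esp,0x10; push ebx; ret */
uint8_t sample_code[] = {0x55, 0x89, 0xE5, 0x83, 0xEC, 0x10, 0x53, 0xC3};
const uint8_t sample_lens[] = {1, 2, 3, 1, 1};
const uint8_t sample_stub[] = {0x9C, 0x9D}; /* pushf; popf as a placeholder probe */
uint8_t sample_patch[16];

int main(void) {
    int moved = splice(sample_code, 0x1000, sample_lens, 5, sample_stub, 2,
                       sample_patch, 0x2000, sizeof sample_patch);
    printf("relocated %d bytes\ncode: ", moved);
    for (size_t i = 0; i < sizeof sample_code; i++) printf("%02x ", sample_code[i]);
    printf("\n");
    return 0;
}
```

Because x86 instructions vary in length, the 5-byte branch here displaces three whole instructions (6 bytes), which is why instruction boundaries from the disassembler are needed before any bytes are overwritten.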

Since completing my master's thesis, some further work was done using GILK to measure IP packet arrival times. This led to a paper published in the TOOLS 2002 conference.

The tool is driven through a GTK interface and uses a kernel module to perform the actual instrumentation. The binary analysis is made possible by a custom disassembler, which provides more information than can be obtained with libopcodes.

Requirements

GTK Library, Linux (Kernel) 2.0.X-2.2.X running on an Intel x86 processor. DaVinci 2.1 [optional]

GILK currently does not work on the 2.4.X kernel series, as the device driver component has not been updated for the newer module API. As GILK relies on the kernel being non-preemptive to work safely, it is not really suitable for instrumenting SMP machines. However, it is believed that instrumentation in the presence of the various preemptive patches is safe, although this has not been tested.


Documentation

  • David J. Pearce, Paul H.J. Kelly, Tony Field and Uli Harder. GILK: A dynamic instrumentation tool for the Linux Kernel. In Proceedings of the 12th International Conference on Computer Performance Evaluation, TOOLS 2002, LNCS 2324. [postscript / PDF / Powerpoint], extended version [postscript / PDF]

  • David J. Pearce. Instrumenting the Linux Kernel, Master's Thesis, Imperial College, July 2000. [MS Word]

Downloads

GUI and Binary Analyzer : gilk-100502-01.tgz
2.0-2.2 compatible device driver : ilk-rc0.9.tgz

References

[LB94]
James R. Larus and Thomas Ball. Rewriting executable files to measure program behavior. Software, Practice and Experience, 24(2):197-218, February 1994.

[LS95]
James R. Larus and Eric Schnarr. EEL: Machine-independent executable editing. In Proceedings of the ACM Conference on Programming Language Design and Implementation, pages 291-300, 1995.

[LZ97]
Han Bok Lee and Benjamin G. Zorn. BIT: A tool for instrumenting Java bytecodes. In Proceedings of the USENIX Symposium on Internet Technologies and Systems Proceedings, 1997, pages 73-82, 1997.

[SE94]
Amitabh Srivastava and Alan Eustace. ATOM-A system for building customized program analysis tools. In Proceedings of the ACM Conference on Programming Language Design and Implementation, pages 196-205, 1994.

[TM99]
Ariel Tamches and Barton P. Miller. Fine-grained dynamic instrumentation of commodity operating system kernels. In Proceedings of the 3rd Symposium on Operating Systems Design and Implementation, pages 117-130, 1999.