Conventional tracing technology allows users to analyze the operation of computer programs. For example, users may want to read data values at various execution times to identify a state of a computer program, write data values to particular memory locations, identify functions that are called, insert breakpoints to halt operation at particular code locations, and otherwise analyze the operation of a computer program. Tracing is useful for many activities, such as debugging. Debugging is a conventional activity that is performed using tracing technology to locate bugs/issues in computer programs and repair those bugs/issues.
Tracing can also be performed at the kernel level. For example, breakpoint instructions and function calls may be added and removed at various locations in kernel memory to allow analysis of the operation of the kernel. Users may, for example, identify events that are triggered in the kernel at various execution times, and otherwise trace the operation of the kernel.
Other conventional technologies that are used at the kernel level include kernel protection mechanisms. Kernel protection mechanisms allow enforcement of kernel protection measures that prevent the kernel from being modified. These mechanisms are useful for thwarting at least some malware and/or otherwise helping to safeguard the integrity of the kernel.
One issue that has arisen is that these kernel protection mechanisms are not compatible with tracing technology. That is, by preventing the kernel from being modified, the kernel protection mechanisms do not allow the kernel tracing features to be implemented in the kernel. For example, the tracing technology may be unable to insert tracing mechanisms, such as breakpoints and/or other tracing function calls, into the kernel, and/or to remove them from the kernel. Accordingly, while the kernel protection mechanisms may be helpful in some ways, they may also counter useful features that allow users to perform beneficial activities such as debugging.
It would be advantageous to allow tracing to be performed on the kernel, while at the same time allowing kernel protection mechanisms to be implemented. The techniques provided herein offer kernel tracing in a protected kernel environment.