research-article

In the Land of MMUs: Multiarchitecture OS-Agnostic Virtual Memory Forensics

Authors:

Andrea Oliveri,

Davide BalzarottiAuthors Info & Claims

ACM Transactions on Privacy and Security, Volume 25, Issue 4

Article No.: 27, Pages 1 - 32

https://doi.org/10.1145/3528102

Published: 09 July 2022 Publication History

Get Access

Abstract

The first step required to perform any analysis of a physical memory image is the reconstruction of the virtual address spaces, which allows translating virtual addresses to their corresponding physical offsets. However, this phase is often overlooked, and the challenges related to it are rarely discussed in the literature. Practical tools solve the problem by using a set of custom heuristics tailored on a very small number of well-known operating systems (OSs) running on few architectures.

In this article, we look for the first time at all the different ways the virtual to physical translation can be operated in 10 different CPU architectures. In each case, we study the inviolable constraints imposed by the memory management unit that can be used to build signatures to recover the required data structures from memory without any knowledge about the running OS. We build a proof-of-concept tool to experiment with the extraction of virtual address spaces showing the challenges of performing an OS-agnostic virtual to physical address translation in real-world scenarios. We conduct experiments on a large set of 26 different OSs and a use case on a real hardware device. Finally, we show a possible usage of our technique to retrieve information about user space processes running on an unknown OS without any knowledge of its internals.

Appendices

A POWER ISA (64-bit)

The Power architecture is a RISC architecture introduced by IBM in the early 1990s. Starting from the original POWER ISA, many architectural variants have been developed over the past 30 years, including variants for gaming consoles. However, only two of those architectures are still currently developed and supported: PowerPC, already described in Section 5.1, and Power ISA.

A.1 MMU Internals

Power ISA is a server-class 64-bit bi-endian architecture focused on para-virtualization: a hypervisor OS manages all resources of the system, including MMU registers and in-memory tables, partitioning them between the para-virtualized machines (called logical partitions (LPARs)). An OS running inside an LPAR needs specific support for this environment to interface with the hypervisor. CPUs based on the latest Power ISA revision [41], like the IBM POWER9 family, use the PTCR register to point to an in-memory hypervisor-reserved table called the partition table, which contains pointers to relevant memory management structures of the hypervisor and every LPAR running on the system. Each entry of this table points to one of two different types of structures automatically used by the MMU to translate virtual addresses of the LPAR (or the hypervisor): an inverted page table (along with an optional segment table used instead of the segment registers) or the root of the radix tree of the kernel (with a related process table containing roots of process radix trees).

The inverted page resolution mode works in the same way as for PowerPC (without BAT registers) with, in addition, the support for 64-bit VASs and multiple page sizes. In this mode, all LPARs share the hash table with the hypervisor calling it to fill the hash table and the segment registers (the optional segment table is filled directly by the OS).

In radix tree mode, the translation of a virtual address to a physical one goes through a double translation: a radix tree, allocated by the guest OS, translates the virtual address to a pseudo-physical address. Then, a radix tree associated with the LPAR and maintained by the hypervisor translates the pseudo-physical address to a real physical one. Radix trees have a predefined number of levels, page sizes, and table entry format that permits to distinguish between directory and page tables.

A.2 Analysis

On a Power ISA machine, we can perform a physical memory dump in two different ways: a dump of the entire machine memory or a dump of a single LPAR. In the first case, we can recover the value contained in the PTCR register using code analysis or parsing for the partition table using rules derived from the ISA. If an LPAR or the hypervisor uses the radix tree MMU or the hash table with the segment table, it is possible to recover the entire V2P address mapping starting from the partition table. Instead, if they use the hash table MMU mode with the segment registers set, we can only reconstruct the segmented to physical translation, in the same ways as we described for PowerPC.

Finally, if we work with an LPAR memory dump, we can recover the structure of the guest radix trees, but if the LPAR uses the hash table mode, we cannot recover any information about the V2P address translation because the hash table resides in the hypervisor memory.

A.3 Limitations

We decided to not include Power ISA in Section 3 for four reasons. First of all, this architecture is strongly oriented to virtualization and the MMU operating modes are structured with this perspective, opening the problem of the privilege level to whom the memory dump is taken, which influences, in turn, the features recoverability. Second, QEMU does not support the emulation of a complete Power machine running an LPAR—making it impossible to test the reconstruction techniques in the case of a hypervisor memory dump. Third, Miasm does not support Power ISA, making it impossible to perform the code analysis phase. Last but not least, the only OS we could find that runs in hypervisor mode is Linux, and this lack of test cases would not allow to have any statistical significance on the obtained results.

B Structure Signatures and Validation Rules

Table 7.

AArch64 (64-bit) Long MMU Mode
Object	Type	Rule
PTL0/PTL1/PTL2/PTL3 entry	○	Size(Entry) = 8 bytes
Empty PTL0/PTL1/PTL2/PTL3 entry	○	Entry[0] = 0
PTL3 reserved entry 4/16/64-Kib granule	○	Entry[0] = 1 \(\wedge\) Entry[1] = 0
PTL3 entry 4/64-KiB granule	○	Entry[0,1] = 1 \(\wedge\) Entry[SH] \(\ne\) 1
PTL3 entry 16-KiB granule	○	Entry[0,1] = 1 \(\wedge\) Entry[SH] \(\ne\) 1 \(\wedge\) Entry[12,13] = 0
Block PTL2 entry 4-KiB granule	○	Entry[0] = 1 \(\wedge\) Entry[1] = 1 \(\wedge\) Entry[12 \(\ldots\) 15] = 0 \(\wedge\) Entry[SH] \(\ne\) 1 \(\wedge\) Entry[17 \(\ldots\) 20] = 0
Block PTL2 entry 16-KiB granule	○	Entry[0] = 1 \(\wedge\) Entry[1] = 1 \(\wedge\) Entry[12 \(\ldots\) 15] = 0 \(\wedge\) Entry[SH] \(\ne\) 1 \(\wedge\) Entry[17 \(\ldots\) 24] = 0
Block PTL2 entry 64-KiB granule	○	Entry[0] = 1 \(\wedge\) Entry[1] = 1 \(\wedge\) Entry[12 \(\ldots\) 15] = 0 \(\wedge\) Entry[SH] \(\ne\) 1 \(\wedge\) Entry[17 \(\ldots\) 28] = 0
Block PTL1 entry 4-KiB granule	○	Entry[0] = 1 \(\wedge\) Entry[1] = 1 \(\wedge\) Entry[12 \(\ldots\) 15] = 0 \(\wedge\) Entry[SH] \(\ne\) 1 \(\wedge\) Entry[17 \(\ldots\) 29] = 0
PTL0/PTL1/PTL2 pointer 4-KiB granule	○	Entry[0,1] = 1 \(\wedge\) Entry[Address] \(\in\) RAM
PTL0/PTL1/PTL2 pointer 16-KiB granule	○	Entry[0,1] = 1 \(\wedge\) Entry[12,13] = 0 \(\wedge\) Entry[Address] \(\in\) RAM
PTL0/PTL1/PTL2 pointer 64-KiB granule	○	Entry[0,1] = 1 \(\wedge\) Entry[12 \(\ldots\) 15] = 0 \(\wedge\) Entry[Address] \(\in\) RAM
Kernel radix tree	●	\(\exists\) DataPage \(\|\) ReadOpcode(ESR_EL1, FAR_EL1, ELR_EL1) \(\in\) DataPage \(\wedge\) \(\exists\) DataPage \(\|\) WriteOpcode(TTBR0_EL1, TCR_EL1) \(\in\) DataPage \(\wedge\) \(\exists\) DataPage \(\|\) ExecOpcode(ERET) \(\in\) DataPage
Kernel radix tree	● \({^{{1}}}\)	\(\exists\) Entry \(\in\) {Tables of RadixT} \(\|\) Entry[AP[0,1]] = 0 \(\Rightarrow\) RadixT \(\in\) {Accepted Kernel radix trees}
User radix tree	●	\(\exists\) DataPage \(\|\) ExecOpcode(RET) \(\in\) DataPage \(\wedge\) \(\exists\) DataPage \(\|\) ExecOpcode(BLR) \(\in\) DataPage
User radix tree	● \({^{{2}}}\)	\(\exists\) Entry \(\in\) {Tables of RadixT} \(\|\) Entry[AP[1]] = 1 \(\Rightarrow\) RadixT \(\in\) {Accepted User radix trees}
PTL0/PTL1/PTL2/PTL3	○	Address(Table) alignment and Size(Table) compatible with TCR_EL1 fields. See documentation by ARM Holdings [40] for more details.
TCR_EL1	○	TCR_EL1[6, 35, 59 \(\dots\) 63] = 0

Table 7. Structure Signatures (○) and Validation Rules (●) for Each MMU Mode Implemented in MMUShell

Size(X) = The size of the object X.

Object[W,X,Y \(\ldots\) Z] = Bit W,X and all the bits in [Y,Z] of Object.

Object[NAME] = Field ‘NAME’ of Object. See documentation for the exact location of the field in the object.

RAM = Physical address used to access to a system memory location (no MMIO, ROMs, device memory etc.).

ReadOpcode(X,Y), WriteOpcode(X,Y) = Physical address of an opcode that reads/writes on register X or Y.

ExecOpcode(X) = Physical address of X opcode.

Address(X) = Physical address of the object X.

\(^1\) i.e., It exists at least a page writable in kernel mode and not writable in user mode.

\(^2\) i.e., It exists at least a page readable or writable in user mode.

Note: See ISA’s documentation [34, 39, 40, 42, 65] for more details.

AMD64 (64-bit) Four-Level MMU Mode
Object	Type	Rule
IDT entry	●	Size(IDTEntry) = 16 bytes
IDT entry	●	Address(IDT) % 4 = 0
Empty IDT entry	●	IDTEntry[P] = 0
Used IDT entry	●	IDTEntry[P] = 1 \(\wedge\) IDTEntry[35 \(\ldots\) 39,44,95:127] = 0 \(\wedge\) IDTEntry[TYPE] \(\in\) {14,15} \(\wedge\) IDTEntry[DPL] \(\in\) {0,3}
IDT table	●	Address(IDT) % 8 = 0 \(\wedge\) Size(IDT) = 4,096 bytes
IDT table	●	\(\forall\) i \(\in\) {0 \(\ldots 8,10\ldots 14,16\ldots\) 19} IDT[i][P] = 1 \(\wedge\) IDT[i][47 \(\ldots\) 64] = 1
IDT table	● \({^{{1}}}\)	IDT[3][DPL] = 3 \(\wedge\) IDT[0,2,6,7,8,10 \(\ldots\) 14][DPL] = 0
PT/PD/PDPT/PML4 entry	○	Size(Entry) = 8 bytes
Empty PT/PD/PDPT/PML4 entry	○	Entry[P] = 0
PT entry	○	Entry[P] = 1 \(\wedge\) Entry[MAXPHYADDR:51] = 0
PD 2-MiB entry	○	Entry[P] = 1 \(\wedge\) Entry[MAXPHYADDR:51] = 0 \(\wedge\) Entry[7] = 1
PDPT 1-GiB entry	○	Entry[P] = 1 \(\wedge\) Entry[MAXPHYADDR:51] = 0 \(\wedge\) Entry[7] = 1 \(\wedge\) Entry[21:29] = 0
PT/PD/PDPT pointer	○	Entry[P] = 1 \(\wedge\) Entry[MAXPHYADDR:51] = 0 \(\wedge\) Entry[7] = 0 \(\wedge\) Entry[Address] \(\ll\) 12 \(\in\) RAM
PD/PT/PDPT/PML4	○	Address(Table) % 4,096 = 0 \(\wedge\) Size(Table) = 4,096 bytes
Radix tree	●	\(\forall\) InterruptHandler \(\in\) {Found IDT} Resolve(RadixTree, InterruptHandler[Address]) = True

IDT[X][Y] = Field Y of the record X in the interrupt table.

MAXPHYADDR = See documentation from Intel [42] for more details.

Resolve(R,V) = Resolve virtual address V using radix tree R returning True for success and False otherwise.

\(^1\) The DPL field of IDT entries defines the minimum CPU privilege mode (0 for kernel mode, 3 for user mode) that is allowed to execute the code pointed by the entry. We force the DPL field of some entries to be 0 because the entries are associated with interrupts that can be managed only by the kernel (NMI, invalid opcode, double fault, etc.). Instead, we force the code pointed by the entry associated with breakpoint exception to have DPL \(=\) 3 because, in general, a user space process is allowed to debug other user space processes.

ARM (32-bit) Short MMU Mode
Object	Type	Rule
PTL1/PTL2 entry	○	Size(Entry) = 4 bytes
Empty PTL1/PTL2 entry	○	Entry[0,1] = 0
Small PTL2 page entry	○	Entry[1] = 1 \(\wedge\) (Entry[TEX] \(\ne\) 1 \(\vee\) Entry[B] = 1 \(\vee\) Entry[C] = 0)
Large PTL2 page entry	○	Entry[0] = 1 \(\wedge\) Entry[1] = 0 \(\wedge\) Entry[6 \(\ldots\) 8] = 0 \(\wedge\) (Entry[TEX] \(\ne\) 1 \(\vee\) Entry[B] = 1 \(\vee\) Entry[C] = 0)
Large PTL2 page entries group	○	if \(\exists\) LPEntry in Table \(\Rightarrow\) \(\exists\) LPEntry_j \(\|\) Address(LPEntry_j+1) = Address(LPEntry_j+ 4) \(\wedge\) Address(LPEntry₀) % 16 = 0) j \(\in\) {0 \(\ldots\) 15}
Section PTL1 entry	○	Entry[1] = 1 \(\wedge\) Entry[9,18] = 0 \(\wedge\) (Entry[TEX] \(\ne\) 1 \(\vee\) Entry[B] = 1 \(\vee\) Entry[C] = 0)
Supersection PTL1 entry	○	Entry[1,18] = 1 \(\wedge\) Entry[9] = 0 \(\wedge\) (Entry[TEX] \(\ne\) 1 \(\vee\) Entry[B] = 1 \(\vee\) Entry[C] = 0)
Supersection PTL1 entries group	○	if \(\exists\) SSEntry in Table \(\Rightarrow\) \(\exists\) SSEntry_j \(\|\) Address(SSEntry_j+1) = Address(SSEntry_j+ 4) \(\wedge\) Address(SSEntry₀) % 16 = 0) j \(\in\) {0 \(\ldots\) 15}
PTL2 pointer entry	○	Entry[0] = 1 \(\wedge\) Entry[1] = 0 \(\wedge\) Entry[9] = 0
PTL1 table	○	Address(Table) alignment and Size(Table) compatible with TTBCR fields. See documentation by Intel [42] for more details.
PTL2 table	○	Address(Table) % 1,024 = 0 \(\wedge\) Size(Table) = 1,024 bytes
Kernel radix tree	●	\(\exists\) DataPage \(\|\) ReadOpcodes(DFSR, IFSR) \(\in\) DataPage \(\wedge\) \(\exists\) DataPage \(\|\) WriteOpcodes(TTBR0, TTBCR) \(\in\) DataPage
Kernel radix tree	● \({^{{1}}}\)	\(\exists\) Entry \(\in\) {Tables of RadixT} \(\|\) Entry[PNX] = 0 \(\Rightarrow\) RadixT \(\in\) {Accepted Kernel radix trees}
User radix tree	● \({^{{1}}}\)	\(\exists\) Entry \(\in\) {Tables of RadixT} \(\|\) Entry[NX] = 0 \(\Rightarrow\) RadixT \(\in\) {Accepted User radix trees}
User radix tree	● \({^{{2}}}\)	\(\exists\) Entry \(\in\) {Tables of RadixT} \(\|\) Entry[AP[1]] = 1 \(\Rightarrow\) RadixT \(\in\) {Accepted User radix trees}
TTBCR	○	TTBCR[3] = 1 \(\wedge\) TTBCR[6, 31] = 0

\(^1\) It exist at least a table entry executable (i.e., it exist at least a page that contains code).

\(^2\) It exist at least a table entry writable (i.e., it exist at least a page that contains data).

MIPS32 (32-bit) TLB and Radix Tree MMU Modes
Object	Type	Rule
Config	○	Config[4 \(\ldots\) 6] = 0 \(\wedge\) Config[31] = 1
Config5	○	Config5[1,12,14 \(\ldots\) 26] = 0
PageGrain	○	PageGrain[5 \(\ldots 7,13\ldots\) 25] = 0
PageMask	○	PageMask[0 \(\ldots 10,29\ldots\) 31] = 0
PWCtl	○	PWCtl[8 \(\ldots\) 30] = 0
PWField	○	PWField[30 \(\ldots\) 31] = 0 \(\wedge\) (if Config[10 \(\ldots\) 12] \(\ge\) 2 \(\Rightarrow\) \(\forall\) i \(\in\) {GDI, UDI, MDI, PTI}PWField[i] < 12)
PWSize	○	PWSize[30 \(\ldots\) 31] = 0 \(\wedge\) (if Config[10 \(\ldots\) 12] \(\ge\) 2 \(\Rightarrow\) PWSize[PTW] \(\ne\) 1)
Wired	○	Wired[0 \(\ldots\) 15] < Wired[16 \(\ldots\) 31]

PowerPC (32-bit) SDR1+BAT MMU Mode
Object	Type	Rule
Hash table entry	○	Size(Entry) = 8 bytes
Empty hash table entry	○	Entry[V] = 0
Used hash table entry	○	Entry[V] = 1 \(\wedge\) Entry[RPN] \(\ll\) 12 \(\in\) RAM \(\wedge\) (Entry[R] = 1 \(\vee\) Entry[C] = 0)
Hash table entries group	○	HT[i][j] \(\ne\) HT[i][k] i \(\in\) {0 \(\ldots\) Size(HT)/64 - 1} j,k \(\in\) {0 \(\ldots\) 7} \(\wedge\) j \(\ne\) k
Hash table	○	Address(HT) % 16 = 0 \(\wedge\) Size(HT) \(\in\) {64Kib 128Kib 256KiB 512KiB 1MiB 2MiB 4Mib 8MiB 16MiB 32MiB}
Hash table	○	\(\forall\) Entry \(\in\) HT \(\|\) Entry[V] = 1 \(\Rightarrow\) Address(Entry)[16 \(\ldots\) 31] = Address(HT)[25 \(\ldots\) 31] \(\mathbin \Vert\) Hash(Entry[VSID][10 \(\ldots\) 18] \(\oplus\) Entry[API]) \(\wedge\) (1 \(\ll\) (Log(Size(HT) - 16) -1) \(\vee\) (Address(HT) \(\gg\) 16)[0 \(\ldots\) 8]
Hash table	● \({^{{1}}}\)	\(\exists\) Entry \(\in\) HT \(\|\) Entry[V] = 1
Hash table	● \({^{{2}}}\)	\(\exists\) Entry₁ and Entry₂ \(\in\) HT \(\|\) Entry₁[V] = Entry₂[V] = 1 \(\wedge\) Entry₁[VSID] \(\ne\) Entry₂[VSID]
Hash table	● \({^{{3}}}\)	\(\exists\) Entry₁ and Entry₂ \(\in\) HT Entry₁[V] = Entry₂[V] = 1 \(\wedge\) Entry₁[RPN] \(\ne\) Entry₂[RPN]
Parsed hash tables	● \({^{{4}}}\)	\(\forall\) j \(\in\) {Parsed HTs} \(\| H_{j} = H(\text{HT}_{j}) = -\sum P(\text{RPN}_{i}) \log _2 P(\text{RPN}_{i})\) ; \(H_{\text{max}}\) = Max( \(H_j\) ); if \(H_j \gt 0.8 H_{\text{max}}\) \(\Rightarrow\) j \(\in\) {Accepted HTs}

HT[X][Y] = Field Y of the record X in the hash table.

\(^1\) It exists at least one not empty entry in the table.

\(^2\) It exists entries associated with at least two different segments.

\(^3\) The hash table maps for at least two different physical pages.

\(^4\) The kernel, spreading data among a wide range of physical pages in RAM, increases the entropy of the distribution of the physical addresses of the pages in the real hash table. We filter the set of hash table candidates, discarding tables that have entropy less than 80% of the maximum entropy in the set.

RISC-V SV32 and SV48 MMU Modes
Object	Type	Rule
PTL0/PTL1 entry (SV32)	○	Size(Entry) = 4 bytes
PTL0/PTL1/PTL2 entry (SV48)	○	Size(Entry) = 8 bytes
Empty PTL0/PTL1(/PTL2) entry	○	Entry[V] = 0
PTL0 entry (SV32)	○	Entry[V] = 1
PTL0 entry (SV39)	○	Entry[V] = 1 \(\wedge\) Entry[54,63] = 0
PTL1 4-MiB entry (SV32)	○	Entry[V] = 1 \(\wedge\) Entry[10:19] = 0
PTL1 2-MiB entry (SV39)	○	Entry[V] = 1 \(\wedge\) Entry[54,63] = 0 \(\wedge\) Entry[10:18] = 0
PTL2 1-GiB entry (SV39)	○	Entry[V] = 1 \(\wedge\) Entry[54,63] = 0 \(\wedge\) Entry[10:28] = 0
PTL0 pointer (SV32)	○	Entry[V] = 1 \(\wedge\) Entry[R,W,X,D,A,U] = 0 \(\wedge\) Entry[Address] \(\ll\) 12 \(\in\) RAM
PTL0/PTL1 pointer (SV39)	○	Entry[V] = 1 \(\wedge\) Entry[R,W,X,D,A,U] = 0 \(\wedge\) Entry[54,63] = 0 \(\wedge\) Entry[Address] \(\ll\) 12 \(\in\) RAM
PTL0/PTL1(/PTL2)	○	Address(Table) % 4,096 = 0 \(\wedge\) Size(Table) = 4,096 bytes

Intel x86 IA32 and PAE MMU Modes
Object	Type	Rule
IDT entry	●	Size(IDTEntry) = 8 bytes
Empty IDT entry	●	IDTEntry[P] = 0
Used IDT entry	●	IDTEntry[P] = 1 \(\wedge\) IDTEntry[32:39,44] = 0 \(\wedge\) IDTEntry[42] = 1 \(\wedge\) IDTEntry[DPL] \(\in\) {0,3}
IDT	●	Address(IDT) % 4 = 0 \(\wedge\) Size(IDT) = 2,048 bytes
IDT	●	IDT[0 \(\ldots 8,10\ldots\) 14][P] = 1
IDT	● \({^{{1}}}\)	IDT[0,2,6 \(\ldots 8,10\ldots\) 14][DPL] = 0 \(\wedge\) IDT[3][DPL] = 3
PT/PD entry (IA32)	○	Size(Entry) = 4 bytes
PT/PD/PDPT entry (PAE)	○	Size(Entry) = 8 bytes
Empty PT/PD(/PDPT) entry	○	Entry[P] = 0
PT entry (IA32)	○	Entry[P] = 1
PT entry (PAE)	○	Entry[P] = 1 \(\wedge\) Entry[MAXPHYADDR:62] = 0 \(\wedge\) Entry[7] = 0
PD 4-MiB entry (IA32)	○	Entry[P] = 1 \(\wedge\) Entry[7] = 1 \(\wedge\) Entry[MAXPHYADDR \(\ldots\) 19, 21] = 0
PD 2-MiB entry (PAE)	○	Entry[P] = 1 \(\wedge\) Entry[MAXPHYADDR:62] = 0 \(\wedge\) Entry[7] = 1 \(\wedge\) Entry[13:20] = 0
PT pointer (IA32)	○	Entry[P] = 1 \(\wedge\) Entry[7] = 0 \(\wedge\) Entry[Address] \(\ll\) 12 \(\in\) RAM
PT pointer (PAE)	○	Entry[P] = 1 \(\wedge\) Entry[MAXPHYADDR:62] = 0 \(\wedge\) Entry[7] = 0 \(\wedge\) newline Entry[Address] \(\ll\) 12 \(\in\) RAM
PD pointer (PAE)	○	Entry[P] = 1 \(\wedge\) Entry[MAXPHYADDR:62] = 0 \(\wedge\) Entry[7] = 0 \(\wedge\) newline Entry[1,2,5,6,8,63] = 0 \(\wedge\) Entry[Address] \(\ll\) 12 \(\in\) RAM
PD/PT	○	Address(Table) % 4,096 = 0 \(\wedge\) Size(Table) = 4,096 bytes
PDPT (PAE)	○	Address(Table) % 32 = 0 \(\wedge\) Size(Table) = 32 bytes
Radix tree	●	\(\forall\) InterruptHandler \(\in\) {Found IDT} Resolve(RadixTree, Address(InterruptHandler))

\(^1\) See note 1 of AMD64 architecture.

References

[1]

Ali Reza Arasteh and Mourad Debbabi. 2007. Forensic memory analysis: From stack and code to execution history. Digital Investigation 4 (2007), 114–125.

Abstract

A POWER ISA (64-bit)

A.1 MMU Internals

A.2 Analysis

A.3 Limitations

B Structure Signatures and Validation Rules

References

Cited By

Index Terms

Recommendations

Write-aware memory management for hybrid SLC-MLC PCM memory systems

Cooperating Write Buffer Cache and Virtual Memory Management for Flash Memory Based Systems

Cooperating virtual memory and write buffer management for flash-based storage systems

Comments

Information

Published In

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Funding Sources

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Get Access

Login options

Full Access

View options

PDF

eReader

Full Text

HTML Format

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations