Minimal tool for measuring cost of mode switch

Related tags


CPU mode switch statistics

The mode-switch-stat tool measures the cost of CPU mode switch, the round trip between user and kernel mode. At present, this tool supports x86_64 and aarch64 (ARMv8) architectures, and it would be useful to understand the performance impact to defense against Meltdown and Spectre vulnerability.

Background: Meltdown and Spectre

In operating systems such as Linux, the kernel code/data is protected from direct access by user code with MMU access control mechanisms. Various attacks have been discovered exploiting kernel code bugs, leading to privilege escalation and system control. To carry out these attacks, the attacker would need to know two things:

  • what the vulnerability is; and
  • what the address of related kernel code and/or data is.

The kernel page-table isolation (KPTI) implementation was finally committed to the Linux kernel on Dec 29, 2017. Changes brought by KPTI can have a significant impact on performance. Early tests showed a 5% impact in most cases, with worst-case tests indicating a 50% performance hit.

Meltdown (CVE-2017-5754) allows an unprivileged user to access the complete kernel (and physical) memory of a computer. This attack is relatively simple to execute; to carry it out, attackers need to run their own program on the target system. This attack is particularly damaging to shared systems (such as cloud services), as an attacker with access to one virtual machine can use Meltdown to access other VMs on the same physical system. Meltdown is specific to Intel systems.

Spectre (CVE-2017-5753, CVE-2017-5715) is a broader vulnerability. Spectre relies on issues with speculative execution itself to be carried out. In its current form, the attack is more complicated as more prerequisites must be fulfilled. One of them is a code gadget, which must be found in a code shared by both victim and attacker. For some variants of this attack, a branch prediction CPU subsystem must be trained to redirect execution of a code to the selected gadget.

The real challenge with Spectre is its mitigation. Unlike Meltdown, Spectre requires changes to the hardware itself. As a workaround, some vulnerable code can be mitigated by inserting synchronization primitives (like the LFENCE instruction on Intel platforms) which effectively stops speculative execution. Another one is using return trampoline approach (Retpoline). This approach requires modification of compilers and careful selection of critical locations, which is non-trivial and cannot be easily done without human interaction; doing otherwise would impose a significant performance penalty.


This tool requires Linux kernel headers and NumPy. For Ubuntu/Debian, you can install these packages in advance.

$ sudo apt install linux-headers-$(uname-r)
$ sudo apt install python3-numpy


Build project:

$ git clone
$ cd mode-switch-stat
$ make


$ make testing

Reference output

Architecture: x86_64
Model name: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz
Vulnerability Meltdown: Mitigation; PTI

Avg of mode switch takes 1921.45 cycles and standard deviation is 106.92


  1. ERROR: could not insert module msT.ko: Operation not permitted

    Solution: Disable SecureBoot (check by mokutil --sb-state)

  2. If kernel version lower than 5.7.0, please disable KALSR or modify macro KERNEL_VERSION to version lower than yours. It's also fine to comment it and force include systab.h and calculating syscall_table by adding offset to original system call table.

How to contribute

Add your output as comment in issue#1

  • Bug Fix: Use C locale for lscpu command

    Bug Fix: Use C locale for lscpu command

    The lscpu command is locale-dependent, since the script does not take this into account, parsing the output may fail.

    An example of this follows below:

    $ LC_ALL="fr_FR.UTF-8" lscpu
    Architecture :                          x86_64
    Mode(s) opératoire(s) des processeurs : 32-bit, 64-bit
    Boutisme :                              Little Endian
    Tailles des adresses:                   39 bits physical, 48 bits virtual
    Processeur(s) :                         4
    Liste de processeur(s) en ligne :       0-3
    Thread(s) par cœur :                    1
    Cœur(s) par socket :                    4
    Socket(s) :                             1
    Nœud(s) NUMA :                          1
    Identifiant constructeur :              GenuineIntel
    Famille de processeur :                 6
    Modèle :                                158
    Nom de modèle :                         Intel(R) Core(TM) i5-7300HQ CPU @ 2.50GHz <- here
    -- snip --

    Fix this by invoking the command with the C locale.

    opened by Theldus 0
  • Bug Fix: Fix vulnerability report for older kernels

    Bug Fix: Fix vulnerability report for older kernels

    The script assumes that it will always run on a kernel that has the fixes for the vulnerabilities (even if disabled), that exports the vulnerabilities folder in: /sys/devices/system/cpu/vulnerabilities (used by lscpu) and that the Linux distribution has a version of lscpu that supports the above features.

    If this set of conditions is not met, the output of 'make testing' displays all the output from lscpu, which is not what is desired. Fix this by reporting 'Unknown' for old systems that do not have these fixes.

    An example of output for old kernels would be (v4.4.38):

    Model name: Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
    Vulnerability Meltdown: Unknown
    Avg of mode switch takes 248.76 cycles and standard deviation is 57.08


    • Please note that this is the simplest solution to the problem, as it does not inform the user if the system is affected or not.

      • For this, a more sophisticated solution would be necessary, perhaps similar to what Linux does, checking the vendor, family, etc. of the processor. (I can work on it if you want...)
    • Also note that even without informing whether the system is affected or not, the project is still very useful for analyzing time regressions in mode switching between different versions of the Linux kernel.

      • Thinking about regressions, it would be interesting if the output showed the kernel version running, possibly via the output of uname -r.
    opened by Theldus 0
  • Not portable to ARM

    Not portable to ARM

    In current implementation, it can't work on ARM.

    opened by eecheng87 0
  • Result list

    Result list

    This is permanent issue for recording the cost of mode switch from different model. It's welcome to append your result in this chain.

    EDIT: Before fennecJ 's post (including), the result are done on x86_64 and needed multiply 0.83 because bug fixing in b939863. Also, due to #7 , aarch64 was supported.

    opened by eecheng87 15
Steven Cheng
Write Wrote Written
Steven Cheng
Powerful automated tool for reverse engineering Unity IL2CPP binaries

Powerful automated tool for reverse engineering Unity IL2CPP binaries

Katy 1k Apr 26, 2021
A C/C++ minor mode for Emacs powered by libclang

Irony-Mode A C/C++ minor mode powered by libclang irony-mode is an Emacs minor-mode that aims at improving the editing experience for the C, C++ and O

Guillaume Papin 851 Mar 6, 2021
This is a tool for software engineers to view,record and analyse data(sensor data and module data) In the process of software development.

![Contributors][Huang Jianyu] Statement 由于工具源码在网上公开,除使用部分开源项目代码外,其余代码均来自我个人,工具本身不包含公司的知识产权,所有与公司有关的内容均从软件包中移除,软件发布遵循Apache协议,任何人均可下载进行修改使用,如使用过程中出现任何问

HuangJianyu 25 Apr 16, 2021
A reflective enum implementation for C++

wise_enum Because reflection makes you wise, not smart wise_enum is a standalone smart enum library for C++11/14/17. It supports all of the standard f

Nir Friedman 221 Mar 2, 2021
Espressif ESP32 implementation of ANSI-ESTA E1.11 DMX-512A

This library allows for transmitting and receiving ANSI-ESTA E1.11 DMX-512A using an Espressif ESP32. It provides control and analysis of the packet configuration and allows the user to read synchronously or asynchronously from the DMX bus. This library also includes tools for data error-checking to safely process DMX commands.

null 11 Feb 9, 2021
C++ font-lock for Emacs

Syntax highlighting support for "Modern C++" - until C++20 and Technical Specification. This package aims to provide a simple highlight of the C++ lan

Ludwig PACIFICI 159 Mar 1, 2021
RemixDB: A read- and write-optimized concurrent KV store. Fast point and range queries. Extremely low write-amplification.

REMIX and RemixDB The REMIX data structure was introduced in paper "REMIX: Efficient Range Query for LSM-trees", FAST'21. This repository maintains a

Xingbo Wu 20 Mar 29, 2021
Cross-platform C++11 header-only library for memory mapped file IO

mio An easy to use header-only cross-platform C++11 memory mapping library with an MIT license. mio has been created with the goal to be easily includ

null 1.1k Feb 19, 2021
A push-button control panel for Zoom

Zoom Control Panel A push-button control panel for Zoom This repo contains files for building a push-button control panel for Zoom.

Elena Long 42 Feb 22, 2021
A programming environment for Lua for the Raspberry Pi Pico microcontroller

picolua A programming environment for Lua for the Raspberry Pi Pico microcontroller. Version 0.3, April 2021 What is this? picolua is a proof-of-conce

Kevin Boone 10 Apr 16, 2021
🪴💧 A Bluetooth Low Energy (BLE) soil moisture sensor.

b-parasite b-parasite is an open source Bluetooth Low Energy (BLE) soil moisture and ambient temperature/humidity sensor. Features Soil moisture senso

null 55 Apr 3, 2021
Lotus 1-2-3 R4D Display Driver for DOSEMU

Lotus 1-2-3 R4D Display Driver for DOSEMU2 This is a WIP display driver for Lotus 1-2-3 R4D to enable support for arbitrary text resolutions in DOSEMU

Tavis Ormandy 59 Mar 6, 2021
stb single-file public domain libraries for C/C++

stb single-file public domain (or MIT licensed) libraries for C/C++ Noteworthy: image loader: stb_image.h image writer: stb_image_write.h image resize

Sean Barrett 14.9k Feb 19, 2021
A perfect blend of C, Java, and Python tailored for those who desire a simple yet powerful programming language.

Fastcode A perfect blend of C, Java, and Python tailored for those who desire a simple yet powerful programming language. FastCode is a procedural/str

null 10 Apr 10, 2021