DoubleScan: A RAM Compression-Detection Utility
We have designed and implemented a program called "DoubleScan" that detects RAM compression. It consists of a Windows program and a VxD (Virtual Device Driver). The Windows program allocates a buffer equal in size to the physical memory of the machine it is running on, then fills that buffer with a user-configurable 8-byte string. Because Windows itself takes up a significant amount of physical memory, accessing the buffer will always cause paging. The VxD monitors all data that Windows sends to the paging file and counts the number of times the string appears in that data. Once the program has completely filled the buffer, it pauses for a user-specifiable period, and then the VxD scans physical memory looking for the string. Syncronys has claimed that SoftRAM only compresses memory at idle time, so setting an idle period allows ample opportunity for it to do so.
In the absence of RAM compression, DoubleScan will find each instance of the string either in the data being sent to the disk, or in the memory it scans at completion. When RAM compression is occurring, DoubleScan will lose track of the strings that were sent to the paging file since compression will alter the string data.
When you execute DoubleScan, if the total number of pages DoubleScan finds with the signature equals the number of pages it allocated, then no compression was in effect. Table 1 shows the results of DoubleScan's execution under several different memory-enhancement tools.
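Environment                          Tool          Compression   Time
Windows 3.1: Temporary Paging File   Native        no            31
Windows 3.1: Temporary Paging File   SoftRAM       no            34
Windows 3.1: Temporary Paging File   RAM Doubler   yes           14
Windows 3.1: Temporary Paging File   MagnaRAM2     yes           15
Windows 3.1: Permanent Paging File   Native        no            25
Windows 3.1: Permanent Paging File   SoftRAM       no            27
Windows 3.1: Permanent Paging File   RAM Doubler   yes           14
Windows 3.1: Permanent Paging File   MagnaRAM2     yes           12
Windows 95                           Native        no            18
Windows 95                           SoftRAM       no            18
Windows 95                           MagnaRAM2     yes           12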
Table 1: Sample DoubleScan results.
Because it might be claimed that RAM compression is only triggered on certain machines, the results listed were verified by running DoubleScan on a wide range of hardware platforms with varying memory sizes. It should be emphasized that DoubleScan is intended solely to detect compression and is not intended to be a performance benchmark. It is only because DoubleScan exercises RAM compressors with extremely unrealistic parameters that RAM compression appears to provide a benefit.
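The accounting DoubleScan relies on can be reproduced in a small user-mode simulation. This is an added example, not the original Windows program or VxD. The frame counts, the signature "DBLSCAN!", the toy run-length compressor, and the conversion of signature hits to pages (hits divided by copies per page) are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PAGE 4096               /* x86 page size */
#define SIG 8                   /* DoubleScan signature length in bytes */
#define PER_PAGE (PAGE / SIG)   /* signature copies in one filled page */
#define MAX_FRAMES 16           /* size of the simulated physical memory */

/* Count 8-byte-aligned copies of the signature in a byte range. */
static size_t count_sig(const unsigned char *p, size_t n, const char *sig) {
    size_t hits = 0;
    for (size_t i = 0; i + SIG <= n; i += SIG)
        if (memcmp(p + i, sig, SIG) == 0) hits++;
    return hits;
}

/* Toy stand-in for a RAM compressor (hypothetical): a page that is one
   repeated 8-byte unit becomes an 8-byte run count plus a single unit. */
static size_t toy_compress(const unsigned char *in, unsigned char *out) {
    memset(out, 0, SIG);
    out[0] = PER_PAGE & 0xff; out[1] = PER_PAGE >> 8;
    memcpy(out + SIG, in, SIG);
    return 2 * SIG;
}

/* Fill `pages` pages through `frames` physical frames, count signatures in
   page-out traffic, then scan RAM. Returns the pages accounted for. */
static size_t doublescan(size_t pages, size_t frames, int compress, const char *sig) {
    static unsigned char ram[MAX_FRAMES][PAGE];
    unsigned char out[2 * SIG];
    size_t hits = 0;
    if (frames == 0 || frames > MAX_FRAMES) return 0;
    memset(ram, 0, sizeof ram);
    for (size_t p = 0; p < pages; p++) {
        unsigned char *f = ram[p % frames];
        if (p >= frames)                        /* frame in use: page it out */
            hits += compress ? count_sig(out, toy_compress(f, out), sig)
                             : count_sig(f, PAGE, sig);  /* VxD paging hook */
        for (size_t i = 0; i < PAGE; i += SIG) memcpy(f + i, sig, SIG);
    }
    for (size_t fr = 0; fr < frames; fr++)      /* final physical-memory scan */
        hits += count_sig(ram[fr], PAGE, sig);
    return hits / PER_PAGE;
}

int main(void) {
    printf("plain: %zu of 16 pages, compressed: %zu of 16 pages\n",
           doublescan(16, 10, 0, "DBLSCAN!"), doublescan(16, 10, 1, "DBLSCAN!"));
    return 0;
}
```

With 16 pages written through 10 free frames, the uncompressed run accounts for every page, while the compressed run falls short because each paged-out page keeps only one literal copy of the signature.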
Statements from Syncronys
In fairness to Syncronys, we'll address the major challenges they have made to the analysis and experiments that have been presented. Syncronys states:
"...the compression code is well hidden." Every component of SoftRAM has been thoroughly examined via disassembly and walked through with a system debugger.
"...the tools that have been used are 16-bit tools whereas SoftRAM is made up of 32-bit code." The tools that have been used in the study are all state-of-the-art. Both the debugger, NuMega Technologies' Soft-ICE/W, and the disassembler, V Communications' Sourcer, that were used are equally adept at 16- and 32-bit code.
The SoftRAM story is a fascinating study in how software can rocket to the top of the software retail charts. Fortunately, what we see in this case is generally only possible when a software product works behind the scenes. It is much more difficult to market a word-processing package that doesn't format text, for example, since this is something that will be immediately evident to the casual observer.
More information, including many of the newspaper and magazine articles that have covered SoftRAM, can be found at Andrew Schulman's SoftRAM Web site at: ftp://ftp.ora.com/pub/examples/windows/win95.update/softram.html.
The authors would like to thank Ingo Storm of c't Magazine, Richard Smith of Phar Lap Software, and Larry Seltzer of PC Magazine for their helpful discussions and insights.