Enhanced Mitigation Experience Toolkit (EMET) memory speed analysis

Testing was performed with EMET 3.5.

 

Why RAMspeed?
I looked briefly yesterday for memory benchmarks, and chose RAMspeed because it is simple and the source is available for review. Passmark is a popular piece of software, but it isn’t free.

The (imperfect) test system:
I tested this on my workstation, an HP xw4400, immediately after reboot. This is suitable since we’re really concerned with the difference introduced by EMET, not concerned with comparing different systems, etc:

C:\>ramspeed-win32.exe -i
RAMspeed (Win32) v1.1.1 by Rhett M. Hollander and Paul V. Bolotoff, 2002-09

GenuineIntel family 6 model F stepping 6
Intel Core 2 Duo (Conroe) 65nm processor
BIOS name string: "Intel(R) Core(TM)2 CPU          6600  @ 2.40GHz"
2x I-cache: 32Kb, 8-way, 64 bytes per line
2x D-cache: 32Kb, 8-way, 64 bytes per line
2x I-TLB (4Kb pages): 128 entries, 4-way
2x I-TLB (4Mb pages): 4 entries, 4-way
2x D-TLB (4Kb pages): 16 entries, 4-way
2x D-TLB (4Mb pages): 32 entries, 4-way
S-cache: 4096Kb, 16-way, 64 bytes per line
Scalar: FPU CMOV CX8 CX16 AMD64
Vector: MMX MMX+ SSE SSE2 SSE3
General: MSR FXSR CLFSH SENTER VMX SVM
Addressing: PSE PSE36 PAE PGE PAT MTRR
Monitoring: TSC TMSC TM TM2 MNTR
Other: VME DE MCE MCA APIC DS SS NX

The tests:
As described on the RAMspeed page:

No need to explain here in depth all the benchmarking algorithms implemented in RAMspeed, better look at the documentation supplied and the source code. In general, there are *mark benchmarks such as INTmark, FLOATmark, MMXmark and SSEmark. They operate with linear (sequential) data streams passed through ALU, FPU, MMX and SSE units respectively. They allocate certain memory space and start either writing to or reading from it using continuous blocks sized in power of 2 from 1Kb up to the array boundary. This simple algorithm allows to show how fast are both cache and memory subsystems.

There are also *mem benchmarks such as INTmem, FLOATmem, MMXmem and SSEmem. These are supposed to illustrate how fast is actual read\write memory performance. Each of them includes four subtests called Copy, Scale, Add and Triad. They're synthetic simulations, but correlate with many real world applications. You may have seen them already within STREAM and SiSoft Sandra. All *mem benchmarks support the BatchRun mode to enable high-precision memory performance measurement through multiple passes with averages calculated per pass and per run.

The results:
I produced three sets of results (no EMET, EMET not monitoring the app, EMET monitoring the app). I have run each test five times to produce a reasonable mean average.

For the *mark tests, which perform the test with 15 different size payloads, I created a mean average of all 15 results, then produced a mean average of the five test results.
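The averaging described above, as an added example that is not part of the original post: each run's block-size results are averaged, then the run means are averaged per configuration and compared with the no-EMET baseline. The result-line layout, the configuration labels, the 2x standard deviation noise check and every number in the sample are assumptions constructed for illustration, not the post's measurements.

```python
import re
from statistics import mean, stdev

# Assumed result-line layout (not shown on the page): "... <n> Kb block: <rate> MB/s"
BLOCK_LINE = re.compile(r"(\d+)\s*Kb block:\s*([\d.]+)\s*MB/s")

def run_mean(output):
    """Mean MB/s over every block-size line of one *mark run."""
    rates = [float(m.group(2)) for m in BLOCK_LINE.finditer(output)]
    if not rates:
        raise ValueError("no block-size results found in run output")
    return mean(rates)

def summarise(runs_by_config, baseline):
    """Per configuration: mean of run means, run-to-run stdev, % change vs baseline."""
    stats = {}
    for name, runs in runs_by_config.items():
        per_run = [run_mean(r) for r in runs]
        stats[name] = {"mean": mean(per_run), "stdev": stdev(per_run)}
    base = stats[baseline]["mean"]
    for s in stats.values():
        s["pct_change"] = (s["mean"] - base) / base * 100.0
        # Rough heuristic (an assumption): a gap within twice the baseline's
        # run-to-run spread is treated as indistinguishable from noise.
        s["within_noise"] = abs(s["mean"] - base) <= 2 * stats[baseline]["stdev"]
    return stats

def constructed_run(base, jitter):
    """Constructed sample output: 15 block sizes (1 Kb .. 16384 Kb), made-up rates."""
    return "\n".join(
        f"INTEGER & WRITING {2 ** i:>6} Kb block: {base + 100 * i + jitter:.2f} MB/s"
        for i in range(15)
    )

# Constructed data, five runs per configuration; the labels are hypothetical names.
SAMPLE = {
    "no_emet": [constructed_run(1000, j) for j in (-2, -1, 0, 1, 2)],
    "emet_not_monitoring": [constructed_run(1000, j) for j in (-1, 0, 2, -2, 1)],
    "emet_monitoring": [constructed_run(983, j) for j in (-2, -1, 0, 1, 2)],
}

if __name__ == "__main__":
    for name, s in summarise(SAMPLE, "no_emet").items():
        print(f"{name:20s} {s['mean']:9.2f} MB/s  sd {s['stdev']:.2f}  "
              f"{s['pct_change']:+.2f}%  within noise: {s['within_noise']}")
```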

The *mark tests indicate little to no difference:

The *mem tests do indicate some difference:

Or more proportionally:

Conclusion:
Although EMET does introduce some latency in the RAM I/O process, the increased cost of RAM I/O activity is small enough that the protections EMET provides are worth it. EMET serves as a good complement to additional I/O filter drivers, such as FDE and anti-virus, which can have a much greater I/O hit.

Source data package:
Here is the data I used to produce the above graphs.
