Chapter 26 Further Reading: Interrupts, Exceptions, and Kernel Mode

Primary References

Intel 64 and IA-32 Architectures Software Developer's Manual, Volume 3A: System Programming Guide https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sdm.html Chapters 6 (Interrupt and Exception Handling) and 7 (Task Management) are the hardware specifications for everything in this chapter. Section 6.14 covers the exception summary table with error code format, vector descriptions, and handler requirements. Chapter 7 covers the TSS and IST mechanism in precise detail.

OSDev Wiki — Interrupt Descriptor Table https://wiki.osdev.org/IDT The most-referenced practical guide to IDT setup, with annotated C and assembly code for 32-bit and 64-bit modes. Includes common mistakes, the exact bit layout of gate descriptors, and sample interrupt stubs. The OSDev Wiki is the definitive community reference for x86 bare-metal programming.

OSDev Wiki — 8259A PIC https://wiki.osdev.org/PIC Complete documentation for the 8259A Programmable Interrupt Controller: initialization command words (ICW1–ICW4), masking, EOI, and cascading. Includes the remapping code that every OS must execute before enabling interrupts.

Deep Dives

"Linux Kernel Interrupt Handling" — arch/x86/entry/entry_64.S https://elixir.bootlin.com/linux/latest/source/arch/x86/entry/entry_64.S The actual Linux kernel interrupt and exception entry points. idtentry macro generates the stubs for each exception. error_entry and error_exit handle the common register save/restore around exception handlers. Reading this code with the chapter as background shows exactly how a production kernel implements the concepts covered here.

"Linux Kernel Interrupt Subsystem" — Documentation https://www.kernel.org/doc/html/latest/core-api/genericirq.html The Linux kernel's IRQ abstraction layer documentation. Linux abstracts hardware interrupt controllers (8259A, APIC, GIC for ARM) behind a common interface. Understanding this abstraction helps when working with drivers that use the kernel IRQ API.

"How ptrace Works" — eli.thegreenplace.net https://eli.thegreenplace.net/2011/01/23/how-debuggers-work-part-1 A three-part series on how debuggers use ptrace. Part 1 covers process control (fork/ptrace/wait), Part 2 covers software breakpoints (POKETEXT, the 0xCC trick, resuming), Part 3 covers debug symbols and source-level debugging. One of the best practical explanations of debugger implementation available.

Tools and Utilities

GDB Internals Manual https://sourceware.org/gdb/wiki/Internals How GDB handles breakpoints, watchpoints, single-stepping, and register access. The breakpoint manager section explains the complete lifecycle: insert (POKETEXT with 0xCC), hit (SIGTRAP → save state → present to user), resume (POKETEXT to restore, SETREGS to decrement RIP, SINGLESTEP, re-insert).

x86 Exception Condition Codes — OSDev https://wiki.osdev.org/Exceptions Comprehensive exception reference with exact conditions, error code formats, and handler requirements for all 32 CPU-defined exception vectors. More readable than the Intel manual for quick lookup.

Security Applications

"Anatomy of a Debugger" — Phrack Magazine http://www.phrack.org/archives/issues/67/8.txt (Phrack #67) Assembly-level analysis of debugger internals, anti-debugging techniques, and how malware detects debugger presence. Covers ptrace detection via /proc/self/status, timing attacks to detect single-step mode, and the TF flag manipulation used in anti-analysis. Essential reading for security researchers.

seccomp-bpf — Secure Computing with Filters https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html The Linux mechanism for restricting system calls at the kernel level, used by Chrome, Docker, systemd, and others. Understanding the IDT and syscall handler mechanism is a prerequisite for understanding how seccomp intercepts calls before the syscall table dispatch.