Intel MPX (Memory Protection Extensions) are discontinued set of extensions to the x86 instruction set architecture. With compiler, runtime library and operating system support, Intel MPX claimed to enhance security to software by checking pointer references whose normal compile-time intentions are maliciously exploited at runtime due to buffer overflows. In practice, there have been too many flaws discovered in the design for it to be useful, and support has been deprecated or removed from most compilers and operating systems. Intel has listed MPX as removed in 2019 and onward hardware in section 2.5 of its Intel® 64 and IA-32 Architectures Software Developer's Manual Volume 1.[1]

Extensions

Intel MPX introduces new bounds registers, and new instruction set extensions that operate on these registers. Additionally, there is a new set of "bound tables" that store bounds beyond what can fit in the bounds registers.[2][3][4][5][6]

MPX uses four new 128-bit bounds registers, BND0 to BND3, each storing a pair of 64-bit lower bound (LB) and upper bound (UB) values of a buffer. The upper bound is stored in ones' complement form, with BNDMK (create bounds) and BNDCU (check upper bound) performing the conversion. The architecture includes two configuration registers BNDCFGx (BNDCFGU in user space and BNDCFGS in kernel mode), and a status register BNDSTATUS, which provides a memory address and error code in case of an exception.[7][8]

Two-level address translation is used for storing bounds in memory. The top layer consists of a Bounds Directory (BD) created on the application startup. Each BD entry is either empty or contains a pointer to a dynamically created Bounds Table (BT), which in turn contains a set of pointer bounds along with the linear addresses of the pointers. The bounds load (BNDLDX) and store (BNDSTX) instructions transparently perform the address translation and access bounds in the proper BT entry.[7][8]

Intel MPX was introduced as part of the Skylake microarchitecture.[9]

Intel Goldmont microarchitecture also supports Intel MPX.[9]

Software support

Analysis of Intel MPX

A study examined a detailed cross-layer dissection of the MPX system stack and comparison with three prominent software-based memory protection mechanisms (AddressSanitizer, SAFECode, and SoftBound) and presents the following conclusions.[8]

In addition, a review concluded MPX was not production ready, and AddressSanitizer was a better option.[8] A review by Kostya Serebryany at Google, AddressSanitizer's developer,[22] had similar findings.[23]

Meltdown

Another study[24] exploring the scope of Spectre and Meltdown security vulnerabilities discovered that Meltdown can be used to bypass Intel MPX, using the Bound Range Exceeded (#BR) hardware exception. According to their publication, the researchers were able to leak information through a Flush+Reload covert channel from an out-of-bound access on an array safeguarded by the MPX system. Their Proof Of Concept has not been publicly disclosed.

See also

References

  1. ^ Intel® 64 and IA-32 Architectures Software Developer's Manual Volume 1: Basic Architecture. Intel. November 2020. Retrieved 2021-03-03.
  2. ^ "Intel ISA Extensions". Intel. Retrieved 2013-11-04.
  3. ^ "Introduction to Intel Memory Protection Extensions". Intel. 2013-07-16. Retrieved 2013-09-10.
  4. ^ "Discussion of Intel Memory Protection Extensions (MPX) and comparison with AddressSanitizer". code.google.com. Retrieved 2013-11-04.
  5. ^ "Intel® Memory Protection Extensions (Intel® MPX) support in the GCC compiler". gcc.gnu.org. Retrieved 2013-11-04.
  6. ^ "Intel MPX Explained: Storing bounds in memory". intel-mpx.github.io. Retrieved 2017-02-06.
  7. ^ a b "Intel Architecture Instruction Set Extensions Programming Reference" (PDF). Intel. December 2013. Retrieved 2014-01-17.
  8. ^ a b c d Oleksenko, Oleksii; Kuvaiskii, Dmitrii; Bhatotia, Pramod; Felber, Pascal; Fetzer, Christof (2017). "Intel MPX Explained: An Empirical Study of Intel MPX and Software-based Bounds Checking Approaches". arXiv:1702.00719 [cs.CR].
  9. ^ a b "Intel Software Development Emulator". Intel. 2012-06-15. Retrieved 2013-11-04.
  10. ^ a b "Design of Intel MPX". Intel.
  11. ^ "GCC 9 Looks Set To Remove Intel MPX Support". Phoronix. Retrieved 2018-04-27.
  12. ^ "Intel MPX Support Removed From GCC 9 - Phoronix". www.phoronix.com.
  13. ^ "Linux kernel 3.19, Section 1.2. Support for the Intel Memory Protection Extensions". kernelnewbies.org. February 9, 2015. Retrieved February 9, 2015.
  14. ^ Jonathan Corbet (January 29, 2014). "Supporting Intel MPX in Linux". LWN.net. Retrieved February 9, 2015.
  15. ^ "The Linux Kernel Might Drop Memory Protection Extensions Support". Phoronix.
  16. ^ "[GIT PULL] x86: remove Intel MPX".
  17. ^ "[PATCH 0/3] [RFC] x86: start the MPX removal process".
  18. ^ "Intel MPX Support Is Dead With Linux 5.6 - Phoronix". www.phoronix.com.
  19. ^ "ChangeLog/2.6".
  20. ^ "QEMU 4 arrives with toys for Arm admirers, RISC-V revolutionaries, POWER patriots... you get the idea". The Register.
  21. ^ "Visual Studio 2015 Update 1: New Experimental Feature – MPX". Microsoft. 2016-01-20.
  22. ^ "Konstantin Serebryany - Research at Google". research.google.com.
  23. ^ "Discussion of Intel Memory Protection Extensions (MPX) and comparison with AddressSanitizer". GitHub. Retrieved 2013-11-04.
  24. ^ Canella, Claudio; Van Bulck, Jo; Schwarz, Michael; Lipp, Moritz; von Berg, Benjamin; Ortner, Philipp; Piessens, Frank; Evtyushkin, Dmitry; Gruss, Daniel (2018). "A Systematic Evaluation of Transient Execution Attacks and Defenses". arXiv:1811.05441 [cs.CR].