Intel MPX

Last updated

Intel MPX (Memory Protection Extensions) are discontinued set of extensions to the x86 instruction set architecture. With compiler, runtime library and operating system support, Intel MPX claimed to enhance security to software by checking pointer references whose normal compile-time intentions are maliciously exploited at runtime due to buffer overflows. In practice, there have been too many flaws discovered in the design for it to be useful, and support has been deprecated or removed from most compilers and operating systems. Intel has listed MPX as removed in 2019 and onward hardware in section 2.5 of its Intel® 64 and IA-32 Architectures Software Developer's Manual Volume 1. [1]

Contents

Extensions

Intel MPX introduces new bounds registers, and new instruction set extensions that operate on these registers. Additionally, there is a new set of "bound tables" that store bounds beyond what can fit in the bounds registers. [2] [3] [4] [5] [6]

MPX uses four new 128-bit bounds registers, BND0 to BND3, each storing a pair of 64-bit lower bound (LB) and upper bound (UB) values of a buffer. The upper bound is stored in ones' complement form, with BNDMK (create bounds) and BNDCU (check upper bound) performing the conversion. The architecture includes two configuration registers BNDCFGx (BNDCFGU in user space and BNDCFGS in kernel mode), and a status register BNDSTATUS, which provides a memory address and error code in case of an exception. [7] [8]

Two-level address translation is used for storing bounds in memory. The top layer consists of a Bounds Directory (BD) created on the application startup. Each BD entry is either empty or contains a pointer to a dynamically created Bounds Table (BT), which in turn contains a set of pointer bounds along with the linear addresses of the pointers. The bounds load (BNDLDX) and store (BNDSTX) instructions transparently perform the address translation and access bounds in the proper BT entry. [7] [8]

Intel MPX was introduced as part of the Skylake microarchitecture. [9]

Intel Goldmont microarchitecture also supports Intel MPX. [9]

Software support

Analysis of Intel MPX

A study examined a detailed cross-layer dissection of the MPX system stack and comparison with three prominent software-based memory protection mechanisms (AddressSanitizer, SAFECode, and SoftBound) and presents the following conclusions. [8]

In addition, a review concluded MPX was not production ready, and AddressSanitizer was a better option. [8] A review by Kostya Serebryany at Google, AddressSanitizer's developer, [22] had similar findings. [23]

Meltdown

Another study [24] exploring the scope of Spectre and Meltdown security vulnerabilities discovered that Meltdown can be used to bypass Intel MPX, using the Bound Range Exceeded (#BR) hardware exception. According to their publication, the researchers were able to leak information through a Flush+Reload covert channel from an out-of-bound access on an array safeguarded by the MPX system. Their Proof Of Concept has not been publicly disclosed.

See also

Related Research Articles

x86 Family of instruction set architectures

x86 is a family of complex instruction set computer (CISC) instruction set architectures initially developed by Intel based on the Intel 8086 microprocessor and its 8088 variant. The 8086 was introduced in 1978 as a fully 16-bit extension of Intel's 8-bit 8080 microprocessor, with memory segmentation as a solution for addressing more memory than can be covered by a plain 16-bit address. The term "x86" came into being because the names of several successors to Intel's 8086 processor end in "86", including the 80186, 80286, 80386 and 80486 processors. Colloquially, their names were "186", "286", "386" and "486".

<span class="mw-page-title-main">Single instruction, multiple data</span> Type of parallel processing

Single instruction, multiple data (SIMD) is a type of parallel processing in Flynn's taxonomy. SIMD can be internal and it can be directly accessible through an instruction set architecture (ISA), but it should not be confused with an ISA. SIMD describes computers with multiple processing elements that perform the same operation on multiple data points simultaneously.

In computer architecture, 64-bit integers, memory addresses, or other data units are those that are 64 bits wide. Also, 64-bit central processing units (CPU) and arithmetic logic units (ALU) are those that are based on processor registers, address buses, or data buses of that size. A computer that uses such a processor is a 64-bit computer.

x86 memory segmentation refers to the implementation of memory segmentation in the Intel x86 computer instruction set architecture. Segmentation was introduced on the Intel 8086 in 1978 as a way to allow programs to address more than 64 KB (65,536 bytes) of memory. The Intel 80286 introduced a second version of segmentation in 1982 that added support for virtual memory and memory protection. At this point the original mode was renamed to real mode, and the new version was named protected mode. The x86-64 architecture, introduced in 2003, has largely dropped support for segmentation in 64-bit mode.

x86 assembly language is the name for the family of assembly languages which provide some level of backward compatibility with CPUs back to the Intel 8008 microprocessor, which was launched in April 1972. It is used to produce object code for the x86 class of processors.

x86-64 64-bit version of x86 architecture

x86-64 is a 64-bit version of the x86 instruction set, first announced in 1999. It introduced two new modes of operation, 64-bit mode and compatibility mode, along with a new 4-level paging mode.

In computing, Physical Address Extension (PAE), sometimes referred to as Page Address Extension, is a memory management feature for the x86 architecture. PAE was first introduced by Intel in the Pentium Pro, and later by AMD in the Athlon processor. It defines a page table hierarchy of three levels (instead of two), with table entries of 64 bits each instead of 32, allowing these CPUs to directly access a physical address space larger than 4 gigabytes (232 bytes).

In computer programming, bounds checking is any method of detecting whether a variable is within some bounds before it is used. It is usually used to ensure that a number fits into a given type, or that a variable being used as an array index is within the bounds of the array. A failed bounds check usually results in the generation of some sort of exception signal.

Buffer overflow protection is any of various techniques used during software development to enhance the security of executable programs by detecting buffer overflows on stack-allocated variables, and preventing them from causing program misbehavior or from becoming serious security vulnerabilities. A stack buffer overflow occurs when a program writes to a memory address on the program's call stack outside of the intended data structure, which is usually a fixed-length buffer. Stack buffer overflow bugs are caused when a program writes more data to a buffer located on the stack than what is actually allocated for that buffer. This almost always results in corruption of adjacent data on the stack, which could lead to program crashes, incorrect operation, or security issues.

<span class="mw-page-title-main">Blackfin</span> Family of 16-/32-bit microprocessors

The Blackfin is a family of 16-/32-bit microprocessors developed, manufactured and marketed by Analog Devices. The processors have built-in, fixed-point digital signal processor (DSP) functionality performed by 16-bit multiply–accumulates (MACs), accompanied on-chip by a microcontroller. It was designed for a unified low-power processor architecture that can run operating systems while simultaneously handling complex numeric tasks such as real-time H.264 video encoding.

<span class="mw-page-title-main">QEMU</span> Free virtualization and emulation software

QEMU is a free and open-source emulator. It emulates a computer's processor through dynamic binary translation and provides a set of different hardware and device models for the machine, enabling it to run a variety of guest operating systems. It can interoperate with Kernel-based Virtual Machine (KVM) to run virtual machines at near-native speed. QEMU can also do emulation for user-level processes, allowing applications compiled for one architecture to run on another.

Intel oneAPI DPC++/C++ Compiler and Intel C++ Compiler Classic are Intel’s C, C++, SYCL, and Data Parallel C++ (DPC++) compilers for Intel processor-based systems, available for Windows, Linux, and macOS operating systems.

Advanced Vector Extensions are SIMD extensions to the x86 instruction set architecture for microprocessors from Intel and Advanced Micro Devices (AMD). They were proposed by Intel in March 2008 and first supported by Intel with the Sandy Bridge processor shipping in Q1 2011 and later by AMD with the Bulldozer processor shipping in Q3 2011. AVX provides new features, new instructions, and a new coding scheme.

RDRAND is an instruction for returning random numbers from an Intel on-chip hardware random number generator which has been seeded by an on-chip entropy source. Intel introduced the feature around 2012, and AMD added support for the instruction in June 2015.

Transactional Synchronization Extensions (TSX), also called Transactional Synchronization Extensions New Instructions (TSX-NI), is an extension to the x86 instruction set architecture (ISA) that adds hardware transactional memory support, speeding up execution of multi-threaded software through lock elision. According to different benchmarks, TSX/TSX-NI can provide around 40% faster applications execution in specific workloads, and 4–5 times more database transactions per second (TPS).

Supervisor Mode Access Prevention (SMAP) is a feature of some CPU implementations such as the Intel Broadwell microarchitecture that allows supervisor mode programs to optionally set user-space memory mappings so that access to those mappings from supervisor mode will cause a trap. This makes it harder for malicious programs to "trick" the kernel into using instructions or data from a user-space program.

<span class="mw-page-title-main">AArch64</span> 64-bit extension of the ARM architecture

AArch64 or ARM64 is the 64-bit extension of the ARM architecture family.

A code sanitizer is a programming tool that detects bugs in the form of undefined or suspicious behavior by a compiler inserting instrumentation code at runtime. The class of tools was first introduced by Google's AddressSanitizer of 2012, which uses directly mapped shadow memory to detect memory corruption such as buffer overflows or accesses to a dangling pointer (use-after-free).

Advanced Matrix Extensions (AMX), also known as Intel Advanced Matrix Extensions, are extensions to the x86 instruction set architecture (ISA) for microprocessors from Intel designed to work on matrices to accelerate artificial intelligence (AI) and machine learning (ML) workloads.

References

  1. Intel® 64 and IA-32 Architectures Software Developer's Manual Volume 1: Basic Architecture. Intel. November 2020. Retrieved 2021-03-03.
  2. "Intel ISA Extensions". Intel . Retrieved 2013-11-04.
  3. "Introduction to Intel Memory Protection Extensions". Intel. 2013-07-16. Retrieved 2013-09-10.
  4. "Discussion of Intel Memory Protection Extensions (MPX) and comparison with AddressSanitizer". code.google.com. Retrieved 2013-11-04.
  5. "Intel® Memory Protection Extensions (Intel® MPX) support in the GCC compiler". gcc.gnu.org. Retrieved 2013-11-04.
  6. "Intel MPX Explained: Storing bounds in memory". intel-mpx.github.io. Retrieved 2017-02-06.
  7. 1 2 "Intel Architecture Instruction Set Extensions Programming Reference" (PDF). Intel. December 2013. Retrieved 2014-01-17.
  8. 1 2 3 4 Oleksenko, Oleksii; Kuvaiskii, Dmitrii; Bhatotia, Pramod; Felber, Pascal; Fetzer, Christof (2017). "Intel MPX Explained: An Empirical Study of Intel MPX and Software-based Bounds Checking Approaches". arXiv: 1702.00719 [cs.CR].
  9. 1 2 "Intel Software Development Emulator". Intel. 2012-06-15. Retrieved 2013-11-04.
  10. 1 2 "Design of Intel MPX". Intel.
  11. "GCC 9 Looks Set To Remove Intel MPX Support". Phoronix . Retrieved 2018-04-27.
  12. "Intel MPX Support Removed From GCC 9 - Phoronix". www.phoronix.com.
  13. "Linux kernel 3.19, Section 1.2. Support for the Intel Memory Protection Extensions". kernelnewbies.org. February 9, 2015. Retrieved February 9, 2015.
  14. Jonathan Corbet (January 29, 2014). "Supporting Intel MPX in Linux". LWN.net . Retrieved February 9, 2015.
  15. "The Linux Kernel Might Drop Memory Protection Extensions Support". Phoronix.
  16. "[GIT PULL] x86: remove Intel MPX".
  17. "[PATCH 0/3][RFC] x86: start the MPX removal process".
  18. "Intel MPX Support Is Dead With Linux 5.6 - Phoronix". www.phoronix.com.
  19. "ChangeLog/2.6".
  20. "QEMU 4 arrives with toys for Arm admirers, RISC-V revolutionaries, POWER patriots... you get the idea". The Register .
  21. "Visual Studio 2015 Update 1: New Experimental Feature – MPX". Microsoft. 2016-01-20.
  22. "Konstantin Serebryany - Research at Google". research.google.com.
  23. "Discussion of Intel Memory Protection Extensions (MPX) and comparison with AddressSanitizer". GitHub . Retrieved 2013-11-04.
  24. Canella, Claudio; Van Bulck, Jo; Schwarz, Michael; Lipp, Moritz; von Berg, Benjamin; Ortner, Philipp; Piessens, Frank; Evtyushkin, Dmitry; Gruss, Daniel (2018). "A Systematic Evaluation of Transient Execution Attacks and Defenses". arXiv: 1811.05441 [cs.CR].
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.