Intel MPX
{{Short description|Set of extensions to the x86 instruction set architecture}}
{{Distinguish|Intel XMP}}
Intel MPX (Memory Protection Extensions) are a discontinued set of extensions to the x86 instruction set architecture. With compiler, runtime library and operating system support, Intel MPX claimed to enhance security to software by checking pointer references whose normal compile-time intentions are maliciously exploited at runtime due to buffer overflows. In practice, there have been too many flaws discovered in the design for it to be useful, and support has been deprecated or removed from most compilers and operating systems. Intel has listed MPX as removed in 2019 and onward hardware in section 2.5 of its Intel® 64 and IA-32 Architectures Software Developer's Manual Volume 1.{{cite book
| title = Intel® 64 and IA-32 Architectures Software Developer's Manual Volume 1: Basic Architecture
| date = November 2020
| publisher = Intel
| url = https://software.intel.com/content/www/us/en/develop/download/intel-64-and-ia-32-architectures-software-developers-manual-volume-1-basic-architecture.html
| access-date = 2021-03-03
}}
Extensions
Intel MPX introduces new bounds registers, and new instruction set extensions that operate on these registers. Additionally, there is a new set of "bound tables" that store bounds beyond what can fit in the bounds registers.{{cite web
| url = https://software.intel.com/en-us/isa-extensions
| title = Intel ISA Extensions
| access-date = 2013-11-04
| publisher = Intel
| url = https://software.intel.com/en-us/articles/introduction-to-intel-memory-protection-extensions
| title = Introduction to Intel Memory Protection Extensions
| date = 2013-07-16
| access-date = 2013-09-10
| publisher = Intel
| url = https://code.google.com/p/address-sanitizer/wiki/IntelMemoryProtectionExtensions
| title = Discussion of Intel Memory Protection Extensions (MPX) and comparison with AddressSanitizer
| access-date = 2013-11-04
| website = code.google.com
| url = https://gcc.gnu.org/wiki/Intel%20MPX%20support%20in%20the%20GCC%20compiler
| title = Intel® Memory Protection Extensions (Intel® MPX) support in the GCC compiler
| access-date = 2013-11-04
| website = gcc.gnu.org
| url = https://intel-mpx.github.io/design/#boundstore
| title = Intel MPX Explained: Storing bounds in memory
| access-date = 2017-02-06
| website = intel-mpx.github.io
}}
MPX uses four new 128-bit bounds registers, BND0 to BND3, each storing a pair of 64-bit lower bound (LB) and upper bound (UB) values of a buffer. The upper bound is stored in ones' complement form, with BNDMK (create bounds) and BNDCU (check upper bound) performing the conversion. The architecture includes two configuration registers BNDCFGx (BNDCFGU in user space and BNDCFGS in kernel mode), and a status register BNDSTATUS, which provides a memory address and error code in case of an exception.{{Cite web
| url = https://software.intel.com/en-us/intel-architecture-instruction-set-extensions-programming-reference
| title = Intel Architecture Instruction Set Extensions Programming Reference
| date = December 2013
| access-date = 2014-01-17
| publisher = Intel
| format = PDF
{{cite arXiv
| eprint=1702.00719
| title = Intel MPX Explained: An Empirical Study of Intel MPX and Software-based Bounds Checking Approaches
| date = 2017
| last1 = Oleksenko
| first1 = Oleksii
| last2 = Kuvaiskii
| first2 = Dmitrii
| last3 = Bhatotia
| first3 = Pramod
| last4 = Felber
| first4 = Pascal
| last5 = Fetzer
| first5 = Christof
| class = cs.CR
}}
Two-level address translation is used for storing bounds in memory. The top layer consists of a Bounds Directory (BD) created on the application startup. Each BD entry is either empty or contains a pointer to a dynamically created Bounds Table (BT), which in turn contains a set of pointer bounds along with the linear addresses of the pointers. The bounds load (BNDLDX) and store (BNDSTX) instructions transparently perform the address translation and access bounds in the proper BT entry.
Intel MPX was introduced as part of the Skylake microarchitecture.{{cite web
| url = https://software.intel.com/en-us/articles/intel-software-development-emulator
| title = Intel Software Development Emulator
| date = 2012-06-15
| access-date = 2013-11-04
| publisher = Intel
}}
Intel Goldmont microarchitecture also supports Intel MPX.
Software support
- glibc removed support in version 2.35.
- GNU Compiler Collection (GCC) 5.0 added support for MPX. In 2018, support for these extensions waned due to maintenance burdens and Intel developers intermittently contributing patches, resulting in a proposal to drop support in GCC 9.0.{{Cite web
| url=https://www.phoronix.com/scan.php?page=news_item&px=GCC-Patch-To-Drop-MPX
| title=GCC 9 Looks Set To Remove Intel MPX Support
| publisher=Phoronix
| language=en
| access-date=2018-04-27}} Support was removed in GCC 9.1.{{Cite web|url=https://www.phoronix.com/scan.php?page=news_item&px=MPX-Removed-From-GCC9|title=Intel MPX Support Removed From GCC 9 - Phoronix|website=www.phoronix.com}}
- Intel C++ Compiler (icc) 15.0 added support for Intel MPX.{{cite web
| url=https://intel-mpx.github.io/design/
| title=Design of Intel MPX|publisher=Intel}}
- Kernel-level software support for Intel MPX was merged into the Linux kernel mainline in kernel version 3.19, which was released on February 8, 2015.{{cite web
| url = http://kernelnewbies.org/Linux_3.19
| title = Linux kernel 3.19, Section 1.2. Support for the Intel Memory Protection Extensions
| date = February 9, 2015
| access-date = February 9, 2015
| website = kernelnewbies.org}}{{cite web
| url = https://lwn.net/Articles/582712/
| title = Supporting Intel MPX in Linux
| date = January 29, 2014
| author = Jonathan Corbet
| publisher = LWN.net
| access-date = February 9, 2015}} In 2018, Thomas Gleixner proposed removing MPX support from Linux kernel 4.18.{{cite web
| url=https://www.phoronix.com/scan.php?page=news_item&px=Linux-Kernel-Weighing-Intel-MPX
| title=The Linux Kernel Might Drop Memory Protection Extensions Support
| publisher=Phoronix}} The pull request with its removal was posted in December 2018, during 4.20 development cycle,{{cite web
| url = http://lkml.iu.edu/hypermail/linux/kernel/1812.0/04478.html
| title = [GIT PULL] x86: remove Intel MPX}} but wasn't accepted. The second attempt was made in July 2019.{{cite web
| url=https://lkml.org/lkml/2019/7/5/587
| title=[PATCH 0/3] [RFC] x86: start the MPX removal process
}} MPX support was removed in 5.6.{{Cite web|url=https://www.phoronix.com/scan.php?page=news_item&px=Intel-MPX-Is-Dead|title=Intel MPX Support Is Dead With Linux 5.6 - Phoronix|website=www.phoronix.com}}
- QEMU supported MPX since version 2.6{{cite web
| url=https://wiki.qemu.org/ChangeLog/2.6
| title=ChangeLog/2.6
}} and dropped its support in 4.0 release.{{cite web
| url=https://www.theregister.co.uk/2019/04/25/qemu_4/
| title=QEMU 4 arrives with toys for Arm admirers, RISC-V revolutionaries, POWER patriots... you get the idea| website=The Register}}
- Microsoft Visual Studio 2015 Update 1 added experimental support for MPX.{{cite web
| url=https://blogs.msdn.microsoft.com/vcblog/2016/01/20/visual-studio-2015-update-1-new-experimental-feature-mpx/
| title=Visual Studio 2015 Update 1: New Experimental Feature – MPX
| publisher=Microsoft| date=2016-01-20
}}
Analysis
A study examined a detailed cross-layer dissection of the MPX system stack and comparison with three prominent software-based memory protection mechanisms (AddressSanitizer, SAFECode, and SoftBound) and presents the following conclusions.
- Even though Intel MPX is a specially designed hardware-assisted approach with its own added set of hardware registers, it is not faster than any of the software-based approaches. New Intel MPX instructions can cause up to 4× slowdown in the worst case, although compiler optimizations amortize it and lead to runtime overheads of ~50% on average.
- In contrast to the other software-based solutions, Intel MPX provides no protection against temporal memory safety errors.
- Reading and writing from the doubly-indirected bounds tables is not thread-safe.
- MPX does not support several common C/C++ programming idioms, such as flexible array members, referencing one field as an offset from another, etc.
- MPX conflicts with some other ISA extensions, resulting in performance and security issues. More specifically, these issues arise when Intel MPX is used in combination with other hardware-based protection mechanisms, such as Intel TSX and Intel SGX.
- MPX instructions incur a significant performance penalty (15+%) even on Intel CPUs without MPX support.
In addition, a review concluded MPX was not production ready, and AddressSanitizer was a better option. A review by Kostya Serebryany at Google, AddressSanitizer's developer,{{Cite web |last=Serebryany |first=Konstantin |title=Konstantin Serebryany |url=https://research.google.com/pubs/KonstantinSerebryany |url-status=dead |archive-url=https://web.archive.org/web/20230727153419/https://research.google/people/KonstantinSerebryany/ |archive-date=2023-07-27 |access-date=2024-07-18 |website=Google Research |language=en}} had similar findings.{{Cite web|title=Address Sanitizer Intel Memory Protection Extensions |url=https://github.com/google/sanitizers/wiki/AddressSanitizerIntelMemoryProtectionExtensions |url-status=live |archive-url=https://web.archive.org/web/20240718183709/https://github.com/google/sanitizers/wiki/AddressSanitizerIntelMemoryProtectionExtensions |archive-date=2024-07-18 |access-date=2013-11-04 |website=GitHub |language=en}}
=Meltdown=
Another study{{Cite arXiv|title=A Systematic Evaluation of Transient Execution Attacks and Defenses |eprint = 1811.05441|last1 = Canella|first1 = Claudio|last2 = Van Bulck|first2 = Jo|last3 = Schwarz|first3 = Michael|last4 = Lipp|first4 = Moritz|last5 = von Berg|first5 = Benjamin|last6 = Ortner|first6 = Philipp|last7 = Piessens|first7 = Frank|last8 = Evtyushkin|first8 = Dmitry|last9 = Gruss|first9 = Daniel|class = cs.CR|year = 2018}} exploring the scope of Spectre and Meltdown security vulnerabilities discovered that Meltdown can be used to bypass Intel MPX, using the Bound Range Exceeded (#BR) hardware exception. According to their publication, the researchers were able to leak information through a Flush+Reload covert channel from an out-of-bound access on an array safeguarded by the MPX system. Their Proof Of Concept has not been publicly disclosed.
See also
References
{{Reflist}}
External links
- {{cite book
| title = Intel Architecture Instruction Set Extensions Programming Reference
| date = July 2013
| publisher = Intel
| url = https://software.intel.com/sites/default/files/managed/07/b7/319433-023.pdf
| access-date = 2016-01-10
}}
- {{cite arXiv
| title = Intel MPX Explained: An Empirical Study of Intel MPX and Software-based Bounds Checking Approaches
| last1 = Oleksenko
| first1 = Oleksii
| last2 = Kuvaiskii
| first2 = Dmitrii
| last3 = Bhatotia
| first3 = Pramod
| last4 = Felber
| first4 = Pascal
| last5 = Fetzer
| first5 = Christof
| date = 2017
| eprint = 1702.00719
| class = cs.CR
}} Online supplementary material at https://intel-mpx.github.io.
- {{cite web
| title = Introduction to Intel Memory Protection Extensions
| date = 2013-07-16
| publisher = Intel
| access-date = 2013-09-10
| url = https://software.intel.com/en-us/articles/introduction-to-intel-memory-protection-extensions
}}
- {{cite web
| url = https://software.intel.com/en-us/isa-extensions
| title = Intel ISA Extensions
| access-date = 2013-11-04
| publisher = Intel
}}
- {{cite web
| url = https://gcc.gnu.org/wiki/Intel%20MPX%20support%20in%20the%20GCC%20compiler
| title = Intel® Memory Protection Extensions (Intel® MPX) support in the GCC compiler
| access-date = 2013-11-04
| website = gcc.gnu.org
}}
- {{cite web
| url = https://01.org/blogs/2016/intel-mpx-linux
| title = Intel® Memory Protection Extensions (Intel® MPX) for Linux
| first = Dave
| last = Hansen
| date = 2016-03-16
| access-date= 2018-05-17}}
{{CPU technologies}}
{{Multimedia extensions}}