

# Intel MPX Explained

A Cross-layer Analysis of the Intel MPX System Stack

[intel-mpx.github.io](https://intel-mpx.github.io)

---

Pascal Felber



Oleksii Oleksenko,  
Dmitrii Kuvaiskii, Christof Fetzer



Pramod Bhatotia



THE UNIVERSITY of EDINBURGH

Memory error: an access to an unintended memory region

- Spatial errors: unintended address
  - E.g., buffer overflow, stack overflow
- Temporal errors: unintended time
  - E.g., double free, dangling pointers

# Memory errors: a major threat



Felix Wilhelm  
 @\_fel1x


ISC patched two interesting bugs in their DHCP codebase: A global buffer overflow triggerable over DHCPv6 and a refcount overflow -> use-after-free bug in their option parsing: [lists.isc.org/pipermail/dhcp...](https://lists.isc.org/pipermail/dhcp...) and [lists.isc.org/pipermail/dhcp...](https://lists.isc.org/pipermail/dhcp...)



nixCraft  
 @nixcraft


ALL versions of Exim MTA affected by buffer overflow vulnerability that allows an attacker to run code remotely (CVE-2018-6789). Patch your Linux/Unix server ASAP.



hanno  
 @hanno


Stack buffer overflow in WolfSSL before 3.13.0 [blog.fuzzing-project.org/63-Stack-buffe...](https://blog.fuzzing-project.org/63-Stack-buffe...)

3:49 PM · 24 Mar 2018



#cloudbleed


## NATIONAL VULNERABILITY DATABASE


### Search Results

#### Search Parameters:

- Results Type: Overview
- Search Type: Search All
- Category (CWE): CWE-119 - Buffer Errors
- Published Start Date: 01/01/2017
- Published End Date: 12/31/2017

There are **2,530** matching records.  




# Intel MPX

## Hardware-assisted memory protection




- Add the new instructions
- Runtime support
  - Manage memory and handle errors
- New instructions: check safety
- New registers: store metadata
# Intel MPX

- A ready solution
  - Available in recent CPUs
  - Supported by major compilers (GCC, ICC)
- And yet, not adopted in practice

Our study:  
**What went wrong?**

What caused the issues?  
What can we learn from it?

# A brief overview



Details: <http://intel-mpx.github.io>

# Performance

Average slowdown:

| Approach              | PARSEC | SPEC  | Phoenix |
|-----------------------|--------|-------|---------|
| **MPX** (ICC version) | 25 %   | 61 %  | 56 %    |
| AddressSanitizer      | 43 %   | 62 %  | 60 %    |
| SAFECode              | 182 %  | 129 % | 5 %     |
| SoftBound             | 183 %  | 103 % | 168 %   |


Not significantly better than SW solutions

# Security

- Comparable / better security guarantees
- A few issues
  - multithreading support
  - temporal errors
  - could be fixed in future generations
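
The temporal-error gap listed above, as an added example that is not from the slides or from any MPX toolchain: a software model of per-pointer bounds in which a check modelled on `bndcl`/`bndcu` rejects an out-of-bounds access but still accepts a stale pointer after its object was released. The names `bounded_ptr`, `toy_alloc`, `toy_release_all` and `bnd_check` and the toy arena allocator are assumptions made for illustration.

```c
/* Added example: software model of MPX-style per-pointer bounds.
   bounded_ptr, toy_alloc, toy_release_all and bnd_check are hypothetical names. */
#include <stddef.h>
#include <stdint.h>
static unsigned char arena[64];  /* toy heap: stale pointers stay inside this array */
static size_t arena_top;

typedef struct {
    unsigned char *p;   /* the pointer value */
    uintptr_t lb, ub;   /* inclusive bounds, the metadata a bndmk would produce */
} bounded_ptr;

/* Bump allocator that attaches bounds to every pointer it hands out. */
static bounded_ptr toy_alloc(size_t n) {
    bounded_ptr b;
    b.p = arena + arena_top;
    b.lb = (uintptr_t)b.p;
    b.ub = b.lb + n - 1;
    arena_top += n;
    return b;
}

/* Ends the lifetime of all objects; bounds held by old pointers are not revoked. */
static void toy_release_all(void) { arena_top = 0; }

/* Model of bndcl + bndcu: 1 if [p+off, p+off+len-1] lies inside [lb, ub]. */
static int bnd_check(const bounded_ptr *b, size_t off, size_t len) {
    uintptr_t a = (uintptr_t)b->p + off;
    return len > 0 && a >= b->lb && a <= b->ub && len - 1 <= b->ub - a;
}

/* Spatial error: last byte accepted; one past the end and a straddling read rejected. */
int spatial_error_caught(void) {
    toy_release_all();
    bounded_ptr buf = toy_alloc(16);
    return bnd_check(&buf, 15, 1) && !bnd_check(&buf, 16, 1) && !bnd_check(&buf, 12, 8);
}

/* Temporal error: the stale pointer aliases a new object and still passes the check. */
int temporal_error_missed(void) {
    toy_release_all();
    bounded_ptr old = toy_alloc(16);
    toy_release_all();
    bounded_ptr fresh = toy_alloc(16);  /* same address is handed out again */
    fresh.p[0] = 0x41;
    return bnd_check(&old, 0, 1) && old.p == fresh.p && old.p[0] == 0x41;
}

int main(void) { return !(spatial_error_caught() && temporal_error_missed()); }
```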

# Usability

- Applications may need modifications
  - Non-standard idioms
  - Ad-hoc memory management


Our experience:

[Figure: charts for Phoenix, PARSEC and SPEC. Legend: no changes required, minor changes, mem. model violation]

# Obstacles to Adoption

- Performance
  - High runtime cost
- Usability
  - Necessary modifications

**Not security**

(at least, not to a large extent)


# Lessons Learned

1. It is cheaper not to save on hardware
  - Parallel checks ⇒ improved performance
  - Bounds cache ⇒ reduced cache contention
2. Protection should be transparent
  - Embedded checks ⇒ fewer application changes
  - Atomic checks ⇒ no multithreading issues
3. Defence should be complete
  - Temporal protection ⇒ complete security solution


# Summary

- MPX: an evolutionary improvement
  - Compromises hindered adoption
- Security is not enough
  - Strive for transparent and low-cost protection
- Realistic solution requires radical redesign



<https://intel-mpx.github.io/>



<https://github.com/tudinfse/intel_mpx_explained>

Thanks!

oleksii.oleksenko@tu-dresden.de

Twitter: @oleksii\_o



# Backup

# SW approaches

(a) Trip-wire:  
AddressSanitizer



(b) Object-based:  
SAFECode



(c) Pointer-based:  
SoftBound



# Bound address translation



# BT allocation



# Execution ports

① bndmk ② bndcl/bndcu ③ bndmov ④ bndldx ⑤ bndstx

---



# Bounds checking bottleneck

(a) Only load



(b) Direct bounds checks and load



(c) Relative bounds checks and load



# Runtime overhead



# Cache effects



# Instruction overheads



# IPC



# Memory overheads



# MPX instructions



# MPX features



# Multithreading



# Performance (Haswell)



# Case studies: Apache, Memcached, Nginx



# Usability

