Abstract
Memory-safety violations are the primary cause of security and reliability issues in software systems written in unsafe languages. Given the limited adoption of decades of research into software-based memory-safety approaches, Intel released Memory Protection Extensions (MPX) as an alternative: a hardware-assisted technique to achieve memory safety. In this work, we perform an exhaustive study of the Intel MPX architecture along three dimensions: (a) performance overheads, (b) security guarantees, and (c) usability issues. We present the first detailed root-cause analysis of problems in the Intel MPX architecture through a cross-layer dissection of the entire system stack, involving the hardware, operating system, compilers, and applications. To put our findings into perspective, we also present an in-depth comparison of Intel MPX with three prominent types of software-based memory-safety approaches. Lastly, based on our investigation, we propose directions for potential changes to the Intel MPX architecture to aid the design-space exploration of future hardware extensions for memory safety.
Intel MPX Explained: A Cross-layer Analysis of the Intel MPX System Stack. Published in SIGMETRICS '18: Abstracts of the 2018 ACM International Conference on Measurement and Modeling of Computer Systems.