The C and C++ languages provide for memory access via pointers, however, these languages do not ensure the safe use of pointers. Left undetected, the unsafe use of pointers puts an application at risk of data corruption or malicious attack via buffer overruns and overflows.
Intel is always looking to enhance systems so they run more securely. The launch of Intel® Parallel Studio XE 2013 brought with it a new feature called Pointer Checker to help address identifying buffer overrun and overflow conditions (see Pointer Checker). Today, following Intel’s hardware-assisted approach to security, much of Pointer Checker’s functionality is being embedded into the hardware in order to provide more robust, vulnerability-resistant platforms. By adding extensions to the underlying architecture, Intel® Memory Protection Extensions (Intel® MPX) achieves improved performance over Pointer Checker’s software based solutions allowing for practical memory access protection during deployment.1
Intel MPX is a set of processor features which, with compiler, runtime library and OS support, brings increased robustness to software by checking pointer references whose compile time normal intentions are usurped at runtime due to buffer overflow.
Throughout the development of Intel MPX, two primary goals were to provide this capability at low performance overhead for newly compiled code and to maintain compatibility with legacy2 software components.
Intel® MPX is designed to allow a system3 to run both Intel MPX enabled software and legacy software together. When executing software containing a mix of Intel MPX code and legacy code, the legacy code does not benefit from Intel MPX, but it also does not experience any change in functionality or performance. Performance of Intel MPX enabled code running on processors that do not support Intel MPX is similar to embedding NOPs in the instruction stream. Intel MPX is designed such that enabled applications can link with, call into, or be called from legacy software (libraries, etc.) while maintaining existing application binary interfaces (ABIs).
Intel® MPX Programming Model
For developers familiar with the capabilities of Pointer Checker in the Intel compiler, moving to Intel MPX will be an easy progression as there is only one new compiler switch, a handful of new intrinsics and an Intel MPX enabled C runtime library. For those unfamiliar with Pointer Checker, enabling Intel MPX can be as simple as adding a compiler switch. For those not using Intel’s compiler, Intel is also working with other compiler vendors to support Intel MPX.
Intel MPX introduces new registers and new instructions that operate on these registers. Some of the registers added are bounds registers which store a pointer’s lower bound and upper bound limits. Whenever the pointer is used, the requested reference is checked against the pointer’s associated bounds, thereby preventing out-of-bound memory access (such as buffer overflows and overruns). Out-of-bounds memory references initiate a #BR exception which can then be handled in an appropriate manner.
Intel MPX allows for support of user mode (Ring 3 or CPL 3) software as well as kernel mode (Ring 0 or CPL 0, 1 and 2) software; Intel® MPX for user mode and kernel mode are controlled independently.
Intel MPX protection is not an all-or-nothing proposition; a software developer can choose to adopt Intel MPX in some modules to realize Intel MPX’s protection in key areas, while deferring integration of Intel MPX’s benefits to another time for other modules. This property is intended to give software developers more granular control on providing protection to higher priority or more attack-prone software first.
The improper use of C/C++ pointers can lead to unstable and insecure software. Buffer overflows account for a significant portion of bugs which commonly result in an exploitable threat vector. This can be extremely costly for both a software vendor and their customers. Intel’s hardware-assisted approach to security is bringing bounds management to the underling architecture. Intel MPX can help identify errant pointer usage prior to release as well as mitigate exposure at runtime.
For details about the Intel MPX instructions, see the Intel® Architectures Software Developer Manuals
1 The initial release of Intel MPX does not include support for Pointer Checker’s “Dangling Pointer” option.
2 Here, legacy software is defined as software written for processors without Intel MPX.
3 Here, a system is defined as the logical processor(s) and the OS software.