Menu
Intel MPX, described in the following document for those who are new to it: https://software.intel.com/sites/default/files/managed/68/8b/319433-019.pdf
I'm not sure I understand how BNDLDX and BNDSTX work. Take for instance BNDSTX.
From the document (page 855):
BNDSTX is used to store the bounds associated with a buffer and the “pointer value” of the pointer to that buffer onto a bound table entry via address translation using a two-level structure, see Section 9.3.8. For example, the software has a buffer with bounds stored in BND0, the pointer to the buffer is in ESI, the following sequence will store the “pointer value” (the buffer) and the bounds into a configured bound table entry using address translation from the linear address associated with the base of a SIB-addressing form consisting of a base register and a index register:
MOV ECX, Dword ptr [ESI] ; store the pointer value in the index register ECX MOV EAX, ESI ; store the pointer in the base register EAX BNDSTX Dword ptr [EAX+ECX], BND0 ; perform address translation from the linear address of the base EAX and store bounds and pointer value ECX onto a bound table entry.
The example states that ESI contains some pointer, if so, then the first instruction mov ecx, dword ptr [esi] does a simple mov by indirect addressing and fetches a dword of whatever esi is pointing to into ecx, this is what I assume they mean by pointer value, or do they mean something else? What is the purpose of this, and how does this relate to the address translation that BNDSTX performs?
The second instruction seems intuitive enough, it simply wants to store this pointer to the buffer and makes a copy of it. However why this is strictly needed is also a bit strange. Does not BND0 already contain the start of the buffer? Does it not simply duplicate the lower bound pointer? And again, exactly what purpose this pointer value serves is not clear to me.
932
Intel® Memory Protection Extensions (Intel® MPX) is a set of processor features which, with compiler, runtime library, and OS support, brings increased robustness to software. It checks pointer references whose compile time normal intentions are usurped at runtime due to buffer overflow.
MPX Microsoft Project Exchange File Format, a Microsoft Project file format.
The libmpx library is responsible for MPX initialization at program startup: it enables hardware and OS support and configures MPX runtime options (passed through environment variables). Most of these options concern debugging and logging, but two of them define security guarantees.
Intel's example is very poorly worded. ESI initially holds a pointer to a pointer to buf. The "pointer value" is checked because non-MPX code could have possibly modified the pointer value without modifying the bounds. If this happens, the bounds are nullified by the BNDLNX instruction:
From https://software.intel.com/sites/default/files/managed/0d/53/319433-022.pdf:
BNDLDX uses the linear address constructed from the base register and displacement of the SIB-addressing form of the memory operand (mib) to perform address translation to access a bound table entry and conditionally load the bounds in the BTE to the destination. The destination register is updated with the bounds in the BTE, if the content of the index register of mib matches the pointer value stored in the BTE.
If the pointer value comparison fails, the destination is updated with INIT bounds (lb = 0x0, ub = 0x0) (note: as articulated earlier, the upper bound is represented using 1's complement, therefore, the 0x0 value of upper bound allows for access to full memory).
85
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
