Intel MPX Explained: An Empirical Study of Intel MPX and Software-based Bounds Checking Approaches

TL;DR

This paper provides an exhaustive empirical analysis of Intel MPX, a hardware-assisted memory safety extension, comparing its performance, security, and usability against software-based bounds checking approaches, and highlighting its current limitations.

Contribution

It offers a comprehensive evaluation of Intel MPX's advantages and caveats, including performance overheads, security guarantees, and usability issues, filling a gap in understanding its practicality.

Findings

Intel MPX has high performance overhead (~50%)

Intel MPX has bugs causing compilation/runtime errors

Intel MPX cannot detect temporal errors and has limitations in multithreaded code

Abstract

Memory-safety violations are a prevalent cause of both reliability and security vulnerabilities in systems software written in unsafe languages like C/C++. Unfortunately, all the existing software-based solutions to this problem exhibit high performance overheads preventing them from wide adoption in production runs. To address this issue, Intel recently released a new ISA extension - Memory Protection Extensions (Intel MPX), a hardware-assisted full-stack solution to protect against memory safety violations. In this work, we perform an exhaustive study of the Intel MPX architecture to understand its advantages and caveats. We base our study along three dimensions: (a) performance overheads, (b) security guarantees, and (c) usability issues. To put our results in perspective, we compare Intel MPX with three prominent software-based approaches: (1) trip-wire - AddressSanitizer, (2) object-based - SAFECode, and (3) pointer-based - SoftBound. Our main conclusion is that Intel MPX is a promising technique that is not yet practical for widespread adoption. Intel MPX's performance overheads are still high (roughly 50% on average), and the supporting infrastructure has bugs which may cause compilation or runtime errors. Moreover, we showcase the design limitations of Intel MPX: it cannot detect temporal errors, may have false positives and false negatives in multithreaded code, and its restrictions on memory layout require substantial code changes for some programs.