Simplex: Repurposing Intel Memory Protection Extensions for Information Hiding


Abstract in English

With the rapid increase in software exploits, the last few decades have seen several hardware-level features to enhance security (e.g., Intel MPX, ARM TrustZone, Intel SGX, Intel CET). Due to security, performance and/or usability issues these features have attracted steady criticism. One such feature is the Intel Memory Protection Extensions (MPX), an instruction set architecture extension promising spatial memory safety at a lower performance cost due to hardware-accelerated bounds checking. However, recent investigations into MPX have found that is neither as performant, accurate, nor precise as cutting-edge software-based spatial memory safety. As a direct consequence, compiler and operating system support for MPX is dying, and Intel has begun to manufacture desktop CPUs without MPX. Nonetheless, given how ubiquitous MPX is, it provides an excellent yet under-utilized hardware resource that can be aptly salvaged for security purposes. In this paper, we propose Simplex, a library framework that re-purposes MPX registers as general purpose registers. Using Simplex, we demonstrate how MPX registers can be used to store sensitive information (e.g., encryption keys) directly on the hardware. We evaluate Simplex for performance and find that its overhead is small enough to permit its deployment in all but the most performance-intensive code. We refactored the string.h buffer manipulation functions and found a geometric mean 0.9% performance overhead. We also modified the deepsjeng and lbm SPEC CPU2017 benchmarks to use Simplex and found a 1% and 0.98% performance overhead respectively. Finally, we investigate the behavior of the MPX context with regards to multi-process and multi-thread programs.

Download