Skip to main content
SpringerLink
Log in

Simplex: Repurposing Intel Memory Protection Extensions for Secure Storage

  • Conference paper
  • First Online:
Secure IT Systems (NordSec 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13700))

Included in the following conference series:

  • 622 Accesses

Abstract

The last few decades have seen several hardware-level features to enhance security, but due to security, performance, and/or usability issues these features have attracted steady criticism. One such feature is the Intel Memory Protection Extensions (MPX), an instruction set architecture extension promising spatial memory safety at a lower performance cost due to hardware-accelerated bounds checking. However, recent investigations into MPX have found that is neither as performant, accurate, nor precise as software-based spatial memory safety. Given its ubiquity, we argue that it provides an under-utilized hardware resource that can be salvaged for security purposes. We propose Simplex, an open-sourced library that re-purposes MPX registers as general purpose registers. Using Simplex, we demonstrate securely storing sensitive information directly on the hardware (e.g. encryption keys). We evaluate for performance, and find that deployment is feasible in all but the most performance-intensive code, with amortized performance overhead as low as about 1%.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 64.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 84.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Browne, S., Dongarra, J., Garner, N., London, K., Mucci, P.: A scalable cross-platform infrastructure for application performance tuning using hardware counters. In: Proceedings of the 2000 ACM/IEEE Conference on Supercomputing, SC 2000 (2000). https://doi.org/10.1109/SC.2000.10029

  2. Bruening, D., Garnett, T., Amarasinghe, S.: An infrastructure for adaptive dynamic optimization. In: Proceedings of the International Symposium on Code Generation and Optimization: Feedback-Directed and Runtime Optimization, CGO 2003, pp. 265–275. IEEE Computer Society (2003)

    Google Scholar 

  3. Burow, N., Mckee, D., Carr, S.A., Payer, M.: CFIXX: object type integrity for C++. In: Network and Distributed Systems Security Symposium 2018 (2018). https://doi.org/10.14722/ndss.2018.23279

  4. Canella, C., et al.: A systematic evaluation of transient execution attacks and defenses. In: 28th USENIX Security Symposium (USENIX Security 2019), pp. 249–266 (2019). https://www.usenix.org/conference/usenixsecurity19/presentation/canella

  5. Carr, S.A., Payer, M.: DataShield: configurable data confidentiality and integrity. In: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security - ASIA CCS 2017 (2017). https://doi.org/10.1145/3052973.3052983

  6. Davi, L., Liebchen, C., Sadeghi, A.R., Snow, K.Z., Monrose, F.: Isomeron: code randomization resilient to (just-in-time) return-oriented programming (2015). https://doi.org/10.14722/ndss.2015.23262

  7. Dekel, K.: BoundHook: exception based, kernel-controlled user-mode hooking (2017). https://www.cyberark.com/threat-research-blog/boundhook-exception-based-kernel-controlled-usermode-hooking/

  8. Evans, I., et al.: Missing the point(er): on the effectiveness of code pointer integrity. In: 2015 IEEE Symposium on Security and Privacy, pp. 781–796 (2015). https://doi.org/10.1109/SP.2015.53

  9. Ganesh, K.: Pointer checker: easily catch out-of-bounds memory accesses (2012). https://software.intel.com/sites/products/parallelmag/singlearticles/issue11/7080_2_IN_ParallelMag_Issue11_Pointer_Checker.pdf

  10. Göktas, E., et al.: Undermining information hiding (and what to do about it). In: Proceedings of the 25th USENIX Conference on Security Symposium, pp. 105–119 (2016)

    Google Scholar 

  11. Gruss, D., Lipp, M., Schwarz, M., Fellner, R., Maurice, C., Mangard, S.: KASLR is dead: long live KASLR. In: Engineering Secure Software and Systems, pp. 161–176 (2017). https://doi.org/10.1007/978-3-319-62105-0_11

  12. Halderman, J.A., et al.: Lest we remember: cold-boot attacks on encryption keys. Commun. ACM 52(5), 91–98 (2009). https://doi.org/10.1145/1506409.1506429

    Article  Google Scholar 

  13. Hargreaves, C., Chivers, H.: Recovery of encryption keys from memory using a linear scan. In: 2008 Third International Conference on Availability, Reliability and Security (2008). https://doi.org/10.1109/ARES.2008.109

  14. Intel Corporation: Introduction to Intel Memory Protection Extensions (2013). https://software.intel.com/en-us/articles/introduction-to-intel-memory-protection-extensions

  15. Intel Corporation: Control-flow Enforcement Technology Specification, May 2019. https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf

  16. Kazim, A., Almaeeni, F., Ali, S.A., Iqbal, F., Al-Hussaeni, K.: Memory forensics: recovering chat messages and encryption master key. In: 2019 10th International Conference on Information and Communication Systems (ICICS), pp. 58–64 (2019). https://doi.org/10.1109/IACS.2019.8809179

  17. Koning, K., Chen, X., Bos, H., Giuffrida, C., Athanasopoulos, E.: No need to hide: protecting safe regions on commodity hardware. In: Proceedings of the Twelfth European Conference on Computer Systems, pp. 437–452 (2017). https://doi.org/10.1145/3064176.3064217

  18. Kuznetsov, V., Szekeres, L., Payer, M., Candea, G., Sekar, R., Song, D.: Code-pointer integrity. In: Proceedings of the 11th USENIX Conference on Operating Systems Design and Implementation, OSDI 2014, pp. 147–163. USENIX Association (2014). https://www.usenix.org/conference/osdi14/technical-sessions/presentation/kuznetsov

  19. Lipp, M., et al.: Meltdown: reading kernel memory from user space. In: 27th USENIX Security Symposium, pp. 973–990 (2018). https://www.usenix.org/conference/usenixsecurity18/presentation/lipp

  20. Lu, K., Song, C., Lee, B., Chung, S.P., Kim, T., Lee, W.: ASLR-guard: stopping address space leakage for code reuse attacks. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 280–291 (2015). https://doi.org/10.1145/2810103.2813694

  21. Mohan, V., Larsen, P., Brunthaler, S., Hamlen, K.W., Franz, M.: Opaque control-flow integrity. In: Network and Distributed Systems Security Symposium 2015 (2015). https://doi.org/10.14722/ndss.2015.23271

  22. Müller, T., Freiling, F.C., Dewald, A.: TRESOR runs encryption securely outside RAM. In: Proceedings of the 20th USENIX Conference on Security, SEC 2011 (2011). https://doi.org/10.5555/2028067.2028084

  23. Oikonomopoulos, A., Athanasopoulos, E., Bos, H., Giuffrida, C.: Poking holes in information hiding. In: 25th USENIX Security Symposium, Austin, TX, pp. 121–138 (2016)

    Google Scholar 

  24. Oleksenko, O., Kuvaiskii, D., Bhatotia, P., Felber, P., Fetzer, C.: Intel MPX explained: an empirical study of Intel MPX and software-based bounds checking approaches (2017). https://doi.org/10.48550/ARXIV.1702.00719

  25. Oleksenko, O., Kuvaiskii, D., Bhatotia, P., Fetzer, C., Felber, P.: Efficient fault tolerance using Intel MPX and TSX. In: Fast Abstract in the 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, Toulouse, France (2016)

    Google Scholar 

  26. Ooi, J.G., Kam, K.H.: A proof of concept on defending cold boot attack. In: 2009 1st Asia Symposium on Quality Electronic Design (2009). https://doi.org/10.1109/ASQED.2009.5206245

  27. Otterstad, C.W.: A brief evaluation of Intel MPX. In: 2015 Annual IEEE Systems Conference Proceedings, pp. 1–7. IEEE (2015). https://doi.org/10.1109/SYSCON.2015.7116720

  28. Pomonis, M., Petsios, T., Keromytis, A.D., Polychronakis, M., Kemerlis, V.P.: kR\(\hat{\,}\)X: comprehensive kernel protection against just-in-time code reuse. In: Proceedings of the Twelfth European Conference on Computer Systems, EuroSys 2017 (2017). https://doi.org/10.1145/3064176.3064216

  29. Ramakesavan, S., Rodriguez, J.: Intel memory protection extensions enabling guide (2016). https://software.intel.com/en-us/articles/intel-memory-protection-extensions-enabling-guide

  30. Sartakov, V.A., O’Keeffe, D., Eyers, D., Vilanova, L., Pietzuch, P.: Spons & shields: practical isolation for trusted execution. In: Proceedings of the 17th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (2021). https://doi.org/10.1145/3453933.3454024

  31. Serebryany, K., Bruening, D., Potapenko, A., Vyukov, D.: Addresssanitizer: A fast address sanity checker. In: 2012 USENIX Annual Technical Conference. pp. 309–318 (2012)

    Google Scholar 

  32. Serebryany, K.: Address sanitizer Intel memory protection extensions (2016). https://github.com/google/sanitizers/wiki/AddressSanitizerIntelMemoryProtectionExtensions

  33. Yun, M.H., Zhong, L.: Ginseng: keeping secrets in registers when you distrust the operating system. In: Network and Distributed Systems Security Symposium 2019 (2019). https://doi.org/10.14722/ndss.2019.23327

  34. Zhang, M., Sekar, R.: Control flow and code integrity for COTS binaries: an effective defense against real-world ROP attacks. In: Proceedings of the 31st Annual Computer Security Applications Conference, pp. 91–100 (2015). https://doi.org/10.1145/2818000.2818016

  35. Zhang, T., Lee, D., Jung, C.: BOGO: buy spatial memory safety, get temporal memory safety (almost) free. In: Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2019, New York, NY, USA, pp. 631–644. Association for Computing Machinery (2019). https://doi.org/10.1145/3297858.3304017

Download references

Author information

Authors and Affiliations

  1. Binghamton University, Binghamton, USA

    Matthew Cole & Aravind Prakash

Authors
  1. Matthew Cole
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Aravind Prakash
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Matthew Cole .

Editor information

Editors and Affiliations

  1. Reykjavik University, Reykjavik, Iceland

    Hans P. Reiser

  2. Reykjavik University, Reykjavik, Iceland

    Marcel Kyas

Rights and permissions

Reprints and permissions

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Cole, M., Prakash, A. (2022). Simplex: Repurposing Intel Memory Protection Extensions for Secure Storage. In: Reiser, H.P., Kyas, M. (eds) Secure IT Systems. NordSec 2022. Lecture Notes in Computer Science, vol 13700. Springer, Cham. https://doi.org/10.1007/978-3-031-22295-5_12

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-22295-5_12

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-22294-8

  • Online ISBN: 978-3-031-22295-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation