Abstract
The last few decades have seen several hardware-level features to enhance security, but due to security, performance, and/or usability issues these features have attracted steady criticism. One such feature is the Intel Memory Protection Extensions (MPX), an instruction set architecture extension promising spatial memory safety at a lower performance cost due to hardware-accelerated bounds checking. However, recent investigations into MPX have found that it is neither as performant, accurate, nor precise as software-based spatial memory safety. Given its ubiquity, we argue that it provides an under-utilized hardware resource that can be salvaged for security purposes. We propose Simplex, an open-sourced library that re-purposes MPX registers as general purpose registers. Using Simplex, we demonstrate securely storing sensitive information directly on the hardware (e.g. encryption keys). We evaluate for performance, and find that deployment is feasible in all but the most performance-intensive code, with amortized performance overhead as low as about 1%.
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Cole, M., Prakash, A. (2022). Simplex: Repurposing Intel Memory Protection Extensions for Secure Storage. In: Reiser, H.P., Kyas, M. (eds) Secure IT Systems. NordSec 2022. Lecture Notes in Computer Science, vol 13700. Springer, Cham. https://doi.org/10.1007/978-3-031-22295-5_12
DOI: https://doi.org/10.1007/978-3-031-22295-5_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-22294-8
Online ISBN: 978-3-031-22295-5
eBook Packages: Computer Science, Computer Science (R0)