Reference1
Instructions:
BNDMK: saving a bound pair into a bounds register.
BNDCL: checking the lower bound against the bounds register value and the operand.
BNDCU, BNDCN: checking the upper bound against the bounds register upper value and the operand.
BNDMOV: accessing a bounds register.
BNDLDX: loading a bounds register from memory.
BNDSTX: saving a bounds register to memory.
Registers:
Bound paging: Bound Directory -> Bound Table -> Bound Table Entry
VM_MPX flag to VM page attributes.
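A software model of the instructions and the bound paging walk listed above, as an added example that is not code from the original notes. The function names mirror the mnemonics, the directory and table sizes are scaled-down assumptions, and a missing table simply yields INIT bounds here where hardware would raise #BR.

```c
#include <stdint.h>
#include <stdlib.h>

/* Bounds register model: the upper bound is kept in one's complement,
 * the form BNDMK writes and BNDCU compares against. */
typedef struct { uint64_t lb, ub_c; } bnd_t;
/* Bound table entry: bounds plus the pointer value they were saved for. */
typedef struct { uint64_t lb, ub_c, ptr, rsvd; } bte_t;

#define BD_BITS 8 /* assumption: model size; 64-bit MPX uses 28 index bits */
#define BT_BITS 8 /* assumption: model size; 64-bit MPX uses 17 index bits */
static bte_t *bound_dir[1 << BD_BITS];

static bnd_t bndmk(uint64_t base, uint64_t size) {
    return (bnd_t){ base, ~(base + size - 1) };
}
/* A return value of 0 models the #BR fault. */
static int bndcl(bnd_t b, uint64_t addr) { return addr >= b.lb; }
static int bndcu(bnd_t b, uint64_t addr) { return addr <= ~b.ub_c; }

/* Bound Directory -> Bound Table -> Bound Table Entry, indexed by the
 * address of the slot that holds the pointer, not by the pointer value. */
static bte_t *walk(uint64_t slot, int alloc) {
    uint64_t di = (slot >> (3 + BT_BITS)) & ((1u << BD_BITS) - 1);
    uint64_t ti = (slot >> 3) & ((1u << BT_BITS) - 1);
    if (!bound_dir[di]) {
        if (!alloc) return NULL;
        bound_dir[di] = calloc(1u << BT_BITS, sizeof(bte_t));
        if (!bound_dir[di]) abort();
    }
    return &bound_dir[di][ti];
}

static void bndstx(uint64_t slot, uint64_t ptr, bnd_t b) {
    *walk(slot, 1) = (bte_t){ b.lb, b.ub_c, ptr, 0 };
}

/* If the pointer now in the slot differs from the one saved with the
 * bounds, the result is INIT (lb = 0, ub = all ones): the check fails open. */
static bnd_t bndldx(uint64_t slot, uint64_t ptr) {
    bte_t *e = walk(slot, 0);
    if (!e || e->ptr != ptr) return (bnd_t){ 0, 0 };
    return (bnd_t){ e->lb, e->ub_c };
}

/* Check a len-byte access (len >= 1) the way instrumented code would. */
int check_access(bnd_t b, uint64_t addr, uint64_t len) {
    return bndcl(b, addr) && bndcu(b, addr + len - 1);
}
```

The last case matters for hardening: a pointer overwritten by uninstrumented code no longer matches its bound table entry, so later accesses through it are checked against INIT bounds and pass.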
Reference 1
LLVM MPX (BOGO)
Q&A:
How to determine the size of an object?
How to store the bound info in MPX?
How to do bound checking?
How to choose the instrumentation point?
A map from instruction to the pointer it wants to access?
Reference 1
Overview:
A module pass: class llmpx: public ModulePass
runOnModule(Module &)
Methods:
mpxPass(Module &)
harden_cfi(Module &)
create_global_constants(Module &)
collect_safe_access(Module &)
transform_functions(Module &)
transform_global(Module &)
References:
Vahldiek-Oberwagner, Anjo, Eslam Elnikety, Nuno O. Duarte, Michael Sammler, Peter Druschel, and Deepak Garg. "ERIM: Secure, efficient in-process isolation with protection keys (MPK)." In 28th USENIX Security Symposium (USENIX Security 19), pp. 1221-1238. 2019.
Background:
Intel MPK: 4 permission bits in page table entry; 16 disjoint domains.
PKRU: 32-bit register; 2 permission bits for each region.
11-260 cycles to update PKRU.
0.07 to 1.0% overhead per 100,000 switches/s on a 2.
If you could revise
the fundamental principles of
computer system design
to improve security...
... what would you change?