GCC's -fmpx in clang?

Are there any plans to implement -fmpx
(https://en.wikipedia.org/wiki/Intel_MPX)?

Not that I know of. So far as I know, ASan is superior to any MPX based instrumentation. The only class of false negatives I know of is arrays in structs, which there are plans for.

* Reid Kleckner <rnk@google.com> [2014-09-13 18:37:57 -0700]:

> Not that I know of. So far as I know, ASan is superior to any MPX based
> instrumentation. The only class of false negatives I know of is arrays in
> structs, which there are plans for.

mpx is new to me, but looking at the docs it solves a different
problem than asan

asan must not be used in production code, it's not a hardening
solution, but a debugging one (it actually increases the attack
surface by all its instrumentations, its own set of reliance on
ub and strong interdependency on libc internals)

mpx is for hardening deployed code with bounds check instructions

gcc: http://gcc.gnu.org/wiki/Intel%20MPX%20support%20in%20the%20GCC%20compiler

glibc:
https://sourceware.org/ml/libc-alpha/2014-03/msg00491.html
https://sourceware.org/ml/libc-alpha/2014-03/msg00543.html
https://sourceware.org/ml/libc-alpha/2014-03/msg00605.html

Linux kernel: https://lkml.org/lkml/2014/9/11/182

Using MPX requires:

- Code that has a stricter memory model than implied by the C standard. For example, casting from a pointer to a field to a pointer to the enclosing structure (as done by the containerof() macro in Linux, inherited from the CONTAINER macro in 4BSD) will not work.

- No threads (the bounds and pointer are not updated atomically, unless the compiler decides to use RTM to wrap every single pointer store to heap memory in a transaction).

The primary goal of MPX appears to be the ability to add a tick in a marketing checkbox. As a debugging aid, it allows you to do something that you can already do in software, only in a less flexible way (and probably without much speedup, as on Intel chips you already get a relatively high degree of ILP out of the software implementations). As a security tool, it's a joke (we pondered writing a paper about all of the ways to break MPX, but eventually decided that it was so fragile that no security venue would regard it as a serious project).

David

* Reid Kleckner <rnk@google.com> [2014-09-13 18:37:57 -0700]:
> Not that I know of. So far as I know, ASan is superior to any MPX based
> instrumentation. The only class of false negatives I know of is arrays in
> structs, which there are plans for.
>

> mpx is new to me, but looking at the docs it solves a different
> problem than asan
>
> asan must not be used in production code, it's not a hardening
> solution, but a debugging one

We prefer to say "asan is for testing" instead of "for debugging".
You are right, asan is not a way to protect your code from attackers in
production.
There is NaCl for that.

> (it actually increases the attack
> surface by all its instrumentations, its own set of reliance on
> ub and strong interdependency on libc internals)
>
> mpx is for hardening deployed code with bounds check instructions

[Note: I have a very biased opinion on MPX...]
Here is my impression from MPX (last updated 10 months ago)
https://code.google.com/p/address-sanitizer/wiki/IntelMemoryProtectionExtensions

"mpx is for hardening deployed code" is an overstatement imho.
MPX is going to incur a huge memory cost for most of the programs.
And until I see the numbers on the real hardware I am also unconvinced that
MPX will be fast enough "for hardening deployed code".

Unless you instrument *all* the code with MPX, this is a very lousy
sandbox.
And even then, it doesn't protect you from heap-use-after-free and
stack-use-after-return.

As Reid mentioned, MPX is good for detecting intra-object buffer overflows,
which today's asan can't detect.
We have a plan of attack, but MPX's approach is still better for this
particular class of bugs, so I want to see MPX in LLVM, but I am not ready
to invest much time in it (including doing the code reviews).
Another problem is that implementing MPX in a compiler is a major disruption
(see how long it takes to add MPX support in GCC, and it's not there yet
after more than a year of work).

--kcc
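The three technical claims in this thread (the intra-object overflow that ASan's redzones cannot see but narrowed bounds can, David's point that container_of()-style casts break once bounds are narrowed to a struct member, and kcc's point that bounds checking says nothing about use-after-free) can be shown with a small software model of a bounds pair. The following is an added example, not code from the thread or from GCC's or Intel's MPX implementation: the bnd type, bnd_make and bnd_check stand in for the hardware check, and the struct record, struct node and struct item types are constructed for the illustration. It assumes, as GCC's instrumentation does by default, that a pointer to a struct member carries bounds narrowed to that member rather than to the whole object.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of a bounds pair: lo is the first valid byte, hi the last valid
 * byte.  This struct and its two helpers are the example's own stand-in
 * for the hardware check, not the real instructions. */
typedef struct { uintptr_t lo, hi; } bnd;

static bnd bnd_make(const void *p, size_t len) {
    bnd b = { (uintptr_t)p, (uintptr_t)p + len - 1 };
    return b;
}

/* 1 if the access [a, a+len) lies inside b, 0 if it would be a violation.
 * Takes an integer address so a freed pointer's value can be checked
 * without touching the pointer itself. */
static int bnd_check(bnd b, uintptr_t a, size_t len) {
    return a >= b.lo && a + len - 1 <= b.hi;
}

/* ---- Case 1: intra-object overflow (the asan false negative) ---- */

struct record {
    char name[8];
    int  admin;   /* directly follows name; no redzone can sit between them */
};

/* Constructed input: 8 bytes for name plus 4 that spill into admin. */
static const unsigned char overflow_input[12] = {
    'A','A','A','A','A','A','A','A', 0x01, 0x01, 0x01, 0x01 };
_Static_assert(sizeof(struct record) >= sizeof overflow_input,
               "spill must stay inside the struct");

/* Whole-object bounds, which is all a redzone around the struct can
 * enforce: the 12-byte write never leaves the struct.  Returns 1 if rejected. */
static int overflow_caught_by_object_bounds(void) {
    struct record r;
    bnd whole = bnd_make(&r, sizeof r);
    return !bnd_check(whole, (uintptr_t)r.name, sizeof overflow_input);
}

/* Bounds narrowed to the field: the same write runs past name[7].
 * Returns 1 if rejected. */
static int overflow_caught_by_narrowed_bounds(void) {
    struct record r;
    bnd field = bnd_make(r.name, sizeof r.name);
    return !bnd_check(field, (uintptr_t)r.name, sizeof overflow_input);
}

/* What the unchecked program does: admin is silently overwritten. */
static int admin_after_overflow(void) {
    struct record r;
    memset(&r, 0, sizeof r);
    memcpy(&r, overflow_input, sizeof overflow_input);  /* stays inside r */
    return r.admin;   /* 0x01010101 whichever the byte order */
}

/* ---- Case 2: container_of() under narrowed bounds ---- */

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct node { int key; struct node *next; };
struct item { int payload; struct node link; };

/* A pointer to the embedded link carries bounds covering only the link.
 * Stepping back to the enclosing item lands outside them, so the first
 * dereference of 'back' would be reported although the C is correct.
 * Returns 1 if the narrowed bounds reject the enclosing object. */
static int container_of_rejected(void) {
    struct item it = { 42, { 1, NULL } };
    struct node *n = &it.link;
    bnd narrowed = bnd_make(n, sizeof *n);
    struct item *back = container_of(n, struct item, link);
    return !bnd_check(narrowed, (uintptr_t)back, sizeof *back);
}

/* ---- Case 3: use-after-free ---- */

/* Bounds are created when the block is allocated and nothing revokes
 * them on free, so the dangling address still passes.  Returns 1 if the
 * check passes; the freed memory is never touched. */
static int uaf_passes_bounds_check(void) {
    size_t n = 16;
    char *p = malloc(n);
    if (!p) return -1;
    bnd b = bnd_make(p, n);
    uintptr_t dangling = (uintptr_t)p;
    free(p);
    return bnd_check(b, dangling, 1);
}

int main(void) {
    printf("object bounds reject spill:   %d\n", overflow_caught_by_object_bounds());
    printf("narrowed bounds reject spill: %d\n", overflow_caught_by_narrowed_bounds());
    printf("admin after spill:            0x%x\n", admin_after_overflow());
    printf("container_of rejected:        %d\n", container_of_rejected());
    printf("freed address passes check:   %d\n", uaf_passes_bounds_check());
    return 0;
}
```

The model only reproduces the bounds arithmetic; it says nothing about the cost of keeping bounds in the bound table or the lack of atomicity between a pointer store and its bounds update that David raises, both of which need real hardware to measure.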