<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Thank you!</p>
<p> </p>
<blockquote type="cite">
<div><span style="font-size:12.8px">* I've heard that </span><span
class="gmail-il" style="font-size:12.8px">MPX</span><span
style="font-size:12.8px"> is incompatible with ILP32 (64-bit
registers, 32-bit pointers), </span><br>
</div>
<div style="font-size:12.8px">but I don't know the details. </div>
</blockquote>
<p>Maybe there are some corner cases that I'm not aware of, but in
most cases it does support 32-bit mode. At some point, we even
tried running 32-bit version of RIPE and GCC-MPX successfully
detected 262 out of 417 attacks (155 were probably undetected
because of suboptimal default compilation flags).</p>
<p>
<blockquote type="cite">
<div style="font-size:12.8px"><span style="font-size:12.8px">*
Did you investigate a possibility of false positives in
cases where </span><span class="gmail-il"
style="font-size:12.8px">MPX</span><span
style="font-size:12.8px">-instrumented and non-instrumented
code is mixed? </span><br>
</div>
<div style="font-size:12.8px">Here are the examples from 3+
years ago:</div>
<div style="font-size:12.8px"><a moz-do-not-send="true"
href="https://github.com/google/sanitizers/wiki/AddressSanitizerIntelMemoryProtectionExtensions#false-positive-with-un-instrumented-code"
target="_blank">https://github.com/google/<wbr>sanitizers/wiki/<wbr>AddressSanitizerIntelMemoryPro<wbr>tectionExtensions#false-<wbr>positive-with-un-instrumented-<wbr>code</a><br>
</div>
<div style="font-size:12.8px">They might have been fixed
already, but the general problem may remain. </div>
</blockquote>
It is buried deep in the text, but we mention this issue. It's in
the end of 3.1.Hardware-Instruction set: "[...] the pointer
created/altered in legacy code is considered “boundless”: this<br>
allows for interoperability but also creates holes in Intel MPX
defense" + footnote on the same page. <br>
</p>
<p>Yet, you are right: (1) we've mentioned only false negatives, not
false positives and (2) we should make it more explicit because
it's an important issue which appears in real applications (e.g.,
x264 from PARSEC). <br>
</p>
We will add this notes to the updated version of the report.<br>
<br>
Best,<br>
Oleksii<br>
<br>
<br>
<div class="moz-cite-prefix">On 17.02.2017 20:17, Kostya Serebryany
wrote:<br>
</div>
<blockquote
cite="mid:CAN=P9pjdp=oLUWQZKy0zGQQ5k8KSUWNurCQQ-Gk+aSktCUYr_g@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><span style="font-size:12.8px">I LOVE this paper!</span><br>
</div>
<div><span style="font-size:12.8px"><br>
</span></div>
<div><span style="font-size:12.8px">From the comments I've sent
you earlier you did not address just two:</span></div>
<div><span style="font-size:12.8px"><br>
</span></div>
<div>
<div><span style="font-size:12.8px">* I've heard that </span><span
class="gmail-il" style="font-size:12.8px">MPX</span><span
style="font-size:12.8px"> is incompatible with ILP32
(64-bit registers, 32-bit pointers), </span><br>
</div>
<div>
<div style="font-size:12.8px">but I don't know the details. </div>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px"><span style="font-size:12.8px">*
Did you investigate a possibility of false positives in
cases where </span><span class="gmail-il"
style="font-size:12.8px">MPX</span><span
style="font-size:12.8px">-instrumented and
non-instrumented code is mixed? </span><br>
</div>
<div style="font-size:12.8px">Here are the examples from 3+
years ago:</div>
<div style="font-size:12.8px"><a moz-do-not-send="true"
href="https://github.com/google/sanitizers/wiki/AddressSanitizerIntelMemoryProtectionExtensions#false-positive-with-un-instrumented-code"
target="_blank">https://github.com/google/<wbr>sanitizers/wiki/<wbr>AddressSanitizerIntelMemoryPro<wbr>tectionExtensions#false-<wbr>positive-with-un-instrumented-<wbr>code</a><br>
</div>
<div style="font-size:12.8px">They might have been fixed
already, but the general problem may remain. </div>
</div>
</div>
<div><br>
</div>
<div><span style="font-size:12.8px">Or did I miss these in the
final paper?</span><br>
</div>
<div><span style="font-size:12.8px">Anyway, these are two
additional subjects I'd like to see covered, and their
absence doesn't undermine the paper usefulness. </span></div>
<div><span style="font-size:12.8px">Thanks for the amazing
work! </span><br>
</div>
<div>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">--kcc </div>
<div><br>
</div>
<div><br>
</div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Feb 17, 2017 at 2:04 AM,
Oleksii Oleksenko via llvm-dev <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:llvm-dev@lists.llvm.org" target="_blank">llvm-dev@lists.llvm.org</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p> Hello,<br>
<br>
even though the study of Intel MPX took much longer than
expected, we have finally finished it. Currently, it is
published in two formats:<br>
<br>
* as a technical report: <a moz-do-not-send="true"
class="m_5245855359566005395moz-txt-link-freetext"
href="https://arxiv.org/abs/1702.00719"
target="_blank">https://arxiv.org/abs/1702.<wbr>00719</a><br>
* and as a webpage: <a moz-do-not-send="true"
class="m_5245855359566005395moz-txt-link-freetext"
href="https://intel-mpx.github.io/" target="_blank">https://intel-mpx.github.io/</a><br>
<br>
This work contains evaluation of MPX from perspectives
of performance (Phoenix, PARSEC, and SPEC benchmark
suites), security (RIPE and found bugs in benchmarks),
and usability (false positives and required changes in
applications). Additionally, we've analyzed various
implementation aspects of Intel MPX and tested it on
real-world applications. <br>
<br>
We would appreciate your feedback.</p>
<p><br>
</p>
Regards,<br>
Oleksii Oleksenko<br>
<br>
<pre style="white-space:pre-wrap;color:rgb(0,0,0);font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px">On 02/09/2016 10:27 PM, Kostya Serebryany via llvm-dev wrote:
><i> On Tue, Feb 9, 2016 at 7:22 AM, Dmitrii Kuvaiskii <
</i>><i> <a moz-do-not-send="true" href="http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev" target="_blank">Dmitrii.Kuvaiskii at tu-dresden.de</a>> wrote:
</i>><i>
</i>>><i> Thank you Sergey and Konstantin for useful suggestions. We are
</i>>><i> currently bootstrapping the infrastructure for our experiments. We
</i>>><i> would like to make a sufficiently comprehensive report, with not only
</i>>><i> the performance/memory overhead numbers, but also discussing and
</i>>><i> evaluating security guarantees. I will also examine the available
</i>>><i> source codes (ASan, gcc-mpx, SoftBound) and will spend some pages on a
</i>>><i> discussion of the different approaches (trying to do science, you see
</i>>><i> :)).
</i>>><i>
</i>>><i> Btw, I will target only deterministic memory-safety no-code-changes
</i>>><i> approaches that protect against spatial errors (I will probably
</i>>><i> include also ASan and SoftBoundCETS with temporal errors' protection
</i>>><i> in the results as well). The only technique (except Pointer Checker,
</i>>><i> ASan, and SoftBound) I know of is Baggy Bounds Checking from MSR, but
</i>>><i> it seems to be closed-source and Windows-oriented. If anyone can
</i>>><i> suggest some other technique that could be evaluated here, please
</i>>><i> inform me.
</i>>><i>
</i>><i>
</i>><i> There is also a family of tools originated from Electric Fence
</i>><i> <<a moz-do-not-send="true" href="http://elinux.org/Electric_Fence" target="_blank">http://elinux.org/Electric_<wbr>Fence</a>>,
</i>><i> they mostly have historical interest due to huge slowdown/memory
</i>><i> consumption.
</i>
I can assure you that they are still widely used for QA :)
><i> Are you looking for bug detection mechanisms, or also for production
</i>><i> hardening techniques?
</i>><i> ASan is a bug detection tool. ASan can
</i>><i> <<a moz-do-not-send="true" href="https://blog.torproject.org/blog/tor-browser-55a4-hardened-released" target="_blank">https://blog.torproject.org/<wbr>blog/tor-browser-55a4-<wbr>hardened-released</a>> be
</i>><i> used for hardening, but that's not it's primary purpose.
</i>><i> Same is true (IMHO) about Pointer Checker and SoftBound.
</i>><i>
</i>><i> Hardening is an entirely different subject, although there is a bit of
</i>><i> intersection,
</i>><i> e.g. I know that parts of UBSan (-fsanitize=signed-integer-<wbr>overflow) are
</i>><i> used for hardening.
</i>><i> In LLVM, also have a look at <a moz-do-not-send="true" href="http://clang.llvm.org/docs/ControlFlowIntegrity.html" target="_blank">clang.llvm.org/docs/<wbr>ControlFlowIntegrity.html</a>
</i>><i> and
</i>><i> <a moz-do-not-send="true" href="http://clang.llvm.org/docs/SafeStack.html" target="_blank">http://clang.llvm.org/docs/<wbr>SafeStack.html</a>
</i>><i>
</i>>><i>
</i>>><i> Anyway, before putting the techreport online, I will send the draft to
</i>>><i> everyone who took part in this conversation, just to be on the safe
</i>>><i> side and correct any bugs/wrong conclusions.
</i>>><i>
</i>><i>
</i>><i> I would appreciate this.
</i>><i>
</i>><i> --kcc
</i>><i>
</i>><i>
</i>>><i>
</i>>><i> On Tue, Feb 9, 2016 at 3:24 PM, Sergey Ostanevich <<a moz-do-not-send="true" href="http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev" target="_blank">sergos.gnu at gmail.com</a>>
</i>>><i> wrote:
</i>>>><i> Dmitrii, all,
</i>>>><i>
</i>>>><i> Please note, that GCC 5.3 had a significant update to the MPX code
</i>>><i> quality -
</i>>>><i> please, use this version as reference.
</i>>>><i>
</i>>>><i> Regards,
</i>>>><i> Sergos
</i>>>><i>
</i>>>><i> On Tue, Feb 9, 2016 at 12:49 AM, Kostya Serebryany via llvm-dev
</i>>>><i> <<a moz-do-not-send="true" href="http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev" target="_blank">llvm-dev at lists.llvm.org</a>> wrote:
</i>>>>><i>
</i>>>>><i>
</i>>>>><i>
</i>>>>><i> On Thu, Feb 4, 2016 at 10:40 AM, Kostya Serebryany <<a moz-do-not-send="true" href="http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev" target="_blank">kcc at google.com</a>>
</i>>><i> wrote:
</i>>>>>><i>
</i>>>>>><i>
</i>>>>>><i>
</i>>>>>><i> On Thu, Feb 4, 2016 at 4:59 AM, Dmitrii Kuvaiskii
</i>>>>>><i> <<a moz-do-not-send="true" href="http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev" target="_blank">Dmitrii.Kuvaiskii at tu-dresden.de</a>> wrote:
</i>>>>>>><i>
</i>>>>>>>>><i> Recently I played with MPX support on Intel C/C++ Compiler (icc).
</i>>>>>>>>><i> This
</i>>>>>>>>><i> implementation looks *much* better, with the following example
</i>>>>>>>>><i> overheads: 1.2X on "raytrace", 1.25X on "bodytrack", 1.08X on
</i>>>>>>>>><i> "streamcluster". So the common overheads are in the range of
</i>>><i> 15%-25%!
</i>>>>>>>><i> That's interesting.
</i>>>>>>>><i> Are you sure you are instrumenting both reads and writes with icc?
</i>>>>>>><i>
</i>>>>>>><i> Yes, here are the exact flags I add to the usual build configuration:
</i>>>>>>><i> -xHOST -check-pointers-mpx:rw
</i>>>>>><i>
</i>>>>>><i>
</i>>>>>><i> Interesting, looking forward to reading your report!
</i>>>>>>><i>
</i>>>>>>><i>
</i>>>>>>><i> Note "rw" which stands for protecting read and write accesses. In the
</i>>>>>>><i> future, I will analyze how different flags affect ASan / SoftBoundCETS
</i>>>>>>><i> / gcc-mpx / icc-mpx.
</i>>>>>>><i> I will also use a set of microbenchmarks/benchmarks (e.g., RIPE) to
</i>>>>>>><i> test the protection provided.
</i>>>>>>><i>
</i>>>>>>>><i> SPEC2006 is well know so it could be useful. Especially
</i>>><i> 483.xalancbmk
</i>>>>>>>><i> Besides, maybe you could take something that is not strictly a
</i>>>>>>>><i> benchmark.
</i>>>>>>>><i> E.g. take pdfium_test (<a moz-do-not-send="true" href="https://pdfium.googlesource.com/pdfium/" target="_blank">https://pdfium.googlesource.<wbr>com/pdfium/</a>) and
</i>>>>>>>><i> feed
</i>>>>>>>><i> several large pdf files to it.
</i>>>>>>><i>
</i>>>>>>><i> Thanks, I will report the SPEC2006 numbers as well.
</i>>>>>>><i>
</i>>>>>><i>
</i>>>>>><i> Note that SPEC2006 has several know bugs that trigger under asan.
</i>>>>>><i>
</i>>>>>><i>
</i>>><i> <a moz-do-not-send="true" href="https://github.com/google/sanitizers/wiki/AddressSanitizerRunningSpecBenchmarks" target="_blank">https://github.com/google/<wbr>sanitizers/wiki/<wbr>AddressSanitizerRunningSpecBen<wbr>chmarks</a>
</i>>>>>><i> has a patch that makes SPEC2006 pass with asan.
</i>>>>>><i> Some of these bugs and maybe others may also trigger with an MPX
</i>>><i> checker.
</i>>>>><i>
</i>>>>><i>
</i>>>>><i> Another note: please also try to document the memory footprint.
</i>>>>><i> One of unfortunate features of MPX is its large metadata storage which
</i>>><i> may
</i>>>>><i> in
</i>>>>><i> theory consume as much as 4x more RAM than the application itself.
</i>>>>><i>
</i>>>>><i> --kcc
</i>>>>><i>
</i>>>>>><i>
</i>>>>>><i>
</i>>>>>><i> --kcc
</i>>>>>><i>
</i>>>>>>><i> --
</i>>>>>>><i> Yours sincerely,
</i>>>>>>><i> Dmitrii Kuvaiskii
</i>>>>>><i>
</i>>>>>><i>
</i>>>>><i>
</i>>>>><i>
</i>>>>><i> ______________________________<wbr>_________________
</i>>>>><i> LLVM Developers mailing list
</i>>>>><i> <a moz-do-not-send="true" href="http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev" target="_blank">llvm-dev at lists.llvm.org</a>
</i>>>>><i> <a moz-do-not-send="true" href="http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev" target="_blank">http://lists.llvm.org/cgi-bin/<wbr>mailman/listinfo/llvm-dev</a>
</i>>>>><i>
</i>>>><span class="HOEnZb"><font color="#888888"><i>
</i>>><i>
</i>>><i> --
</i>>><i> Yours sincerely,
</i>>><i> Dmitrii Kuvaiskii
</i>>><i>
</i>><i>
</i>><i>
</i>><i>
</i>><i> ______________________________<wbr>_________________
</i>><i> LLVM Developers mailing list
</i>><i> <a moz-do-not-send="true" href="http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev" target="_blank">llvm-dev at lists.llvm.org</a>
</i>><i> <a moz-do-not-send="true" href="http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev" target="_blank">http://lists.llvm.org/cgi-bin/<wbr>mailman/listinfo/llvm-dev</a>
</i>></font></span></pre><span class="HOEnZb"><font color="#888888">
<pre class="m_5245855359566005395moz-signature" cols="72">--
Best Regards,
Oleksii Oleksenko
TU Dresden
Faculty of Computer Science
Chair of Systems Engineering</pre>
</font></span></div>
______________________________<wbr>_________________
LLVM Developers mailing list
<a moz-do-not-send="true" href="mailto:llvm-dev@lists.llvm.org">llvm-dev@lists.llvm.org</a>
<a moz-do-not-send="true" href="http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev" rel="noreferrer" target="_blank">http://lists.llvm.org/cgi-bin/<wbr>mailman/listinfo/llvm-dev</a>
</blockquote></div>
</div>
</blockquote>
<pre class="moz-signature" cols="72">--
Best Regards,
Oleksii Oleksenko
TU Dresden
Faculty of Computer Science
Chair of Systems Engineering</pre></body></html>