# Intel MPX

> Mediated Wiki article. Canonical URL: https://mediated.wiki/source/Intel_MPX
> Markdown URL: https://mediated.wiki/source/Intel_MPX.md
> Source: https://en.wikipedia.org/wiki/Intel_MPX
> Source revision: 1305156751
> License: Creative Commons Attribution-ShareAlike 4.0 International (https://creativecommons.org/licenses/by-sa/4.0/)

Set of extensions to the x86 instruction set architecture

Not to be confused with [Intel XMP](/source/Intel_XMP).

**Intel MPX** (**Memory Protection Extensions**) are a discontinued set of extensions to the [x86](/source/X86) [instruction set architecture](/source/Instruction_set_architecture). With [compiler](/source/Compiler), [runtime library](/source/Runtime_library) and [operating system](/source/Operating_system) support, Intel MPX claimed to enhance security to [software](/source/Software) by checking [pointer references](/source/Pointer_(computer_programming)) whose normal compile-time intentions are maliciously exploited at runtime due to [buffer overflows](/source/Buffer_overflow). In practice, there have been too many flaws discovered in the design for it to be useful, and support has been deprecated or removed from most compilers and operating systems. [Intel](/source/Intel) has listed MPX as removed in 2019 and onward hardware in section 2.5 of its Intel® 64 and IA-32 Architectures Software Developer's Manual Volume 1.[1]

## Extensions

Intel MPX introduces new bounds [registers](/source/Processor_register), and new [instruction set](/source/Instruction_set) extensions that operate on these registers. Additionally, there is a new set of "bound tables" that store bounds beyond what can fit in the bounds registers.[2][3][4][5][6]

MPX uses four new 128-bit bounds registers, BND0 to BND3, each storing a pair of 64-bit lower bound (LB) and upper bound (UB) values of a buffer. The upper bound is stored in [ones' complement](/source/Ones'_complement) form, with BNDMK (create bounds) and BNDCU (check upper bound) performing the conversion. The architecture includes two configuration registers BNDCFGx (BNDCFGU in user space and BNDCFGS in kernel mode), and a status register BNDSTATUS, which provides a memory address and error code in case of an exception.[7][8]

Two-level address translation is used for storing bounds in memory. The top layer consists of a Bounds Directory (BD) created on the application startup. Each BD entry is either empty or contains a pointer to a dynamically created Bounds Table (BT), which in turn contains a set of pointer bounds along with the linear addresses of the pointers. The bounds load (BNDLDX) and store (BNDSTX) instructions transparently perform the address translation and access bounds in the proper BT entry.[7][8]

Intel MPX was introduced as part of the [Skylake](/source/Skylake_(microarchitecture)) microarchitecture.[9]

Intel [Goldmont](/source/Goldmont) microarchitecture also supports Intel MPX.[9]

## Software support

- [glibc](/source/Glibc) removed support in version 2.35.

- [GNU Compiler Collection](/source/GNU_Compiler_Collection) (GCC) 5.0 added support for MPX.[10] In 2018, support for these extensions waned due to maintenance burdens and [Intel](/source/Intel) developers intermittently contributing patches, resulting in a proposal to drop support in GCC 9.0.[11] Support was removed in GCC 9.1.[12]

- [Intel C++ Compiler](/source/Intel_C%2B%2B_Compiler) (icc) 15.0 added support for Intel MPX.[10]

- [Kernel](/source/Kernel_(operating_system))-level software support for Intel MPX was merged into the [Linux kernel mainline](/source/Linux_kernel_mainline) in kernel version 3.19, which was released on February 8, 2015.[13][14] In 2018, Thomas Gleixner proposed removing MPX support from Linux kernel 4.18.[15] The pull request with its removal was posted in December 2018, during 4.20 development cycle,[16] but wasn't accepted. The second attempt was made in July 2019.[17] MPX support was removed in 5.6.[18]

- [QEMU](/source/QEMU) supported MPX since version 2.6[19] and dropped its support in 4.0 release.[20]

- [Microsoft Visual Studio 2015](/source/Microsoft_Visual_Studio_2015) Update 1 added experimental support for MPX.[21]

## Analysis

A study examined a detailed cross-layer dissection of the MPX system stack and comparison with three prominent software-based memory protection mechanisms ([AddressSanitizer](/source/AddressSanitizer), SAFECode, and SoftBound) and presents the following conclusions.[8]

- Even though Intel MPX is a specially designed hardware-assisted approach with its own added set of hardware registers, it is not faster than any of the software-based approaches. New Intel MPX instructions can cause up to 4× slowdown in the worst case, although compiler optimizations amortize it and lead to runtime overheads of ~50% on average.

- In contrast to the other software-based solutions, Intel MPX provides no protection against temporal memory safety errors.

- Reading and writing from the doubly-indirected bounds tables is not thread-safe.

- MPX does not support several common [C](/source/C_(programming_language))/[C++](/source/C%2B%2B) programming idioms, such as [flexible array members](/source/Flexible_array_member), referencing one field as an offset from another, etc.

- MPX conflicts with some other ISA extensions, resulting in performance and security issues. More specifically, these issues arise when Intel MPX is used in combination with other hardware-based protection mechanisms, such as [Intel TSX](/source/Transactional_Synchronization_Extensions) and [Intel SGX](/source/Software_Guard_Extensions).

- MPX instructions incur a significant performance penalty (15+%) even on Intel CPUs without MPX support.

In addition, a review concluded MPX was not production ready, and [AddressSanitizer](/source/AddressSanitizer) was a better option.[8] A review by Kostya Serebryany at Google, AddressSanitizer's developer,[22] had similar findings.[23]

### Meltdown

Another study[24] exploring the scope of [Spectre](/source/Spectre_(security_vulnerability)) and [Meltdown](/source/Meltdown_(security_vulnerability)) security vulnerabilities discovered that Meltdown can be used to bypass Intel MPX, using the Bound Range Exceeded (#BR) hardware exception. According to their publication, the researchers were able to leak information through a Flush+Reload covert channel from an out-of-bound access on an array safeguarded by the MPX system. Their Proof Of Concept has not been publicly disclosed.

## See also

- [Memory protection keys](/source/Memory_protection_keys)

- [Software Guard Extensions](/source/Software_Guard_Extensions)

## References

1. **[^](#cite_ref-1)** [*Intel® 64 and IA-32 Architectures Software Developer's Manual Volume 1: Basic Architecture*](https://software.intel.com/content/www/us/en/develop/download/intel-64-and-ia-32-architectures-software-developers-manual-volume-1-basic-architecture.html). [Intel](/source/Intel). November 2020. Retrieved 2021-03-03.

1. **[^](#cite_ref-isa_ext_2-0)** ["Intel ISA Extensions"](https://software.intel.com/en-us/isa-extensions). [Intel](/source/Intel). Retrieved 2013-11-04.

1. **[^](#cite_ref-3)** ["Introduction to Intel Memory Protection Extensions"](https://software.intel.com/en-us/articles/introduction-to-intel-memory-protection-extensions). [Intel](/source/Intel). 2013-07-16. Retrieved 2013-09-10.

1. **[^](#cite_ref-4)** ["Discussion of Intel Memory Protection Extensions (MPX) and comparison with AddressSanitizer"](https://code.google.com/p/address-sanitizer/wiki/IntelMemoryProtectionExtensions). *code.google.com*. Retrieved 2013-11-04.

1. **[^](#cite_ref-5)** ["Intel® Memory Protection Extensions (Intel® MPX) support in the GCC compiler"](https://gcc.gnu.org/wiki/Intel%20MPX%20support%20in%20the%20GCC%20compiler). *gcc.gnu.org*. Retrieved 2013-11-04.

1. **[^](#cite_ref-6)** ["Intel MPX Explained: Storing bounds in memory"](https://intel-mpx.github.io/design/#boundstore). *intel-mpx.github.io*. Retrieved 2017-02-06.

1. ^ [***a***](#cite_ref-intel-isepr_7-0) [***b***](#cite_ref-intel-isepr_7-1) ["Intel Architecture Instruction Set Extensions Programming Reference"](https://software.intel.com/en-us/intel-architecture-instruction-set-extensions-programming-reference) (PDF). [Intel](/source/Intel). December 2013. Retrieved 2014-01-17.

1. ^ [***a***](#cite_ref-mpx-explained_8-0) [***b***](#cite_ref-mpx-explained_8-1) [***c***](#cite_ref-mpx-explained_8-2) [***d***](#cite_ref-mpx-explained_8-3) Oleksenko, Oleksii; Kuvaiskii, Dmitrii; Bhatotia, Pramod; Felber, Pascal; Fetzer, Christof (2017). "Intel MPX Explained: An Empirical Study of Intel MPX and Software-based Bounds Checking Approaches". [arXiv](/source/ArXiv_(identifier)):[1702.00719](https://arxiv.org/abs/1702.00719) [[cs.CR](https://arxiv.org/archive/cs.CR)].

1. ^ [***a***](#cite_ref-intelemu_9-0) [***b***](#cite_ref-intelemu_9-1) ["Intel Software Development Emulator"](https://software.intel.com/en-us/articles/intel-software-development-emulator). [Intel](/source/Intel). 2012-06-15. Retrieved 2013-11-04.

1. ^ [***a***](#cite_ref-intelmpx.github_10-0) [***b***](#cite_ref-intelmpx.github_10-1) ["Design of Intel MPX"](https://intel-mpx.github.io/design/). Intel.

1. **[^](#cite_ref-11)** ["GCC 9 Looks Set To Remove Intel MPX Support"](https://www.phoronix.com/scan.php?page=news_item&px=GCC-Patch-To-Drop-MPX). [Phoronix](/source/Phoronix). Retrieved 2018-04-27.

1. **[^](#cite_ref-12)** ["Intel MPX Support Removed From GCC 9 - Phoronix"](https://www.phoronix.com/scan.php?page=news_item&px=MPX-Removed-From-GCC9). *www.phoronix.com*.

1. **[^](#cite_ref-13)** ["Linux kernel 3.19, Section 1.2. Support for the Intel Memory Protection Extensions"](http://kernelnewbies.org/Linux_3.19). *kernelnewbies.org*. February 9, 2015. Retrieved February 9, 2015.

1. **[^](#cite_ref-14)** Jonathan Corbet (January 29, 2014). ["Supporting Intel MPX in Linux"](https://lwn.net/Articles/582712/). [LWN.net](/source/LWN.net). Retrieved February 9, 2015.

1. **[^](#cite_ref-15)** ["The Linux Kernel Might Drop Memory Protection Extensions Support"](https://www.phoronix.com/scan.php?page=news_item&px=Linux-Kernel-Weighing-Intel-MPX). [Phoronix](/source/Phoronix).

1. **[^](#cite_ref-16)** ["\[GIT PULL\] x86: remove Intel MPX"](http://lkml.iu.edu/hypermail/linux/kernel/1812.0/04478.html).

1. **[^](#cite_ref-17)** ["\[PATCH 0/3\] \[RFC\] x86: start the MPX removal process"](https://lkml.org/lkml/2019/7/5/587).

1. **[^](#cite_ref-18)** ["Intel MPX Support Is Dead With Linux 5.6 - Phoronix"](https://www.phoronix.com/scan.php?page=news_item&px=Intel-MPX-Is-Dead). *www.phoronix.com*.

1. **[^](#cite_ref-19)** ["ChangeLog/2.6"](https://wiki.qemu.org/ChangeLog/2.6).

1. **[^](#cite_ref-20)** ["QEMU 4 arrives with toys for Arm admirers, RISC-V revolutionaries, POWER patriots... you get the idea"](https://www.theregister.co.uk/2019/04/25/qemu_4/). *[The Register](/source/The_Register)*.

1. **[^](#cite_ref-21)** ["Visual Studio 2015 Update 1: New Experimental Feature – MPX"](https://blogs.msdn.microsoft.com/vcblog/2016/01/20/visual-studio-2015-update-1-new-experimental-feature-mpx/). [Microsoft](/source/Microsoft). 2016-01-20.

1. **[^](#cite_ref-22)** Serebryany, Konstantin. ["Konstantin Serebryany"](https://web.archive.org/web/20230727153419/https://research.google/people/KonstantinSerebryany/). *Google Research*. Archived from [the original](https://research.google.com/pubs/KonstantinSerebryany) on 2023-07-27. Retrieved 2024-07-18.

1. **[^](#cite_ref-23)** ["Address Sanitizer Intel Memory Protection Extensions"](https://github.com/google/sanitizers/wiki/AddressSanitizerIntelMemoryProtectionExtensions). *GitHub*. [Archived](https://web.archive.org/web/20240718183709/https://github.com/google/sanitizers/wiki/AddressSanitizerIntelMemoryProtectionExtensions) from the original on 2024-07-18. Retrieved 2013-11-04.

1. **[^](#cite_ref-24)** Canella, Claudio; Van Bulck, Jo; Schwarz, Michael; Lipp, Moritz; von Berg, Benjamin; Ortner, Philipp; Piessens, Frank; Evtyushkin, Dmitry; Gruss, Daniel (2018). "A Systematic Evaluation of Transient Execution Attacks and Defenses". [arXiv](/source/ArXiv_(identifier)):[1811.05441](https://arxiv.org/abs/1811.05441) [[cs.CR](https://arxiv.org/archive/cs.CR)].

## External links

- [*Intel Architecture Instruction Set Extensions Programming Reference*](https://software.intel.com/sites/default/files/managed/07/b7/319433-023.pdf) (PDF). [Intel](/source/Intel). July 2013. Retrieved 2016-01-10.

- Oleksenko, Oleksii; Kuvaiskii, Dmitrii; Bhatotia, Pramod; Felber, Pascal; Fetzer, Christof (2017). "Intel MPX Explained: An Empirical Study of Intel MPX and Software-based Bounds Checking Approaches". [arXiv](/source/ArXiv_(identifier)):[1702.00719](https://arxiv.org/abs/1702.00719) [[cs.CR](https://arxiv.org/archive/cs.CR)]. Online supplementary material at [https://intel-mpx.github.io](https://intel-mpx.github.io).

- ["Introduction to Intel Memory Protection Extensions"](https://software.intel.com/en-us/articles/introduction-to-intel-memory-protection-extensions). [Intel](/source/Intel). 2013-07-16. Retrieved 2013-09-10.

- ["Intel ISA Extensions"](https://software.intel.com/en-us/isa-extensions). [Intel](/source/Intel). Retrieved 2013-11-04.

- ["Intel® Memory Protection Extensions (Intel® MPX) support in the GCC compiler"](https://gcc.gnu.org/wiki/Intel%20MPX%20support%20in%20the%20GCC%20compiler). *gcc.gnu.org*. Retrieved 2013-11-04.

- Hansen, Dave (2016-03-16). ["Intel® Memory Protection Extensions (Intel® MPX) for Linux"](https://01.org/blogs/2016/intel-mpx-linux). Retrieved 2018-05-17.

v t e Processor technologies Models Abstract machine Stored-program computer Finite-state machine with datapath Hierarchical Deterministic finite automaton Queue automaton Cellular automaton Quantum cellular automaton Turing machine Alternating Turing machine Universal Post–Turing Quantum Nondeterministic Turing machine Probabilistic Turing machine Hypercomputation Zeno machine Belt machine Stack machine Register machines Counter Pointer Random-access Random-access stored program Architecture Microarchitecture Von Neumann Harvard modified Dataflow Transport-triggered Cellular Endianness Memory access NUMA HUMA Load–store Register/memory Cache hierarchy Memory hierarchy Virtual memory Secondary storage Heterogeneous Fabric Multiprocessing Cognitive Neuromorphic Instruction set architectures Types Orthogonal instruction set CISC RISC Application-specific EDGE TRIPS VLIW EPIC MISC OISC NISC ZISC VISC architecture Quantum computing Comparison Addressing modes Instruction sets Motorola 68000 series VAX PDP-11 x86 ARM Stanford MIPS MIPS MIPS-X Power POWER PowerPC Power ISA Clipper architecture SPARC SuperH DEC Alpha ETRAX CRIS M32R Unicore Itanium OpenRISC RISC-V MicroBlaze LMC System/3x0 S/360 S/370 S/390 z/Architecture Tilera ISA VISC architecture Epiphany architecture Others Execution Instruction pipelining Pipeline stall Operand forwarding Classic RISC pipeline Hazards Data dependency Structural Control False sharing Out-of-order Scoreboarding Tomasulo's algorithm Reservation station Re-order buffer Register renaming Wide-issue Speculative Branch prediction Memory dependence prediction Parallelism Level Bit Bit-serial Word Instruction Pipelining Scalar Superscalar Task Thread Process Data Vector Memory Distributed Multithreading Temporal Simultaneous Hyperthreading Simultaneous and heterogenous Speculative Preemptive Cooperative Flynn's taxonomy SISD SIMD Array processing (SIMT) Pipelined processing Associative processing SWAR MISD MIMD SPMD Processor performance Transistor count Instructions per cycle (IPC) Cycles per instruction (CPI) Instructions per second (IPS) Floating-point operations per second (FLOPS) Transactions per second (TPS) Synaptic updates per second (SUPS) Performance per watt (PPW) Cache performance metrics Computer performance by orders of magnitude Types Central processing unit (CPU) Graphics processing unit (GPU) GPGPU Vector Barrel Stream Tile processor Coprocessor PAL ASIC FPGA FPOA CPLD Multi-chip module (MCM) System in a package (SiP) Package on a package (PoP) By application Embedded system Microprocessor Microcontroller Mobile Ultra-low-voltage ASIP Soft microprocessor Systems on chip System on a chip (SoC) Multiprocessor (MPSoC) Cypress PSoC Network on a chip (NoC) Hardware accelerators Coprocessor AI accelerator Graphics processing unit (GPU) Image processor Vision processing unit (VPU) Physics processing unit (PPU) Digital signal processor (DSP) Tensor Processing Unit (TPU) Secure cryptoprocessor Network processor Baseband processor Word size 1-bit 4-bit 8-bit 12-bit 15-bit 16-bit 24-bit 32-bit 48-bit 64-bit 128-bit 256-bit 512-bit bit slicing others variable Core count Single-core Multi-core Manycore Heterogeneous architecture Components Core Cache CPU cache Scratchpad memory Data cache Instruction cache replacement policies coherence Bus Clock rate Clock signal FIFO Functional units Arithmetic logic unit (ALU) Address generation unit (AGU) Floating-point unit (FPU) Memory management unit (MMU) Load–store unit Translation lookaside buffer (TLB) Branch predictor Branch target predictor Integrated memory controller (IMC) Memory management unit Instruction decoder Logic Combinational Sequential Glue Logic gate Quantum Array Registers Processor register Status register Stack register Register file Memory buffer Memory address register Program counter Control unit Hardwired control unit Instruction unit Data buffer Write buffer Microcode ROM Counter Datapath Multiplexer Demultiplexer Adder Multiplier CPU Binary decoder Address decoder Sum-addressed decoder Barrel shifter Circuitry Integrated circuit 3D Mixed-signal Power management Boolean Digital Analog Quantum Switch Power management PMU APM ACPI Dynamic frequency scaling Dynamic voltage scaling Clock gating Performance per watt (PPW) Related History of general-purpose CPUs Microprocessor chronology Processor design Digital electronics Hardware security module Semiconductor device fabrication Tick–tock model Pin grid array Chip carrier

v t e Instruction set extensions SIMD (RISC) Alpha MVI ARM NEON SVE MIPS MDMX MIPS-3D MXU MIPS SIMD PA-RISC MAX Power ISA VMX SPARC VIS SIMD (x86) MMX (1996) 3DNow! (1998) SSE (1999) SSE2 (2001) SSE3 (2004) SSSE3 (2006) SSE4 (2006) SSE5 (2007) AVX (2008) F16C (2009) XOP (2009) FMA (FMA4: 2011, FMA3: 2012) AVX2 (2013) AVX-512 (2015) AMX (2022) AVX10 (2023) Bit manipulation BMI (ABM: 2007, BMI1: 2012, BMI2: 2013, TBM: 2012) ADX (2014) Compressed instructions Thumb MIPS16e ASE RVC Security and cryptography PadLock (2003) AES-NI (2008); ARMv8 also has AES instructions CLMUL (2010) RDRAND (2012) SHA (2013) MPX (2015) SGX (2015) TDX (2021) Transactional memory TSX (2013) ASF Virtualization VT-x (2005) AMD-V (2006) AMD-Vi / VT-d (2011) General-purpose registers AMD64 (1999) APX (2023) Suspended extensions' dates are struck through.

---
Adapted from the Wikipedia article [Intel MPX](https://en.wikipedia.org/wiki/Intel_MPX) by Wikipedia contributors ([contributor history](https://en.wikipedia.org/wiki/Intel_MPX?action=history)). Available under [Creative Commons Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/). Changes may have been made.