GhaSShee


Intel's "Bound Table"


# Introduction bound table is skylake intel cpu's new feature.





# History ## buffa over(under)flow problem ### memory checking tools work with compiler - mudflap - Address Sanitizer

### cpu ditector of buffa overflow - start with intel MPX (skylake~)





# bounds レジスタ ~~~ %bnd0 ~~~ bounds register : - 128bit register - upper 64bit : upper limit accesable address - lower 64bit : lower limit accesable address there are 4 bounds registers - BND0 ~ BND3

## operation ### `bndcl` : check if address >= lower bound ### `bndcu` : check if address <= upper bound ### `bndmk` : set a value on bounds register





# an example code ~~~ void foo(int *x) { *x = 0x1234 } int *bar() { static int a; return &a; } int matin() { int a[16]; int b[16]; foo(a); foo(a+16); return 0; } ~~~

~~~ 00000000004005c8 : 4005c8: 66 0f 1a 05 70 20 bndmov 0x200570(%rip),%bnd 4005cf: 00 4005d0: mov $0x600c00,%eax 4005d5: f2 c3 bnd retq 00000000004005d7 : 4005d7: f3 0f 1a 07 bndcl (%rdi),%bnd0 4005db: f2 0f 1a 47 03 bndcu 0x3(%rdi),%bnd0 4005e0: c7 07 34 12 00 00 movl $0x1234,(%rdi) 4005e6: f2 c3 bnd retq 0000000000400538
: 4005e8: 48 83 ec 58 sub $0x58,%rsp # configure bound register 4005ec: 40 8d 7c 24 10 lea 0x10(%rsp),%rdi # lea ~~ mov (similar) 4005f1: b8 3f 00 00 00 mov $0x3f,%eax 4005f6: f3 0f 1b 0c 07 bndmk (%rdi,%rax,1),%bnd1 # rdi:start rax:region 4005fb: 66 0f 1a c1 bndmov %bnd1,%bnd0 4005ff: 66 0f 1b 0c 24 bndmov %bnd1,(%rsp) 400604: f2 e8 cd ff ff ff bnd callq 4005d7 40060a: 66 0f 1a 04 24 bndmov (%rsp),%bnd0 40060f: 48 8d 7c 24 50 lea 0x50(%rsp),%rdi 400614: f2 e8 bd ff ff ff bnd callq 4005d7 40061a: b8 00 00 00 00 mov $0x0,%eax 40061f: 48 83 c4 58 add $0x58,%rsp 400623: f2 c3 bnd retq ~~~





# bound tabel With bound table ## BNDCFGU/S register keeps the bound directory's root address. ### `BNDCFGU` register : for userland ### `BNDCFGS` register : for system kernel ## use Bound Table ### `bndldx` : loads bound values from boundtable ### `bndstx` : store bound values into boundtable

****************************************************************************** * * * * * Pointer Address * * +---------+-------------+--------+ * * | | 1234567 | 89AB0 | * * +---------+-------------+--------+ * * 28bit 17bit * * * * * * Bound Directory ( 2GB = 2^28 × 8 bit ) * * +---------------+ * * | | * * +---------------+ * * | | a particular * * +---------------+ +---------------+ Bound Table * * | BNDCFGU/S + | | | +------------------------+ * * | 0x1234567 × 8 | +---------------+ | | * * +---------------+ | +---+ +------------------------+ * * +--->+---------------+ | | | * * | 8 byte | | +------------------------+ * * +---------------+ | | ($TABLE + 0x89AB0) | * * | 8 byte | | +------------------------+ * * +---------------+ | | | * * | 8 byte | | +------------------------+ * * +---------------+ | | | * * | 8 byte | | +------------------------+ * * +---------------+ | | 32 byte | * * | 8 byte | | +------------------------+ * * +-->+---------------+ | | 32 byte | * * / | +------------------------+ * * +-----+---------+ | | 32 byte | * * |BNDCFGU/BNDCFGS| +--->+------------------------+ * * +---------------+ +------+ * * |$TABLE| * * +------+ * * * * * * 1 entry of bound table (8 byte × 4) * * +-----------------+----------------+ * * | pointer value | reserved | * * +-----------------+----------------+ * * | lower bound | upper bound | * * +-----------------+----------------+ * * * * * * * * * * * * * * * ****************************************************************************** As described above,
`bound table` implements `page table` structure.