Intel MPX introduces new bounds registers, and new instruction set extensions that operate on these registers. Additionally, there is a new set of "bound tables" that store bounds beyond what can fit in the bounds registers. MPX uses four new 128-bit bounds registers, BND0 to BND3, each storing a pair of 64-bit lower bound and upper bound values of a buffer. The upper bound is stored in ones' complement form, with BNDMK and BNDCU performing the conversion. The architecture includes two configuration registers BNDCFGx, and a status registerBNDSTATUS, which provides a memory address and error code in case of an exception. Two-level address translation is used for storing bounds in memory. The top layer consists of a Bounds Directory created on the application startup. Each BD entry is either empty or contains a pointer to a dynamically created Bounds Table, which in turn contains a set of pointer bounds along with the linear addresses of the pointers. The bounds load and store instructions transparently perform the address translation and access bounds in the proper BT entry. Intel MPX was introduced as part of the Skylake microarchitecture. Intel Goldmont microarchitecture also supports Intel MPX.
Software support
GNU Compiler Collection 5.0 added support for MPX. In 2018, support for these extensions waned due to maintenance burdens and Intel developers intermittently contributing patches, resulting in a proposal to drop support in GCC 9.0. Support was removed in GCC 9.1.
Kernel-level software support for Intel MPX was merged into the Linux kernel mainline in kernel version 3.19, which was released on February 8, 2015. In 2018, Thomas Gleixner proposed removing MPX support from Linux kernel 4.18. The pull request with its removal was posted in December 2018, during 4.20 development cycle, but wasn't accepted. The second attempt was made in July 2019. MPX support was removed in 5.6.
QEMU supported MPX since version 2.6 and dropped its support in 4.0 release.
A study examined a detailed cross-layer dissection of the MPX system stack and comparison with three prominent software-based memory safety systems and presents the following conclusions.
Even though Intel MPX is a specially designed hardware-assisted approach, it is not faster than the software-based approaches. New Intel MPX instructions can cause up to 4× slowdown in the worst case, although compiler optimizations amortize it and lead to runtime overheads of ~50% on average.
In contrast to other solutions, Intel MPX provides no protection against temporal memory safety errors.
Intel MPX does not support multithreading inherently, which can lead to unsafe data races in legacy threaded programs and if compilers do not synchronize bounds explicitly.
Intel MPX does not support several common C/C++ programming idioms due to restrictions on the allowed memory layout.
Intel MPX is conflicting with some other ISA extensions resulting in performance and security issues. More specifically, these issues arise when Intel MPX is used in combination with Intel TSX and Intel SGX.
Lastly, MPX instructions incur significant performance penalty even on earlier Intel CPU generations without MPX support.
In addition, a review concluded MPX was not production ready, and AddressSanitizer was a better option. A review by Kostya Serebryany at Google, AddressSanitizer's developer, had similar findings.
Another study exploring the scope of Spectre and Meltdown security vulnerabilities discovered that Meltdown can be used to bypass Intel MPX, using the Bound Range Exceeded hardware exception. According to their publication, the researchers were able to leak information through a Flush+Reload covert channel from an out-of-bound access on an array safeguarded by the MPX system. Their Proof Of Concept has not been publicly disclosed.
