Skip to content

mpx

Intro

mpx - manage memory protection keys

Description

The mpx system call is used to create, enable, disable, or get the status of a memory protection key (MPX) on a system. The MPX system call requires a key set register and a bound register, both of which are only available on x86-64 CPUs with the MPX feature enabled. Using the key set register, a process can set and change the memory area to be protected using the MPX key. The bound register specifies boundaries to the portion of memory applicable to the key.

MPX is useful for distinguishing between memory areas that must be kept secure and those that do not need to be protected from malicious or erroneous accesses. For example, a process may want to mark a memory region as "private" so that it can't be accessed by any other process. This can be done using the MPX system call, enabling the process to protect itself from malicious or erroneous accesses within that region.

Arguments

  • addr:void *[U,TOCTOU] - pointer to an address space area.
  • len:int[U,TOCTOU] - length of the address space area.
  • key:unsigned int[U] - MPX key used to protect the given area.
  • op:int[U] - Operation to perform (e.g. set or get).

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)

Hooks

sys_mpx

Type

Kprobe + Kretprobe

Purpose

Monitor the process accesses to keys and its associated protections.

Example Use Case

A security-based application that monitors memory access requests, and uses MPX to protect a specific memory region. The application can use the hooks to be notified when a process modifies keys or attempts to access its corresponding protection regions. The application can then take the necessary actions to protect the system.

Issues

The main issue with mpx is that it only works with x86-64 Architecture segments, which limits its ability to provide protection against malicious or erroneous accesses on older systems.

  • msr: Used to access and modify model-specific registers.
  • set_thread_area: Used to set up and modify thread local storage areas.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.