How can I compile a program with Intel's Memory Protection Extensions (MPX) on a Mac?

Question

I am trying to test out Intel's Memory Protection Extensions (MPX) on my Macbook Pro by mirroring this tutorial for Linux . My processor is an Intel Core i5-6267U and it does have the ability to use MPX as verified by running sysctl machdep.cpu | grep MPX sysctl machdep.cpu | grep MPX . However, when I try to compile the following test program:

#include <string.h>
#include <stdio.h>
#include <stdlib.h>

#define noinline __attribute__((noinline))

char dog[] = "dog";
char password[] = "secr3t";

noinline
char dog_letter(int nr)
{
        return dog[nr];
}

int main(int argc, char **argv)
{
        int max = sizeof(dog);
        int i;

        if (argc >= 2)
                max = atoi(argv[1]);

        for (i = 0; i < max; i++)
                printf("dog[%d]: '%c'\n", i, dog_letter(i));

        return 0;
}

with the following command:

/usr/local/bin/gcc-8 -o mpx_test -fcheck-pointer-bounds -mmpx mpx_test.c

I get the following string of errors:

/var/folders/v0/g_jfwt1j0kj1cp6vjn818jjh0000gn/T//cc5F0fho.s:26:10: error: unexpected token in argument list
        bnd jle L2
                ^
/var/folders/v0/g_jfwt1j0kj1cp6vjn818jjh0000gn/T//cc5F0fho.s:37:11: error: unexpected token in argument list
        bnd call        _atoi
                        ^
/var/folders/v0/g_jfwt1j0kj1cp6vjn818jjh0000gn/T//cc5F0fho.s:41:10: error: unexpected token in argument list
        bnd jmp L3
                ^
/var/folders/v0/g_jfwt1j0kj1cp6vjn818jjh0000gn/T//cc5F0fho.s:45:11: error: unexpected token in argument list
        bnd call        _dog_letter
                        ^
/var/folders/v0/g_jfwt1j0kj1cp6vjn818jjh0000gn/T//cc5F0fho.s:57:9: error: unexpected token in argument list
        bnd jl  L4
                ^
/var/folders/v0/g_jfwt1j0kj1cp6vjn818jjh0000gn/T//cc5F0fho.s:61:2: error: invalid instruction mnemonic 'bnd'
        bnd ret
        ^~~
/var/folders/v0/g_jfwt1j0kj1cp6vjn818jjh0000gn/T//cc5F0fho.s:88:2: error: invalid instruction mnemonic 'bnd'
        bnd ret
        ^~~

If I compile with the -S flag, I can see that the assembly GCC generates does have the MPX-specific instructions ( bnd... ). What else do I need to do to compile the program with MPX protections?

Answer 1

I have found a workaround that allows me to use MPX on my Mac - though it is really only viable for small programs. The steps I took to get MPX working for kernel space are as follows:

1. Enable MPX. Refer to the Intel manual for how to do this. In short, one needs to write some bits to a MSR.
2. Startup a Linux VM or hop on any other system that has an assembler that supports MPX.
3. On this second system, write out the MPX assembly instructions (that you want for the program back on the Mac) and assemble the program.
4. Disassemble the program via objdump -d and copy the opcodes for the relevant MPX instructions and operands into inline assembly on the Mac.
5. Compile and run on the Mac:)

This should also work for MPX in user space with a slight change in how MPX is enabled ( XSAVE instructions for user space and a MSR for kernel space).

As an example of what the inline assembly on the Mac could look like after copying the opcodes, consider the following.

__asm__ volatile (
        ".byte 0xf3, 0x0f, 0x1b, 0x40, 0x10     \t\n" // bndmk 16(%rax), %bnd0
        ".byte 0xf2, 0x0f, 0x1a, 0x40, 0x16     \t\n" // bndcu 22(%rax), %bnd0
        :
        : "a" (some_input)
    );