Revizor: Fuzzing for Leaks in Black-box CPUs

05/14/2021 ∙ by Oleksii Oleksenko, et al. ∙ 0

Shared microarchitectural state has become a prime target for side-channel attacks that leverage timing measurements to leak information across security domains. Combined with speculative execution, they cause vulnerabilities like Spectre and Meltdown. Such vulnerabilities often stay undetected for a long time because we lack the tools for systematic testing of CPUs against them. In this paper, we propose an approach to automatically detect microarchitectural information leakage in commercial black-box CPUs. We base our approach on speculation contracts, which we employ to specify the permitted side effects of program execution on the microarchitectural state. We propose a technique, called Model-based Relational Fuzzing (MRF), that enables testing of CPUs against these specifications. We implement MRF in a fuzzing framework called Revizor, and showcase its effectiveness on real Intel x86 CPUs: It automatically detects violations of a rich set of contracts, or indicates their absence. A highlight of our findings is that Revizor managed to automatically surface Spectre, MDS, and LVI by fuzzing against increasingly liberal contracts.



There are no comments yet.


page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.