Revizor: Fuzzing for Leaks in Black-box CPUs

05/14/2021 ∙ by Oleksii Oleksenko, et al. ∙ 0

Shared microarchitectural state has become a prime target for side-channel attacks that leverage timing measurements to leak information across security domains. Combined with speculative execution, they cause vulnerabilities like Spectre and Meltdown. Such vulnerabilities often stay undetected for a long time because we lack the tools for systematic testing of CPUs against them. In this paper, we propose an approach to automatically detect microarchitectural information leakage in commercial black-box CPUs. We base our approach on speculation contracts, which we employ to specify the permitted side effects of program execution on the microarchitectural state. We propose a technique, called Model-based Relational Fuzzing (MRF), that enables testing of CPUs against these specifications. We implement MRF in a fuzzing framework called Revizor, and showcase its effectiveness on real Intel x86 CPUs: It automatically detects violations of a rich set of contracts, or indicates their absence. A highlight of our findings is that Revizor managed to automatically surface Spectre, MDS, and LVI by fuzzing against increasingly liberal contracts.

READ FULL TEXT
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.