DeepAI AI Chat
Log In Sign Up

Revizor: Testing Black-box CPUs against Speculation Contracts

by   Oleksii Oleksenko, et al.

Speculative vulnerabilities such as Spectre and Meltdown expose speculative execution state that can be exploited to leak information across security domains via side-channels. Such vulnerabilities often stay undetected for a long time as we lack the tools for systematic testing of CPUs to find them. In this paper, we propose an approach to automatically detect microarchitectural information leakage in commercial black-box CPUs. We build on speculation contracts, which we employ to specify the permitted side effects of program execution on the CPU's microarchitectural state. We propose a Model-based Relational Testing (MRT) technique to empirically assess the CPU compliance with these specifications. We implement MRT in a testing framework called Revizor, and showcase its effectiveness on real Intel x86 CPUs. Revizor automatically detects violations of a rich set of contracts, or indicates their absence. A highlight of our findings is that Revizor managed to automatically surface Spectre, MDS, and LVI, as well as several previously unknown variants.


page 1

page 2

page 3

page 4


Hide and Seek with Spectres: Efficient discovery of speculative information leaks with random testing

Attacks like Spectre abuse speculative execution, one of the key perform...

Automated Black-box Testing of Mass Assignment Vulnerabilities in RESTful APIs

Mass assignment is one of the most prominent vulnerabilities in RESTful ...

AntFuzzer: A Grey-Box Fuzzing Framework for EOSIO Smart Contracts

In the past few years, several attacks against the vulnerabilities of EO...

EVMFuzz: Differential Fuzz Testing of Ethereum Virtual Machine

Ethereum Virtual Machine (EVM) is the run-time environment for smart con...

Systematic Meets Unintended: Prior Knowledge Adaptive 5G Vulnerability Detection via Multi-Fuzzing

The virtualization and softwarization of 5G and NextG are critical enabl...

Hyperfuzzing: black-box security hypertesting with a grey-box fuzzer

Information leakage is a class of error that can lead to severe conseque...

Data Sampling on MDS-resistant 10th Generation Intel Core (Ice Lake)

Microarchitectural Data Sampling (MDS) is a set of hardware vulnerabilit...