WhisperFuzz: White-Box Fuzzing for Detecting and Locating Timing Vulnerabilities in Processors
CoRR(2024)
Abstract
Timing vulnerabilities in processors have emerged as a potent threat. As
processors are the foundation of any computing system, identifying these flaws
is imperative. Recently, fuzzing techniques, traditionally used for detecting
software vulnerabilities, have shown promising results for uncovering
vulnerabilities in large-scale hardware designs, such as processors.
Researchers have adapted black-box or grey-box fuzzing to detect timing
vulnerabilities in processors. However, they cannot identify the locations or
root causes of these timing vulnerabilities, nor do they provide coverage
feedback to enable the designer's confidence in the processor's security.
To address the deficiencies of the existing fuzzers, we present
WhisperFuzz, the first white-box fuzzer with static analysis, aiming to detect
and locate timing vulnerabilities in processors and evaluate the coverage of
microarchitectural timing behaviors. WhisperFuzz uses the fundamental nature of
processors' timing behaviors, microarchitectural state transitions, to localize
timing vulnerabilities. WhisperFuzz automatically extracts microarchitectural
state transitions from a processor design at the register-transfer level (RTL)
and instruments the design to monitor the state transitions as coverage.
Moreover, WhisperFuzz measures the time a design-under-test (DUT) takes to
process tests, identifying any minor, abnormal variations that may hint at a
timing vulnerability. WhisperFuzz detects 12 new timing vulnerabilities across
advanced open-sourced RISC-V processors: BOOM, Rocket Core, and CVA6. Eight of
these violate the zero latency requirements of the Zkt extension and are
considered serious security vulnerabilities. Moreover, WhisperFuzz also
pinpoints the locations of the new and the existing vulnerabilities.
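As an added illustration (not the paper's tooling), the following constructed Python model shows the two signals the abstract combines: state-transition coverage of the design-under-test and per-test cycle counts, with the transitions unique to slower runs used to localize where the extra cycles come from. The DUT is a hand-written multiplier whose latency depends on its operand; it records its own transitions, standing in for the RTL instrumentation the paper describes.

```python
from typing import Dict, List, Set, Tuple

Transition = Tuple[str, str]  # (from_state, to_state) of the DUT's control FSM


class ToyMulDUT:
    """Constructed shift-and-add multiplier: IDLE -> BUSY (loop) -> DONE -> IDLE.
    It stops looping once the remaining multiplier bits are zero, so the cycle
    count leaks bit_length(b). This is the toy timing flaw to detect and locate."""
    WIDTH = 8

    def run(self, a: int, b: int) -> Tuple[int, int, Set[Transition]]:
        """Execute a*b; return (product, cycles taken, transitions observed)."""
        trace: Set[Transition] = {("IDLE", "BUSY")}
        state, cycles, acc = "BUSY", 0, 0
        while state == "BUSY":
            cycles += 1
            if b & 1:
                acc += a
            a, b = a << 1, b >> 1
            if b == 0:                       # operand-dependent early exit
                trace.add(("BUSY", "DONE"))
                state = "DONE"
            else:
                trace.add(("BUSY", "BUSY"))
        trace.add(("DONE", "IDLE"))
        return acc & ((1 << 2 * self.WIDTH) - 1), cycles + 1, trace


def fuzz_timing(dut: ToyMulDUT, operands: List[Tuple[int, int]]):
    """Run one instruction over many operand pairs, merging the transition
    coverage and grouping the transitions seen by each distinct cycle count."""
    by_latency: Dict[int, Set[Transition]] = {}
    coverage: Set[Transition] = set()
    for a, b in operands:
        _, cycles, trace = dut.run(a, b)
        coverage |= trace
        by_latency.setdefault(cycles, set()).update(trace)
    return by_latency, coverage


def violates_constant_time(by_latency: Dict[int, Set[Transition]]) -> bool:
    """Zkt-style check: one instruction with more than one latency leaks data."""
    return len(by_latency) > 1


def localize(by_latency: Dict[int, Set[Transition]]) -> Dict[int, List[Transition]]:
    """Transitions taken only by slower runs point at the FSM path that costs
    the extra cycles, which is the location a designer needs to inspect."""
    base = by_latency[min(by_latency)]
    return {c: sorted(t - base) for c, t in by_latency.items() if t - base}
```

In a real flow the transition sets come from instrumented RTL and the cycle counts from simulation, but the grouping and differencing logic is the same.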