DOI: 10.1145/3548606.3560578
Research article

SpecDoctor: Differential Fuzz Testing to Find Transient Execution Vulnerabilities

Published: 07 November 2022

Abstract

Transient execution vulnerabilities have critical security impacts on software systems, since they break the fundamental security assumptions guaranteed by the CPU. Detecting these vulnerabilities at the RTL development stage is particularly important, as it offers a chance to fix them before the design reaches chip manufacturing.
This paper proposes SpecDoctor, an automated RTL fuzzer that discovers transient execution vulnerabilities in a CPU. Specifically, SpecDoctor designs a fuzzing template that lets it test all the different scenarios of transient execution vulnerabilities (e.g., Meltdown, Spectre, Foreshadow) with a single template. SpecDoctor then performs multi-phased fuzzing, where each phase is dedicated to solving one individual vulnerability constraint in the RTL context, thereby finding vulnerabilities effectively.
We implemented and evaluated SpecDoctor on two out-of-order RISC-V CPUs, Boom and NutShell-Argo. During the evaluation, SpecDoctor found transient execution vulnerabilities that share attack vectors with previous work. Furthermore, SpecDoctor found two interesting variants that abuse unique attack vectors: Boombard and Birgus. Boombard exploits a previously unknown implementation bug in RISC-V Boom, exacerbating it into a critical transient execution vulnerability. Birgus launches a Spectre-type attack with a port contention side channel in the NutShell CPU, constructed using a unique combination of instructions. We reported both vulnerabilities, and both were confirmed by the developers, illustrating the strong practical impact of SpecDoctor.
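To make the differential-testing idea in the abstract concrete, the following is an added toy example; it is not SpecDoctor's code, and the CPU model, instruction set, template program and oracle rules are my own simplifications rather than the paper's actual design. The model executes a program past an unresolved bounds-check branch on a scratch register file, rolls the registers back on a misprediction but keeps the set of cache lines touched, and then compares two runs that differ only in a secret byte. A pair of runs with identical architectural state but different cache footprints is reported as a transient leak; a run in which nothing was squashed is reported as failing the first constraint (no transient window), which is where a fuzzer would mutate the input rather than look for a leak. A fence after the branch, modelled here as stopping speculation, is shown as the hardened form.

```python
"""Toy differential test for transient-execution leaks (added illustration,
not SpecDoctor's code).  Assumed model: a tiny ISA, a static not-taken branch
predictor, a WINDOW-instruction speculation window, and a cache whose touched
lines are the only microarchitectural state that survives a squash."""
from dataclasses import dataclass

LINE = 64      # bytes per cache line
WINDOW = 8     # instructions executed past an unresolved branch


@dataclass
class Trace:
    regs: dict          # architectural state at halt
    cache: frozenset    # cache lines touched, including by squashed instructions
    squashes: int       # mispredictions rolled back


def exec_one(ins, regs, mem, cache, pc):
    """Execute one non-branch instruction; return the next pc, or None at halt."""
    op = ins[0]
    if op == "add":
        regs[ins[1]] = regs[ins[2]] + regs[ins[3]]
    elif op == "shl":
        regs[ins[1]] = regs[ins[2]] << ins[3]
    elif op == "ld":
        addr = regs[ins[2]] + ins[3]
        cache.add(addr // LINE)            # side effect that a squash does not undo
        regs[ins[1]] = mem.get(addr, 0)
    elif op == "halt":
        return None
    elif op == "fence":
        pass                               # architecturally a no-op
    else:
        raise ValueError(f"unknown op {op}")
    return pc + 1


def run(prog, regs_init, mem, window=WINDOW):
    regs, cache, predictor, squashes, pc = dict(regs_init), set(), {}, 0, 0
    while pc is not None:
        ins = prog[pc]
        if ins[0] != "bge":
            pc = exec_one(ins, regs, mem, cache, pc)
            continue
        _, rs, rt, target = ins
        taken = regs[rs] >= regs[rt]
        predicted = predictor.get(pc, False)     # static predictor: not taken
        spec_regs = dict(regs)                   # scratch register file
        spec_pc = target if predicted else pc + 1
        for _ in range(window):
            nxt = prog[spec_pc]
            if nxt[0] in ("bge", "fence", "halt"):   # window ends; resolve first
                break
            spec_pc = exec_one(nxt, spec_regs, mem, cache, spec_pc)
        predictor[pc] = taken
        if predicted != taken:
            squashes += 1                   # scratch registers discarded, cache kept
        # Continue architecturally from the resolved target; a correctly
        # predicted path is simply re-executed (the cache is a set).
        pc = target if taken else pc + 1
    return Trace(regs, frozenset(cache), squashes)


def differential_test(prog, regs_init, mem, secret_addr, secrets=(0x11, 0xA5)):
    """Run the same program under two secrets and classify the difference."""
    traces = []
    for s in secrets:
        m = dict(mem)
        m[secret_addr] = s
        traces.append(run(prog, regs_init, m))
    a, b = traces
    if a.squashes == 0 and b.squashes == 0:
        return "no-transient-window"        # constraint 1 unmet: nothing squashed
    if a.regs != b.regs:
        return "architectural-leak"          # visible to the ISA, not transient
    if a.cache != b.cache:
        return "transient-leak"              # constraint 2: secret reached the cache
    return "clean"


# Constructed fixture: a 16-byte public array, a secret byte just past it,
# and a probe region whose touched line index encodes the leaked byte.
ARRAY, ARRAY_LEN, PROBE = 0x1000, 16, 0x10000
SECRET_ADDR = ARRAY + 64
MEM = {ARRAY + i: i for i in range(ARRAY_LEN)}


def regs_for(idx):
    return {"r1": idx, "r2": ARRAY_LEN, "r3": ARRAY, "r4": PROBE, "r5": 0, "r6": 0}


# Template: bounds check (trigger), secret-dependent load (transient), probe (observe).
VULN = [
    ("bge", "r1", "r2", 6),        # if idx >= len: skip the access
    ("add", "r5", "r3", "r1"),     # &array[idx]
    ("ld", "r5", "r5", 0),         # transient out-of-bounds read
    ("shl", "r5", "r5", 6),        # byte * LINE
    ("add", "r6", "r4", "r5"),
    ("ld", "r6", "r6", 0),         # encode the byte as a touched cache line
    ("halt",),
]
SAFE = [("bge", "r1", "r2", 7), ("fence",)] + VULN[1:]   # barrier after the check

if __name__ == "__main__":
    for name, prog in (("vulnerable", VULN), ("fenced", SAFE)):
        print(name, differential_test(prog, regs_for(64), MEM, SECRET_ADDR))
    print("in-bounds", differential_test(VULN, regs_for(3), MEM, SECRET_ADDR))
```

The oracle deliberately checks the three conditions in order: a run with no squashed speculation cannot have a transient leak, so it is reported as a template-constraint failure; a pair whose architectural registers differ is an ordinary functional bug rather than a transient one; only an architecturally identical pair with different cache footprints is counted. Real RTL fuzzers observe far more microarchitectural state than a set of cache lines, but the comparison structure is the same.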

References

[1] Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, et al. Spectre attacks: Exploiting speculative execution. In Proceedings of the 40th IEEE Symposium on Security and Privacy (Oakland), San Francisco, CA, May 2019.
[2] Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, et al. Meltdown: Reading kernel memory from user space. In Proceedings of the 27th USENIX Security Symposium (Security), Baltimore, MD, August 2018.
[3] Jo Van Bulck, Marina Minkin, Ofir Weisse, Daniel Genkin, Baris Kasikci, Frank Piessens, Mark Silberstein, Thomas F. Wenisch, Yuval Yarom, and Raoul Strackx. Foreshadow: Extracting the keys to the Intel SGX kingdom with transient out-of-order execution. In Proceedings of the 27th USENIX Security Symposium (Security), Baltimore, MD, August 2018.
[4] Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Giorgi Maisuradze, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida. RIDL: Rogue in-flight data load. In Proceedings of the 40th IEEE Symposium on Security and Privacy (Oakland), San Francisco, CA, May 2019.
[5] Hany Ragab, Enrico Barberis, Herbert Bos, and Cristiano Giuffrida. Rage against the machine clear: A systematic analysis of machine clears and their implications for transient execution attacks. In Proceedings of the 30th USENIX Security Symposium (Security), Online, August 2021.
[6] Stephan van Schaik, Marina Minkin, Andrew Kwong, Daniel Genkin, and Yuval Yarom. CacheOut: Leaking data on Intel CPUs via cache evictions. In Proceedings of the 42nd IEEE Symposium on Security and Privacy (Oakland), Online, May 2021.
[7] Antonio Gonzalez, Fernando Latorre, and Grigorios Magklis. Processor microarchitecture: An implementation perspective. Synthesis Lectures on Computer Architecture, 5(1):1--116, 2010.
[8] Daniel Moghimi, Moritz Lipp, Berk Sunar, and Michael Schwarz. Medusa: Microarchitectural data leakage via automated attack synthesis. In Proceedings of the 29th USENIX Security Symposium (Security), Boston, MA, August 2020.
[9] Yuan Xiao, Yinqian Zhang, and Radu Teodorescu. SpeechMiner: A framework for investigating and measuring speculative execution vulnerabilities. In Proceedings of the 2020 Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, February 2020.
[10] Atri Bhattacharyya, Alexandra Sandulescu, Matthias Neugschwandtner, Alessandro Sorniotti, Babak Falsafi, Mathias Payer, and Anil Kurmus. SMoTherSpectre: Exploiting speculative execution through port contention. In Proceedings of the 26th ACM Conference on Computer and Communications Security (CCS), London, UK, November 2019.
[11] M. Zalewski. American fuzzy lop. http://lcamtuf.coredump.cx/afl/.
[12] Dmitry Vyukov. syzkaller: An unsupervised, coverage-guided kernel fuzzer, 2019.
[13] Giorgi Maisuradze and Christian Rossow. ret2spec: Speculative execution using return stack buffers. In Proceedings of the 25th ACM Conference on Computer and Communications Security (CCS), Toronto, ON, Canada, October 2018.
[14] Jann Horn. Google Project Zero: Speculative execution, variant 4: speculative store bypass. https://bugs.chromium.org/p/project-zero/issues/detail?id=1272.
[15] RISC-V BOOM's documentation. https://docs.boom-core.org/en/latest/index.html.
[16] Mohammad Rahmani Fadiheh, Johannes Müller, Raik Brinkmann, Subhasish Mitra, Dominik Stoffel, and Wolfgang Kunz. A formal approach for detecting vulnerabilities to transient execution attacks in out-of-order processors. In 2020 57th ACM/IEEE Design Automation Conference (DAC), pages 1--6, 2020.
[17] Marco Guarnieri, Boris Köpf, Jan Reineke, and Pepe Vila. Hardware-software contracts for secure speculation. In Proceedings of the 42nd IEEE Symposium on Security and Privacy (Oakland), Online, May 2021.
[18] Ben Gras, Cristiano Giuffrida, Michael Kurth, Herbert Bos, and Kaveh Razavi. ABSynthe: Automatic blackbox side-channel synthesis on commodity microarchitectures. In Proceedings of the 2020 Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, February 2020.
[19] Julian Stecklina and Thomas Prescher. LazyFP: Leaking FPU register state using microarchitectural side-channels. arXiv preprint arXiv:1806.07480, 2018.
[20] Yuval Yarom and Katrina Falkner. Flush+Reload: A high resolution, low noise, L3 cache side-channel attack. In Proceedings of the 23rd USENIX Security Symposium (Security), San Diego, CA, August 2014.
[21] Dmitry Evtyushkin, Ryan Riley, Nael Abu-Ghazaleh, and Dmitry Ponomarev. BranchScope: A new side-channel attack on directional branch predictor. In Proceedings of the 23rd ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), Williamsburg, VA, March 2018.
[22] Fangfei Liu, Yuval Yarom, Qian Ge, Gernot Heiser, and Ruby B. Lee. Last-level cache side-channel attacks are practical. In Proceedings of the 36th IEEE Symposium on Security and Privacy (Oakland), San Jose, CA, May 2015.
[23] Daniel Weber, Ahmad Ibrahim, Hamed Nemati, Michael Schwarz, and Christian Rossow. Osiris: Automated discovery of microarchitectural side channels. In Proceedings of the 30th USENIX Security Symposium (Security), Online, August 2021.
[24] Sergej Schumilo, Cornelius Aschermann, Ali Abbasi, Simon Wörner, and Thorsten Holz. Hyper-Cube: High-dimensional hypervisor fuzzing. In Proceedings of the 2020 Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, February 2020.
[25] Jaewon Hur, Suhwan Song, Dongup Kwon, Eunjin Baek, Jangwoo Kim, and Byoungyoung Lee. DifuzzRTL: Differential fuzz testing to find CPU bugs. In Proceedings of the 42nd IEEE Symposium on Security and Privacy (Oakland), Online, May 2021.
[26] Konstantin Serebryany, Derek Bruening, Alexander Potapenko, and Dmitriy Vyukov. AddressSanitizer: A fast address sanity checker. In Proceedings of the 2012 USENIX Annual Technical Conference (ATC), Boston, MA, June 2012.
[27] Changwoo Min, Sanidhya Kashyap, Byoungyoung Lee, Chengyu Song, and Taesoo Kim. Cross-checking semantic correctness: The case of finding file system bugs. In Proceedings of the 25th ACM Symposium on Operating Systems Principles (SOSP), Monterey, CA, October 2015.
[28] Yuting Chen, Ting Su, and Zhendong Su. Deep differential testing of JVM implementations. In Proceedings of the 41st International Conference on Software Engineering (ICSE), Montreal, Canada, May 2019.
[29] Michael Schwarz, Moritz Lipp, Daniel Moghimi, Jo Van Bulck, Julian Stecklina, Thomas Prescher, and Daniel Gruss. ZombieLoad: Cross-privilege-boundary data sampling. In Proceedings of the 26th ACM Conference on Computer and Communications Security (CCS), London, UK, November 2019.
[30] Suhwan Song, Chengyu Song, Yeongjin Jang, and Byoungyoung Lee. CrFuzz: Fuzzing multi-purpose programs through input validation. In Proceedings of the 25th European Software Engineering Conference (ESEC) / 28th ACM SIGSOFT Symposium on the Foundations of Software Engineering (FSE), Online, November 2020.
[31] Moein Ghaniyoun, Kristin Barber, Yinqian Zhang, and Radu Teodorescu. IntroSpectre: A pre-silicon framework for discovery and analysis of transient execution vulnerabilities. In Proceedings of the 48th ACM/IEEE International Symposium on Computer Architecture (ISCA), Online, June 2021.
[32] RISC-V ISA manual (privileged). https://riscv.org/specifications/privileged-isa/.
[33] RISC-V ISA manual (unprivileged). https://riscv.org/specifications/unprivileged-isa/.
[34] BOOM: Berkeley Out-of-Order Machine. https://github.com/riscv-boom/riscv-boom.
[35] NutShell, RISC-V CPU developed by the OSCPU team. https://github.com/OSCPU/NutShell.
[36] RiscyOO: RISC-V out-of-order processors. https://github.com/csail-csg/riscy-OOO.
[37] The Lizard core. https://github.com/cornell-brg/lizard.
[38] Chisel 3: A modern hardware design language. https://github.com/freechipsproject/chisel3.
[39] FIRRTL: Flexible intermediate representation for RTL. https://github.com/freechipsproject/FIRRTL.
[40] Chipyard, an agile RISC-V SoC design framework with in-order cores, out-of-order cores, accelerators, and more. https://github.com/ucb-bar/chipyard.
[41] Jerry Zhao, Ben Korpan, Abraham Gonzalez, and Krste Asanovic. SonicBOOM: The 3rd generation Berkeley Out-of-Order Machine. In Fourth Workshop on Computer Architecture Research with RISC-V (CARRV), 2020.
[42] Dayeol Lee, David Kohlbrenner, Shweta Shinde, Krste Asanović, and Dawn Song. Keystone: An open framework for architecting trusted execution environments. In Proceedings of the 15th European Conference on Computer Systems (EuroSys), Crete, Greece, April 2020.
[43] Oleksii Oleksenko, Christof Fetzer, Boris Köpf, and Mark Silberstein. Revizor: Fuzzing for leaks in black-box CPUs. arXiv preprint arXiv:2105.06872, 2021.
[44] Esmaeil Mohammadian Koruyeh, Khaled N. Khasawneh, Chengyu Song, and Nael Abu-Ghazaleh. Spectre returns! Speculation attacks using the return stack buffer. In Proceedings of the 12th USENIX Workshop on Offensive Technologies (WOOT), Baltimore, MD, August 2018.
[45] Claudio Canella, Daniel Genkin, Lukas Giner, Daniel Gruss, Moritz Lipp, Marina Minkin, Daniel Moghimi, Frank Piessens, Michael Schwarz, Berk Sunar, et al. Fallout: Leaking data on Meltdown-resistant CPUs. In Proceedings of the 26th ACM Conference on Computer and Communications Security (CCS), London, UK, November 2019.
[46] Hany Ragab, Alyssa Milburn, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida. CrossTalk: Speculative data leaks across cores are real. In Proceedings of the 42nd IEEE Symposium on Security and Privacy (Oakland), Online, May 2021.
[47] Marcel Böhme, Van-Thuan Pham, and Abhik Roychoudhury. Coverage-based greybox fuzzing as Markov chain. In Proceedings of the 23rd ACM Conference on Computer and Communications Security (CCS), Vienna, Austria, October 2016.
[48] Peng Chen and Hao Chen. Angora: Efficient fuzzing by principled search. In Proceedings of the 39th IEEE Symposium on Security and Privacy (Oakland), San Francisco, CA, May 2018.
[49] Insu Yun, Sangho Lee, Meng Xu, Yeongjin Jang, and Taesoo Kim. QSYM: A practical concolic execution engine tailored for hybrid fuzzing. In Proceedings of the 27th USENIX Security Symposium (Security), Baltimore, MD, August 2018.
[50] Caroline Lemieux and Koushik Sen. FairFuzz: A targeted mutation strategy for increasing greybox fuzz testing coverage. In Proceedings of the 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE), Montpellier, France, September 2018.
[51] Dae R. Jeong, Kyungtae Kim, Basavesh Shivakumar, Byoungyoung Lee, and Insik Shin. Razzer: Finding kernel race bugs through fuzzing. In Proceedings of the 40th IEEE Symposium on Security and Privacy (Oakland), San Francisco, CA, May 2019.
[52] Theofilos Petsios, Adrian Tang, Salvatore Stolfo, Angelos D. Keromytis, and Suman Jana. NEZHA: Efficient domain-independent differential testing. In Proceedings of the 38th IEEE Symposium on Security and Privacy (Oakland), San Jose, CA, May 2017.
[53] Shirin Nilizadeh, Yannic Noller, and Corina S. Pasareanu. DifFuzz: Differential fuzzing for side-channel analysis. In Proceedings of the 41st International Conference on Software Engineering (ICSE), Montreal, Canada, May 2019.

Cited By

  • RTL Verification for Secure Speculation Using Contract Shadow Logic. Proceedings of the 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 1 (2025), pp. 970-986. DOI: 10.1145/3669940.3707243. Online publication date: 3 Feb 2025.
  • Synthesizing Hardware-Software Leakage Contracts for RISC-V Open-Source Processors. 2024 Design, Automation & Test in Europe Conference & Exhibition (DATE), pp. 1-6. DOI: 10.23919/DATE58400.2024.10546681. Online publication date: 25 Mar 2024.
  • A Miss Is as Good as A Mile: Metamorphic Testing for Deep Learning Operators. Proceedings of the ACM on Software Engineering 1:FSE (2024), pp. 2005-2027. DOI: 10.1145/3660796. Online publication date: 12 Jul 2024.
  • Instiller: Toward Efficient and Realistic RTL Fuzzing. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 43:7 (2024), pp. 2177-2190. DOI: 10.1109/TCAD.2024.3360318. Online publication date: Jul 2024.
  • Transient-Execution Attacks: A Computer Architect Perspective. ACM Computing Surveys 56:3 (2023), pp. 1-38. DOI: 10.1145/3603619. Online publication date: 6 Oct 2023.
  • Processor Vulnerability Discovery. 2023 60th ACM/IEEE Design Automation Conference (DAC), pp. 1-3. DOI: 10.1109/DAC56929.2023.10247906. Online publication date: 9 Jul 2023.
  • Microarchitectural Side-Channel Threats, Weaknesses and Mitigations: A Systematic Mapping Study. IEEE Access 11 (2023), pp. 48945-48976. DOI: 10.1109/ACCESS.2023.3275757. Online publication date: 2023.


    Published In

    CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
    November 2022, 3598 pages
    ISBN: 9781450394505
    DOI: 10.1145/3548606
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. differential testing
    2. fuzzing
    3. transient-execution vulnerability

    Conference

    CCS '22

    Acceptance Rates

    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

    Article Metrics

    • Downloads (Last 12 months)285
    • Downloads (Last 6 weeks)22
    Reflects downloads up to 20 Feb 2025

