DOI: 10.1145/3548606.3560578
research-article

SpecDoctor: Differential Fuzz Testing to Find Transient Execution Vulnerabilities

Published: 07 November 2022

ABSTRACT

Transient execution vulnerabilities have critical security impacts on software systems, since they break the fundamental security assumptions guaranteed by the CPU. Detecting these critical vulnerabilities at the RTL development stage is particularly important, as it offers a chance to fix a vulnerability early, before the design reaches the chip manufacturing stage.

This paper proposes SpecDoctor, an automated RTL fuzzer that discovers transient execution vulnerabilities in the CPU. Specifically, SpecDoctor designs a fuzzing template that allows it to test all the different scenarios of transient execution vulnerabilities (e.g., Meltdown, Spectre, Foreshadow, etc.) with a single template. SpecDoctor then performs multi-phased fuzzing, where each phase is dedicated to solving an individual vulnerability constraint in the RTL context, thereby finding the vulnerabilities effectively.

We implemented and evaluated SpecDoctor on two out-of-order RISC-V CPUs, Boom and NutShell-Argo. During the evaluation, SpecDoctor found transient execution vulnerabilities that share similar attack vectors with previous work. Furthermore, SpecDoctor found two interesting variants that abuse unique attack vectors: Boombard and Birgus. Boombard exploits a previously unknown implementation bug in RISC-V Boom, exacerbating it into a critical transient execution vulnerability. Birgus launches a Spectre-type attack with a port contention side channel in the NutShell CPU, which is constructed using a unique combination of instructions. We reported the vulnerabilities, and both were confirmed by the developers, illustrating the strong practical impact of SpecDoctor.


Published in

CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
November 2022
3598 pages
ISBN: 9781450394505
DOI: 10.1145/3548606

Copyright © 2022 ACM


Publisher

Association for Computing Machinery, New York, NY, United States


Acceptance Rates

Overall acceptance rate: 1,261 of 6,999 submissions, 18%
