WhisperFuzz: White-Box Fuzzing for Detecting and Locating Timing Vulnerabilities in Processors

Pallavi Borkar, Chen Chen, Mohamadreza Rostami, Nikhilesh Singh, Rahul Kande, Ahmad-Reza Sadeghi, Chester Rebeiro, Jeyavijayan Rajendran

TL;DR

WhisperFuzz is the first white-box processor fuzzer to combine fuzzing with static analysis. It detects and locates timing vulnerabilities in processors and measures coverage in terms of microarchitectural timing behaviors (state transitions extracted from the RTL).

Abstract

Timing vulnerabilities in processors have emerged as a potent threat. As processors are the foundation of any computing system, identifying these flaws is imperative. Recently, fuzzing techniques, traditionally used for detecting software vulnerabilities, have shown promising results for uncovering vulnerabilities in large-scale hardware designs, such as processors. Researchers have adapted black-box or grey-box fuzzing to detect timing vulnerabilities in processors. However, they cannot identify the locations or root causes of these timing vulnerabilities, nor do they provide coverage feedback to enable the designer's confidence in the processor's security. To address the deficiencies of the existing fuzzers, we present WhisperFuzz--the first white-box fuzzer with static analysis--aiming to detect and locate timing vulnerabilities in processors and evaluate the coverage of microarchitectural timing behaviors. WhisperFuzz uses the fundamental nature of processors' timing behaviors, microarchitectural state transitions, to localize timing vulnerabilities. WhisperFuzz automatically extracts microarchitectural state transitions from a processor design at the register-transfer level (RTL) and instruments the design to monitor the state transitions as coverage. Moreover, WhisperFuzz measures the time a design-under-test (DUT) takes to process tests, identifying any minor, abnormal variations that may hint at a timing vulnerability. WhisperFuzz detects 12 new timing vulnerabilities across advanced open-source RISC-V processors: BOOM, Rocket Core, and CVA6. Eight of these violate the zero-latency requirements of the Zkt extension and are considered serious security vulnerabilities. Moreover, WhisperFuzz also pinpoints the locations of the new and the existing vulnerabilities.
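The abstract describes three mechanisms: state transitions as the coverage metric, operand mutation plus DUT timing as the detector, and transition traces as the localizer. The following is an added toy model of that pipeline, written for this page; it is not WhisperFuzz code and not RTL from any of the evaluated cores. The cache-set FSM is constructed in the spirit of Figure 1 (each state takes a constant time); the state names, per-state latencies, tag/index split and operand values are all assumptions. The `alu_xor_fsm` stand-in for a data-independent instruction is included so the detector is shown both firing and staying quiet.

```python
"""Toy model of white-box timing fuzzing: state-transition coverage,
operand-mutation timing detection, and transition-diff localization.
Added illustration only; not WhisperFuzz code. Every name and number is an assumption."""
from dataclasses import dataclass

# Assumed per-state latency in cycles. Every state takes constant time,
# the same modelling assumption Figure 1 makes for the cache-set FSM.
LATENCY = {
    "IDLE": 0, "LOOKUP": 2, "HIT": 1, "MISS": 1,
    "MEM_FETCH": 20, "FILL": 3, "EXEC": 1, "COMPLETE": 1,
}


def cache_set_fsm(addr, cached_tags, index_bits=4):
    """Constructed cache-set protocol: the path taken depends on the address tag."""
    tag = addr >> index_bits
    yield "IDLE"
    yield "LOOKUP"
    if tag in cached_tags:
        yield "HIT"
    else:
        yield "MISS"
        yield "MEM_FETCH"
        yield "FILL"
    yield "COMPLETE"


def alu_xor_fsm(a, b):
    """Constructed data-independent ALU op: the same path for every operand pair."""
    yield "IDLE"
    yield "EXEC"
    yield "COMPLETE"


@dataclass
class Run:
    cycles: int          # what the DUT timer would report for this test
    transitions: list    # (src, dst) pairs: the coverage metric


def run_dut(states):
    """Simulate one test: record visited transitions and the total latency."""
    trace = list(states)
    return Run(sum(LATENCY[s] for s in trace), list(zip(trace, trace[1:])))


def fuzz_operands(fsm, operand_sets):
    """Keep the instruction fixed and mutate only its operands (the detection step)."""
    return {ops: run_dut(fsm(*ops)) for ops in operand_sets}


def coverage(runs):
    """Union of state transitions exercised: the feedback a white-box fuzzer gets."""
    return set().union(*(set(r.transitions) for r in runs.values()))


def detect_timing_leak(runs):
    """An instruction whose latency changes with operand values alone leaks timing."""
    return len({r.cycles for r in runs.values()}) > 1


def localize(runs):
    """Transitions taken only by slower runs point at the operand-dependent path."""
    fastest = min(runs.values(), key=lambda r: r.cycles)
    baseline = set(fastest.transitions)
    culprits = set()
    for r in runs.values():
        if r.cycles != fastest.cycles:
            culprits |= set(r.transitions) - baseline
    return sorted(culprits)


def cache_example():
    cached = frozenset({0x1, 0x2})  # tags already resident (constructed)
    return fuzz_operands(cache_set_fsm, [(0x10, cached), (0x25, cached), (0x30, cached)])


def alu_example():
    return fuzz_operands(alu_xor_fsm, [(0x01, 0x02), (0xFF, 0x0F), (0x00, 0x00)])


if __name__ == "__main__":
    for name, runs in (("cache access", cache_example()), ("xor", alu_example())):
        print(name, "cycles:", sorted(r.cycles for r in runs.values()))
        print("  transitions covered:", len(coverage(runs)))
        print("  leak:", detect_timing_leak(runs), "at", localize(runs))
```

Two points the model makes concrete. First, the coverage signal and the detection signal are different things: the third address in `cache_example` adds four new transitions (coverage rises from 3 to 7), and it is exactly those transitions that `localize` reports once the cycle counts diverge. Second, the constant-time `xor` path never changes latency under operand mutation, so no leak is flagged and nothing is localized; this is the behaviour the Zkt zero-latency requirement asks of data-independent instructions, and the property the paper reports eight of its findings violating.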

Paper Structure (28 sections, 7 figures, 3 tables, 3 algorithms)

Figures (7)

  • Figure 1: A finite-state machine (FSM) representation of the cache set protocol. Each state is assumed to take a constant time as shown at each node.
  • Figure 2: A high-level representation of the Micro-Event Graph (MEG) for the cache set protocol represented as an FSM in Figure 1.
  • Figure 3: The WhisperFuzz framework. It includes three key modules. First, the Seed Generation module internally utilizes a coverage-feedback fuzzer to explore the design space. The generated inputs are recorded in a database. Mutations are performed to improve code coverage. Second, the Vulnerability Detection module uses the generated seed, mutates the instruction operands, and identifies the timing vulnerabilities based on DUT simulations. Finally, the Vulnerability Localization module pinpoints the locations of uncovered vulnerabilities.
  • Figure 4: Sub-graph extracted from the Micro-Event Graph in Figure 2 for the cache set protocol case study. The L6, L7, L9, W15, W14 and R10 nodes from Figure 2 correspond to addr, tag_addr, hit, mem_call, complete and way respectively.
  • Figure 5: Timing behaviour of detected novel side-channels.
