Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

BETA: Automated Black-box Exploration for Timing Attacks in Processors

Congcong Chen, Jinhua Cui, Jiliang Zhang

TL;DR

BETA has successfully detected all x86 processor vulnerabilities previously identified by recent black-box methods, as well as 8 previously undiscovered timing vulnerabilities, and outperforms the existing state-of-the-art black-box methods, achieving at least 3x faster detection speed.

Abstract

Modern processor advancements have introduced security risks, particularly in the form of microarchitectural timing attacks. High-profile attacks such as Meltdown and Spectre have revealed critical flaws, compromising the entire system's security. Recent black-box automated methods have demonstrated their advantages in identifying these vulnerabilities on various commercial processors. However, they often focus on specific attack types or incorporate numerous ineffective test cases, which severely limits the detection scope and efficiency. In this paper, we present BETA, a novel black-box framework that harnesses fuzzing to efficiently uncover multifaceted timing vulnerabilities in processors. Our framework employs a two-pronged approach, enhancing both mutation space and exploration efficiency: 1) we introduce an innovative fuzzer that precisely constrains mutation direction for diverse instruction combinations, including opcode, data, address, and execution level; 2) we develop a coverage feedback mechanism based on our instruction classification to discard potentially trivial or redundant test cases. This mechanism significantly expands coverage across a broader spectrum of instruction types. We evaluate the performance and effectiveness of BETA on four processors from Intel and AMD, each featuring distinct microarchitectures. BETA has successfully detected all x86 processor vulnerabilities previously identified by recent black-box methods, as well as 8 previously undiscovered timing vulnerabilities. BETA outperforms the existing state-of-the-art black-box methods, achieving at least 3x faster detection speed.

BETA: Automated Black-box Exploration for Timing Attacks in Processors

TL;DR

BETA has successfully detected all x86 processor vulnerabilities previously identified by recent black-box methods, as well as 8 previously undiscovered timing vulnerabilities, and outperforms the existing state-of-the-art black-box methods, achieving at least 3x faster detection speed.

Abstract

Modern processor advancements have introduced security risks, particularly in the form of microarchitectural timing attacks. High-profile attacks such as Meltdown and Spectre have revealed critical flaws, compromising the entire system's security. Recent black-box automated methods have demonstrated their advantages in identifying these vulnerabilities on various commercial processors. However, they often focus on specific attack types or incorporate numerous ineffective test cases, which severely limits the detection scope and efficiency. In this paper, we present BETA, a novel black-box framework that harnesses fuzzing to efficiently uncover multifaceted timing vulnerabilities in processors. Our framework employs a two-pronged approach, enhancing both mutation space and exploration efficiency: 1) we introduce an innovative fuzzer that precisely constrains mutation direction for diverse instruction combinations, including opcode, data, address, and execution level; 2) we develop a coverage feedback mechanism based on our instruction classification to discard potentially trivial or redundant test cases. This mechanism significantly expands coverage across a broader spectrum of instruction types. We evaluate the performance and effectiveness of BETA on four processors from Intel and AMD, each featuring distinct microarchitectures. BETA has successfully detected all x86 processor vulnerabilities previously identified by recent black-box methods, as well as 8 previously undiscovered timing vulnerabilities. BETA outperforms the existing state-of-the-art black-box methods, achieving at least 3x faster detection speed.

Paper Structure

This paper contains 18 sections, 3 equations, 5 figures, 3 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Background
  3. Fuzzing
  4. Microarchitectural Timing Side- and Covert Channels
  5. Transient Execution Attacks
  6. Microarchitectural Timing Behaviors
  7. BETA Design
  8. Phase 1: Instruction Parsing
  9. Phase 2: Fuzzing
  10. Phase 3: Verification
  11. Evaluation
  12. Performance
  13. Finding Known Channels
  14. Finding New Channels
  15. Exploitability of Detected Vulnerabilities
  16. ...and 3 more sections

Figures (5)

  • Figure 1: The sources of time differences
  • Figure 2: The diagram of BETA framework. (Iseed: initial seed; Mseed: mutated seed; N: maximum instruction length; ISA_T: tested instruction types; DM: data mutation; AM: address mutation; IM: instruction mutation; ST: single thread; SMT: simultaneous multi-threading; MTCC: multi-threading on cross cores)
  • Figure 3: The code page for execution. The blue box ① tests the effect of residual state between instructions. The red boxes ② and ③ test the effect of contention between instructions (where ② represents port contention and ③ represents out-of-order execution contention)
  • Figure 4: Comparison of two code execution paths (gray areas indicate potential data or address mutations)
  • Figure 5: The time difference of new channels.