Table of Contents
Fetching ...

DejaVuzz: Disclosing Transient Execution Bugs with Dynamic Swappable Memory and Differential Information Flow Tracking assisted Processor Fuzzing

Jinyan Xu, Yangye Zhou, Xingzhi Zhang, Yinshuai Li, Qinhan Tan, Yinqian Zhang, Yajin Zhou, Rui Chang, Wenbo Shen

TL;DR

Transient execution vulnerabilities pose a significant threat to modern processors, and prior fuzzers struggle with microarchitectural controllability and observability. DejaVuzz introduces dynamic swappable memory and differential information flow tracking to efficiently trigger diverse transient windows and observe data propagation, guiding exploration with taint-based coverage and liveness analysis. The three-phase framework achieves up to a 4.7x improvement in coverage over the state of the art and uncovers 5 new transient execution vulnerabilities with CVEs, validating its practical impact in pre-silicon contexts. The work provides open-source tooling and demonstrates effective testing on BOOM and XiangShan, offering a scalable path for proactive hardware security verification.

Abstract

Transient execution vulnerabilities have emerged as a critical threat to modern processors. Hardware fuzzing testing techniques have recently shown promising results in discovering transient execution bugs in large-scale out-of-order processor designs. However, their poor microarchitectural controllability and observability prevent them from effectively and efficiently detecting transient execution vulnerabilities. This paper proposes DejaVuzz, a novel pre-silicon stage processor transient execution bug fuzzer. DejaVuzz utilizes two innovative operating primitives: dynamic swappable memory and differential information flow tracking, enabling more effective and efficient transient execution vulnerability detection. The dynamic swappable memory enables the isolation of different instruction streams within the same address space. Leveraging this capability, DejaVuzz generates targeted training for arbitrary transient windows and eliminates ineffective training, enabling efficient triggering of diverse transient windows. The differential information flow tracking aids in observing the propagation of sensitive data across the microarchitecture. Based on taints, DejaVuzz designs the taint coverage matrix to guide mutation and uses taint liveness annotations to identify exploitable leakages. Our evaluation shows that DejaVuzz outperforms the state-of-the-art fuzzer SpecDoctor, triggering more comprehensive transient windows with lower training overhead and achieving a 4.7x coverage improvement. And DejaVuzz also mitigates control flow over-tainting with acceptable overhead and identifies 5 previously undiscovered transient execution vulnerabilities (with 6 CVEs assigned) on BOOM and XiangShan.

DejaVuzz: Disclosing Transient Execution Bugs with Dynamic Swappable Memory and Differential Information Flow Tracking assisted Processor Fuzzing

TL;DR

Transient execution vulnerabilities pose a significant threat to modern processors, and prior fuzzers struggle with microarchitectural controllability and observability. DejaVuzz introduces dynamic swappable memory and differential information flow tracking to efficiently trigger diverse transient windows and observe data propagation, guiding exploration with taint-based coverage and liveness analysis. The three-phase framework achieves up to a 4.7x improvement in coverage over the state of the art and uncovers 5 new transient execution vulnerabilities with CVEs, validating its practical impact in pre-silicon contexts. The work provides open-source tooling and demonstrates effective testing on BOOM and XiangShan, offering a scalable path for proactive hardware security verification.

Abstract

Transient execution vulnerabilities have emerged as a critical threat to modern processors. Hardware fuzzing testing techniques have recently shown promising results in discovering transient execution bugs in large-scale out-of-order processor designs. However, their poor microarchitectural controllability and observability prevent them from effectively and efficiently detecting transient execution vulnerabilities. This paper proposes DejaVuzz, a novel pre-silicon stage processor transient execution bug fuzzer. DejaVuzz utilizes two innovative operating primitives: dynamic swappable memory and differential information flow tracking, enabling more effective and efficient transient execution vulnerability detection. The dynamic swappable memory enables the isolation of different instruction streams within the same address space. Leveraging this capability, DejaVuzz generates targeted training for arbitrary transient windows and eliminates ineffective training, enabling efficient triggering of diverse transient windows. The differential information flow tracking aids in observing the propagation of sensitive data across the microarchitecture. Based on taints, DejaVuzz designs the taint coverage matrix to guide mutation and uses taint liveness annotations to identify exploitable leakages. Our evaluation shows that DejaVuzz outperforms the state-of-the-art fuzzer SpecDoctor, triggering more comprehensive transient windows with lower training overhead and achieving a 4.7x coverage improvement. And DejaVuzz also mitigates control flow over-tainting with acceptable overhead and identifies 5 previously undiscovered transient execution vulnerabilities (with 6 CVEs assigned) on BOOM and XiangShan.
Paper Structure (28 sections, 2 equations, 7 figures, 5 tables)

This paper contains 28 sections, 2 equations, 7 figures, 5 tables.

Figures (7)

  • Figure 1: Training and transient execution sections of Spectre-V1, Spectre-V2 and Spectre-RSB. The secret decoding step ④ is omitted.
  • Figure 2: Hardware dynamic information flow tracking instrumentation. a) is the example circuit from the BOOM RoB module, b) is the corresponding IFT shadow circuit.
  • Figure 3: Assuming the branch instruction at 0x1010 can trigger transient windows at different addresses by using different branch targets L?, only transient windows that do not conflict with training instructions can be exploited.
  • Figure 4: Using swapMem to trigger transient execution.
  • Figure 5: DejaVuzz fuzzing workflow for finding transient execution vulnerabilities, taking Spectre-RSB for example.
  • ...and 2 more figures