Fuzzilicon: A Post-Silicon Microcode-Guided x86 CPU Fuzzer
Johannes Lenzen, Mohamadreza Rostami, Lichao Wu, Ahmad-Reza Sadeghi
TL;DR
Fuzzilicon tackles the challenge of finding hardware-level vulnerabilities in real, post-silicon x86 CPUs by introducing microcode-level feedback as a new guidance signal. It repurposes Intel's undocumented $\\mu$code patch interface to instrument microarchitectural execution, enabled by a bare-metal, hypervisor-based fuzzing harness and a serialization oracle to perform differential testing without a formal microarchitectural oracle. The framework discovers multiple microcode-level speculative-execution vulnerabilities (including two new ones) on Intel Goldmont, and automatically rediscovers the $\\mu$Spectre class, while achieving substantial coverage ($16.27\%$ of hookable $\\mu$code addresses) and a $\approx\$\31\times$ reduction in instrumentation overhead. These results establish a practical, scalable foundation for automated discovery of complex CPU vulnerabilities in closed-source hardware, with open-source tooling to facilitate broader research and industrial adoption.
Abstract
Modern CPUs are black boxes, proprietary, and increasingly characterized by sophisticated microarchitectural flaws that evade traditional analysis. While some of these critical vulnerabilities have been uncovered through cumbersome manual effort, building an automated and systematic vulnerability detection framework for real-world post-silicon processors remains a challenge. In this paper, we present Fuzzilicon, the first post-silicon fuzzing framework for real-world x86 CPUs that brings deep introspection into the microcode and microarchitectural layers. Fuzzilicon automates the discovery of vulnerabilities that were previously only detectable through extensive manual reverse engineering, and bridges the visibility gap by introducing microcode-level instrumentation. At the core of Fuzzilicon is a novel technique for extracting feedback directly from the processor's microarchitecture, enabled by reverse-engineering Intel's proprietary microcode update interface. We develop a minimally intrusive instrumentation method and integrate it with a hypervisor-based fuzzing harness to enable precise, feedback-guided input generation, without access to Register Transfer Level (RTL). Applied to Intel's Goldmont microarchitecture, Fuzzilicon introduces 5 significant findings, including two previously unknown microcode-level speculative-execution vulnerabilities. Besides, the Fuzzilicon framework automatically rediscover the $μ$Spectre class of vulnerabilities, which were detected manually in the previous work. Fuzzilicon reduces coverage collection overhead by up to 31$\times$ compared to baseline techniques and achieves 16.27% unique microcode coverage of hookable locations, the first empirical baseline of its kind. As a practical, coverage-guided, and scalable approach to post-silicon fuzzing, Fuzzilicon establishes a new foundation to automate the discovery of complex CPU vulnerabilities.
