WhisperFuzz: White-Box Fuzzing for Detecting and Locating Timing Vulnerabilities in Processors

TL;DR

WhisperFuzz is a novel white-box fuzzing approach that uses static analysis and microarchitectural state monitoring to detect and locate timing vulnerabilities in processors, improving security assessment of hardware designs.

Contribution

It introduces the first white-box fuzzing framework for processors that combines static analysis with coverage feedback to identify and localize timing vulnerabilities.

Findings

Detected 12 new timing vulnerabilities in RISC-V processors.

Identified 8 vulnerabilities violating zero latency requirements.

Pinpointed locations of both new and known vulnerabilities.

Abstract

Timing vulnerabilities in processors have emerged as a potent threat. As processors are the foundation of any computing system, identifying these flaws is imperative. Recently fuzzing techniques, traditionally used for detecting software vulnerabilities, have shown promising results for uncovering vulnerabilities in large-scale hardware designs, such as processors. Researchers have adapted black-box or grey-box fuzzing to detect timing vulnerabilities in processors. However, they cannot identify the locations or root causes of these timing vulnerabilities, nor do they provide coverage feedback to enable the designer's confidence in the processor's security. To address the deficiencies of the existing fuzzers, we present WhisperFuzz--the first white-box fuzzer with static analysis--aiming to detect and locate timing vulnerabilities in processors and evaluate the coverage of microarchitectural timing behaviors. WhisperFuzz uses the fundamental nature of processors' timing behaviors, microarchitectural state transitions, to localize timing vulnerabilities. WhisperFuzz automatically extracts microarchitectural state transitions from a processor design at the register-transfer level (RTL) and instruments the design to monitor the state transitions as coverage. Moreover, WhisperFuzz measures the time a design-under-test (DUT) takes to process tests, identifying any minor, abnormal variations that may hint at a timing vulnerability. WhisperFuzz detects 12 new timing vulnerabilities across advanced open-sourced RISC-V processors: BOOM, Rocket Core, and CVA6. Eight of these violate the zero latency requirements of the Zkt extension and are considered serious security vulnerabilities. Moreover, WhisperFuzz also pinpoints the locations of the new and the existing vulnerabilities.