BETA: Automated Black-box Exploration for Timing Attacks in Processors
Congcong Chen, Jinhua Cui, Jiliang Zhang

TL;DR
BETA is a novel black-box fuzzing framework that efficiently uncovers diverse timing vulnerabilities in modern processors, surpassing existing methods in speed and scope, and discovering new vulnerabilities.
Contribution
Introduces BETA, a black-box fuzzing approach with enhanced mutation and coverage techniques for comprehensive timing attack detection in processors.
Findings
Successfully detected all known vulnerabilities in tested processors.
Discovered 8 new timing vulnerabilities.
Achieved at least 3x faster detection than previous methods.
Abstract
Modern processor advancements have introduced security risks, particularly in the form of microarchitectural timing attacks. High-profile attacks such as Meltdown and Spectre have revealed critical flaws, compromising the entire system's security. Recent black-box automated methods have demonstrated their advantages in identifying these vulnerabilities on various commercial processors. However, they often focus on specific attack types or incorporate numerous ineffective test cases, which severely limits the detection scope and efficiency. In this paper, we present BETA, a novel black-box framework that harnesses fuzzing to efficiently uncover multifaceted timing vulnerabilities in processors. Our framework employs a two-pronged approach, enhancing both mutation space and exploration efficiency: 1) we introduce an innovative fuzzer that precisely constrains mutation direction for…
Taxonomy
Topics: Security and Verification in Computing · Embedded Systems Design Techniques · Real-Time Systems Scheduling
