Lost and Found in Speculation: Hybrid Speculative Vulnerability Detection
Mohamadreza Rostami, Shaza Zeitouni, Rahul Kande, Chen Chen, Pouya Mahmoody, Jeyavijayan (JV) Rajendran, Ahmad-Reza Sadeghi

TL;DR
This paper presents Specure, a hybrid verification method combining hardware fuzzing and Information Flow Tracking to efficiently detect speculative execution vulnerabilities in processors, notably improving detection speed and coverage.
Contribution
Specure introduces a novel pre-silicon verification approach that enhances fuzzing with IFT, enabling automatic vulnerability detection and a new leakage path coverage metric.
Findings
Identified previously overlooked speculative vulnerabilities on RISC-V BOOM
Achieved 6.45x faster vulnerability search compared to existing methods
Detected known vulnerabilities 20x faster
Abstract
Microarchitectural attacks represent a challenging and persistent threat to modern processors, exploiting inherent design vulnerabilities in processors to leak sensitive information or compromise systems. Of particular concern is the susceptibility of Speculative Execution, a fundamental part of performance enhancement, to such attacks. We introduce Specure, a novel pre-silicon verification method combining hardware fuzzing with Information Flow Tracking (IFT) to address speculative execution leakages. Integrating IFT enables two significant and non-trivial enhancements over existing fuzzing approaches: i) automatic detection of microarchitectural information leakage vulnerabilities without a golden model and ii) a novel Leakage Path coverage metric for efficient vulnerability detection. Specure identifies previously overlooked speculative execution vulnerabilities on the RISC-V BOOM…
