{\mu}RL: Discovering Transient Execution Vulnerabilities Using Reinforcement Learning

TL;DR

This paper introduces a reinforcement learning-based method to efficiently discover microarchitectural vulnerabilities like Spectre and Meltdown, outperforming traditional fuzzing techniques by learning from real-time feedback across various processor architectures.

Contribution

The paper presents a novel RL framework for discovering hardware vulnerabilities, demonstrating its effectiveness on Intel processors and uncovering new transient execution leakages.

Findings

RL approach successfully identified new transient execution vulnerabilities.

Method outperforms random fuzzing in efficiency and coverage.

Detected vulnerabilities include previously unknown instruction sequences.

Abstract

We propose using reinforcement learning to address the challenges of discovering microarchitectural vulnerabilities, such as Spectre and Meltdown, which exploit subtle interactions in modern processors. Traditional methods like random fuzzing fail to efficiently explore the vast instruction space and often miss vulnerabilities that manifest under specific conditions. To overcome this, we introduce an intelligent, feedback-driven approach using RL. Our RL agents interact with the processor, learning from real-time feedback to prioritize instruction sequences more likely to reveal vulnerabilities, significantly improving the efficiency of the discovery process. We also demonstrate that RL systems adapt effectively to various microarchitectures, providing a scalable solution across processor generations. By automating the exploration process, we reduce the need for human intervention, enabling continuous learning that uncovers hidden vulnerabilities. Additionally, our approach detects subtle signals, such as timing anomalies or unusual cache behavior, that may indicate microarchitectural weaknesses. This proposal advances hardware security testing by introducing a more efficient, adaptive, and systematic framework for protecting modern processors. When unleashed on Intel Skylake-X and Raptor Lake microarchitectures, our RL agent was indeed able to generate instruction sequences that cause significant observable byte leakages through transient execution without generating any $\mu$code assists, faults or interrupts. The newly identified leaky sequences stem from a variety of Intel instructions, e.g. including SERIALIZE, VERR/VERW, CLMUL, MMX-x87 transitions, LSL+RDSCP and LAR. These initial results give credence to the proposed approach.