CPU Fuzzing Via Intricate Program Generation (ETH Zurich)


A technical paper titled “Cascade: CPU Fuzzing via Intricate Program Generation” was published by researchers at ETH Zurich.


“Generating interesting test cases for CPU fuzzing is akin to generating programs that exercise unusual states inside the CPU. The performance of CPU fuzzing is heavily influenced by the quality of these programs and by the overhead of bug detection. Our analysis of existing state-of-the-art CPU fuzzers shows that they generate programs that are either overly simple or execute a small fraction of their instructions due to invalid control flows. Combined with expensive instruction-granular bug detection mechanisms, this leads to inefficient fuzzing campaigns. We present Cascade, a new approach for generating valid RISC-V programs of arbitrary length with highly randomized and interdependent control and data flows. Cascade relies on a new technique called asymmetric ISA pre-simulation for entangling control flows with data flows when generating programs. This entanglement results in non-termination when a program triggers a bug in the target CPU, enabling Cascade to detect a CPU bug at program granularity without introducing any runtime overhead. Our evaluation shows that long Cascade programs are more effective in exercising the CPU’s internal design. Cascade achieves 28.2x to 97x more coverage than the state-of-the-art CPU fuzzers and uncovers 37 new bugs (28 new CVEs) in 5 RISC-V CPUs with varying degrees of complexity. The programs that trigger these bugs are long and intricate, impeding triaging. To address this challenge, Cascade features an automated pruning method that reduces a program to a minimal number of instructions that trigger the bug.”

Find the technical paper here. Published October 2023.

Solt, Flavien, Katharina Ceesay-Seitz, and Kaveh Razavi. “Cascade: CPU Fuzzing via Intricate Program Generation.”
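The mechanism the abstract describes, jump targets that are computed from register state and fixed up by pre-simulating the program on a reference model so that any data-path deviation derails control flow and the program simply never reaches its end, can be illustrated on a toy ISA. The following is an added example written for this page; it is not Cascade's code and it does not reproduce the RISC-V generator or the "asymmetric" part of the technique. It assumes a constructed four-register ISA, a single constructed defect in the CPU under test (an off-by-one in `sub`), and `spin` filler instructions standing in for the non-terminating states a derailed program ends up in.

```python
import random

# Toy ISA (constructed for this illustration; not Cascade's RISC-V generator).
# An instruction is a tuple (op, a, b):
#   ("addi", rd, imm)  r[rd] += imm
#   ("xor",  rd, rs)   r[rd] ^= r[rs]
#   ("sub",  rd, rs)   r[rd] -= r[rs]
#   ("jr",   rs, 0)    pc = r[rs]      register-indirect jump: control flow depends on data
#   ("spin", 0, 0)     pc unchanged    filler a correct CPU never reaches
#   ("halt", 0, 0)     stop
NREGS = 4

def reference_alu(regs, op, a, b):
    """Golden semantics of the data instructions (the pre-simulation model)."""
    if op == "addi":
        regs[a] += b
    elif op == "xor":
        regs[a] ^= regs[b]
    elif op == "sub":
        regs[a] -= regs[b]
    else:
        raise ValueError(op)

def buggy_alu(regs, op, a, b):
    """CPU under test with one constructed defect: sub is off by one."""
    if op == "sub":
        regs[a] -= regs[b] + 1
    else:
        reference_alu(regs, op, a, b)

def run(alu, program, budget):
    """Execute `program` on a CPU whose data path is `alu`.
    Returns (halted, regs). halted is False when the step budget runs out,
    i.e. the program did not terminate: the bug signal, with no per-instruction check."""
    regs = [0] * NREGS
    pc = 0
    for _ in range(budget):
        if not 0 <= pc < len(program):
            return False, regs            # jumped outside the program: treated like spin
        op, a, b = program[pc]
        if op == "halt":
            return True, regs
        if op == "spin":
            continue                      # pc stays put
        if op == "jr":
            pc = regs[a]
            continue
        alu(regs, op, a, b)
        pc += 1
    return False, regs

def generate(n_blocks, block_len, seed):
    """Generate a program in which every jump target is computed from register
    state. Each block is pre-simulated on the reference model; the resulting
    register values let the generator pick the immediate that steers a correct
    CPU to the next block. Blocks are shuffled in memory and separated by spin
    filler, so a wrong register value sends execution somewhere that never halts.
    Returns (program, expected final registers)."""
    rng = random.Random(seed)
    order = list(range(1, n_blocks))
    rng.shuffle(order)
    order = [0] + order                   # logical block 0 must sit at address 0
    blk = block_len + (NREGS - 1) + 2     # data ops + xor mix + addi + jr
    gap = 2                               # spin filler between blocks
    addr = {logical: i * (blk + gap) for i, logical in enumerate(order)}
    halt_addr = n_blocks * (blk + gap)
    program = [("spin", 0, 0)] * (halt_addr + 1)
    program[halt_addr] = ("halt", 0, 0)
    regs = [0] * NREGS                    # pre-simulation state
    for logical in range(n_blocks):
        code = []
        for _ in range(block_len):
            op = rng.choice(("addi", "xor", "sub"))
            rd = rng.randrange(NREGS)
            b = rng.randint(-8, 8) if op == "addi" else rng.randrange(NREGS)
            code.append((op, rd, b))
        j = rng.randrange(NREGS)          # jump register: mix every other register into it
        for k in range(NREGS):
            if k != j:
                code.append(("xor", j, k))
        for op, a, b in code:
            reference_alu(regs, op, a, b)
        target = addr[logical + 1] if logical + 1 < n_blocks else halt_addr
        delta = target - regs[j]          # fix-up chosen from the pre-simulated value
        code.append(("addi", j, delta))
        regs[j] += delta
        code.append(("jr", j, 0))
        base = addr[logical]
        program[base:base + len(code)] = code
    return program, list(regs)

# Hand-traced program (constructed): reference lands on halt, off-by-one sub lands on spin.
HAND = [("addi", 1, 5), ("addi", 2, 3), ("sub", 1, 2), ("addi", 1, 4),
        ("jr", 1, 0), ("spin", 0, 0), ("halt", 0, 0)]

if __name__ == "__main__":
    for seed in range(3):
        prog, _ = generate(6, 8, seed)
        print(seed, "reference halted:", run(reference_alu, prog, 1000)[0],
              "buggy halted:", run(buggy_alu, prog, 1000)[0])
```

The detection cost is exactly what the abstract claims for the real technique: the harness only checks whether the program reached `halt` within a step budget, never an intermediate register value. The pruning step the paper describes (shrinking a triggering program to a minimal instruction set) is not modelled here.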
