White-Box Fuzzer With Static Analysis To Detect And Locate Timing Vulnerabilities In RISC-V Processors 


A technical paper titled “WhisperFuzz: White-Box Fuzzing for Detecting and Locating Timing Vulnerabilities in Processors” was published by researchers at Indian Institute of Technology Madras, Texas A&M University, and
Technische Universität Darmstadt.


“Timing vulnerabilities in processors have emerged as a potent threat. As processors are the foundation of any computing system, identifying these flaws is imperative. Recently fuzzing techniques, traditionally used for detecting software vulnerabilities, have shown promising results for uncovering vulnerabilities in large-scale hardware designs, such as processors. Researchers have adapted black-box or grey-box fuzzing to detect timing vulnerabilities in processors. However, they cannot identify the locations or root causes of these timing vulnerabilities, nor do they provide coverage feedback to enable the designer’s confidence in the processor’s security.
To address the deficiencies of the existing fuzzers, we present WhisperFuzz–the first white-box fuzzer with static analysis–aiming to detect and locate timing vulnerabilities in processors and evaluate the coverage of microarchitectural timing behaviors. WhisperFuzz uses the fundamental nature of processors’ timing behaviors, microarchitectural state transitions, to localize timing vulnerabilities. WhisperFuzz automatically extracts microarchitectural state transitions from a processor design at the register-transfer level (RTL) and instruments the design to monitor the state transitions as coverage. Moreover, WhisperFuzz measures the time a design-under-test (DUT) takes to process tests, identifying any minor, abnormal variations that may hint at a timing vulnerability. WhisperFuzz detects 12 new timing vulnerabilities across advanced open-sourced RISC-V processors: BOOM, Rocket Core, and CVA6. Eight of these violate the zero latency requirements of the Zkt extension and are considered serious security vulnerabilities. Moreover, WhisperFuzz also pinpoints the locations of the new and the existing vulnerabilities.”

Find the technical paper here. Published February 2024 (preprint).

Borkar, Pallavi, Chen Chen, Mohamadreza Rostami, Nikhilesh Singh, Rahul Kande, Ahmad-Reza Sadeghi, Chester Rebeiro, and Jeyavijayan Rajendran. “WhisperFuzz: White-Box Fuzzing for Detecting and Locating Timing Vulnerabilities in Processors.” arXiv preprint arXiv:2402.03704 (2024).

Related Reading
RISC-V Micro-Architectural Verification
Verifying a processor is much more than making sure the instructions work, but the industry is building from a limited knowledge base and few dedicated tools.
What’s Required To Secure Chips
There is no single solution, and the most comprehensive security may be too expensive.

Leave a Reply

(Note: This name will be displayed publicly)