CPU Fuzzing: Automatic Discovery of Microarchitectural Attacks

Daniel Weber, Moritz Lipp

Black Hat MEA 2022

In recent years, a range of new microarchitectural attacks, including side-channel attacks, Spectre, and Meltdown, has been discovered in modern CPUs. Nevertheless, such attacks are still found mainly by researchers who spend countless hours and days developing them by hand.

In this talk, we explore different approaches that we developed to automate this attack discovery. First, we present Osiris, a fuzzing-based framework developed to find side channels in an automated manner. Second, we discuss Transynther, an automated approach capable of finding new Meltdown-type attack variants. Afterward, we present the different attacks that these tools discovered, ranging from new side-channel attacks through KASLR breaks to new Meltdown-type attacks, demonstrating the success of our tools.

Finally, we argue that even though these tools are a step towards a more scalable way of discovering microarchitectural attacks, they are far from perfect. Thus, we conclude that existing tools only scratch the surface and that there are likely many more hidden vulnerabilities in modern CPUs.