Modern processor advancements have introduced security risks, particularly in the form of microarchitectural timing attacks. High-profile attacks such as Meltdown and Spectre have revealed critical flaws, compromising the entire system's security. Recent black-box automated methods have demonstrated their advantages in identifying these vulnerabilities on various commercial processors. However, they often focus on specific attack types or incorporate numerous ineffective test cases, which severely limits the detection scope and efficiency. In this paper, we present BETA, a novel black-box framework that harnesses fuzzing to efficiently uncover multifaceted timing vulnerabilities in processors. Our framework employs a two-pronged approach, enhancing both mutation space and exploration efficiency: 1) we introduce an innovative fuzzer that precisely constrains mutation direction for diverse instruction combinations, including opcode, data, address, and execution level; 2) we develop a coverage feedback mechanism based on our instruction classification to discard potentially trivial or redundant test cases. This mechanism significantly expands coverage across a broader spectrum of instruction types. We evaluate the performance and effectiveness of BETA on four processors from Intel and AMD, each featuring distinct microarchitectures. BETA has successfully detected all x86 processor vulnerabilities previously identified by recent black-box methods, as well as 8 previously undiscovered timing vulnerabilities. BETA outperforms the existing state-of-the-art black-box methods, achieving at least 3x faster detection speed.
翻译:暂无翻译