Flavien Solt Profile
Flavien Solt

@FlavienSolt

Followers
110
Following
7
Media
2
Statuses
23

UC Berkeley Postdoc in hardware security | X16

Joined June 2022
@K_CeesaySeitz
Kathi Ceesay-Seitz
1 year
We define 𝜇CFI, a new CPU security property that detects microarchitectural constant time violations and CPU vulnerabilities that allow control-flow-hijacking attacks (4 RISC-V CVEs) or proves their absence: https://t.co/Sn0dUCUvem (Paper at CCS'24) @FlavienSolt @kavehrazavi
0
9
38
@FlavienSolt
Flavien Solt
1 year
Confused deputy attacks on EDA software generate vulnerable hardware from secure RTL. TransFuzz discovers 20 such translation bugs in open-source EDA (25 CVEs). Will be presented at USENIX Security '25. https://t.co/oNhyfxRcDz @kavehrazavi @K_CeesaySeitz
0
5
18
@FlavienSolt
Flavien Solt
2 years
The paper is accepted for publication at USENIX Security ’24 and the source code is readily available on github. Try it out!
github.com
Artifacts for Cascade: CPU Fuzzing via Intricate Program Generation (USENIX Security 2024) - comsec-group/cascade-artifacts
1
1
8
@FlavienSolt
Flavien Solt
2 years
Because Cascade found an order of magnitude more new bugs than previous fuzzers, Cascade includes an automatic pruning engine that reduces bug-triggering programs into tiny sequences of instructions, making bug interpretation human-tractable. https://t.co/2NCFJck12Y
1
1
7
@FlavienSolt
Flavien Solt
2 years
Cascade fuzzes the CPUs 25x to 100x faster than the state-of-the-art coverage-guided CPU fuzzers, measured on their own coverage metric! It finds a wide range of new bugs in 5 RISC-V CPUs. https://t.co/2VksyVCIrG
1
0
7
@FlavienSolt
Flavien Solt
2 years
Instead, we came up with a new idea: asynchronous ISA pre-simulation (AIPS). Cascade executes the golden ISA model not to compare with the CPU’s execution, but to build very intricate valid test cases. These intricate test cases fail only, with high chance, if a bug is triggered.
1
1
7
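Added illustration (not Cascade's code, nor the paper's generator) of the two ideas in the tweets above: AIPS-style construction, where the golden ISA model is run on each prefix so that every emitted branch has a known outcome and a diverging CPU falls into a trap, and a greedy pruning pass that nops out instructions while the program still witnesses the bug. Everything here is made up for the example: a five-operation mini ISA, a hypothetical CPU whose SUB loses the borrow, and the names `generate`, `prune`, `essential` and `reduce_first_witness`.

```python
"""Toy model of Cascade-style test construction and pruning on a made-up
mini ISA. Written for this page as an illustration; not Cascade's code."""
import random

MASK = 0xFFFFFFFF
NREGS = 8                      # r0 is hardwired to zero, as in RISC-V
OPS = ("add", "sub", "xor", "sll", "srl")

def ref_alu(op, a, b):
    """Golden ISA semantics of the mini ISA's ALU."""
    return {"add": (a + b) & MASK, "sub": (a - b) & MASK, "xor": a ^ b,
            "sll": (a << (b & 31)) & MASK, "srl": a >> (b & 31)}[op]

def buggy_alu(op, a, b):
    """Hypothetical CPU under test (constructed): SUB loses the borrow."""
    if op == "sub" and a < b:
        return (a - b - 1) & MASK
    return ref_alu(op, a, b)

def execute(program, alu=ref_alu):
    """Interpreter for the mini ISA. Returns (outcome, regs); outcome is
    'halt', 'trap' or 'end' (pc ran off the program). Branches only go
    forward, so every run terminates."""
    regs, pc = [0] * NREGS, 0
    while pc < len(program):
        ins = program[pc]
        if ins[0] == "li" and ins[1]:                    # li rd, imm
            regs[ins[1]] = ins[2] & MASK
        elif ins[0] == "alu" and ins[2]:                 # alu op, rd, rs1, rs2
            regs[ins[2]] = alu(ins[1], regs[ins[3]], regs[ins[4]])
        elif ins[0] in ("beq", "bne"):                   # beq/bne rs1, rs2, target
            if (regs[ins[1]] == regs[ins[2]]) == (ins[0] == "beq"):
                pc = ins[3]
                continue
        elif ins[0] in ("trap", "halt"):
            return ins[0], regs
        pc += 1                                           # li r0 / alu r0 / nop
    return "end", regs

def generate(rng, n_blocks=6, block_len=5):
    """AIPS-style construction: after each block of random ALU instructions,
    pre-simulate the prefix on the golden model and emit a branch whose
    outcome is known. A correct CPU always takes it and skips the trap; a
    CPU whose register state diverged falls into the trap."""
    program = [("li", r, rng.getrandbits(32)) for r in range(1, NREGS)]
    for _ in range(n_blocks):
        for _ in range(block_len):
            program.append(("alu", rng.choice(OPS), rng.randrange(1, NREGS),
                            rng.randrange(NREGS), rng.randrange(NREGS)))
        _, regs = execute(program)                       # golden pre-simulation
        rs1, rs2 = rng.randrange(NREGS), rng.randrange(NREGS)
        kind = "beq" if regs[rs1] == regs[rs2] else "bne"
        program += [(kind, rs1, rs2, len(program) + 2), ("trap",)]
    return program + [("halt",)]

def detection_rate(n_programs, seed=0):
    """Share of generated programs that trap on the buggy CPU. Every program
    halts on the golden model by construction; a bug is missed only when no
    later branch depends on a register the bug corrupted."""
    hits = 0
    for i in range(n_programs):
        program = generate(random.Random(seed + i))
        assert execute(program)[0] == "halt"
        hits += execute(program, buggy_alu)[0] == "trap"
    return hits / n_programs

def prune(program, alu=buggy_alu):
    """Greedy reduction in the spirit of a pruning engine: nop out each li/alu
    instruction while the program still halts on the golden model and still
    traps on the CPU under test (targets are absolute, so length is kept)."""
    program = list(program)
    for i, ins in enumerate(program):
        if ins[0] in ("li", "alu"):
            trial = program[:i] + [("nop",)] + program[i + 1:]
            if execute(trial)[0] == "halt" and execute(trial, alu)[0] == "trap":
                program = trial
    return program

def essential(program):
    """Instructions that survived pruning: the part a human has to read."""
    return [ins for ins in program if ins[0] in ("li", "alu")]

def reduce_first_witness(seed=0, limit=100):
    """Prune the first generated program that exposes the bug; returns
    (core length before, core length after) or None if none was found."""
    for i in range(limit):
        program = generate(random.Random(seed + i))
        if execute(program, buggy_alu)[0] == "trap":
            return len(essential(program)), len(essential(prune(program)))
    return None

# Constructed hand-written witness: r3 = r1 - r2 with r1 < r2, then a branch
# that expects the golden result and otherwise lands in the trap.
WITNESS = [("li", 1, 5), ("li", 2, 7), ("alu", "sub", 3, 1, 2),
           ("li", 4, 0xFFFFFFFE), ("beq", 3, 4, 6), ("trap",), ("halt",)]

if __name__ == "__main__":
    print("detection rate on the buggy CPU:", detection_rate(200))
    print("witness core size before/after pruning:", reduce_first_witness())
```

Note the two checks `prune` insists on: the reduced program must still halt on the golden model, otherwise it is no longer a valid test case, and it must still trap on the CPU under test, otherwise it no longer witnesses the bug. Dropping the first check silently turns a bug witness into a program that traps for both models.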
@FlavienSolt
Flavien Solt
2 years
In addition, we want to reliably and cost-effectively detect when bugs are triggered. Previous work generally executes test cases on the CPU under test and on a golden ISA model independently.
1
0
5
@FlavienSolt
Flavien Solt
2 years
Effective inputs are RISC-V programs that must be: - Randomized - Long (for performance and for pressuring the microarchitecture). - Complex (data and control flows must be non-trivial and should be entangled for finding bugs).
1
0
7
@FlavienSolt
Flavien Solt
2 years
So far, CPU fuzzers hoped that a coverage metric would build interesting CPU programs for them. We show that this is generally not the case. So we propose to explicitly build inputs that are likely to be effective.
1
0
7
@FlavienSolt
Flavien Solt
2 years
Oh! 37 new bugs (28 new CVEs) discovered in 5 RISC-V CPUs (e.g., BOOM and CVA6)! #Cascade fuzzes #RISC-V CPUs based on novel basic principles. Try it on your own CPU, it’s open! https://t.co/5JwUKghZ5L (with @K_CeesaySeitz @kavehrazavi)
5
33
116
@wiknerj
johannes
3 years
Today @kavehrazavi and I are finally allowed to talk about #Retbleed. In 2018, #SpectreV2 was fixed by replacing indirect jumps with returns. But, returns can be poisoned like indirect jumps, throwing us back to 2018 again. Paper, demo, addendum, code @ https://t.co/XWzNp2kw2P
3
144
257
@FlavienSolt
Flavien Solt
3 years
The paper is accepted for publication at USENIX Security and the source code is available on github and is easily extensible to instrumenting new designs and performing new experiments.
github.com
All the tools you need to reproduce the CellIFT paper experiments - comsec-group/cellift-meta
0
0
2
@FlavienSolt
Flavien Solt
3 years
Using CellIFT, we show microarchitectural information leakage, Spectre and Meltdown, as well as architectural bugs in an SoC. This is just the beginning! There are many more exciting applications that can be built on top of CellIFT!
1
0
3
@FlavienSolt
Flavien Solt
3 years
Instrumenting at the cell level results in far simpler instrumented designs: 21x to 61x faster simulation, better FPGA ports, and CellIFT scales for the first time to the arguably most complex open source RISC-V designs.
1
2
5
@FlavienSolt
Flavien Solt
3 years
To tackle this scalability issue, it would be great to have a constant number of cell copies, instead of exponential. We discovered three fundamental mathematical properties that precisely allow us to use only 1 or 2 copies instead of 2^n.
1
0
2
@FlavienSolt
Flavien Solt
3 years
CellIFT operates at a higher level of abstraction: the (macro-)cell level, e.g., adders and shifts. We first design a perfectly precise, generic taint-supporting logic for any cell, called m-replica. But m-replica requires an exponential number of copies of each cell.
1
0
2
@FlavienSolt
Flavien Solt
3 years
The only complete hardware taint tracking mechanism so far (GLIFT) operates at the gate level. It takes a design, breaks it into logic gates (OR, AND, NOT) and adds logic for each of them. Operating at gate level is super expensive and has precision issues (overtainting).
1
0
2
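Added illustration, written for this page and not CellIFT's own logic, of the two points made in the tweets above: gate-level taint propagation in the GLIFT style (per-gate shadow logic for AND, OR, NOT, with XOR and a ripple-carry adder composed from them) overtaints where signals reconverge, and an exactly precise answer for a whole cell costs one evaluation per assignment of the tainted input bits, i.e. 2^k of them. The exact reference here is a brute-force enumeration; the constant-copy cell logic the thread describes is not reproduced. All function names and the sample inputs are the example's own.

```python
"""Gate-level taint propagation versus an exact reference on a ripple-carry
adder. Illustration for this page, not CellIFT's or GLIFT's code."""
from itertools import product

def NOT(x):
    """A tainted bit is (value, taint). NOT passes the taint through."""
    return (1 - x[0], x[1])

def AND(x, y):
    """Shadow logic for AND: a tainted input only reaches the output when the
    other input is not already forcing the result to 0."""
    v = x[0] & y[0]
    t = (x[1] & y[0]) | (y[1] & x[0]) | (x[1] & y[1])
    return (v, t)

def OR(x, y):
    """Same idea for OR: an untainted 1 on either input fixes the output."""
    v = x[0] | y[0]
    t = (x[1] & (1 - y[0])) | (y[1] & (1 - x[0])) | (x[1] & y[1])
    return (v, t)

def XOR(x, y):
    """XOR decomposed into the gates above, as a gate-level flow would see it."""
    return OR(AND(x, NOT(y)), AND(NOT(x), y))

def full_adder(a, b, c):
    p = XOR(a, b)
    return XOR(p, c), OR(AND(a, b), AND(c, p))

def to_bits(value, taint_mask, n):
    """Split an n-bit integer into LSB-first (value, taint) pairs."""
    return [((value >> i) & 1, (taint_mask >> i) & 1) for i in range(n)]

def taint_mask(bits):
    return sum(t << i for i, (_, t) in enumerate(bits))

def adder_gate_level(a, b, ta, tb, n):
    """n-bit ripple-carry adder built from the gates above. Returns the taint
    mask of the n+1 result bits (bit n is the carry-out)."""
    carry, out = (0, 0), []
    for x, y in zip(to_bits(a, ta, n), to_bits(b, tb, n)):
        s, carry = full_adder(x, y, carry)
        out.append(s)
    out.append(carry)
    return taint_mask(out)

def adder_exact(a, b, ta, tb, n):
    """Exact reference: a result bit is tainted iff some assignment of the
    tainted input bits changes it. Enumerates all 2^k assignments of the k
    tainted bits; returns (taint mask, number of adder evaluations)."""
    full = (1 << n) - 1
    positions = ([(0, i) for i in range(n) if (ta >> i) & 1] +
                 [(1, i) for i in range(n) if (tb >> i) & 1])
    base = (a + b) & ((1 << (n + 1)) - 1)
    diff, evals = 0, 0
    for assignment in product((0, 1), repeat=len(positions)):
        ops = [a & full, b & full]
        for (which, i), bit in zip(positions, assignment):
            ops[which] = (ops[which] & ~(1 << i)) | (bit << i)
        diff |= (ops[0] + ops[1]) ^ base
        evals += 1
    return diff, evals

if __name__ == "__main__":
    # Constructed inputs: 4-bit adder, taint only on operand a.
    for a, b, ta in ((3, 3, 0b0010), (0, 0, 0b1111)):
        exact, evals = adder_exact(a, b, ta, 0, 4)
        print(f"a={a:04b} b={b:04b} taint(a)={ta:04b}: "
              f"gate-level {adder_gate_level(a, b, ta, 0, 4):05b}, "
              f"exact {exact:05b} ({evals} evaluations)")
```

In the first case (a = b = 0011, only bit 1 of a tainted) the carry out of bit 1 is a1 OR NOT a1, a constant 1, so exactly it carries no taint; the gate-level flow sees a tainted signal on both OR inputs and marks the carry and the next sum bit tainted. The second case (all four bits of a tainted, b = 0) is precise at gate level but already costs the exact reference 16 evaluations; that count doubles with every additional tainted input bit.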
@FlavienSolt
Flavien Solt
3 years
You said hardware dynamic taint tracking doesn’t scale? #CellIFT is the first to scale to complex CPUs/SoCs (e.g., CVA6, BOOM, PULPissimo). CellIFT detects info leakage and (micro)arch bugs like #meltdown #spectre (with @bjg @kavehrazavi). CellIFT is open!
1
10
34