Unit:
Department of Informatics and TelecommunicationsΠληροφορική
Author:
MOULKIOTIS GRIGORIOS
Supervisors info:
Βασίλειος Καρακώστας, Επίκουρος Καθηγητής, Τμήμα Πληροφορικής και Τηλεπικοινωνιών, ΕΚΠΑ
Original Title:
Enhanced Techniques for Testing x86 and RISC-V CPUs Against Speculation Contracts
Translated title:
Enhanced Techniques for Testing x86 and RISC-V CPUs Against Speculation Contracts
Summary:
Transient execution attacks exploit the speculative execution of modern CPUs to leak information regarding the execution of victim programs through the use of microarchitectural side-channels, e.g., caches. Due to the severe security threats that such microarchitectural attacks impose, prior work has focused on developing various testing techniques and frameworks that aim at automatically identifying security vulnerabilities on modern processors. Revizor is a recently proposed model-based relational testing framework that produces random instruction sequences, i.e., test cases, and inputs to detect existing and novel security vulnerabilities leveraging the concept of speculation contracts. In this thesis we enhance Revizor with additional functionality targeting both x86 and RISC-V processors. On the x86 front, we extend Revizor to use timing measurements, instead of hardware performance counters, for collecting hardware traces. This extension allows processor testing in more realistic system setups in which the use of hardware performance counters may be restricted to the attacker. We also enhance Revizor to use the Flush+Flush data cache side-channel attack, which has been shown to be a fast and stealthy attack. Furthermore, we extend Revizor to use the instruction cache as a side-channel for collecting hardware traces by implementing instruction cache attacks. In this way, we increase the testing coverage of the processor's microarchitectural components beyond the data cache. On the RISC-V front, we port the executor component of Revizor to be able to test real implementations of RISC-V processors, as the current version supports only simulation-based testing. Finally, we reuse some of the Revizor's components to automatically identify the CycleDrift RISC-V architectural vulnerability. Our experimental evaluation shows the capabilities and performance of our enhanced testing techniques.
Main subject category:
Technology - Computer science
Keywords:
Hardware security, microarchitectural side-channel attacks, transient execution attacks, cache attacks, fuzzing, x86, RISC-V
