Hot fuzz: Cascade finds dozens of RISC-V chip bugs using random data storm

Trending 1 month ago

Video Boffins from ETH Zurich person devised a caller fuzzer for uncovering bugs successful RISC-V chips and person utilized it to find much than 3 dozen.

Fuzzing is simply a method that involves feeding random input to package aliases hardware to spot really it responds. It's commonly utilized for identifying codification errors aliases architectural flaws, and is wide utilized successful nan information community.

But existent CPU fuzzers person limitations that make them little effective. For example, they whitethorn not screen nan full instruction group architecture (ISA) aliases they whitethorn not negociate control flow well, which intends that bugs get missed. So a caller attack is being put to nan test.

Flavien Solt and Katharina Ceesay-Seitz, doctoral students astatine ETH Zurich, and Kaveh Razavi, adjunct professor astatine ETH Zurich, telephone nan task Cascade.

"Flavien started by looking astatine nan trial cases that different fuzzers make and quickly realized that they are either excessively elemental aliases neglect early, which make existing fuzzers mostly ineffective," explained Razavi to The Register. "So he started reasoning astir really to make arbitrarily agelong and analyzable programs? This is what led to nan creation of Cascade."

Unlike different CPU fuzzers, Cascade tin conception agelong random programs that negociate nan power travel during execution. This allows nan fuzzer to much thoroughly probe nan silicon. The method is described successful a paper [PDF] that's scheduled to beryllium presented adjacent twelvemonth astatine USENIX Security '24.

  • Intel banal stumbles connected study Nvidia is building an Arm CPU for PC market
  • Google and Qualcomm to bring RISC-V to nan wrist successful next-gen wearable platform
  • Latest SiFive RISC-V cores purpose to boost performance, accelerate AI workloads
  • US lawmakers want China export bans to see unfastened tech for illustration RISC-V

What separates Cascade from akin devices is that it relies connected a method called asymmetric ISA pre-simulation.

"The basal thought is to usage nan ISA simulator to fig retired really to entangle nan randomized power travel pinch nan randomized information flow," explained Razavi.

"This entanglement gives immoderate bully properties: nan programme ever terminates correctly connected a CPU that executes each of it correctly, contempt nan randomized power and information flows. So if it doesn't, it intends it triggered a CPU bug. The entanglement besides allows Cascade to build arbitrarily ample yet highly analyzable trial programs which tin fuzz nan CPU very efficiently."

Razavi explained that Cascade initially generates an intermediate programme successful which nan power travel is independent of nan information stream, but includes placeholders to adhd this dependency later.

"Cascade past uses nan ISA simulator to fig retired really to update these placeholders and makes nan power travel limited connected nan information flow, generating nan eventual trial program," he said. You tin spot it successful action below.

Youtube Video

When applied to six existent RISC-V CPUs – VexRiscv, PicoRV32, Kronos, CVA6, Rocket, and BOOM – Cascade recovered 37 caller bugs (translating to 29 CVEs) successful 5 of these six designs. These flaws, which nan authors opportunity person been responsibly disclosed, person consequences specified arsenic allowing accusation leakage, denial of service, control-flow hijacking, missing checks, and spurious exceptions that break isolation boundaries from higher privilege levels.

The ETH Zurich machine scientists declare that compared to different fuzzers for illustration TheHuzz and DifuzzRTL, Cascade achieved akin sum but 28 to 97 times faster. They besides study uncovering a captious bug successful nan Yosys model for Verilog RTL synthesis that results successful a incorrect netlist.

Razavi said that nan RISC-V ISA useful good pinch Cascade because it's not excessively complicated. "RISC-V is simply a elemental ISA by construction," he explained. "That's wherever nan R successful nan RISC comes from (R=Reduced). This simplicity made it tractable to build a fuzzer that exercises a ample fraction of nan functionalities provided by nan ISA and implemented by nan CPUs."

"Doing thing for illustration Cascade for an ISA specified arsenic x86 which is simply a CISC (C=Complex), while conceptually similar, will beryllium a much monolithic engineering undertaking. I deliberation personification should do it though!" ®