Hot fuzz: Cascade finds dozens of RISC-V chip bugs using random data storm

Trending 1 month ago
  1. Home
  2. Security
  3. Hot fuzz: Cascade finds dozens of RISC-V chip bugs using random data storm

Video Boffins from ETH Zurich person devised a caller fuzzer for uncovering bugs successful RISC-V chips and person utilized it to find much than 3 dozen.

Fuzzing is simply a method that involves feeding random input to package aliases hardware to spot really it responds. It's commonly utilized for identifying codification errors aliases architectural flaws, and is wide utilized successful nan information community.

But existent CPU fuzzers person limitations that make them little effective. For example, they whitethorn not screen nan full instruction group architecture (ISA) aliases they whitethorn not negociate control flow well, which intends that bugs get missed. So a caller attack is being put to nan test.

Flavien Solt and Katharina Ceesay-Seitz, doctoral students astatine ETH Zurich, and Kaveh Razavi, adjunct professor astatine ETH Zurich, telephone nan task Cascade.

"Flavien started by looking astatine nan trial cases that different fuzzers make and quickly realized that they are either excessively elemental aliases neglect early, which make existing fuzzers mostly ineffective," explained Razavi to The Register. "So he started reasoning astir really to make arbitrarily agelong and analyzable programs? This is what led to nan creation of Cascade."

Unlike different CPU fuzzers, Cascade tin conception agelong random programs that negociate nan power travel during execution. This allows nan fuzzer to much thoroughly probe nan silicon. The method is described successful a paper [PDF] that's scheduled to beryllium presented adjacent twelvemonth astatine USENIX Security '24.

  • Intel banal stumbles connected study Nvidia is building an Arm CPU for PC market
  • Google and Qualcomm to bring RISC-V to nan wrist successful next-gen wearable platform
  • Latest SiFive RISC-V cores purpose to boost performance, accelerate AI workloads
  • US lawmakers want China export bans to see unfastened tech for illustration RISC-V

What separates Cascade from akin devices is that it relies connected a method called asymmetric ISA pre-simulation.

"The basal thought is to usage nan ISA simulator to fig retired really to entangle nan randomized power travel pinch nan randomized information flow," explained Razavi.

"This entanglement gives immoderate bully properties: nan programme ever terminates correctly connected a CPU that executes each of it correctly, contempt nan randomized power and information flows. So if it doesn't, it intends it triggered a CPU bug. The entanglement besides allows Cascade to build arbitrarily ample yet highly analyzable trial programs which tin fuzz nan CPU very efficiently."

Razavi explained that Cascade initially generates an intermediate programme successful which nan power travel is independent of nan information stream, but includes placeholders to adhd this dependency later.

"Cascade past uses nan ISA simulator to fig retired really to update these placeholders and makes nan power travel limited connected nan information flow, generating nan eventual trial program," he said. You tin spot it successful action below.

Youtube Video

When applied to six existent RISC-V CPUs – VexRiscv, PicoRV32, Kronos, CVA6, Rocket, and BOOM – Cascade recovered 37 caller bugs (translating to 29 CVEs) successful 5 of these six designs. These flaws, which nan authors opportunity person been responsibly disclosed, person consequences specified arsenic allowing accusation leakage, denial of service, control-flow hijacking, missing checks, and spurious exceptions that break isolation boundaries from higher privilege levels.

The ETH Zurich machine scientists declare that compared to different fuzzers for illustration TheHuzz and DifuzzRTL, Cascade achieved akin sum but 28 to 97 times faster. They besides study uncovering a captious bug successful nan Yosys model for Verilog RTL synthesis that results successful a incorrect netlist.

Razavi said that nan RISC-V ISA useful good pinch Cascade because it's not excessively complicated. "RISC-V is simply a elemental ISA by construction," he explained. "That's wherever nan R successful nan RISC comes from (R=Reduced). This simplicity made it tractable to build a fuzzer that exercises a ample fraction of nan functionalities provided by nan ISA and implemented by nan CPUs."

"Doing thing for illustration Cascade for an ISA specified arsenic x86 which is simply a CISC (C=Complex), while conceptually similar, will beryllium a much monolithic engineering undertaking. I deliberation personification should do it though!" ®

Related Article

60 US credit unions offline after ransomware infects backend cloud outfit

60 US credit unions offline after ransomware infects backend cloud outfit

1 day ago
Apple slaps patch on WebKit holes in iPhones and Macs amid fears of active attacks

Apple slaps patch on WebKit holes in iPhones and Macs amid fears of active attacks

1 day ago
UEFI flaws allow bootkits to pwn potentially hundreds of devices using images

UEFI flaws allow bootkits to pwn potentially hundreds of devices using images

1 day ago
US readies prison cell for another Russian Trickbot developer

US readies prison cell for another Russian Trickbot developer

1 day ago
Regulator says stranger entered hospital, treated a patient, took a document ... then vanished

Regulator says stranger entered hospital, treated a patient, took a document ... then vanished

1 day ago
Interpol makes first border arrest using Biometric Hub to ID suspect

Interpol makes first border arrest using Biometric Hub to ID suspect

1 day ago

Trending

1. Texas
2. FC Cincinnati
3. Duke Basketball
4. Kentucky basketball
5. Boise State football
6. Jalen Milroe
7. Tulane football
8. Suns
9. UFC
10. Florida State

Popular Article

These developers are doing something amazing with iPhone and iPad apps

These developers are doing something amazing with iPhone and iPad apps

12 hours ago
The best movies on Apple TV+ right now (December 2023)

The best movies on Apple TV+ right now (December 2023)

13 hours ago
7 best funny Christmas movies you should watch this holiday season

7 best funny Christmas movies you should watch this holiday season

13 hours ago
Google Chrome's new cache change could boost performance

Google Chrome's new cache change could boost performance

12 hours ago
iOS 17: How to share contacts using Apple’s amazing NameDrop feature

iOS 17: How to share contacts using Apple’s amazing NameDrop feature

15 hours ago
The Game Awards 2023: how to watch and what to expect

The Game Awards 2023: how to watch and what to expect

14 hours ago
English (US) English (US) · Indonesian (ID) Indonesian (ID) ·
About Us · Contact Us · Terms & Conditions · Disclaimer ·

©2023 PAK MEDIA BLOG.
All Rights Reserved.