Microarchitectural attacks represent a challenging and persistent threat to modern processors, exploiting inherent design vulnerabilities to leak sensitive information or compromise systems. Of particular concern is the susceptibility of speculative execution, a fundamental part of performance enhancement, to such attacks. We introduce Specure, a novel pre-silicon verification method that combines hardware fuzzing with Information Flow Tracking (IFT) to address speculative execution leakages. Integrating IFT enables two significant and non-trivial enhancements over existing fuzzing approaches: i) automatic detection of microarchitectural information leakage vulnerabilities without a golden model and ii) a novel Leakage Path coverage metric for efficient vulnerability detection. Specure identifies previously overlooked speculative execution vulnerabilities on the RISC-V BOOM processor and explores the vulnerability search space 6.45x faster than existing fuzzing techniques. Moreover, Specure detected known vulnerabilities 20x faster.