Timing vulnerabilities in processors have emerged as a potent threat. Since processors are the foundation of every computing system, identifying these flaws is imperative. Recently, fuzzing techniques, traditionally used for detecting software vulnerabilities, have shown promising results for uncovering vulnerabilities in large-scale hardware designs such as processors. Researchers have adapted black-box and grey-box fuzzing to detect timing vulnerabilities in processors. However, these fuzzers can neither identify the locations or root causes of the timing vulnerabilities they find, nor provide coverage feedback that would give designers confidence in the processor's security. To address these deficiencies, we present WhisperFuzz, the first white-box fuzzer with static analysis, which aims to detect and locate timing vulnerabilities in processors and to measure coverage of microarchitectural timing behaviors. WhisperFuzz exploits the fundamental nature of a processor's timing behavior, its microarchitectural state transitions, to localize timing vulnerabilities. It automatically extracts microarchitectural state transitions from a processor design at the register-transfer level (RTL) and instruments the design to monitor those transitions as coverage. Moreover, WhisperFuzz measures the time the design-under-test (DUT) takes to process each test, flagging small, abnormal variations that may hint at a timing vulnerability. WhisperFuzz detects 12 new timing vulnerabilities across advanced open-source RISC-V processors: BOOM, Rocket Core, and CVA6. Eight of these violate the Zkt extension's requirement that its listed instructions (the base integer and multiply instructions that constant-time cryptographic code relies on, among others) execute with data-independent latency, and are considered serious security vulnerabilities. WhisperFuzz also pinpoints the locations of both the new and the previously known vulnerabilities.
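The two signals described above, transition coverage and operand-dependent latency, modelled on a toy design. This is an added illustration, not WhisperFuzz's own code or any real RTL: the multi-cycle multiplier FSM with a zero-operand bypass is constructed for the example, and every function name and the operand sets are assumptions. The point it shows is why a state-transition trace localizes the flaw while a cycle count alone only detects it.

```python
"""Toy model of white-box timing fuzzing (added example, not WhisperFuzz code).

Two signals are collected per test, mirroring the abstract:
  1. microarchitectural state-transition coverage from a cycle-by-cycle trace;
  2. DUT latency per test, compared across operand values to find
     data-dependent timing (what Zkt forbids for its listed instructions).
"""
from collections import defaultdict

# Constructed toy DUT: a multi-cycle multiplier whose control FSM takes an
# early-exit path when rs2 == 0. Real RTL would be simulated; here the FSM is
# emulated in Python so the example runs stand-alone. (Assumption: this is
# NOT how any real core behaves; it is a stand-in for a leaky design.)
def toy_mul_unit(rs1: int, rs2: int):
    """Return (result, FSM state trace, cycles) for one 'mul' test."""
    trace = ["IDLE", "DECODE"]
    if rs2 == 0:
        trace += ["ZERO_BYPASS", "WRITEBACK", "IDLE"]   # leak: shorter path
    else:
        trace += ["ITER"] * 4 + ["WRITEBACK", "IDLE"]  # normal 4-step path
    return (rs1 * rs2) & 0xFFFFFFFF, trace, len(trace)


def transitions(trace):
    """Set of (state, next_state) pairs exercised by one trace."""
    return {(a, b) for a, b in zip(trace, trace[1:])}


class TransitionCoverage:
    """Coverage map keyed on state transitions rather than code lines."""
    def __init__(self):
        self.seen = set()

    def record(self, trace):
        """Record a trace; return the transitions that were new (fuzzer
        feedback: a non-empty result means the test is worth keeping)."""
        new = transitions(trace) - self.seen
        self.seen |= new
        return new


def run_timing_campaign(unit, operand_pairs):
    """Measure DUT latency for each operand pair; returns {(rs1, rs2): cycles}."""
    return {(a, b): unit(a, b)[2] for a, b in operand_pairs}


def find_timing_leak(latencies):
    """Group operand pairs by observed latency.

    Returns None when every test took the same number of cycles (the
    data-independent behaviour Zkt requires), otherwise {cycles: [operands]}
    so the fuzzer can pick one fast and one slow test for localization.
    """
    if len(set(latencies.values())) <= 1:
        return None
    by_latency = defaultdict(list)
    for ops, cycles in latencies.items():
        by_latency[cycles].append(ops)
    return dict(by_latency)


def localize(trace_a, trace_b):
    """First divergence between a slow and a fast trace: the cycle index, the
    common state before the split, and the two successor states. That
    transition pair is where a designer starts looking in the RTL."""
    for i, (a, b) in enumerate(zip(trace_a, trace_b)):
        if a != b:
            return i, trace_a[i - 1], (a, b)
    return None


if __name__ == "__main__":
    cov = TransitionCoverage()
    # Constructed operand set; (7, 0) triggers the bypass path.
    ops = [(3, 5), (7, 0), (0, 9)]
    for a, b in ops:
        print(f"mul {a},{b}: new transitions {cov.record(toy_mul_unit(a, b)[1])}")
    leak = find_timing_leak(run_timing_campaign(toy_mul_unit, ops))
    print("latency groups:", leak)
    if leak:
        slow, fast = max(leak), min(leak)
        print("diverges at:", localize(toy_mul_unit(*leak[slow][0])[1],
                                       toy_mul_unit(*leak[fast][0])[1]))
```

Note that `find_timing_leak` deliberately compares latencies only within one instruction across operand values; comparing across different instructions would report ordinary, legitimate latency differences as leaks. In a real flow the trace would come from an instrumented RTL simulation and the operand pairs from the fuzzer's mutator, but the coverage and localization logic is the same shape.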