Recent research has shown that hardware fuzzers can effectively detect security vulnerabilities in modern processors. However, existing hardware fuzzers do not fuzz well the hard-to-reach design spaces. Consequently, these fuzzers cannot effectively fuzz security-critical control- and data-flow logic in the processors, hence missing security vulnerabilities. To tackle this challenge, we present HyPFuzz, a hybrid fuzzer that leverages formal verification tools to help fuzz the hard-to-reach part of the processors. To increase the effectiveness of HyPFuzz, we perform optimizations in time and space. First, we develop a scheduling strategy to prevent under- or over-utilization of the capabilities of formal tools and fuzzers. Second, we develop heuristic strategies to select points in the design space for the formal tool to target. We evaluate HyPFuzz on five widely-used open-source processors. HyPFuzz detected all the vulnerabilities detected by the most recent processor fuzzer and found three new vulnerabilities that were missed by previous extensive fuzzing and formal verification. This led to two new common vulnerabilities and exposures (CVE) entries. HyPFuzz also achieves 11.68$\times$ faster coverage than the most recent processor fuzzer.
翻译:近期研究表明,硬件模糊测试工具能有效检测现代处理器中的安全漏洞。然而,现有硬件模糊测试工具难以深入测试设计空间中难以触及的区域。因此,这些工具无法有效检测处理器中关键的安全控制流与数据流逻辑,导致安全漏洞遗漏。为应对这一挑战,我们提出HyPFuzz——一种利用形式化验证工具辅助模糊测试处理器难以触及区域的混合模糊测试工具。为提升HyPFuzz的有效性,我们从时间和空间两个维度进行优化。首先,我们设计调度策略以避免形式化工具与模糊测试工具能力被过度或不足利用。其次,我们开发启发式策略,为形式化工具在处理器设计空间中选择目标检测点。我们基于五种广泛使用的开源处理器对HyPFuzz进行评估。结果显示,HyPFuzz能检测到最新处理器模糊测试工具发现的所有漏洞,并额外发现三个此前被广泛模糊测试与形式化验证遗漏的新漏洞,由此生成两个新的通用漏洞披露(CVE)编号。此外,HyPFuzz的覆盖率速度较最新处理器模糊测试工具提升11.68倍。