Modern CPUs are black boxes, proprietary, and increasingly characterized by sophisticated microarchitectural flaws that evade traditional analysis. While some of these critical vulnerabilities have been uncovered through cumbersome manual effort, building an automated and systematic vulnerability detection framework for real-world post-silicon processors remains a challenge. In this paper, we present Fuzzilicon, the first post-silicon fuzzing framework for real-world x86 CPUs that brings deep introspection into the microcode and microarchitectural layers. Fuzzilicon automates the discovery of vulnerabilities that were previously only detectable through extensive manual reverse engineering, and bridges the visibility gap by introducing microcode-level instrumentation. At the core of Fuzzilicon is a novel technique for extracting feedback directly from the processor's microarchitecture, enabled by reverse-engineering Intel's proprietary microcode update interface. We develop a minimally intrusive instrumentation method and integrate it with a hypervisor-based fuzzing harness to enable precise, feedback-guided input generation, without access to Register Transfer Level (RTL). Applied to Intel's Goldmont microarchitecture, Fuzzilicon introduces 5 significant findings, including two previously unknown microcode-level speculative-execution vulnerabilities. Besides, the Fuzzilicon framework automatically rediscover the $μ$Spectre class of vulnerabilities, which were detected manually in the previous work. Fuzzilicon reduces coverage collection overhead by up to 31$\times$ compared to baseline techniques and achieves 16.27% unique microcode coverage of hookable locations, the first empirical baseline of its kind. As a practical, coverage-guided, and scalable approach to post-silicon fuzzing, Fuzzilicon establishes a new foundation to automate the discovery of complex CPU vulnerabilities.

翻译：现代CPU是黑盒、专有的，且日益以规避传统分析的复杂微架构缺陷为特征。尽管其中一些关键漏洞已通过繁琐的人工努力被发现，但为实际后硅片处理器构建自动化、系统化的漏洞检测框架仍具挑战性。本文提出Fuzzilicon，首个面向实际x86 CPU的后硅片模糊测试框架，实现了对微码与微架构层的深度内省。Fuzzilicon自动化发现了以往仅能通过大量人工逆向工程检测的漏洞，并通过引入微码级插桩技术弥合了可见性鸿沟。Fuzzilicon的核心是一种直接从处理器微架构提取反馈的新技术，该技术通过逆向工程英特尔专有微码更新接口实现。我们开发了一种侵入性极小的插桩方法，并将其与基于虚拟机监控程序的模糊测试工具集成，实现了无需寄存器传输级（RTL）访问的精准反馈引导输入生成。在英特尔的Goldmont微架构上应用时，Fuzzilicon揭示了5项重要发现，包括两个此前未知的微码级推测执行漏洞。此外，该框架自动复现了先前工作中人工发现的$μ$Spectre类漏洞。相较于基线技术，Fuzzilicon将覆盖率收集开销降低了最高31倍，并对可挂钩位置实现了16.27%的独特微码覆盖率，首次建立了此类实证基线。作为一种实用、覆盖率引导且可扩展的后硅片模糊测试方法，Fuzzilicon为自动化发现复杂CPU漏洞奠定了新基础。