### CPU Fuzzing via Intricate Program Generation

**Flavien Solt**, Katharina Ceesay-Seitz and Kaveh Razavi, ETH Zürich

### CPUs are certainly still full of bugs, with potential security implications

[1] Flavien Solt, Patrick Jattke, and Kaveh Razavi. "RemembERR: Leveraging Microprocessor Errata for Design Testing and Validation." 2022

### More **new CVEs** than all previous CPU fuzzers combined

### Outperforms SoA **coverage** (despite being black-box)



Idea: Explicitly generate long, complex and valid programs.

# SoA CPU fuzzers

### (DifuzzRTL family)

By definition, CPU inputs are programs.

Initialization → Program → Finalization

Program dies prematurely

**Problem 1:** Overrepresentation of always the same instruction snippets

J. Hur et al., "DifuzzRTL: Differential Fuzz Testing to Find CPU Bugs", S&P '21

# Requirements

# Cascade design

1. Program generation
2. Entanglement

#### Code generation in Cascade

Intended basic block:

| Instruction | Operands         | Constraint                                                               |
|-------------|------------------|--------------------------------------------------------------------------|
| xor         | x7,x4,x9         |                                                                          |
| csrrwi      | x9,mcause,15     |                                                                          |
| beq         | x9,x4,0x8000098e | Should not be taken                                                      |
| fadd        | f8,f9,f10        |                                                                          |
| feq.s       | x4,f9,f8         |                                                                          |
| jalr        | x9,(x7)          | Base register (x7) should contain the start address of the next basic block |

Extreme 1: Keep everything random → invalid, complex

# Asymmetric ISA pre-simulation

ISA Simulator (executed only once per program)

Test case execution

### Results

#### Program length matters

## Coverage of SoA CPU fuzzers

#### RISC-V cores under test

- PicoRV32
- Kronos
- VexRiscv
- CVA6
- Rocket
- BOOM



### Bugs

On VexRiscv without compressed instruction support

Branch

- **Cascade** is a RISC-V CPU fuzzer that generates **valid**, **long** & **complex** programs.
- Cascade introduces AIPS to entangle flows and uses non-termination as a bug signal.
- Cascade outperforms state-of-the-art coverage-guided CPU fuzzers by 28-200x.
- Cascade found 37 new CPU bugs + 1 new synthesizer bug, 29 new CVEs.
- Cascade is readily open source: https://github.com/comsec-group/cascade-artifacts











Computer Security Group