hardware is the new software: finding exploitable bugs in ... · jump oriented programming c....
TRANSCRIPT
![Page 1: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/1.jpg)
Hardware is the New Software: Finding Exploitable Bugs in Hardware Designs
Cynthia SturtonHardware Security @ UNC
![Page 2: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/2.jpg)
SpectreAlmost every modern processor is affected
2
MeltdownAllows user applications to access operating system memory
ForeshadowCan expose the cryptographic keys that protect the integrity of SGX enclaves
C. Sturton
![Page 3: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/3.jpg)
3
The Pentium F00F Bugby Robert R. Collins
The Cyrix 6x86 Coma Bug
C. Sturton
![Page 4: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/4.jpg)
4
The Pentium F00F Bugby Robert R. Collins
The Cyrix 6x86 Coma Bug
19981997
C. Sturton
![Page 5: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/5.jpg)
● Buffer overflow● Integer overflow● Format string● SQL injection● Directory crawling● Cross-site scripting● Cross-site request forgery
5
Software Security
C. Sturton
![Page 6: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/6.jpg)
6
Software Security
● Buffer overflow● Integer overflow● Format string● SQL injection● Directory crawling● Cross-site scripting● Cross-site request forgery
➔ stack smashing➔ heap overflow➔ return to libC➔ return oriented
programming➔ jump oriented
programming
C. Sturton
![Page 7: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/7.jpg)
SAGEOSS-Fuzz
7C. Sturton
![Page 8: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/8.jpg)
SAGEOSS-Fuzz
8
fuzzing
C. Sturton
![Page 9: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/9.jpg)
SAGEOSS-Fuzz
9
program analysis
![Page 10: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/10.jpg)
SAGEOSS-Fuzz
10
secure languages
![Page 11: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/11.jpg)
Hardware Security
● Secure languages
● Manual review
11C. Sturton
![Page 12: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/12.jpg)
Hardware Security
● Side channels
● Transient faults➔ Extract private keys
12C. Sturton
![Page 13: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/13.jpg)
How can we identify vulnerabilities and their exploits in hardware designs?
13C. Sturton
![Page 14: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/14.jpg)
How can we identify vulnerabilities and their exploits in hardware designs?
14
property violations
C. Sturton
![Page 15: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/15.jpg)
How can we identify vulnerabilities and their exploits in hardware designs?
15
executable programs
C. Sturton
![Page 16: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/16.jpg)
How can we identify vulnerabilities and their exploits in hardware designs?
16
code
C. Sturton
![Page 17: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/17.jpg)
17C. Sturton
![Page 18: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/18.jpg)
18C. Sturton
![Page 19: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/19.jpg)
19C. Sturton
![Page 20: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/20.jpg)
Vulnerabilities:An Analysis of
Exploitable Bugs 20[ASPLOS 2015] C. Sturton
![Page 21: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/21.jpg)
21C. Sturton
![Page 22: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/22.jpg)
AMD Errata #776
Incorrect Processor Branch Prediction for Two Consecutive Linear Pages
Under a highly specific and detailed set of internal timing conditions, the processor core may incorrectly fetch instructions ...
Potential effect: unpredictable system behavior22C. Sturton
![Page 23: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/23.jpg)
23☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑
☑
AMD Processors 2007–2013
301errata
C. Sturton
![Page 24: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/24.jpg)
24☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑ ☑☑☑☑☑☑☑☑☑☑☑☑☑☑☑
☑
AMD Processors 2007–2013
28 security critical
C. Sturton
![Page 25: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/25.jpg)
Classifying Exploitable Bugs
25C. Sturton
![Page 26: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/26.jpg)
Manually Writing Security Properties
26[ASPLOS 2015] C. Sturton
![Page 27: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/27.jpg)
𝜑Specification Documents (14): 𝜑
Writing Security Properties𝜑 𝜑 𝜑 𝜑 𝜑
𝜑 𝜑 𝜑 𝜑 𝜑 𝜑 𝜑
27C. Sturton
![Page 28: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/28.jpg)
𝜑Specification Documents (14): 𝜑 𝜑 𝜑 𝜑 𝜑 𝜑𝜑 𝜑 𝜑 𝜑 𝜑 𝜑 𝜑
𝜑: Processor mode changes from low privilege to high privilege only by an exception or a reset. 28
Writing Security Properties
C. Sturton
![Page 29: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/29.jpg)
𝜑Specification Documents (14): 𝜑 𝜑 𝜑 𝜑 𝜑 𝜑
AMD Errata (3): 𝜑 𝜑 𝜑
𝜑 𝜑 𝜑 𝜑 𝜑 𝜑 𝜑
29
Writing Security Properties
C. Sturton
![Page 30: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/30.jpg)
𝜑Specification Documents (14): 𝜑 𝜑 𝜑 𝜑 𝜑 𝜑
AMD Errata (3): 𝜑 𝜑 𝜑
𝜑 𝜑 𝜑 𝜑 𝜑 𝜑 𝜑
𝜑: When a register changes, it must be specified as the target of the instruction. 30
Writing Security Properties
C. Sturton
![Page 31: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/31.jpg)
𝜑Specification Documents (14): 𝜑 𝜑 𝜑 𝜑 𝜑 𝜑
AMD Errata (3): 𝜑 𝜑 𝜑
Initial Evaluation (1): 𝜑
𝜑 𝜑 𝜑 𝜑 𝜑 𝜑 𝜑
31
Writing Security Properties
C. Sturton
![Page 32: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/32.jpg)
𝜑Specification Documents (14): 𝜑 𝜑 𝜑 𝜑 𝜑 𝜑
AMD Errata (3): 𝜑 𝜑 𝜑
Initial Evaluation (1): 𝜑
𝜑 𝜑 𝜑 𝜑 𝜑 𝜑 𝜑
𝜑: The instruction does not change in the pipeline. 32
Writing Security Properties
![Page 33: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/33.jpg)
Security Property Specification
33[ASPLOS 2017] C. Sturton
![Page 34: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/34.jpg)
34
● 𝜑1● 𝜑2
...● 𝜑n
Traces
PropertiesMiner
Patterns
● p1● p2
...
C. Sturton
![Page 35: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/35.jpg)
35
Traces
Minerr[0] ^ r[1] ^ … ^ r[n]
Pattern
0 0 1
ctrl:
ctrl[0] ^ ctrl[1] ^ ctrl[2]
Property
0 1 0 1 0 0
C. Sturton
![Page 36: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/36.jpg)
Example of Exploitable Bug
36
assign a_lt_b = comp_op[3] ? ((a[width - 1] & !b[width - 1]) |(!a[width - 1] & !b[width - 1] & result_sum[width - 1]) |(a[width - 1] & b[width - 1] & result_sum[width - 1])) :result_sum[width - 1];
C. Sturton
![Page 37: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/37.jpg)
Example of Exploitable Bug
37
assign a_lt_b = comp_op[3] ? ((a[width - 1] & !b[width - 1]) |(!a[width - 1] & !b[width - 1] & result_sum[width - 1]) |(a[width - 1] & b[width - 1] & result_sum[width - 1])) :result_sum[width - 1]; (a < b);
C. Sturton
![Page 38: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/38.jpg)
38
● 𝜑1● 𝜑2
...● 𝜑n
Traces
PropertiesMiner
Security Errata
SCI Finder
C. Sturton
![Page 39: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/39.jpg)
39
𝜑𝜑𝜑𝜑𝜑𝜑
𝜑𝜑
𝜑𝜑𝜑
𝜑𝜑
𝜑𝜑 𝜑𝜑𝜑𝜑𝜑𝜑𝜑
𝜑𝜑
𝜑𝜑𝜑
𝜑𝜑
𝜑𝜑 𝜑𝜑𝜑𝜑𝜑𝜑𝜑
𝜑𝜑
𝜑𝜑𝜑
𝜑𝜑
𝜑𝜑 𝜑𝜑𝜑𝜑𝜑𝜑𝜑𝜑 𝜑𝜑𝜑
C. Sturton
![Page 40: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/40.jpg)
40
𝜑𝜑𝜑𝜑𝜑𝜑
𝜑𝜑
𝜑𝜑𝜑
𝜑𝜑
𝜑𝜑 𝜑𝜑𝜑𝜑𝜑𝜑𝜑
𝜑𝜑
𝜑𝜑𝜑
𝜑𝜑
𝜑𝜑 𝜑𝜑𝜑𝜑𝜑𝜑𝜑
𝜑𝜑
𝜑𝜑𝜑
𝜑𝜑
𝜑𝜑 𝜑𝜑𝜑𝜑𝜑𝜑𝜑𝜑 𝜑𝜑𝜑
1. Known bugs → Demonstrate exploit → Security properties
C. Sturton
![Page 41: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/41.jpg)
41
𝜑𝜑𝜑𝜑𝜑𝜑
𝜑𝜑
𝜑𝜑𝜑
𝜑𝜑
𝜑𝜑 𝜑𝜑𝜑𝜑𝜑𝜑𝜑
𝜑𝜑
𝜑𝜑𝜑
𝜑𝜑
𝜑𝜑 𝜑𝜑𝜑𝜑𝜑𝜑𝜑
𝜑𝜑
𝜑𝜑𝜑
𝜑𝜑
𝜑𝜑 𝜑𝜑𝜑𝜑𝜑𝜑𝜑𝜑 𝜑𝜑𝜑
1. Known bugs → Demonstrate exploit → Security properties2. Machine learning → Additional security properties
C. Sturton
![Page 42: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/42.jpg)
SCIFinder
𝜑
42
Miner[Daikon]
Bug Classification
[Manual]
Security Property
Identification
Logistic Regression
Traces
SecurityBugs
Processor Errata
Properties
Initial Security
PropertiesSecurity
Properties
C. Sturton
![Page 43: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/43.jpg)
𝜑
SCIFinder
43
Miner[Daikon]
Bug Classification
[Manual]
Security Property
Identification
Logistic Regression
SecurityBugs
Processor Errata
Properties
Initial Security
PropertiesSecurity
Properties
Traces
C. Sturton
![Page 44: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/44.jpg)
SCIFinder
44
Miner[Daikon]
Bug Classification
[Manual]
Security Property
Identification
Logistic Regression
SecurityBugs
Processor Errata
Properties
Initial Security
PropertiesSecurity
Properties
𝜑Traces
C. Sturton
![Page 45: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/45.jpg)
Evaluation
● How well does SCIFinder identify security properties?
● Will the generated properties find security vulnerabilities?
![Page 46: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/46.jpg)
46
OR1200● 26GB trace data● 17 programs● full instruction
coverage𝜑1𝜑2
SCI Finder
C. Sturton
![Page 47: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/47.jpg)
47
𝜑1𝜑2
SCI Finder
17 bugs● 3 RISC architectures● processor core
OR1200● 26GB trace data● 17 programs● full instruction
coverage
C. Sturton
![Page 48: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/48.jpg)
48
87 properties● 54 bug driven● 33 model driven
𝜑1𝜑2
SCI Finder
OR1200● 26GB trace data● 17 programs● full instruction
coverage
17 bugs● 3 RISC architectures● processor core
C. Sturton
![Page 49: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/49.jpg)
Properties
Bug Driven
● 54 properties from 17 bugs● 47% false discovery rate
49C. Sturton
![Page 50: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/50.jpg)
Properties
Bug Driven
● 54 properties from 17 bugs● 47% false discovery rate
𝜑𝜑𝜑𝜑𝜑50C. Sturton
![Page 51: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/51.jpg)
Properties
Bug Driven
● 54 properties from 17 bugs● 47% false discovery rate
Model Driven
● 33 additional properties● 27% false discovery rate
𝜑𝜑𝜑𝜑𝜑51C. Sturton
![Page 52: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/52.jpg)
found in step 1
found in step 2
property not mined
not recognized as security critical
Comparison to State of the Art
52C. Sturton
![Page 53: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/53.jpg)
New properties
Comparison to State of the Art
3
53C. Sturton
![Page 54: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/54.jpg)
Finding and ExploitingProperty Violations
[FMS 2018, MICRO 2018] 54C. Sturton
![Page 55: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/55.jpg)
Given 𝜑 and a processor design
● Can we find a violation of 𝜑 ?
● How do we reach the violating state?
● Can the violating state be exploited?
Problem Statement
55C. Sturton
![Page 56: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/56.jpg)
Existing Tools
Simulation Based Testing
1010
010
56C. Sturton
![Page 57: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/57.jpg)
Existing Tools
Simulation Based Testing Model Checking
𝜑1010
010
?57C. Sturton
![Page 58: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/58.jpg)
Given 𝜑 and a processor design
● Can we find a violation of 𝜑 ?
● How do we reach the violating state?
● Can the violating state be exploited?
Problem Statementtesting model
checking
--
- -58C. Sturton
![Page 59: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/59.jpg)
Symbolic Execution
if (reset) count = 0;else count = count+1;
if (count > 3) ERROR;
symbolic statereset := r0count := c0
59C. Sturton
![Page 60: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/60.jpg)
Symbolic Execution
if (reset) count = 0;else count = count+1;
if (count > 3) ERROR;
60
path conditionTrue
symbolic statereset := r0count := c0
C. Sturton
![Page 61: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/61.jpg)
Symbolic Execution
if (reset) count = 0;else count = count+1;
if (count > 3) ERROR;
61
path conditionTrue
symbolic statereset := r0count := c0
C. Sturton
![Page 62: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/62.jpg)
Symbolic Execution
if (reset) count = 0;else count = count+1;
if (count > 3) ERROR;
62
r0 = 0
path conditionTrue
symbolic statereset := r0count := c0
C. Sturton
![Page 63: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/63.jpg)
Symbolic Execution
if (reset) count = 0;else count = count+1;
if (count > 3) ERROR;
63
r0 = 0
path conditionTrue
symbolic statereset := r0count := c0
reset := r0count := c0 + 1
C. Sturton
![Page 64: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/64.jpg)
Symbolic Execution
if (reset) count = 0;else count = count+1;
if (count > 3) ERROR;
64
r0 = 0
path conditionTrue
symbolic statereset := r0count := c0
reset := r0count := c0 + 1
r0 = 0c0+1 > 3
C. Sturton
![Page 65: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/65.jpg)
Symbolic Execution
if (reset) count = 0;else count = count+1;
if (count > 3) ERROR;
65
r0 = 1
path conditionTrue
symbolic statereset := r0count := c0
reset := r0count := 0
r0 = 10 > 3
C. Sturton
![Page 66: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/66.jpg)
Symbolic Execution of a Hardware Design
66
...
...
C. Sturton
![Page 67: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/67.jpg)
Symbolic Execution of a Hardware Design
67
...
...
Realizable processor states
C. Sturton
![Page 68: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/68.jpg)
Symbolic Execution of a Hardware Design
68
...
...
one clock cycle
C. Sturton
![Page 69: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/69.jpg)
Symbolic Execution of a Hardware Design
69
...
...
...
...
...
...
...
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
one clock cycle
C. Sturton
![Page 70: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/70.jpg)
Backward Search
70
...
...
instruction in
C. Sturton
![Page 71: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/71.jpg)
Backward Search
71
...
...
...
...
instruction in-1
C. Sturton
![Page 72: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/72.jpg)
Backward Search
72
...
...
...
...
...
...
instruction in-2
C. Sturton
![Page 73: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/73.jpg)
Backward Search
73
trigger:i0, i1, …, in-2, in-1, in
...
...
...
...
...
...
instruction in-2
C. Sturton
![Page 74: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/74.jpg)
If a sequence of inputs is returned, it will take the processor from the initial state to an error state.
C. Sturton
![Page 75: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/75.jpg)
Requirements
75
...
...
...
...
...
...
processor’sinitial state
pathcondition⊧
C. Sturton
![Page 76: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/76.jpg)
Requirements
76
...
...
...
...
...
...
symbolicstate
assertionfailure⊆
C. Sturton
![Page 77: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/77.jpg)
Requirements
77
...
...
...
...
C. Sturton
![Page 78: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/78.jpg)
Requirements
78
...
...
...
...
symbolicstate of leaf j
path condition of leaf j+1
⊆
C. Sturton
![Page 79: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/79.jpg)
Making it Work
79
...
...
...
...
...
...
1. Internal and input signals are symbolic
C. Sturton
![Page 80: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/80.jpg)
Making it Work
80
...
...
...
...
...
...
2. Is this aninitial state?
C. Sturton
![Page 81: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/81.jpg)
Making it Work
81
...
...
...
...
...
...
3. How much doesthis differ from aninitial state?
C. Sturton
![Page 82: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/82.jpg)
Making it Work
82
...
...
...
...
...
...
3. Are we in a loop?
C. Sturton
![Page 83: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/83.jpg)
Making it Work
83
...
...
...
...
...
...
4. Have we exceededthe bound?
C. Sturton
![Page 84: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/84.jpg)
84
CPU Design
Security Property
Exploit C Program
Coppelia
𝜑
C. Sturton
![Page 85: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/85.jpg)
Triggering Instructions
Coppelia
85
Transcompiler[Verilator]
Program Stub
Generation[Manual]
Symbolic Execution
w/Recursive Strategy
CPU Design
Payload
C Code
Exploit C Program
⊕Security Property
𝜑
C. Sturton
![Page 86: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/86.jpg)
Triggering Instructions
Coppelia
86
Program Stub
Generation[Manual]
C Code
Exploit C Program
⊕
Transcompiler[Verilator]CPU
Design
Security Property
𝜑Symbolic Execution
w/Recursive Strategy
Payload
C. Sturton
![Page 87: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/87.jpg)
Coppelia
87
Symbolic Execution
w/Recursive Strategy
Transcompiler[Verilator]CPU
Design
C Code
Security Property
𝜑Triggering
Instructions
Program Stub
Generation[Manual]
Payload
Exploit C Program
⊕
C. Sturton
![Page 88: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/88.jpg)
Optimizations
● Explore only legal instructions● Alternate depth-first and breadth-first searching● Cone of Influence analysis for slicing
88C. Sturton
![Page 89: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/89.jpg)
Evaluating Optimizations
89
Baseline DFS + BFS Cone of Influence
> 19h > 1.2h 4m 12s
● Average CPU time to find bug● Considered only bugs triggerable with a single instruction
C. Sturton
![Page 90: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/90.jpg)
Evaluating Coppelia
● Does Coppelia find bugs and generate their exploits?
● Will our approach find new bugs?
C. Sturton
![Page 91: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/91.jpg)
91
��
Processor● OR1200● 31 known bugs
Coppelia
C. Sturton
![Page 92: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/92.jpg)
92
��
Processor● OR1200● 31 known bugs
Coppelia
35 properties● SPECS● SecurityCheckers● SCIFinder C. Sturton
![Page 93: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/93.jpg)
93
��
Processor● OR1200● 31 known bugs
Coppelia
35 properties● SPECS● SecurityCheckers● SCIFinder
29 exploits
C. Sturton
![Page 94: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/94.jpg)
94
Finding Bugs (ground truth: 31)
not replayable
replayable
C. Sturton
![Page 95: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/95.jpg)
95
��
Processor● Mor1kx● PULPino
Coppelia
C. Sturton
![Page 96: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/96.jpg)
96
��
Processor● Mor1kx● PULPino
Coppelia
Properties● SPECS● SecurityCheckers● SCIFinder C. Sturton
![Page 97: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/97.jpg)
97
��
Processor● Mor1kx● PULPino
Coppelia
Properties● SPECS● SecurityCheckers● SCIFinder
4 new bugs
C. Sturton
![Page 98: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/98.jpg)
Finding New Bugs
98
3PULPino-RI5CY
1Mor1kx-Espresso
newarchitecture!
newdesign
C. Sturton
![Page 99: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/99.jpg)
Security validation of hardware designs can be done algorithmically
99C. Sturton
![Page 100: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/100.jpg)
Our Products So Far
100
● SCIFinder to produce security critical properties
● Coppelia to find and generate exploits for property violations
● Security properties for RISC processor designs
C. Sturton
![Page 101: Hardware is the New Software: Finding Exploitable Bugs in ... · jump oriented programming C. Sturton. SAGE OSS-Fuzz C. Sturton 7. SAGE OSS-Fuzz 8 fuzzing C. Sturton. SAGE OSS-Fuzz](https://reader035.vdocument.in/reader035/viewer/2022081517/5fb9d4f85ec0b46cb43883df/html5/thumbnails/101.jpg)
Thank you
Rui Zhang, Calvin Deutschbein, Natalie Stanley, Chris Griggs, Andrew Chi, Ryan Huang, Alyssa Byrnes,Matthew Hicks, Jonathan M. Smith, Sam T. King.
Hardware Security @ UNC