Title: High-trigger fuzz testing for microarchitectural speculative execution vulnerability
Authors: Chuan Lu, Senlin Luo, Limin Pan
Journal: Computers & Security, volume 157, Article 104567
DOI: 10.1016/j.cose.2025.104567
Publication date: 2025-06-07 (Journal Article)
URL: https://www.sciencedirect.com/science/article/pii/S0167404825002561
Open access: no
Citations: 0
Abstract
Microarchitectural speculative execution vulnerabilities can be exploited to steal private information and even to bypass some defensive programming measures in code. The difficulty in detecting this class of vulnerability lies in ensuring a high triggering frequency of speculative execution. However, existing methods randomly generate test programs with high uncertainty; these programs lack the dependency relationships between code lines that speculative execution requires, resulting in low trigger rates of speculative execution. Meanwhile, some variables of the test input are randomly selected for mutation, but the selected variables tend to lack correlation with execution paths, leading to low detection adequacy and to convergence of the collected information. Therefore, this paper proposes High-Trigger Fuzz Testing for Microarchitectural Speculative Execution Vulnerability (HT-SEV). HT-SEV constructs a register selection model that generates subsequent code based on the data flow and real-time register distribution of the code generated so far, establishing data dependencies between different code lines. Furthermore, bidirectional gradient mutation is proposed; it mines the correlation between inputs and the collected microarchitectural information to guide the mutation of inputs, achieving high path coverage and diversity of detection information. Experimental results on multiple instruction subsets show that HT-SEV outperforms state-of-the-art related methods. The method innovatively defines data dependency relationships, capturing fine-grained code execution information.
Journal description:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading-edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors: industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.