CellIFT is now available on CirCT.
This means it now plugs into the broader MLIR-based hardware compiler ecosystem (FIRRTL, Chisel, etc.).
Huge thanks to the CirCT maintainers for the reviews and support throughout the upstreaming process.
We define ๐CFI, a new CPU security property that detects microarchitectural constant time violations and CPU vulnerabilities that allow control-flow-hijacking attacks (4 RISC-V CVEs) or proves their absence: https://t.co/Sn0dUCUvem (Paper at CCS'24)
@FlavienSolt@kavehrazavi
Confused deputy attacks on EDA software generate vulnerable hardware from secure RTL.
TransFuzz discovers 20 such translation bugs in open-source EDA (25 CVEs).
Will be presented at USENIX Security '25.
https://t.co/oNhyfxRcDz
@kavehrazavi@K_CeesaySeitz
@Amit3141592@K_CeesaySeitz@kavehrazavi Afaik most of the CPU fuzzing effort looking for bugs is done on RISC-V. Do you have any x86/ARM fuzzer in mind when asking this question? Thanks!
Oh! 37 new bugs (28 new CVEs) discovered in 5 RISC-V CPUs (e.g., BOOM and CVA6)! #Cascade fuzzes #RISC-V CPUs based on novel basic principles. Try it on your own CPU, itโs open! https://t.co/5JwUKghZ5L (with @K_CeesaySeitz@kavehrazavi)
@garricklzh @K_CeesaySeitz@kavehrazavi Yes atm Cascade is only implemented for #riscv. Porting to other ISAs would be quite some work but Cascade's ideas are agnostic of (reasonable) ISA (ARM, x86, etc. would work)
@OrangeCMS@BruceHoult@ico_TC@K_CeesaySeitz@kavehrazavi Cascade does not need RTL knowledge. Open-source CPUs help us understand sources of bugs and propose fixes to maintainers. It was also useful to know what was broken (Cascade or the CPU) during Cascade's early development.
Because Cascade found an order of magnitude more new bugs than previous fuzzers, Cascade includes an automatic pruning engine that reduces bug-triggering programs into tiny sequences of instructions, making bug interpretation human-tractable.
https://t.co/2NCFJck12Y
Today @kavehrazavi and I are finally allowed to talk about #Retbleed. In 2018, #SpectreV2 was fixed by replacing indirect jumps with returns. But, returns can be poisoned like indirect jumps, throwing us us back to 2018 again. Paper, demo, addendum, code @ https://t.co/XWzNp2kw2P
The paper is accepted for publication at USENIX Security and the source code is available on github and is easily extensible to instrumenting new designs and performing new experiments. https://t.co/cq03FS4LDJ
You said hardware dynamic taint tracking doesnโt scale? #CellIFT is the first to scale to complex CPUs/SoCs (e.g., CVA6, BOOM, PULPissimo). CellIFT detects info leakage and (micro)arch bugs like #meltdown#spectre (with @bjg@kavehrazavi). CellIFT is open! https://t.co/EIwGjpZjeF
Using CellIFT, we show microarchitectural information leakage, Spectre and Meltdown, as well as architectural bugs in an SoC. This is just the beginning! There are many more exciting applications that can be built on top of CellIFT!