Johannes Lenzen (Technical University of Darmstadt), Mohamadreza Rostami (Technical University of Darmstadt), Lichao Wu (Technical University of Darmstadt), Ahmad-Reza Sadeghi (Technical University of Darmstadt)

Modern Central Processing Units (CPUs) are black boxes, proprietary, and increasingly characterized by sophisticated microarchitectural flaws that evade traditional analysis. While some of these critical vulnerabilities have been uncovered through cumbersome manual effort, building an automated and systematic vulnerability detection framework for real-world post-silicon processors remains a challenge.

In this paper, we present Fuzzilicon, the first post-silicon fuzzing framework for real-world x86 CPUs that brings deep introspection into the microcode and microarchitectural layers. Fuzzilicon automates the discovery of vulnerabilities that were previously only detectable through extensive manual reverse engineering, and bridges the visibility gap by introducing microcode-level instrumentation. At the core of Fuzzilicon is a novel technique for extracting feedback directly from the processor’s microarchitecture, enabled by reverse-engineering Intel’s proprietary microcode update interface. We develop a minimally intrusive instrumentation method and integrate it with a hypervisor-based fuzzing harness to enable precise, feedback-guided input generation, without access to Register Transfer Level (RTL) or vendor support.

Applied to Intel’s Goldmont microarchitecture, Fuzzilicon introduces 5 significant findings, including two previously unknown microcode-level speculative-execution vulnerabilities. Besides, the Fuzzilicon framework automatically rediscover the µSpectre class of vulnerabilities, which were detected manually in the previous work. Fuzzilicon reduces coverage collection overhead by up to 31× compared to baseline techniques and achieves 16.27% unique microcode coverage of hookable locations, the first empirical baseline of its kind. As a practical, coverage-guided, and scalable approach to post-silicon fuzzing, Fuzzilicon establishes a new foundation to automate the discovery of complex CPU vulnerabilities.

View More Papers

UIEE: Secure and Efficient User-space Isolated Execution Environment for...

Huaiyu Yan (Southeast University), Zhen Ling (Southeast University), Xuandong Chen (Southeast University), Xinhui Shao (Southeast University, City University of Hong Kong), Yier Jin (University of Science and Technology of China), Haobo Li (Southeast University), Ming Yang (Southeast University), Ping Jiang (Southeast University), Junzhou Luo (Southeast University, Fuyao University of Science and Technology)

Read More

STIP: Three-Party Privacy-Preserving and Lossless Inference for Large Transformers...

Mu Yuan (The Chinese University of Hong Kong), Lan Zhang (University of Science and Technology of China), Yihang Cheng (University of Science and Technology of China), Miao-Hui Song (University of Science and Technology of China), Guoliang Xing (The Chinese University of Hong Kong), Xiang-Yang Li (University of Science and Technology of China)

Read More

MES: Thwarting Fuzzing by Suppressing Memory Errors (Registered Report)

Fannv He (National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences, China, and School of Cyberspace Security, Hainan University, China), Yuan Liu (School of Cyber Engineering, Xidian University, China), Jice Wang (School of Cyberspace Security, Hainan University, China), Baiquan Wang (School of Cyberspace Security, Hainan University, China), Zezhong Ren (National Computer Network…

Read More