Peihong Lin (National University of Defense Technology), Pengfei Wang (National University of Defense Technology), Lei Zhou (National University of Defense Technology), Gen Zhang (National University of Defense Technology), Xu Zhou (National University of Defense Technology), Wei Xie (National University of Defense Technology), Zhiyuan Jiang (National University of Defense Technology), Kai Lu (National University of Defense Technology)

CPU vulnerabilities pose ongoing security challenges in modern CPU architectures. Among the CPU vulnerabilities, write port contention—caused by multiple functional modules
simultaneously competing for a limited number of shared write ports—remains insufficiently studied. In this paper, we study write port contention side-channel vulnerabilities in CPUs and
propose **PortRush**, a novel fuzzing framework designed to detect and validate such vulnerabilities at the register-transfer level (RTL). First, PortRush constructs a **Write Request Graph (WRG)** to statically identify potential write port contention instances by modeling write paths and priority relationships among functional modules that target shared storage elements.
Second, within the WRG, PortRush implements a **Hierarchical Aggregation and Decoding** method to efficiently detect write port contention by monitoring relevant hardware signals across design hierarchies. Third, PortRush employs a **Contention-guided
Hardware Fuzzing** approach to trigger write port contention and automatically combine contention-triggered instruction sequences with transient execution attack patterns, enabling validation of write port contention side-channel vulnerabilities. We evaluate
PortRush on three RISC-V CPUs (BOOM, NutShell, and Rocket Core) and demonstrate its effectiveness in identifying and triggering write port contention. Furthermore, we validate that
the discovered vulnerabilities can be exploited in realistic write port contention attack scenarios. Based on these vulnerabilities, we present two novel attack vectors: *Birgus-variant*, which exploits contention at the physical register file in the Reorder Buffer, and *MSHRush*, which leverages contention between the *Load/Store Unit (LSU)* and the *Miss Status Handling Register (MSHR)*
at the L1 data cache to induce secret-dependent execution delays. We also propose mitigation strategies for CPU developers to prevent such vulnerabilities.

View More Papers

PriMod4AI: Lifecycle-Aware Privacy Threat Modeling for AI Systems using...

Gautam Savaliya (Deggendorf Institute of Technology, Germany), Robert Aufschlager (Deggendorf Institute of Technology, Germany), Abhishek Subedi (Deggendorf Institute of Technology, Germany), Michael Heigl (Deggendorf Institute of Technology, Germany), Martin Schramm (Deggendorf Institute of Technology, Germany)

Read More

Lessons Learned through Customer Discovery in a Provenance-based Security...

Akul Goyal (Provenance Security, Inc.), Adam Bates (Provenance Security, Inc.)

Read More

Prεεmpt: Sanitizing Sensitive Prompts for LLMs

Amrita Roy Chowdhury (University of Michigan, Ann Arbor), David Glukhov (University of Toronto and Vector Institute), Divyam Anshumaan (University of Wisconsin-Madison), Prasad Chalasani (Langroid Incorporated), Nicholas Papernot (University of Toronto and Vector Institute), Somesh Jha (University of Wisconsin-Madison), Mihir Bellare (University of California, San Diego)

Read More