UISFuzz: An Efficient Fuzzing Method for CPU Undocumented Instruction Searching

Li, Xixing; Wu, Zihao; Wei, Qiang; Wu, Haolan

doi:10.1109/access.2019.2946444

Cited by 14 publications

(5 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In 2018, Jianping Zhu et al [9] proposed a comprehensive CPU security benchmark to evaluate the hardware security of processors, which contains numerous known CPU vulnerabilities. In 2019, Xixing Li et al [10] proposed an undocumented instruction search method for CPUs of the x86 architecture named UISfuzz. This method further reduces the search space based on Sandsifter and improves the search efficiency through instruction format identification.…”

Section: The Security Of Ciscmentioning

confidence: 99%

An efficient mining method for DSP undocumented instruction

Zhang

Wang

Liu

et al. 2023

International Conference on Cyber Security, Artificial Intelligence, and Digital Economy (CSAIDE 2023)

View full text Add to dashboard Cite

Nowadays, DSP processors have been widely used in wireless network systems, since it can meet high-speed real-time information processing requirements. Meanwhile, the undocumented instructions in processors, with potentially catastrophic consequences, have become one of the main threats to system security. Therefore, the mining of undocumented instructions in processors is quite crucial for reinforcing the security of wireless network. To achieve this goal, we propose an undocumented instruction search method specifically for DSP processors, which can efficiently and accurately obtain undocumented instructions. First, to compress the instruction search space, we analyze the characteristics of DSP instruction format. Second, we build a precise instruction disassembly framework to identify all the undefined instructions. Finally, we build an automatic test tool for the executability of undefined instructions. We perform extensive experiments to evaluate the effectiveness of our method. The results reveal that our approach is valid for mining undocumented instructions in DSP processors. Specifically, we have successfully mined 335 instructions on 14 TI DSP processors from 6 different series.

show abstract

Section: The Security Of Ciscmentioning

confidence: 99%

An efficient mining method for DSP undocumented instruction

Zhang

Wang

Liu

et al. 2023

International Conference on Cyber Security, Artificial Intelligence, and Digital Economy (CSAIDE 2023)

View full text Add to dashboard Cite

show abstract

“…Domas [9] demonstrated a hardware back-door in a commercial x86 processor, and Duflot [1] exposed the security threats of the undocumented instructions. In response to the serious security concern over the fact that an undocumented instruction may actually exist in a commercially available off-the-shelf processor, a fuzzing test method targeting the x86 processors was proposed [2], and a later work used an improved algorithm with better performance and reduced overhead [10]. Dofferhoff et al [11] presented a reduced instruction set computer (RISC) instruction scanner that is used to search for undocumented instructions on RISC architectures implemented on emulators.…”

Section: Related Studiesmentioning

confidence: 99%

IMSC: Instruction set architecture monitor and secure cache for protecting processor systems from undocumented instructions

Wang

Liu

Jiang

2022

IET Information Security

View full text Add to dashboard Cite

A secure processor requires that no secret, undocumented instructions be executed. Unfortunately, as today's processor design and supply chain are increasingly complex, undocumented instructions that can execute some specific functions can still be secretly introduced into the processor system as flaws or vulnerabilities. To address this problem that may cause potentially serious security breaches, the instruction set architecture (ISA) monitor and secure cache (IMSC) is proposed. As a lightweight solution, IMSC employs an ISA monitor to discover and correct any potential threats imposed by undocumented instructions, and it relies on a secure cache to ensure the credibility of the system. The authors’ case studies have confirmed that IMSC can effectively protect a processor system from being exploited by undocumented instructions and thus provide a trustworthy computing environment, all at low hardware and run‐time costs.

show abstract

“…Therefore, the memcage method provides a more general way of scanning for undocumented instructions than provided by Domas. Xi et al [10] extend the work of Domas by further reducing the search space and associated efficiency gains. Like Domas' work, this extension only applies to x86 and an alternative to the trap flag is not proposed, which is one of the main contributions of our work.…”

Section: Related Workmentioning

confidence: 99%

“…[12] describes how the ARMv8 ISA is converted to machine readable format, used to create Verilog models for formal verification. Our system uses disassemblers as a ground truth for correct processor behavior, analog to previous work done for the x86 architecture [10], [13]. It should be noted that the disassembler may be inconsistent with the official ISA specification, although in practice the number of false positives due to disassembler bugs was small enough to make manual verification of the results viable.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

iScanU: A Portable Scanner for Undocumented Instructions on RISC Processors

Dofferhoff

Goebel

Rietveld

et al. 2020

2020 50th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)

View full text Add to dashboard Cite

Undocumented and faulty CPU instructions can cause undefined behavior and system instability, impairing software efforts such as OS crash recovery and resilience, and system security. Although often not considered, the identification of such undocumented instructions is critical. We present a portable RISC instruction scanner that is able to search for undocumented instructions on a wide range of RISC architectures, empowering users to verify the reliable and secure operation of their systems. We propose two methods to look for undocumented instructions. Both attempt to execute a single instruction word in a controlled manner, regaining control afterwards. Subsequently, we determine if the instruction word is considered valid by the processor, comparing this result to the processor's ISA specification. Our prototype scanner can scan multiple ARMv8 and RISC-V systems. Various inconsistencies were discovered in the QEMU emulator and disassemblers used as ground truth. Furthermore, we found an undocumented instruction on a RISC-V chip.

show abstract

UISFuzz: An Efficient Fuzzing Method for CPU Undocumented Instruction Searching

Cited by 14 publications

References 28 publications

An efficient mining method for DSP undocumented instruction

An efficient mining method for DSP undocumented instruction

IMSC: Instruction set architecture monitor and secure cache for protecting processor systems from undocumented instructions

iScanU: A Portable Scanner for Undocumented Instructions on RISC Processors

Contact Info

Product

Resources

About