Phantom Trails: Practical Pre-Silicon Discovery of Transient Data Leaks
Alvise de Faveri Tron, Vrije Universiteit Amsterdam
Raphael Isemann, Vrije Universiteit Amsterdam
Hany Ragab, Vrije Universiteit Amsterdam
Cristiano Giuffrida, Vrije Universiteit Amsterdam
Klaus von Gleissenthall, Vrije Universiteit Amsterdam
Herbert Bos, Vrije Universiteit Amsterdam
Abstract
Transient execution vulnerabilities have affected CPUs for the better part of the decade, yet, we are still missing methods to efficiently uncover them at the design stage. Existing approaches try to find programs that leak explicitly defined secrets, sometimes including the transmission over a side-channel, which severely restricts the space of programs that can trigger detection. As a result, current fuzzers are forced to constrain the search space using templates of known vulnerabilities, which risks overfitting. What is missing is a general detection mechanism that (1) makes it easy for the fuzzer to trigger a violation and (2) catches vulnerabilities at their root cause — similarly to sanitizers in software.
In this paper, we propose Phantom Trails, an efficient yet generic method for discovering transient execution vulnerabilities. Phantom Trails relies on a fuzzer-friendly detection model that can be applied without the need for templating. Our detector builds on two key design choices. First, it concentrates on finding microarchitectural data leaks independently of the covert channel, thereby focusing on the core of the attack. Second, it automatically infers all secret locations from the architectural behavior of a program, making it easier for the detector to find leaks. We evaluate Phantom Trails by fuzzing the BOOM RISC-V CPU, where it finds all known speculative vulnerabilities in 24 hours, starting from an empty seed and without pre-defined templates, as well as a new Spectre variant specific to BOOM — Spectre-LoopPredictor.
1 Introduction
Transient execution attacks are a critical security threat that has plagued CPUs for the best part of the last decade. After the initial discoveries of Spectre [39] and Meltdown [42], recent years have brought on a variety of new attacks [6,40,44,46,52,65,66,70]. Once discovered, these issues are unfortunately not easy to fix: post-silicon mitigations have often proven to be either incomplete [6,13,45,69,71], opening the door to new attacks, or so detrimental to performance as to render them impractical [28]. Ideally, such vulnerabilities should be found, and fixed, at the pre-silicon stage, i.e., during the design phase of the CPU. However, automatically detecting them in hardware designs is challenging.
Pre-Silicon Fuzzing. While exhaustive approaches such as formal verification [19,21,26,67] are difficult to scale to real-world CPUs, a promising approach to finding hardware bugs in RTL designs is fuzzing, which has been applied to both architectural [11,34,38,59,64,72] and microarchitectural [25,33] bugs. For CPUs, pre-silicon fuzzing generally requires iteratively generating random inputs (i.e., programs) and verifying their behavior on a cycle-accurate simulation of the Design Under Test (DUT). This approach poses some unique challenges when compared to traditional software fuzzing – especially when looking for transient execution vulnerabilities. First, the size of the input space – the space of all possible programs, initial memory states, and CPU configurations – paired with the complexity of the designs and the slow speeds of cycle-accurate simulations make efficient fuzzing hard. Second, hardware does not inherently “crash”, which raises the problem of how to detect violations during fuzzing. Transient execution vulnerabilities represent a further challenge: while architectural bugs can be detected through HDL assertions or golden reference models, modelling transient vulnerabilities at the RTL level is still an open problem.
Problem Statement. Current state-of-the-art fuzzers for transient vulnerabilities address the problem of navigating the huge search space by employing some form of templating, i.e., by either (1) breaking up known end-to-end attacks into individual stages that serve as a blueprint for creating new variants [33], or (2) providing the fuzzer with program snippets such as “try to access a secret” or “slow down an instruction” to mimic the behavior of known PoCs [25]. While these restrictions help make the search practical, they bias the fuzzer towards known issues, which risks overfitting. Our main insight is that current fuzzers need restrictions like templates because their underlying detection models overly constrain the space of programs that can trigger a violation.
In particular, current detection models rely on explicitly defined secrets, i.e., values that should not be leaked by the microarchitecture, which are defined as all data residing in specific memory regions protected by specific hardware flags [25,33,60]. On top of this, state-of-the-art fuzzers [33] only detect violations after a secret is transmitted through a covert channel, thereby requiring full end-to-end attacks. Both choices make life for the fuzzer unnecessarily hard.
Phantom Trails. With Phantom Trails, we present a new approach to efficiently finding transient vulnerabilities without templates or smart seeds. Phantom Trails builds on a fuzzer-friendly detector which imposes fewer constraints on the programs and detects violations at their root cause. Instead of end-to-end exploits, Phantom Trails concentrates on finding transient data leaks — ways in which secrets can enter the microarchitecture through transient execution — independently of the side-channel transmission, providing early detection of vulnerabilities. Unlike previous methods, our detection model implicitly defines secrets specific to a program by deriving which memory locations are never accessed architecturally. Taking a key insight from software sanitizers such as ASAN [57] and MSAN [61], whose implicit “tainting” of most of a program’s memory greatly increases the probability of detecting memory errors, Phantom Trails’s tainting of all memory not accessed architecturally maximizes the likelihood of finding violations. This allows us to model a wide variety of vulnerabilities including Spectre-v1, Spectre-v2, Spectre-RSB, Spectre-SSB, and Meltdown variants.
Evaluation. To demonstrate the practical benefits of our approach, we run a fuzzing campaign on BOOM [5], a popular open-source RISC-V core equipped with an out-of-order pipeline and speculation. On BOOM, Phantom Trails is able to reliably detect all Spectre and Meltdown variants known on this core within 24 hours without the need for templating, unlike the state of the art [25,33]. Phantom Trails also uncovers Spectre-LoopPredictor – a new Spectre variant, specific to BOOM, through which an attacker can cause mispredictions on an uncontrolled branch by training a nearby control-flow instruction. We disclosed Spectre-LP to the maintainers of BOOM, who acknowledged the issue.
Contributions. We make the following contributions:
1. We describe a new, fuzzer-friendly detection model offering sanitizer-like functionality for transient execution vulnerabilities in CPU designs;
2. We build an extensible, software-only detector based on LLVM and Verilator to enforce our model on CPU simulations, with minimal knowledge of the DUT and no hardware modifications;
3. We integrate the detector into an open-source fuzzer that can find Spectre and Meltdown samples within 24 hours on BOOM without templating or smart seeds;
4. We uncover a new speculation primitive on BOOM (Spectre-LP) that can be used to mispredict an uncontrolled branch towards a disclosure gadget.
Open Sourcing. All the source code of our detector, including our LLVM instrumentation for Verilator (BFSan) and a taint-tracking wrapper for BOOM, is available at https://zenodo.org/records/14726711, along with all transient leak experiments and fuzzing infrastructure.
2 Background
In this section, we briefly recap the nature of transient execution attacks and existing detection models.
2.1 Transient Execution Attacks
Phases. End-to-end transient execution attacks consist of three main phases: (1) a priming step, in which an attacker massages the microarchitecture to a vulnerable state, (2) a secret access step, in which the CPU transiently accesses some secret data as a result of the attacker’s priming, and (3) a transmission step, in which the secret is first encoded into a non-transient microarchitectural state (e.g., the cache) and then recovered into an architectural value by the attacker.
Classification. In Meltdown-like attacks, the attacker accesses data belonging to a different security domain through a faulting instruction. In particular, in Meltdown a faulty attacker load brings victim data from the L1 cache into the pipeline, while the faulting load in an MDS attack accesses in-flight data belonging to the victim. In contrast, in Spectre-like attacks the access occurs in the same security domain, by a victim acting as a confused deputy, while the transient window is generated through speculation. Figure 1 shows the phases of a typical Spectre attack employing FLUSH+RELOAD [73].
Covert Channels. Step (3) transmits the secret via a timing covert channel. Many such covert channels have been discovered over the years, including those based on caches [73], translation structures [29,62], prefetchers [30], predictors [3,20], contention on execution units [8], etc.
2.2 Existing Detection Models
Previous work has proposed different models for detecting transient execution vulnerabilities at the pre-silicon stage.
Templating. IntroSpectre [25] and SpecDoctor [33] are pre-silicon fuzzers that are aimed at transient execution vulnerabilities. Due to the complexity of the DUT, they both employ strategies to restrict the search space. IntroSpectre defines a set of “gadgets”, i.e., snippets of code taken from known vulnerabilities (such as “M5 – Generate store and load instructions with overlapping addresses.”) and combines them.
[Figure 1: diagram of Attacker and Victim interacting through the D-Cache, split into an architectural (arch.) and a microarchitectural (µ-arch.) layer; labelled steps: (1) flush, (2) access, (3a) encode, (3b) reload; legend: direct data flow vs. indirect flow]
Figure 1: Phases of a Spectre attack employing Flush+Reload. The attacker first primes the microarchitecture by flushing the cache (1), then forces the victim to transiently access a secret (2), the value of which gets encoded in the microarchitectural state (here the cache) which leaks to the attacker by means of subsequent timed loads (3).
SpecDoctor uses multi-phased fuzzing starting from a pre-defined template that mimics the different phases of known attacks and tries to fill them until an end-to-end leakage is found, including the transmission and recovery through a covert channel.
Secret Tracking. Detection mechanisms for transient vulnerabilities generally involve tracking a secret through the microarchitecture. In particular, IntroSpectre uses a secret value generator to populate secret memory with specific values, and triggers detection if such values are found in a microarchitectural buffer (e.g. the Line-Fill Buffer). SpecDoctor uses differential testing by changing the values of secret memory between two different runs of the same program and checking if the hash of the microarchitectural state differs. STT [74] and CellIFT [60] propose a different approach to detection (but not in the context of fuzzing) that uses hardware Information Flow Tracking, or taint tracking, to precisely follow the flow of secret data during its manipulation.
Secret Definition. All existing detection approaches rely on defining secrets. STT [74] is a microarchitectural defense that considers all speculatively-accessed data as secret, until the corresponding instruction is past a Point-of-No-Return in the RoB, by which time the data is considered architectural. This approach is not suitable for fuzzing, as any speculative window would trigger a violation, even those where the speculation turns out to be correct. All other approaches use explicitly defined secrets. CellIFT and SpecDoctor start from a predefined secret memory region, which is isolated using hardware primitives (PMP or page flags). IntroSpectre also uses page flags to identify secrets, but allows them to evolve based on the permissions changes operated by the gadgets.
3 Challenges and Observations for Fuzzing
In this section, we highlight some of the obstacles that existing pre-silicon detectors and fuzzers for transient vulnerabilities face, as well as key insights to overcome them.
Sources of Entropy. To generate a program that uncovers a transient vulnerability, fuzzers need to beat a variety of entropy sources. First, the fuzzer needs to generate a set of valid instructions, and a program that exhibits some non-trivial control and data flow. Next, the program needs to open a speculative window. On top of this, the program needs to access a memory location containing a secret during speculation. Finally, in the case of SpecDoctor, the program also needs to encode the secret into the microarchitecture, and the fuzzer needs to generate the receiver code that extracts the secret. Creating programs that follow all of these steps is a considerable effort for a fuzzer, and makes efficient fuzzing impractical. Existing fuzzers tackle this complexity through templating, which aims at reducing the entropy of program generation. While this approach speeds up fuzzing, it risks overfitting on known vulnerabilities. We observe that, by concentrating on other sources of entropy, we might be able to significantly speed up fuzzing without the need for templates.
Observation #1: To generate samples of transient execution attacks, fuzzers must beat a variety of entropy sources. By focusing on sources other than program generation, we can eliminate the need for templates.
Indirect Flows. Our second observation stems from analyzing the different steps of transient execution attacks in Figure 1. We observe that in the priming step (step (1)) the attacker massages the microarchitecture indirectly, i.e., performs actions that modify the content of prediction structures, without directly accessing their content (which is not available architecturally). Similarly, in step (3), the victim modifies the microarchitectural state in a secret-dependent way, but there is no direct flow of information between victim and attacker. In contrast, in step (2) (secret access) there is a direct data flow between secret data and some microarchitectural buffer, e.g., the Register File or the Line-Fill Buffer. A key observation is that, while indirect flows are a known issue for taint tracking frameworks and can often lead to overtainting, direct data flows can be precisely tracked—making the secret access step an ideal place to catch speculative attacks. Moreover, as the secret access happens independently of the transmission and recovery step, it is orthogonal to the side-channel being used. Focusing on the secret access step therefore targets the core of the attack, reducing fuzzer entropy.
Observation #2: We can remove the entropy of the side-channel by focusing on the secret access phase, where we have a direct data flow of the secret.
Secret Model. A core challenge of defining transient execution attacks at the RTL level is modelling secrets. Existing techniques rely on explicitly defined secrets—for instance, by marking some pages as secret [33,60]. Explicit secret models restrict the number of speculative accesses that trigger detection, making it harder for the fuzzer to find a violation. Moreover, they require the detector to commit to specific threat models. For example, attacks can leak data across hardware-defined boundaries (e.g., user code reading supervisor memory) or software-only boundaries (e.g., JavaScript programs breaking website isolation). Similarly, the secret may be read directly from within the attacker context (Meltdown), or through the victim (via a gadget in the victim code), and then exfiltrated by the attacker (Spectre). Approaches based on explicit secrets protected with PMP/Page Flags must explicitly pick an attacker model before fuzzing [33], and cannot account for leakage across software-only boundaries.
Observation #3: By avoiding explicit secrets we can greatly reduce the entropy of the secret address (and possibly catch same-domain leaks).
4 Phantom Trails
We now discuss how Phantom Trails addresses these fuzzing challenges, based on our observations.
4.1 Transient Data Leaks
While detecting end-to-end leaks is a challenging task and represents a considerable obstacle for fuzzing, detecting secret accesses, which happen before and independently of the side-channel transmission, can be achieved with precise taint-tracking, and catches vulnerabilities at their root. In particular, given a program to test, we track all data flows through the DUT by accessing the RTL-level design and applying taint tracking to the cycle-accurate simulation of the CPU. This includes speculative data flows, e.g., speculative loads, which are visible in the microarchitecture for a restricted period of time (until the speculation is squashed) but not from the architectural execution. Such data flows can move secret data from the memory subsystem to an exposed buffer inside the CPU, i.e., a taint sink, such as the Register File. Once the secret has entered the RF, it can be leaked in a variety of ways, for example, by a subsequent load or a variable-time instruction. We call direct leaks from secret memory to exposed buffers transient data leaks, and focus our detection method on them.
4.2 Implicit Secrets
Instead of relying on explicit secrets, which make it hard for the fuzzer to find vulnerabilities and risk missing attacks, we introduce the concept of implicit secrets, depicted in Figure 2. Given a stream of instructions executed by the CPU, we can derive the set of all memory locations that should be accessed architecturally. We use this intuition to define our notion of implicit secrets: all data that is not accessed architecturally by a program is considered a secret. During fuzzing, we generate programs that start from the same initial state and can run for a maximum number of cycles proportional to the size of the binary (see Section 5.2). We infer secrets by first executing a generated program on an ISA simulator, such as Spike [2], which recovers the list of architectural accesses of a single run, and then taint every other memory location in the simulated DRAM before running the same program from the same initial state on the microarchitectural simulator.
[Figure 2: the snippet `x = *A0; if (x < 10) y = array[x]` shown against DRAM locations A0 and A1, with architectural (arch.) and speculative (spec.) accesses; panels (a) Explicit Secrets and (b) Implicit Secrets]
Figure 2: A visualization of the difference between explicit secret models (a) and implicit secret models (b) (red is secret).
[Figure 3: the same snippet, with *A0 = 100, traced through four panels: (a) ISA Simulation (ISA Simulator; branch not taken; A0 accessed architecturally), (b) Taint Initialization (Cycle-Accurate Simulator; DRAM with A0), (c) Taint Detected (Cycle-Accurate Simulator; DRAM with A0, A1; RoB entries busy; speculative access), (d) Pipeline Flush (Cycle-Accurate Simulator; RoB entries done; flush)]
Figure 3: Different phases of our detection model.
Example. Figure 3 represents an example of how a Speculative Bounds Check Bypass (Spectre-v1) can be detected by our model. First, we run a sequence of instructions with an ISA simulator (Phase (a)) and infer the set of architecturally-accessed locations ({A0}). Then, we taint every other location in the simulated DRAM as “secret” (Phase (b)). Finally, on the cycle-accurate simulation of the CPU, we observe taint coming from A1, which was never loaded architecturally, inside of the Register File (Phase (c)), which triggers detection.
4.3 Flush-Based Classification
The transient nature of the vulnerabilities we are looking for implies that the instruction accessing the secret is speculative, and therefore has to be squashed when the speculation is revealed to be incorrect. Microarchitectures typically have at least three ways to signal that an instruction has to be squashed: (1) pipeline exceptions, generated by faulty instructions (e.g., loads that cause a page fault), (2) mispredictions that indicate incorrect control-flow speculation, and (3) rollbacks, which might happen on value speculation, e.g., with store-to-load forwarding. We can use these signals for classification: whenever the microarchitecture brings a secret into a sink, instead of immediately crashing the execution, we wait until one of such signals is detected (Phase (d) in Figure 3) and perform a preliminary classification of the leak based on it. If no pipeline flush is detected before the end of the program, we report an unidentified leak. This might indicate either the presence of an additional, unidentified flush signal, or an architectural bug that leaks transiently-accessed data.
4.4 Tainting Software Simulations
The implementation of our detector has two major requirements: (1) we need a taint-tracking engine to track secrets in the microarchitecture, and (2) we need easy access to the microarchitectural state during simulation, in particular the simulated DRAM, the Physical Register File (i.e., our sink) and any relevant component for classification (Re-Order Buffer, and signals indicating a pipeline flush). Additionally, for fuzzing, we need to instrument the simulation to gather feedback.
To tackle these requirements, we adopt an approach similar to Trippel et al. [64] and instrument the software cycle-accurate simulation of the CPU generated by Verilator [58], an open-source cycle-accurate simulator. With such an approach, we can benefit from the power and maturity of existing software such as LLVM [41] and AFL [22,23,75]. More specifically, a software-only approach has the following advantages:
1. Reusing mature infrastructure widely adopted in academia and industry (LLVM, AFL) makes this approach compatible with past and future research/tooling on software fuzzing and vulnerability discovery;
2. Using LLVM instrumentation for both taint tracking and fuzzing means that the same taint infrastructure can be used for both detection and fuzzing feedback;
3. A software-only infrastructure makes it easier to prototype new detection mechanisms and taint policies, and guarantees easier scalability (does not require FPGAs).
[Figure 4: block diagram: input program → ISA Simulator (record accessed memory) → Taint Engine (taint everything else) → DRAM of the Cycle-Accurate Simulator, whose CPU Core comprises ICache, ReOrder Buffer, Exec Units, Load Ports, DCache, L2 Cache and the Register File (run program) → detection + classification; steps numbered 1 to 6]
Figure 4: Structure of Phantom Trails’ detector. Given an input binary (1), the detector runs an ISA Simulator to obtain a list of architectural accesses (2). Every address that is not in this list is tainted in the simulated DRAM (3). Then, the program is run through the cycle-accurate simulator (4), where taint is allowed to propagate until it reaches a sink (5). On the next pipeline flush, the detector will abort the execution with an error code and produce a detection report (6) that marks the input as problematic.
5 Detector Design
We now present our implementation of Phantom Trails’ detection component, and evaluate its ability to correctly identify and classify PoCs of known vulnerabilities.
5.1 Components
Figure 4 represents an overview of the structure of Phantom Trails’ detector. Similar to previous work, we use the BOOM RISC-V core [5] as the design-under-test for our prototype.
ISA simulator. To infer secret locations, we use a modified version of the RISC-V ISA simulator Spike [2] to architecturally simulate an input program. We modified Spike to log all memory locations (and instructions) accessed during simulation as well as the number of executed instructions. Additionally, we added the possibility of discarding test cases that hinder correct classification, such as self-modifying code (see Section 6.2). It is worth noting that, while our system is currently implemented for RISC-V architectures, ISA simulators exist also for other instruction sets.
[Figure 5: pipeline diagram: BOOM source (Chisel) → FIRRTL Compile → Verilog → Verilator → "Verilated" C++ → Add simulation wrapper → Clang: Compile with data-flow sanitizer → Binary → Runtime taint propagation]
Figure 5: Compilation pipeline that transforms the BOOM design into an instrumented binary that can be used for fuzzing.
Taint tracking engine. Our prototype uses a custom taint tracking engine called BFSan, which supports bit-precise tracking of taint throughout a program. We only propagate taint through direct data flows. BFSan is built on top of the MemorySanitizer (MSan) error detector from the LLVM compiler infrastructure. Similar to MSan, it divides the memory space into two parts: normal program memory, and a shadow map, used to track the taint of each bit. BFSan follows the flow of taint by instrumenting a program during compilation. The instrumented code propagates the taint through the program by updating the contents of the shadow map on each executed instruction.
Cycle-accurate simulator. The cycle-accurate simulator used in our prototype is generated by the Chipyard [1] build system. The source code of BOOM is first lowered from Chisel [17] to Verilog, then translated by Verilator into a compilable C++ object that contains all simulation logic and whose members represent hardware registers and wires. Figure 5 shows an overview of the compilation process. Once the C++ object is generated, we identify the relevant components to monitor and execute the simulator through a software wrapper. The software wrapper applies the initial taint to the DRAM, advances the simulation clock, and monitors taint sinks for classification. The resulting C++ program is then compiled with BFSan, which adds logic for taint tracking.
5.2 Challenges
Termination. Since hardware is reactive, that is, it does not terminate as long as a clock signal is provided, we face the problem of deciding when to stop the simulation of a given program. We employ the following strategy:
1. During architectural simulation (Spike), we terminate on any faulty instruction, thus ensuring we only execute the loaded program. In particular, we initialize all DRAM locations outside the loaded program to 0 – an illegal instruction in RISC-V – and ensure that our trap handler also contains an illegal instruction. This means that when the program reaches its end, the CPU will encounter an illegal instruction, which we use as a termination signal. Since our program may contain unbounded loops, we further put a bound on the total number of execution steps. If no illegal instruction is found, the simulation terminates after the maximum number of steps, which is calculated depending on the size of the input program.
2. During cycle-accurate simulation, we monitor the Re-Order Buffer (RoB) to count the number of retired instructions. Whenever this number matches the number of instructions reported by Spike, we end the simulation.
Taint sources. Since all the input program’s code and data are loaded in memory at the start of each execution, we use DRAM as our initial taint source. In particular, we leverage BOOM’s option to provide a black-box implementation of the simulated DRAM. We use the list of memory accesses generated by the ISA simulator to initialize taint. In particular, we apply taint to all DRAM locations that have not been accessed architecturally. This includes locations whose initial value is overwritten by a subsequent store before being read.
Taint sink(s). The simulation wrapper monitors the presence of taint in a predefined sink after each clock cycle. For our prototype, we chose the Physical Register File (PRF) as sink for two main reasons: (1) non-architectural data reaching the PRF can be leaked through a variety of side-channels, e.g., port contention, cache, TLB; (2) if tainted data reaches a physical register, we can easily infer which instruction is responsible for it by inspecting entries in the RoB.
Taint washing. If a program speculatively jumps to a tainted value rather than loading it, taint might end up in the Register File. While this correctly implies that speculative code is being executed, we only care about speculative code that brings new data into the Register File, like Spectre gadgets for example. To avoid marking speculative code that does not directly leak values as a vulnerability, we make sure that taint is washed off instructions passing through the instruction cache, which prevents taint from spreading to the RF.
Self-modifying code. Differently from x86, RISC-V architectures do not guarantee that the instruction cache is invalidated if code is modified during execution, and instead require explicit synchronization from software through FENCE.I. Programs that modify cached instructions without flushing the I-Cache are expected to produce a different behavior than the ISA simulation. For our use-case, this means that any program that modifies a load (e.g., by turning it into a nop), will still observe the microarchitectural effects of that load, while the ISA simulation will not. To avoid reporting such cases, we detect programs that contain self-modifying code during the ISA simulation, and immediately discard the program without wasting time on the slow cycle-accurate simulation.
5.3 Classification
To aid the analysis of the reported leaks, we perform an initial classification of the bug using the pipeline flush signal. In particular, instead of aborting the simulation immediately when taint reaches an exposed sink, the simulation continues executing the program and records:
1. The Taint Event, i.e., when taint is first observed in the Register File. We refer to the instruction responsible for this event as the tainting instruction, which can be derived by observing the Re-Order Buffer.
2. The Flush Event, i.e., a flush signal that squashes the tainting instruction. We refer to the instruction that triggers the flush event as the flushing instruction.
The simulator finally crashes whenever it detects that a pipeline flush is about to “remove” (squash) the tainting instruction from the pipeline. If taint is found in a sink but the corresponding instruction is never squashed, the crash is generated at the end of the test-case execution, i.e., when all the architecturally-executed instructions have retired from the pipeline, and the test case is marked as Unknown Flush.
We use this information to perform a preliminary classification of the violation found. In particular, by observing the flush signal we can distinguish between Spectre violations (mispredictions), Meltdown violations (pipeline exceptions), and memory ordering faults (Spectre-v4). For Spectre variants other than Spectre-v4, we observe the flush instruction to determine if the misprediction was caused by a branch (Spectre-v1), indirect jump (Spectre-v2) or return (Spectre-RSB). For pipeline exceptions, we check if taint was introduced by the flush instruction itself (Meltdown) or by a younger instruction in the pipeline (OOO - Out-Of-Order). Finally, for branch mispredictions, we further report if the branch was predicted taken or not-taken, and if the tainting instruction was architecturally executed at least once before the taint detection. This allows us to differentiate between Spectre-v1-static (predicted not-taken, new instruction), Spectre-v1-training (predicted taken, previously executed instruction), and Spectre-v1-new (predicted taken, new instruction).
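The following is an added toy model (not the paper's code) of the implicit-secret inference from Section 4.2 and the flush-based classification from Sections 4.3 and 5.3: the `Event` trace format, the DRAM addresses and the PCs are constructed stand-ins for what the Spike log and the Verilated RoB and flush signals would provide.

```python
# Added example: implicit secrets + flush-based classification over constructed traces.
# Not the paper's implementation; Event, the addresses and the PCs are constructed here.
from dataclasses import dataclass
from typing import Optional


def infer_implicit_secrets(dram_words, isa_accesses):
    """Every DRAM word the ISA simulator never touched is an implicit secret (tainted)."""
    return set(dram_words) - set(isa_accesses)


@dataclass
class Event:
    cycle: int
    kind: str                           # "load" | "retire" | "flush" | "end"
    rob: int = -1                       # RoB entry of the load/retiring instruction
    pc: int = -1
    addr: Optional[int] = None          # load: DRAM address whose value enters the PRF
    cause: Optional[str] = None         # flush: "mispredict" | "exception" | "rollback"
    flusher: Optional[str] = None       # flush: "branch" | "indirect" | "return" | "load"
    flusher_rob: int = -1               # flush: RoB entry of the flushing instruction
    predicted_taken: Optional[bool] = None
    squashed: tuple = ()                # flush: RoB entries removed by this flush


def classify(trace, secrets):
    """Replay a cycle trace; return (label, tainting_pc), or ("none", None) if clean."""
    retired_pcs = set()         # PCs architecturally executed so far (RoB retire events)
    taint_rob = taint_pc = None
    executed_before = False
    for ev in sorted(trace, key=lambda e: e.cycle):
        if ev.kind == "retire":
            retired_pcs.add(ev.pc)
        elif ev.kind == "load" and taint_rob is None and ev.addr in secrets:
            # Taint Event: a non-architectural value reached the sink (the PRF).
            taint_rob, taint_pc = ev.rob, ev.pc
            executed_before = ev.pc in retired_pcs
        elif ev.kind == "flush" and taint_rob is not None and taint_rob in ev.squashed:
            # Flush Event: the tainting instruction is about to be squashed.
            return _label(ev, taint_rob, executed_before), taint_pc
        elif ev.kind == "end":
            break
    if taint_rob is not None:
        return "Unknown Flush", taint_pc   # tainted, but never squashed before the end
    return "none", None


def _label(flush, taint_rob, executed_before):
    if flush.cause == "rollback":          # memory-ordering rollback
        return "Spectre-v4"
    if flush.cause == "exception":         # faulting instruction itself vs. younger one
        return "Meltdown" if flush.flusher_rob == taint_rob else "OOO"
    if flush.flusher == "indirect":        # misprediction on an indirect jump
        return "Spectre-v2"
    if flush.flusher == "return":          # misprediction on a return
        return "Spectre-RSB"
    if not flush.predicted_taken:          # the paper pairs "static" with a new instruction
        return "Spectre-v1-static" if not executed_before else "Spectre-v1"
    return "Spectre-v1-training" if executed_before else "Spectre-v1-new"


# Constructed inputs: eight DRAM words, of which the ISA run only read A0 = 0x1000.
DRAM = range(0x1000, 0x1008)
ISA_TOUCHED = [0x1000]
SECRETS = infer_implicit_secrets(DRAM, ISA_TOUCHED)

# Constructed trace shaped like Figure 3: the bounds check is mispredicted, the load of
# A1 = 0x1004 executes transiently, then the branch resolves and squashes it.
SPECTRE_V1_TRACE = [
    Event(1, "load", rob=3, pc=0x80000004, addr=0x1000),     # x = *A0 (architectural)
    Event(2, "retire", rob=3, pc=0x80000004),
    Event(4, "load", rob=5, pc=0x8000000c, addr=0x1004),     # y = array[x] reads A1
    Event(6, "flush", cause="mispredict", flusher="branch", flusher_rob=4,
          predicted_taken=False, squashed=(4, 5)),
]
# Constructed trace where the faulting load itself brings the secret into the PRF.
MELTDOWN_TRACE = [
    Event(1, "load", rob=2, pc=0x80000010, addr=0x1004),
    Event(3, "flush", cause="exception", flusher="load", flusher_rob=2, squashed=(2,)),
]
# Constructed trace where taint is observed but no flush ever squashes the load.
UNKNOWN_TRACE = [
    Event(1, "load", rob=2, pc=0x80000010, addr=0x1004),
    Event(5, "end"),
]

if __name__ == "__main__":
    for name, trace in [("spectre", SPECTRE_V1_TRACE), ("meltdown", MELTDOWN_TRACE),
                        ("unknown", UNKNOWN_TRACE)]:
        print(name, classify(trace, SECRETS))
```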
5.4 Extensions
MDS Detection. MDS attacks, such as RIDL [66] and Fallout [13] and derivative attacks such as LVI [65] and CrossTalk [53], showed that, on Intel microarchitectures, an attacker can leak in-flight data from Line-Fill Buffers, Load Ports, and Store Buffers. Differently from traditional Spectre and Meltdown attacks, these vulnerabilities incorrectly access values in internal CPU buffers, as opposed to secrets in memory. These vulnerabilities can be modeled in Phantom Trails by adding such internal buffers as taint sources. In particular, we extended our prototype with a simple user-space initialization snippet (a set of loads and stores) that runs right before the start of the program under test, without any fence. Once the last instruction of the initialization snippet retires, Phantom Trails taints the initial values of all internal buffers, while the user program is ready to start. If the program is able to leak such stale values, e.g., through a faulty load, their taint will be observed in the Register File. Note that the user program is not allowed to directly access such values, so, whenever they are leaked, we are sure that there is a violation. As BOOM is not vulnerable to MDS, to test this setup we added a simple MDS-StoreBuffer vulnerability, as described by the Fallout [13] paper, to the BOOM core design, and verified that the leakage is detected. For the benefit of future research, we open-source the patch for adding the vulnerability to BOOM.
Secure Speculation. Phantom Trails can be extended to incorporate knowledge of both software and hardware defenses. For instance, the instruction generator can be constrained to always emit an LFENCE [37] after each branch, to mimic cases where this mitigation is deployed. For secure speculation defenses such as STT [74], finer-grained detection policies can be added to taint sinks, e.g., discarding tainted entries that are read by instructions deemed "safe" by STT.
Other Taint Sources. Similarly to MDS, other data sampling attacks such as Gather Data Sampling [46], AEPIC Leak [10] and ZenBleed [51] have been shown to be possible on x86 cores. In particular, Downfall [46] shows that the gather instruction can transiently leak stale data from a temporal buffer called the SIMD register buffer, confirmed by Intel. AEPIC Leak and ZenBleed instead can read stale data architecturally from the superqueue (buffer between L2 and LLC) and XMM registers, respectively. Similarly to the MDS case, Phantom Trails can be extended to handle more taint sources by making sure such internal buffers are initialized and tainted right before the start of the program. For initial taint residing in the Register File, more fine-grained taint sink policies can be applied to ignore specific initially-tainted locations until they are overwritten by another operation.
6 Fuzzing
This section describes how we integrated Phantom Trails’ detector into a pre-silicon fuzzer, and highlights the benefits of our detection model for the fuzzing use-case.
6.1 Overview
Phantom Trails resembles a traditional greybox fuzzer that exercises a software representation of the hardware as the DUT [64]. Figure 6 presents a high-level overview of its components. In particular we used the setup described in Section 7.1 as the DUT in our fuzzing campaigns, which includes a minimal setup of the BOOM core in its MEDIUMBOOM configuration and a black-box DRAM module.
[Figure 6 (diagram): FUZZER side with the fuzzer queue, the Mutator (pick random, mutate), the Inst. Generator and the ISA simulator (program + metadata); DETECTOR side with the software wrapper around the Verilated BOOM core carrying BFSAN + AFL instrumentation, producing detection and coverage; steps 1 to 6 as in the caption.]
Figure 6: Phantom Trails’s fuzzing cycle. A sequence of instructions is picked randomly from the fuzzer queue (1) and modified by the mutator (2). The resulting sequence is then translated into a RISC-V program (3) and executed by the ISA simulator. If the program is not discarded, the metadata is passed to a cycle-accurate simulator (4) where, in case of detection, the program will be saved (5). If the program execution produced new coverage in the simulator, it is also added to the fuzzer queue (6).
Fuzzing infrastructure. We build our fuzzer on top of the state-of-the-art libafl [23] fuzzing framework and run it in fork mode, forking after the completion of a hardware reset to avoid the cost of restarting the simulation on each input. To adapt the libafl software-based infrastructure to hardware designs, we developed a set of components suitable for generalized hardware fuzzing. Our entire infrastructure is open-source and available at https://github.com/vusec/phantom-trails.
DUT warmup. Before any code is run, the hardware simulation is reset through the default Verilator wrapper for BOOM by asserting the reset signal for 100 cycles.
Boot phase. Upon reset, execution starts from the content of the boot ROM, which we modify to simply jump to the first DRAM address. At the beginning of DRAM we place our initialization code, which is responsible for:
1. Setting up the trap handler, which in our case simply contains an illegal instruction to terminate simulation;
2. Configuring the Physical Memory Protection (PMP) unit to permit access to all memory;
3. Setting up page tables and enabling virtual memory management; in particular, we map a contiguous set of pages starting from the beginning of DRAM with different page flags;
4. Optionally, initializing register values (optimization D2);
5. Jumping to U-mode (code with user privileges), where the input program is located.
Predictors initialization. By default, the BOOM processor initializes all entries of the Bi-Modal Table (BIM) to 2 on reset, which corresponds to the “weakly taken” state. While this does not prevent detection, it can cause the classifier to mistake cases of static branch prediction for cases where the branch was trained, and incorrectly label Spectre-v1 samples. To ensure a correct fine-grained classification, we modify the BIM initialization procedure to instead set entries to the “not-taken” state.
Taint initialization. While in supervisor-mode, the initialization code reads from the supervisor data region, which fills the D-Cache with tainted (supervisor) data. As discussed in Section 5.4, an optional user-mode initialization can be performed for MDS to fill internal CPU buffers, such as the Load Queue or the Store Buffer, with tainted data as well, right before the start of the generated program.
6.2 Program Generation
As stated in Section 3, one of the entropy sources that the fuzzer has to beat is program generation. While sophisticated approaches [59] can be added on top of our fuzzer, in this paper we want to demonstrate that our detector already helps even with a minimal program generator. In particular, in our prototype we make sure to generate and mutate syntactically valid RISC-V instructions, and we adopt a set of minimal optimizations to increase the chance of generating complex control and data flow. Such optimizations differ from templates, as they are aimed at maximizing the odds of generating well-formed, complex programs rather than following the blueprint of a specific vulnerability.
6.2.1 Instructions
Mutator. Phantom Trails’ custom program mutator is aware of what constitutes syntactically valid RISC-V instructions, but possesses no further (semantic) information about them. In its basic form, it generates instructions by choosing a random RISC-V instruction type and applying a random mutation operation. In particular, the current prototype supports inserting a new instruction, replacing an instruction with a new one, replacing the argument of an existing instruction, repeating an existing instruction, deleting an existing instruction, replacing an instruction with a nop, and swapping two instructions. Optionally, the mutator can be biased towards emitting jalr and ret instructions, and towards reusing previous values when choosing arguments, as we will discuss in Section 6.2.
Program generator backend. Since applying random mutations like bit-flips at the assembly level has a high chance of generating invalid programs which would waste precious simulation time, the fuzzer instead uses a structured internal representation to apply mutations. Programs stored in this internal representation are then translated into valid RISC-V programs by the instruction generator, before entering the detector component.
6.2.2 Optimizations
To avoid wasting simulation cycles on uninteresting inputs and to maximize the likelihood of finding bugs quickly, we develop a set of optimizations that bias our program generation towards valid programs. Unlike templates [33], the optimizations are general so as to avoid overfitting. We group our optimizations into: Basic (B), biasing the generator towards reusing arguments, Control-Flow (C), maximizing the probability of generating well-formed function calls, and Data-Flow (D) optimizations that increase the likelihood of using valid pointers (code and data).
B1 - Register reuse. With this optimization, when deciding on the argument of an instruction, the mutator has a bias towards selecting the registers used by previous instructions (e.g., a probability of 50% in the current prototype). The idea is to improve the chance of generating data flow between instruction sequences, as well as that of creating race conditions in the microarchitecture through aliasing.
B2 - Power-of-two constants. When picking immediate values, this optimization adds a bias towards powers of 2, which reduces the amount of entropy of constants and helps with alignment.
C1 - Indirect calls. To help the fuzzer reduce the entropy of indirect calls, this optimization adds the possibility of inserting one of two code snippets shown in Listing 1. Snippet 1 performs a well-formed indirect jump to a nearby address (i.e., a small offset from the current program counter); Snippet 2 emits a valid ret instruction, which, in RISC-V, is a pseudonym for an indirect jump to ra. While this does not guarantee the generation of a valid indirect call, it improves the chances of executing valid calls and returns. Note that more sophisticated approaches [59,72] to program generation can build on top of such a basic optimization, albeit at the cost of additional overhead.

(a) Snippet 1: Indirect call
    # Load current PC
    auipc x2,0
    # Jump to PC + offset
    jalr ra, rand_offset(x2)

(b) Snippet 2: Return
    # Return
    jalr zero,0(ra)

Listing 1: Control-flow snippets inserted by the mutator.

C2 - Discard invalid jumps. To further reduce the likelihood of wasting simulation cycles on programs with invalid control-flow, the ISA simulator terminates the execution immediately whenever a program jumps outside the range of valid memory locations, and discards the corresponding input program. This guarantees that, at least for jump and call instructions, Phantom Trails runs the expensive cycle-accurate simulation only if the program jumps to valid targets.
D1 - Map address 0. Since most of the memory is filled with 0s at startup, and it is not uncommon for predictors to default to address 0 [36] on empty prediction structures, this optimization makes sure virtual address 0 is mapped to a valid memory page before the input program starts execution.
D2 - Initialize registers. This optimization ensures that some registers are filled with valid pointers before jumping to the input program’s code. We fill half of the logical Register File with addresses of both code and data pages that have an associated page table entry. This means that, whenever an instruction uses a register for the first time there is a 50% chance that it will use one of the initialized pointers.
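The generation-side ideas of Section 6.2 (an IR-level mutator that only ever emits syntactically valid instructions, the B1 register-reuse and B2 power-of-two biases, the C1 snippets of Listing 1, and a C2-style rejection of programs whose direct jumps leave the valid code range) can be sketched in a few dozen lines. The Python below is an added example written for this page, not Phantom Trails’ own code (the real fuzzer is built on libafl and lives in the repository named in Section 6.1): the RV64I subset and operand formats, the probabilities, the 16-byte snippet offset, the DRAM base address and the 4 KiB code range are all assumptions chosen for illustration.

```python
import random
from dataclasses import dataclass
from typing import List

# Constructed RV64I subset (assumption): mnemonic -> operand kinds.
#   "r": register, "i": 12-bit signed immediate, "m": imm(reg) memory
#   operand, "j": direct jump offset in bytes (multiple of 4).
FORMATS = {
    "add": ("r", "r", "r"), "sub": ("r", "r", "r"), "xor": ("r", "r", "r"),
    "addi": ("r", "r", "i"), "andi": ("r", "r", "i"), "ori": ("r", "r", "i"),
    "ld": ("r", "m"), "lw": ("r", "m"), "sd": ("r", "m"), "sw": ("r", "m"),
    "jal": ("r", "j"),
    # Only produced by the C1 snippets and the nop mutation, never drawn randomly.
    "auipc": ("r", "i"), "jalr": ("r", "m"), "nop": (),
}
MUTABLE = [m for m in FORMATS if m not in ("auipc", "jalr", "nop")]
REGS = [f"x{i}" for i in range(1, 32)]  # x0 is hard-wired, so never a destination


@dataclass
class Instr:
    mnemonic: str
    args: List[str]

    def text(self) -> str:
        return (self.mnemonic + " " + ", ".join(self.args)).rstrip()


# C1 snippets after Listing 1; the 16-byte offset stands in for rand_offset (assumption).
SNIPPET_INDIRECT = [Instr("auipc", ["x2", "0"]), Instr("jalr", ["ra", "16(x2)"])]
SNIPPET_RET = [Instr("jalr", ["zero", "0(ra)"])]


class Mutator:
    """IR-level mutator carrying the B1, B2 and C1 biases (probabilities are assumptions)."""

    def __init__(self, seed: int, reuse_prob=0.5, pow2_prob=0.5, snippet_prob=0.15):
        self.rng = random.Random(seed)
        self.reuse_prob, self.pow2_prob, self.snippet_prob = reuse_prob, pow2_prob, snippet_prob

    def pick_reg(self, prog: List[Instr]) -> str:
        used = [a for ins in prog for a in ins.args if a in REGS]
        if used and self.rng.random() < self.reuse_prob:  # B1: reuse an earlier register
            return self.rng.choice(used)
        return self.rng.choice(REGS)

    def pick_imm(self) -> int:
        if self.rng.random() < self.pow2_prob:  # B2: power of two that fits a 12-bit immediate
            return 1 << self.rng.randint(0, 10)
        return self.rng.randint(-2048, 2047)

    def gen_arg(self, kind: str, prog: List[Instr]) -> str:
        if kind == "r":
            return self.pick_reg(prog)
        if kind == "i":
            return str(self.pick_imm())
        if kind == "m":
            return f"{self.pick_imm()}({self.pick_reg(prog)})"
        return str(4 * self.rng.randint(-64, 64))  # "j": short, 4-byte aligned jump

    def new_instr(self, prog: List[Instr]) -> Instr:
        mn = self.rng.choice(MUTABLE)
        return Instr(mn, [self.gen_arg(k, prog) for k in FORMATS[mn]])

    def mutate(self, prog: List[Instr]) -> List[Instr]:
        """One of the seven mutation operations from Section 6.2.1, on a copy of the IR."""
        prog = [Instr(i.mnemonic, list(i.args)) for i in prog]
        n = len(prog)
        op = self.rng.choice(["insert", "replace", "arg", "repeat", "delete", "nop", "swap"])
        pos = self.rng.randint(0, n)               # insertion point
        idx = self.rng.randrange(n) if n else 0    # an existing instruction
        if n == 0 or op == "insert":
            if self.rng.random() < self.snippet_prob:  # C1: well-formed indirect call or ret
                snippet = self.rng.choice([SNIPPET_INDIRECT, SNIPPET_RET])
                prog[pos:pos] = [Instr(i.mnemonic, list(i.args)) for i in snippet]
            else:
                prog.insert(pos, self.new_instr(prog))
        elif op == "replace":
            prog[idx] = self.new_instr(prog)
        elif op == "arg":
            kinds = FORMATS[prog[idx].mnemonic]
            if kinds:
                k = self.rng.randrange(len(kinds))
                prog[idx].args[k] = self.gen_arg(kinds[k], prog)
        elif op == "repeat":
            prog.insert(idx + 1, Instr(prog[idx].mnemonic, list(prog[idx].args)))
        elif op == "delete":
            del prog[idx]
        elif op == "nop":
            prog[idx] = Instr("nop", [])
        elif op == "swap" and n > 1:
            j = self.rng.randrange(n)
            prog[idx], prog[j] = prog[j], prog[idx]
        return prog


def is_well_formed(prog: List[Instr]) -> bool:
    """Syntactic check only: known mnemonic and the right operand count."""
    return all(i.mnemonic in FORMATS and len(i.args) == len(FORMATS[i.mnemonic]) for i in prog)


def direct_jumps_in_range(prog: List[Instr], base: int, size: int) -> bool:
    """C2 analogue: reject programs whose direct jal targets leave [base, base + size).
    Assumes 4-byte instructions laid out contiguously from base."""
    for pc_index, ins in enumerate(prog):
        if ins.mnemonic == "jal":
            target = base + 4 * pc_index + int(ins.args[1])
            if not base <= target < base + size:
                return False
    return True


def render(prog: List[Instr]) -> str:
    return "\n".join(i.text() for i in prog)


def fuzz_round(seed: int, steps: int = 200) -> List[Instr]:
    """Mutate from an empty seed, keeping only candidates the C2 check would not discard."""
    m = Mutator(seed)
    prog: List[Instr] = []
    for _ in range(steps):
        cand = m.mutate(prog)
        if direct_jumps_in_range(cand, base=0x80000000, size=4096):
            prog = cand
    return prog


if __name__ == "__main__":
    print(render(fuzz_round(7)))
```

Because every mutation operates on the structured representation, each candidate is already well-formed when rendered, which is the point the backend paragraph makes about not spending simulator time on unparseable programs; the jump-range filter then drops, before any expensive simulation, the subset of well-formed programs that C2 would terminate anyway.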
6.3 Feedback
Currently, there is no consensus on the best feedback metric for hardware fuzzing [59], nor is there a “standard” strategy for transient execution fuzzers. As we want to show the advantages of our detection model on a simple fuzzer, we use as baseline feedback the standard coverage metric provided by the AFL++ software fuzzer, which we call ‘SW Feedback’. To additionally evaluate Phantom Trails’s sensitivity to feedback metrics, we implemented an alternative, taint-based feedback mechanism which is inserted into the cycle-accurate simulation via an LLVM pass, to explore the possibility of using taint as feedback.
SW Feedback. In this case, the metric is an approximation of the edge coverage of the system-under-test as described in previous work [64]. We adapted this metric by only counting whether an edge in the simulator has been executed at all, and not how often it was executed. Doing so avoids labelling mutations that merely traverse the same edges as interesting, while adding little relevance to the program.
Taint Feedback. Instead of tracking the edge coverage of the simulator during the input program’s execution, this metric tries to measure how much taint has spread through the design, across all the CPU’s wires. Since most Verilog-specific information, including the list of wires, is lost during Verilator’s translation process, we identify the code for each
[14] Boru Chen, Yingchen Wang, Pradyumna Shome, Christopher W Fletcher, David Kohlbrenner, Riccardo Paccagnella, and Daniel Genkin. GoFetch: Breaking constant-time cryptographic implementations using data memory-dependent prefetchers. In USENIX Security, 2024.
[15] Chen Chen, Vasudev Gohil, Rahul Kande, Ahmad-Reza Sadeghi, and Jeyavijayan Rajendran. PSOFuzz: Fuzzing processors with particle swarm optimization. In ICCAD, 2023.
[16] Chen Chen, Rahul Kande, Nathan Nguyen, Flemming Andersen, Aakash Tyagi, Ahmad-Reza Sadeghi, and Jeyavijayan Rajendran. HyPFuzz: Formal-assisted processor fuzzing. In USENIX Security, 2023.
[17] ChipsAlliance. Chisel. https://www.chisel-lang.org/.
[18] Yaakov Cohen, Kevin Sam Tharayil, Arie Haenel, Daniel Genkin, Angelos D Keromytis, Yossi Oren, and Yuval Yarom. HammerScope: Observing DRAM power consumption using Rowhammer. In CCS, 2022.
[19] S. Dinesh, M. Parthasarathy, and C. Fletcher. ConjunCT: Learning inductive invariants to prove unbounded instruction safety against microarchitectural timing attacks. In IEEE S&P, 2024.
[20] Dmitry Evtyushkin, Ryan Riley, Nael CSE Abu-Ghazaleh, ECE, and Dmitry Ponomarev. BranchScope: A new side-channel attack on directional branch predictor. ACM SIGPLAN Notices, 2018.
[21] Mohammad Rahmani Fadiheh, Alex Wezel, Johannes Müller, Jörg Bormann, Sayak Ray, Jason M Fung, Subhasish Mitra, Dominik Stoffel, and Wolfgang Kunz. An exhaustive approach to detecting transient execution side channels in RTL designs of processors. IEEE Transactions on Computers, 2022.
[22] Andrea Fioraldi, Dominik Maier, Heiko Eißfeldt, and Marc Heuse. AFL++: Combining incremental steps of fuzzing research. In WOOT, 2020.
[23] Andrea Fioraldi, Dominik Christian Maier, Dongjia Zhang, and Davide Balzarotti. LibAFL: A framework to build modular and reusable fuzzers. In CCS, 2022.
[24] Jacob Fustos, Michael Bechtel, and Heechul Yun. SpectreRewind: Leaking secrets to past instructions. In ASHES, 2020.
[25] Moein Ghaniyoun, Kristin Barber, Yinqian Zhang, and Radu Teodorescu. IntroSpectre: A pre-silicon framework for discovery and analysis of transient execution vulnerabilities. In ISCA, 2021.
[26] Klaus v. Gleissenthall, Rami Gökhan Kıcı, Deian Stefan, and Ranjit Jhala. IODINE: Verifying constant-time execution of hardware. In USENIX Security, 2019.
[27] Enes Göktas, Kaveh Razavi, Georgios Portokalidis, Herbert Bos, and Cristiano Giuffrida. Speculative probing: Hacking blind in the Spectre era. In CCS, 2020.
[28] Google. Retpoline: a software construct for preventing branch-target injection. https://support.google.com/faqs/answer/7625886.
[29] Ben Gras, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida. TLBleed: When Protecting Your CPU Caches is not Enough. In Black Hat USA, 2018.
[30] Daniel Gruss, Clémentine Maurice, Anders Fogh, Moritz Lipp, and Stefan Mangard. Prefetch side-channel attacks: Bypassing SMAP and kernel ASLR. In CCS, 2016.
[31] Mathé Hertogh, Sander Wiebing, and Cristiano Giuffrida. Leaky Address Masking: Exploiting Unmasked Spectre Gadgets with Noncanonical Address Translation. In IEEE S&P, 2024.
[32] Muhammad Monir Hossain, Nusrat Farzana Dipu, Kimia Zamiri Azar, Fahim Rahman, Farimah Farahmandi, and Mark Tehranipoor. TaintFuzzer: SoC security verification using taint inference-enabled fuzzing. In ICCAD, 2023.
[33] Jaewon Hur, Suhwan Song, Sunwoo Kim, and Byoungyoung Lee. SpecDoctor: Differential fuzz testing to find transient execution vulnerabilities. In CCS, 2022.
[34] Jaewon Hur, Suhwan Song, Dongup Kwon, Eunjin Baek, Jangwoo Kim, and Byoungyoung Lee. DifuzzRTL: Differential fuzz testing to find CPU bugs. In IEEE S&P, 2021.
[35] Jaewon Hur, Suhwan Song, Dongup Kwon, Eunjin Baek, Jangwoo Kim, and Byoungyoung Lee. DifuzzRTL: Differential fuzz testing to find CPU bugs. In IEEE S&P, 2021.
[36] Intel. BHI disclosure documentation. https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html.
[37] Intel. Intel analysis of speculative execution side channels. https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/analysis-speculative-execution-side-channels.html.
[38] Rahul Kande, Addison Crump, Garrett Persyn, Patrick Jauernig, Ahmad-Reza Sadeghi, Aakash Tyagi, and Jeyavijayan Rajendran. TheHuzz: Instruction fuzzing of processors using Golden-Reference models for finding Software-Exploitable vulnerabilities. In USENIX Security, 2022.
[39] Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom. Spectre attacks: Exploiting speculative execution. In IEEE S&P, 2019.
[40] Esmaeil Mohammadian Koruyeh, Khaled N. Khasawneh, Chengyu Song, and Nael Abu-Ghazaleh. Spectre returns! Speculation attacks using the return stack buffer. In WOOT, 2018.
[41] Chris Lattner and Vikram Adve. LLVM: A compilation framework for lifelong program analysis & transformation. In CGO, 2004.
[42] Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg. Meltdown: Reading kernel memory from user space. In USENIX Security, 2018.
[43] Kevin Loughlin, Ian Neal, and Jiacheng Ma. DOLMA: Securing speculation with the principle of transient non-observability. In USENIX Security, 2021.
[44] Giorgi Maisuradze and Christian Rossow. ret2spec: Speculative execution using return stack buffers. In CCS, 2018.
[45] Alyssa Milburn, Ke Sun, and Henrique Kawakami. You cannot always win the race: Analyzing mitigations for branch target prediction attacks. In EuroS&P, 2023.
[46] Daniel Moghimi. Downfall: Exploiting speculative data gathering. In USENIX Security, 2023.
[47] Daniel Moghimi, Moritz Lipp, Berk Sunar, and Michael Schwarz. Medusa: Microarchitectural data leakage via automated attack synthesis. In USENIX Security, 2020.
[48] Hamed Nemati, Pablo Buiras, Andreas Lindner, Roberto Guanciale, and Swen Jacobs. Validation of abstract side-channel models for computer architectures. In CAV, 2020.
[49] Oleksii Oleksenko, Christof Fetzer, Boris Köpf, and Mark Silberstein. Revizor: Testing black-box CPUs against speculation contracts. In ASPLOS, 2022.
[50] Oleksii Oleksenko, Marco Guarnieri, Boris Köpf, and Mark Silberstein. Hide and seek with spectres: Efficient discovery of speculative information leaks with random testing. In IEEE S&P, 2023.
[51] Tavis Ormandy. Zenbleed. https://lock.cmpxchg8b.com/zenbleed.html.
[52] Hany Ragab, Enrico Barberis, Herbert Bos, and Cristiano Giuffrida. Rage against the machine clear: A systematic analysis of machine clears and their implications for transient execution attacks. In USENIX Security, 2021.
[53] Hany Ragab, Alyssa Milburn, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida. CrossTalk: Speculative data leaks across cores are real. In IEEE S&P, 2021.
[54] Chathura Rajapaksha, Leila Delshadtehrani, Manuel Egele, and Ajay Joshi. SIGFuzz: A framework for discovering microarchitectural timing side channels. In DATE, 2023.
[55] Xida Ren, Logan Moody, Mohammadkazem Taram, Matthew Jordan, Dean M Tullsen, and Ashish Venkat. I see dead micro-ops: Leaking secrets via Intel/AMD micro-op caches. In ISCA, 2021.
[56] Michael Schwarz, Martin Schwarzl, Moritz Lipp, Jon Masters, and Daniel Gruss. NetSpectre: Read arbitrary memory over network. In ESORICS, 2019.
[57] Konstantin Serebryany, Derek Bruening, Alexander Potapenko, and Dmitriy Vyukov. AddressSanitizer: A Fast Address Sanity Checker. In USENIX ATC, 2012.
[58] Wilson Snyder. Verilator. https://www.veripool.org/verilator/.
[59] Flavien Solt, Katharina Ceesay-Seitz, and Kaveh Razavi. Cascade: CPU fuzzing via intricate program generation. In USENIX Security, 2024.
[60] Flavien Solt, Ben Gras, and Kaveh Razavi. CellIFT: Leveraging cells for scalable and precise dynamic information flow tracking in RTL. In USENIX Security, 2022.
[61] Evgeniy Stepanov and Konstantin Serebryany. MemorySanitizer: fast detector of uninitialized memory use in C++. In CGO, 2015.
[62] Andrei Tatar, Daniël Trujillo, Cristiano Giuffrida, and Herbert Bos. TLB;DR: Enhancing TLB-based attacks with TLB desynchronized reverse engineering. In USENIX Security, 2022.
[63] Youssef Tobah, Andrew Kwong, Ingab Kang, Daniel Genkin, and Kang G Shin. SpecHammer: Combining Spectre and Rowhammer for new speculative attacks. In IEEE S&P, 2022.
[64] Timothy Trippel, Kang G. Shin, Alex Chernyakhovsky, Garret Kelly, Dominic Rizzo, and Matthew Hicks. Fuzzing hardware like software. In USENIX Security, 2022.
[65] Jo Van Bulck, Daniel Moghimi, Michael Schwarz, Moritz Lipp, Marina Minkin, Daniel Genkin, Yarom Yuval, Berk Sunar, Daniel Gruss, and Frank Piessens. LVI: Hijacking Transient Execution through Microarchitectural Load Value Injection. In IEEE S&P, 2020.
[66] Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Giorgi Maisuradze, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida. RIDL: Rogue in-flight data load. In IEEE S&P, 2019.
[67] Zilong Wang, Gideon Mohr, Klaus von Gleissenthall, Jan Reineke, and Marco Guarnieri. Specification and verification of side-channel security for open-source processors via leakage contracts. In CCS, 2023.
[68] Daniel Weber, Ahmad Ibrahim, Hamed Nemati, Michael Schwarz, and Christian Rossow. Osiris: Automated discovery of microarchitectural side channels. In USENIX Security, 2021.
[69] Sander Wiebing, Alvise de Faveri Tron, Herbert Bos, and Cristiano Giuffrida. InSpectre Gadget: Inspecting the residual attack surface of cross-privilege Spectre v2. In USENIX Security, 2024.
[70] Johannes Wikner and Kaveh Razavi. RETBLEED: Arbitrary speculative code execution with return instructions. In USENIX Security, 2022.
[71] Johannes Wikner and Kaveh Razavi. Breaking the Barrier: Post-Barrier Spectre Attacks. In IEEE S&P, 2025.
[72] Jinyan Xu, Yiyuan Liu, Sirui He, Haoran Lin, Yajin Zhou, and Cong Wang. MorFuzz: Fuzzing processor via runtime instruction morphing enhanced synchronizable co-simulation. In USENIX Security, 2023.
[73] Yuval Yarom and Katrina Falkner. FLUSH+RELOAD: A high resolution, low noise, L3 cache side-channel attack. In USENIX Security, 2014.
[74] Jiyong Yu, Mengjia Yan, Artem Khyzha, Adam Morrison, Josep Torrellas, and Christopher W. Fletcher. Speculative taint tracking (STT): A comprehensive protection for speculatively accessed data. In MICRO, 2019.
[75] Michal Zalewski. American fuzzy lop. https://github.com/google/AFL.