MileSan: Detecting μ-Architectural Leakage via Differential HW/SW Taint Tracking
5 days ago
- #Microarchitectural Security
- #RISC-V
- #Information Flow Tracking
- MileSan is an RTL sanitizer that detects exploitable microarchitectural leakage by comparing architectural and microarchitectural information flows.
- RandOS is a fuzzer that uses MileSan for program generation and leakage detection, discovering 19 new vulnerabilities (13 assigned CVEs) in RISC-V CPUs.
- Existing pre-silicon fuzzers overfit to specific microarchitectural structures, vulnerability classes, or program templates, which limits what they can find.
- Architectural Information Flows (AIFs) are derived from the ISA, while Microarchitectural Information Flows (MIFs) include additional timing-related flows introduced by optimizations.
- MileSan detects leakage by comparing static, software-level taint tracking of the program (AIFs) against dynamic, hardware-level information flow tracking in the RTL (MIFs); taint that appears only on the hardware side is leakage.
- RandOS generates random programs with controlled architectural information flow, enabling leakage detection within and across security domains.
- Leakage identification in RandOS pinpoints executed code sections, transiently executed code, and leaked memory addresses.
- MileSan is ISA-agnostic but currently implemented only for RISC-V; its scalability depends on the underlying information flow tracking mechanism.
- MileSan does not guarantee perfect security, as it only tests against the set of programs generated by RandOS.
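The differential idea behind the AIF/MIF comparison above, as an added toy model that is not MileSan's or RandOS's code: a constructed four-instruction mini-ISA is taint-tracked once under ISA data dependencies only and once under a microarchitectural model in which secret-dependent cache or predictor state can flow into the cycle counter; registers tainted only in the second run are the leaked architectural state. The opcodes, register names and sample programs are assumptions for illustration.

```python
# Toy differential taint tracker (constructed, not MileSan's code): one program is
# analysed under an ISA-level model and under a microarchitectural model that also
# lets secret-dependent cache/predictor state flow into the cycle counter.

def propagate(program, secret_regs, uarch):
    """Return the tainted registers after `program`, written in a constructed mini-ISA:
    ("add", dst, s1, s2)  ("lw", dst, addr)  ("beq", s1, s2)  ("rdcycle", dst).
    uarch=False follows architectural (ISA) flows only; uarch=True adds timing flows."""
    tainted = set(secret_regs)
    timing_tainted = False  # does cache/predictor state depend on a secret?

    def mark(dst, is_tainted):
        (tainted.add if is_tainted else tainted.discard)(dst)

    for op, *args in program:
        if op == "add":
            dst, s1, s2 = args
            mark(dst, s1 in tainted or s2 in tainted)
        elif op == "lw":
            dst, addr = args
            # ISA: the value depends on the address; uarch: so does the cache set touched
            mark(dst, addr in tainted)
            timing_tainted |= addr in tainted
        elif op == "beq":
            s1, s2 = args
            timing_tainted |= s1 in tainted or s2 in tainted  # predictor/resolution time
        elif op == "rdcycle":
            # Architecturally the counter carries no program data (AIF: untainted);
            # microarchitecturally it reflects hits/mispredictions caused by secrets (MIF).
            mark(args[0], uarch and timing_tainted)
        else:
            raise ValueError(f"unknown op {op}")
    return tainted

def find_leaks(program, secret_regs):
    """Registers tainted under the microarchitectural model but not the ISA model:
    architectural state that now depends on a secret only through a timing channel."""
    return propagate(program, secret_regs, True) - propagate(program, secret_regs, False)

# Constructed programs: secret in s0. LEAKY uses it as a load address before timing
# is read; SAFE uses only the public register a2 for the address.
LEAKY = [("add", "a1", "s0", "a2"), ("lw", "a3", "a1"),
         ("rdcycle", "t0"), ("add", "a4", "t0", "zero")]
SAFE = [("add", "a1", "a2", "a2"), ("lw", "a3", "a1"),
        ("rdcycle", "t0"), ("add", "a4", "t0", "zero")]

if __name__ == "__main__":
    print("leaky:", sorted(find_leaks(LEAKY, {"s0"})))  # ['a4', 't0']
    print("safe:", sorted(find_leaks(SAFE, {"s0"})))    # []
```

Real RTL tracking follows taint through every pipeline register rather than a single timing flag, but the reported discrepancy set is the same kind of object RandOS uses to pinpoint the leaking code section.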