Info

Cascade: CPU Fuzzing via Intricate Program Generation

USENIX Security '24 (pdf, slides, website, artifacts, GitHub)

COMSEC, ETH Zurich

Motivation

  • Programs must be long to increase fuzzing throughput.
  • Programs must be complex to increase the probability of triggering a bug.
  • The fuzzer must reliably and efficiently detect bugs once triggered.

Pitfalls of existing fuzzers

  • Programs are short by design with trivial control flows.
  • The executed portion of the programs is short because the control flow is poorly managed.
  • Most instructions are not randomized and correspond to initialization and finalization.
  • Only a small part of the ISA is covered.
  • The CPU state is checked at instruction granularity, significantly impacting the fuzzing performance.
  • Bugs have a high chance of being shadowed because their effects are eventually overwritten later in the control flow.

Cascade

Overview

  • generates valid, long, and complex programs
  • cascade-effect termination for bug detection: a triggered bug cascades into non-termination, which is the detection signal
    • complex data and control flows in the intermediate program
    • golden model provides data-flow feedback
    • oracle: non-termination signals bugs

Insights

  • non-termination results from a bug in the control flow, which in turn results from a bug in the data flow
  • entangle the data flow into the control flow: the golden model (spike for RISC-V) supplies the register values on which the control flow at critical points depends
  • reduction of bug-triggering programs
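As an added illustration, not code from the paper or from the Cascade repository, here is a toy model of the cascade-effect oracle in Python: a generator tracks the data flow with a golden model, makes each critical branch depend on a predicted register value, and a CPU with a constructed XOR defect therefore diverges in data flow, then in control flow, and never halts. The 8-register ISA, the defect and the step budget are all assumptions of this example; Cascade itself targets RISC-V and uses spike as the golden model.

```python
import random
def step(prog, pc, regs, bug=False):
    """Execute prog[pc] on a toy 8-register ISA; return the next pc, or None on halt."""
    op = prog[pc]
    if op[0] == "halt":
        return None
    if op[0] == "li":
        regs[op[1]] = op[2] & 0xFFFF
    elif op[0] == "add":
        regs[op[1]] = (regs[op[2]] + regs[op[3]]) & 0xFFFF
    elif op[0] == "xor":
        v = regs[op[2]] ^ regs[op[3]]
        regs[op[1]] = (v & ~1) if bug else v   # constructed CPU defect: XOR loses bit 0
    elif op[0] == "beq" and regs[op[1]] == regs[op[2]]:
        return op[3]
    elif op[0] == "j":
        return op[1]
    return pc + 1

def run(prog, bug=False, max_steps=2000):
    """Run until halt; return the step count, or None when the step budget runs out."""
    pc, regs = 0, [0] * 8
    for steps in range(1, max_steps + 1):
        pc = step(prog, pc, regs, bug)
        if pc is None:
            return steps
    return None

def generate(n_blocks, seed):
    """Random ALU blocks, each ending at a critical point whose branch depends on data."""
    rng, prog, regs = random.Random(seed), [], [0] * 8
    spin = 7 * n_blocks + 1                     # index of the trailing self-loop
    for _ in range(n_blocks):
        for _ in range(4):
            rd, a, b = rng.randrange(1, 8), rng.randrange(8), rng.randrange(8)
            ops = [("add", rd, a, b), ("xor", rd, a, b), ("li", rd, rng.randrange(1 << 16))]
            prog.append(rng.choice(ops))
            step(prog, len(prog) - 1, regs)     # golden model follows the data flow
        rs, rx = rng.sample(range(1, 8), 2)
        prog.append(("li", rx, regs[rs]))       # value the golden model predicts for rs
        step(prog, len(prog) - 1, regs)
        prog.append(("beq", rs, rx, len(prog) + 2))   # match: continue with the next block
        prog.append(("j", spin))                       # mismatch: loop forever
    prog += [("halt",), ("j", spin)]
    return prog

def fuzz(n_programs, n_blocks=8, seed=0):
    """Oracle: count programs that halt on the golden model but not on the buggy CPU."""
    progs = [generate(n_blocks, seed + i) for i in range(n_programs)]
    return sum(run(p) is not None and run(p, bug=True) is None for p in progs)
```

Every generated program halts on the correct CPU in exactly 6 steps per block plus the halt, so a run that exhausts the step budget is attributed to the CPU rather than to the program, which is what makes non-termination usable as the oracle.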