- Complete title: SiliFuzz: Fuzzing CPUs by proxy
- PDF: dfd284fa842310205b02d74c8518c4001a03131918cff7a5cc041628a2bdc83b_silifuzz.pdf
Another fine paper by Google. The main idea, as the name hints, is to fuzz software "proxies" of the CPU (emulators, instruction decoders) and then replay what that fuzzing produces on actual CPUs.
- Use coverage-guided fuzzing of CPU proxies (emulators, decoders, …) such as XED, unicorn and ifuzz to generate a large corpus of interesting instruction sequences.
- Drop sequences that behave non-deterministically (syscalls, I/O, …), since those would show up as false CPU bugs.
- Bundle the initial state (e.g. the required memory mappings and registers), the instructions and the expected final state together in a snapshot.
- Run the snapshots on production machines.
- A run whose end state differs from the snapshot's recorded end state points at a buggy CPU (or core).
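A toy version of that pipeline's last three steps, added here as an example and not code from the paper or from the SiliFuzz project: a hypothetical, cut-down snapshot (instruction bytes, one data page and one input register as initial state, recorded rax and memory as end state), a determinism filter that drops snapshots whose end state varies between runs, and a replay that pins to each CPU in the process's affinity mask and reports divergences. The instruction bytes are a constructed x86-64 snippet (`mov rax,[rdi]; add rax,rsi; mov [rdi],rax; ret`), so it only executes on x86-64 Linux; elsewhere `run_snapshot` reports that it cannot run. Affinity is set through raw syscalls and a home-made bitmask rather than `cpu_set_t` so the block does not depend on `_GNU_SOURCE` being honoured.

```c
#define _GNU_SOURCE
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20          /* Linux value, in case strict-mode headers hide it */
#endif

/* Hypothetical, cut-down snapshot (not the paper's format): instruction bytes,
 * the initial state they need (one data page plus an input register) and the
 * end state recorded on a reference run. */
typedef struct {
    const char    *name;
    const uint8_t *code;
    size_t         code_len;
    uint64_t       mem_in;   /* initial first 8 bytes of the data page; rdi points at it */
    uint64_t       rsi_in;   /* initial rsi */
    uint64_t       rax_out;  /* expected end state: rax on return */
    uint64_t       mem_out;  /* expected end state: first 8 bytes of the data page */
} snapshot_t;

typedef struct { uint64_t rax, mem; } end_state_t;

/* Constructed x86-64 snippet: mov rax,[rdi] ; add rax,rsi ; mov [rdi],rax ; ret */
static const uint8_t snippet_add[] = { 0x48,0x8b,0x07, 0x48,0x01,0xf0, 0x48,0x89,0x07, 0xc3 };
static const snapshot_t snap_add = { "add-through-memory", snippet_add, sizeof snippet_add, 5, 37, 42, 42 };

/* Runs one snapshot in a fresh code page (written RW, then flipped to RX) and a
 * fresh data page. Returns 0 on success, -1 if it cannot run on this host. */
static int run_snapshot(const snapshot_t *s, end_state_t *out) {
#if defined(__x86_64__) && defined(__linux__)
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    void *code = mmap(NULL, pg, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    void *data = mmap(NULL, pg, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (code == MAP_FAILED || data == MAP_FAILED) return -1;
    memcpy(code, s->code, s->code_len);
    if (mprotect(code, pg, PROT_READ | PROT_EXEC) != 0) return -1;
    *(uint64_t *)data = s->mem_in;
    uint64_t (*fn)(uint64_t *, uint64_t);
    memcpy(&fn, &code, sizeof fn);               /* object pointer -> function pointer */
    out->rax = fn((uint64_t *)data, s->rsi_in);  /* SysV ABI: rdi = data page, rsi = input */
    out->mem = *(uint64_t *)data;
    munmap(code, pg);
    munmap(data, pg);
    return 0;
#else
    (void)s; (void)out;
    return -1;
#endif
}

static int same_state(end_state_t a, end_state_t b) { return a.rax == b.rax && a.mem == b.mem; }

/* Corpus filter: a snapshot whose end state varies between runs (syscall, rdtsc,
 * reads of uninitialised memory, ...) would look like a CPU bug, so drop it. */
static int is_deterministic(const snapshot_t *s, int runs) {
    end_state_t first, cur;
    if (run_snapshot(s, &first) != 0) return 0;
    for (int i = 1; i < runs; i++)
        if (run_snapshot(s, &cur) != 0 || !same_state(first, cur)) return 0;
    return 1;
}

/* Fleet-side replay: pin to each CPU in our affinity mask, run, compare with the
 * recorded end state. Returns the number of divergent CPUs (0 on healthy silicon)
 * and how many CPUs were tested, or -1 if nothing could be run at all. */
#define MASK_WORDS 16                                /* room for 1024 CPUs */
#define WORD_BITS  (8 * (int)sizeof(unsigned long))
static int replay_on_all_cpus(const snapshot_t *s, int *cpus_tested) {
    unsigned long orig[MASK_WORDS] = {0}, one[MASK_WORDS];
    end_state_t got, want = { s->rax_out, s->mem_out };
    int divergent = 0;
    *cpus_tested = 0;
#if defined(__linux__)
    if (syscall(SYS_sched_getaffinity, 0, sizeof orig, orig) > 0) {
        for (int cpu = 0; cpu < MASK_WORDS * WORD_BITS; cpu++) {
            if (!((orig[cpu / WORD_BITS] >> (cpu % WORD_BITS)) & 1UL)) continue;
            memset(one, 0, sizeof one);
            one[cpu / WORD_BITS] = 1UL << (cpu % WORD_BITS);
            if (syscall(SYS_sched_setaffinity, 0, sizeof one, one) != 0) continue;
            if (run_snapshot(s, &got) != 0) break;
            (*cpus_tested)++;
            if (!same_state(got, want)) {
                printf("%s: cpu %d diverged: rax=%" PRIx64 " mem=%" PRIx64 "\n", s->name, cpu, got.rax, got.mem);
                divergent++;
            }
        }
        syscall(SYS_sched_setaffinity, 0, sizeof orig, orig);   /* restore the original mask */
    }
#endif
    if (*cpus_tested == 0) {                         /* could not pin anywhere: one unpinned run */
        if (run_snapshot(s, &got) != 0) return -1;
        *cpus_tested = 1;
        if (!same_state(got, want)) divergent++;
    }
    return divergent;
}

int main(void) {
    int tested;
    if (!is_deterministic(&snap_add, 3)) { puts("snapshot dropped: non-deterministic or cannot run here"); return 1; }
    int bad = replay_on_all_cpus(&snap_add, &tested);
    printf("%s: %d CPU(s) tested, %d divergent\n", snap_add.name, tested, bad);
    return bad > 0;
}
```

The real system differs in the ways that matter at scale: a snapshot carries full register and memory mappings rather than one page and two registers, the end state is captured through a signal-safe harness rather than a C function call, and the proxies themselves (XED, unicorn, ifuzz) are where the corpus comes from; this block only shows the replay-and-compare step that turns a corpus into CPU findings.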
They found interesting stuff, but give no absolute numbers.
[…] about 45% of SiliFuzz findings are unique and have not been previously identified by any other tool or automation available to us
The most interesting part of the paper is the Appendices, where they detail 4 CPU bugs found by SiliFuzz.