High-trigger fuzz testing for microarchitectural speculative execution vulnerability

Chuan Lu, Senlin Luo, Limin Pan*

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

Abstract

Microarchitectural speculative execution vulnerabilities can be exploited to steal private information and even to bypass some defensive programming measures in code. The difficulty in detecting this class of vulnerability lies in ensuring a high triggering frequency of speculative execution. However, existing methods randomly generate test programs with high uncertainty, which lack the dependency relationships between code lines that speculative execution requires, resulting in low trigger rates of speculative execution. Meanwhile, some variables of the test input are randomly selected for mutation, but the selected variables tend to lack correlation with the execution paths, leading to low detection adequacy and to convergence of the collected information. Therefore, this paper proposes High-Trigger Fuzz Testing for Microarchitectural Speculative Execution Vulnerability (HT-SEV). HT-SEV constructs a register selection model, which generates subsequent code based on the data flow and the real-time register distribution of the code generated so far, establishing data dependencies between different code lines. Furthermore, bidirectional gradient mutation is proposed, which mines the correlation between inputs and the collected microarchitectural information to guide the mutation of inputs, achieving high path coverage and diversity of the detected information. Experimental results on multiple instruction subsets show that HT-SEV outperforms state-of-the-art related methods. This method innovatively defines data dependency relationships, capturing fine-grained code execution information.

Original language: English
Article number: 104567
Journal: Computers and Security
Volume: 157
DOIs
Publication status: Published - Oct 2025

Keywords

  • Microarchitectural Vulnerability
  • Speculative execution
  • Speculative Execution Vulnerability
  • Speculative leak
