An exploration of effective fuzzing for side‐channel cache leakage

Abstract

SummaryAdversaries can compute the secret information of a program, such as the key for encryption routines, from side channels in the light of timing‐based and access‐based CPU cache behaviours. As a result, it is crucial to understand whether a program is vulnerable to side‐channel cache leakage or not. Yet how we can find out such a vulnerability in a program remains a problem. In this paper, we revisit this problem and contemplate a test‐generation methodology, which, in both timing‐based and access‐based dimensions, systematically discovers the cache side‐channel leakage of an arbitrary software program. At the core of our test‐generation framework is an algorithm that explores the program's input space and adapts at runtime according to observed cache performance in the executed tests. We have implemented our test generator for timing‐based and access‐based attack tests and evaluated it with open‐source subject programs, including ones from OPENSSL and Linux GDK libraries. Our extensive evaluation effectively discloses the vulnerabilities of these real‐world software to both timing‐based and access‐based cache attacks. We also empirically show that our test generator achieves higher and comparable effectiveness, respectively, in simulations and real hardware platforms with regard to revealing cache side‐channel leakage than do state‐of‐the‐art fuzz testing tools.