SIGFuzz is a framework for discovering microarchitectural timing side channels in processors. SIGFuzz implementation is based on DifuzzRTL (https://github.com/compsec-snu/difuzz-rtl). SIGFuzz use cycle-accurate commit traces of programs combined with a differential method for identifying potential timing side channels. SIGFuzz is accepted at DATE 2023 conference (paper).
First install the prerequisite software. Make sure to install the exact version if it's mentioned.
- sbt for FIRRTL
- verilator for RTL simulation (v4.106)
- riscv for RISC-V instruction mutation (2021.04.23)
- Python3
git clone https://github.com/bu-icsg/SIGFuzz
cd SIGFuzz
source setup.sh
source env.sh
cd Fuzzer/
# For running Rocket
make SIM_BUILD=build_rocket VFILE=RocketTile_latest TOPLEVEL=RocketTile NUM_ITER=<num_iter> OUT=<outdir> |& tee run.rocket.log
# For running BOOM
make SIM_BUILD=build_boom VFILE=SmallBoomTile_v1.2_state TOPLEVEL=BoomTile NUM_ITER=<num_iter> OUT=<outdir> |& tee run.boom.log
NOTE: Replace <num_iter> with number of test iterations you want to run and with the output directory (which contains the testcases and logs).
At the end of the specified number of iterations, a spreadsheet will be generated in the directory. Summary sheet in the spreadsheet contains all flagged side channels during the fuzzing sessions. Clusters column contains the number of clusters identified for each instruction mnemonic based on Commit Time Difference (CTD). Red color cells represent trace property 1 violations while blue color represent trace property 2 violations. Green color represent both property 1 and 2 violations. Identifying the exact testcase that triggered a property violation can be identified using the fuzzing run log (run.rocket.log or run.boom.log).