Scapula: An Open-Source Toolkit For Model-Based Fuzzing and Verification of ARM CPUs
Date: 17th Oct – Thursday
Time: 10:30-11:30
Location: Ballroom A
One of the most difficult aspects of developing reliable and secure embedded systems is understanding and programming for the complex computational environment provided by a modern CPU. System developers usually start new projects by reading documentation in the form of gigantic PDF manuals that use a natural language (such as English) to describe all of the interfaces for controlling a particular microarchitecture. As an example, the reference manual for the ARMv8-A architecture contains over 6000 pages! While these manuals certainly contain many details, the process of reading (and writing) them is both time-consuming and prone to human error.
The problem is made worse in modern embedded system implementations when many parties become involved in different aspects of a CPU’s design. This leaves room for bugs, implementation errors, and undocumented features to creep into a real-world computing system. In an effort to better communicate how a CPU is supposed to work, ARM recently began releasing the ARMv8-A Architectural Reference Manual in a machine-parsable format designed specifically to be read and understood by both a computer program and a human programmer. This offers promising potential to bridge the gap between a CPU’s intended design, a CPU’s implementation, and the humans that program software for that design.
This presentation will analyze how these manuals can be leveraged as a tool for implementing model-based fuzzing and verification techniques for ARM CPUs. I will introduce Scapula, a new open-source tool for this task, and discuss how you can use these manuals to programmatically search for behaviors that violate an intended CPU specification. Techniques, findings and results will be discussed for a couple of ARM-based platforms, along with some technical challenges and future directions for improvement.
Jared Wright, Software Engineer, Assured Information Security