Title: Paper notes: SiliFuzz
Date: 2021-10-19 17:00

- Complete title: SiliFuzz: Fuzzing CPUs by proxy
- PDF: [dfd284fa842310205b02d74c8518c4001a03131918cff7a5cc041628a2bdc83b_silifuzz.pdf]({static}/files/papers/dfd284fa842310205b02d74c8518c4001a03131918cff7a5cc041628a2bdc83b_silifuzz.pdf)

Another fine paper from Google. The main idea, as hinted by the title, is to
fuzz software *proxies* of the CPU (emulators, instruction decoders, …) and then
use the resulting corpus to fuzz the actual CPUs.

1. Use coverage-guided fuzzing on CPU emulators/decoders/… like
	 [XED](https://intelxed.github.io/),
	 [unicorn](https://www.unicorn-engine.org/) and
	 [ifuzz](https://github.com/google/syzkaller/tree/master/pkg/ifuzz) to
	 generate a large corpus of interesting instruction sequences.
2. Strip out sources of non-determinism such as syscalls and I/O.
3. Bundle the initial state (e.g. register values and the required memory
	 mappings), the instructions and the expected end state together in a
	 *snapshot*.
4. Run the *snapshots* on production machines.
5. On a buggy CPU the observed end state differs from the expected one; these
	 disparities are the findings.

They found interesting stuff, but give no absolute numbers.

> […] about 45% of SiliFuzz findings are unique and have not been previously
> identified by any other tool or automation available to us

The most interesting part of the paper is the appendices, which detail four
CPU bugs found by SiliFuzz.
