Enter, Exit, Page Fault, Leak!

Published in IEEE S&P 2026

Testing Isolation Boundaries for Microarchitectural Leaks.

Our paper introduces an end-to-end platform for stress-testing microarchitectural isolation between security domains. By extending model-based relational testing to multiple “actors” (processes, VMs, kernels), the tool:

  • exposes four novel cross-domain leaks – including a cross-VM cache-to-cache disclosure and two new rogue system-register reads – while flagging only two false positives in 88 machine-days of testing;
  • rediscovers every known leak expected in its threat model (MDS, Foreshadow, Meltdown, DSS, Meltdown 3a);
  • achieves up to 4 500 measurements/s thanks to a purpose-built Linux kernel module and adaptive statistics.

Why “Enter, Exit”?

Isolation boundaries are crossed constantly: VMENTER, SYSCALL, page-fault handlers, etc. But microcode and speculative helpers execute behind the scenes. Enter, Exit turns those normally opaque transitions into a fuzzing surface:

“We solve these challenges by introducing an actor framework … one actor can transition to another by executing a specific instruction sequence (e.g., syscall or VM-enter).”

Key Idea

  1. Actors = security domains (host, VM, user, …).
  2. Templates define transition choreography; the generator splices in random instructions around the mandatory sequences.
  3. Executor (a lightweight kernel module) instantiates VMs, page tables, fault-handlers, & trace-collection at hundreds of tests per second.
  4. Contracts specify what a victim may leak; any extra information in the hardware trace is flagged.

The Actor Framework in One Picture

Host (kernel) ─┐
               │ VMEXIT
Guest VM 1 ────┤
               │ VMENTER
Guest VM 2 ────┘ ← observer

Templates let us swap Host/User, add mitigations (e.g., VERW), or alias memory with a single YAML knob, then blast 100 k randomised programs per template.

What We Found

Leak class                  | Short description                                                         | CVE / status
----------------------------|---------------------------------------------------------------------------|---------------
Cross-VM cached-line leak   | Victim's cached byte modulates attacker timing via dual page-fault gadget | CVE-2024-36357
Kernel-store echo           | Last ≈ 32 kernel stores observable from user mode                         | CVE-2024-36350
Rogue read of RDTSCP.AUX    | RDTSCP speculates past CR4.TSD                                            | CVE-2024-36349
Speculative SMSW under UMIP | AMD CPUs return lower 16 bits of CR0                                      | CVE-2024-36348

(Full disclosure timeline and patches in AMD-SB-7029.)

Validating Defenses

Because templates are first-class, we could prepend mitigations and immediately retest:

  • VERW vs. MDS – effective.
  • L1D_FLUSH_CMD vs. Foreshadow – effective; WBINVD alone is not.
  • Early vs. late dummy division – only the early (Linux mainline) variant stops DSS.

Performance at a Glance

  • 800 – 4 500 traces/s → 60 – 700 complete test-case executions/s.
  • 85 % of violations surface within one hour of fuzzing a template; median < 20 k rounds.

Paper & Code

  • Conference: IEEE Symposium on Security & Privacy 2026 (Oakland).
  • Source: integrated into the Revizor repository (open-source).

FAQ

Q: Is this only for x86? A: No. The framework cleanly separates generation, execution and contract layers; porting the executor to ARM/RISC-V is mostly engineering work.

Q: Can I use this like a fuzzer for my mitigation patch? A: Yes, drop your patch into a macro, point the victim actor to it, and see if any leaks survive.

Q: What if I just want a PoC for my newly discovered gadget? A: Write the gadget as a template, mark the leak you expect as allowed in the contract, and publish the minimal repo; others can reproduce it in minutes.


Acknowledgements

We would like to thank Adrien Ghosn and Kaveh Razavi for the discussions and support they provided. We also thank our shepherd and the anonymous reviewers for their valuable feedback. We are grateful to AMD and Intel PSIRT teams as well as Microsoft Security Response Center for their prompt responses and the constructive discussions we had while reporting the vulnerabilities. This research was supported by the Swiss State Secretariat for Education, Research and Innovation under contract MB22.00057 (ERC-StG PROMISE).