Fuzzilicon: A Post-Silicon Microcode-Guided x86 CPU Fuzzer
Johannes Lenzen
Network and Distributed System Security (NDSS) Symposium 2026 · Day 3 · Fuzzing
CPU vulnerabilities like **Downfall**, **Meltdown**, **Spectre**, **ZombieLoad**, and **RIDL** have caused enormous damage, with Intel spending hundreds of millions on recalls. This talk presents **Fuzzilicon**, the **NDSS 2026 Best Paper Award winner** and the first automated post-silicon x86 CPU fuzzer with **microcode-level visibility**. By leveraging Intel's **red unlock mode** (a debug interface) to instrument microcode execution, Fuzzilicon achieves what was previously impossible in black-box hardware fuzzing: coverage-guided exploration of microarchitectural states. The system introduces a **microcode coverage bitmap**, a **serialization oracle** for detecting speculative execution vulnerabilities via differential testing, and a **bare-metal hypervisor** for deterministic test isolation.
AI review
The NDSS 2026 Best Paper Award winner, and deservedly so. Fuzzilicon is the first post-silicon x86 CPU fuzzer with microarchitectural visibility, achieved by instrumenting Intel microcode through red unlock mode. The serialization oracle for detecting speculative execution vulnerabilities is elegant, the 5 new Intel CPU findings are real, and the automatic Spectre variant detection replaces what previously required manual expert analysis. This is the kind of deep hardware security research that advances the field.