Releases: microsoft/side-channel-fuzzer

v2.0.0

07 Jan 14:26
e6961ff

This release contains a major refactoring of the codebase, including many of the core modules. This breaks compatibility with previous versions, hence the major version bump.

In addition, several significant enhancements have been made:

  • ARM64 is now fully supported.
  • New DynamoRIO-based model backend has been added, which vastly improves ISA coverage on x86.
  • The documentation has been fully restructured and expanded.

Added

ARM64 Support

  • Full hardware tracing support for ARM64 CPUs (#137)
  • ARM64 executor, fuzzer, and code generator implementations
  • ARM64 test suite with acceptance and unit tests
  • ARM64 ISA specification and target description

DynamoRIO Model Backend

  • New DynamoRIO-based model backend added, which completely re-implements the leakage modeling functionality
  • New tracers: indirect memory access (IND) tracer and poisoning of faulty loads (#133)
  • Contract-based input generation for DynamoRIO backend (#138)

Documentation

  • Complete documentation restructure with tutorials, reference guides, and topic guides
  • Five comprehensive tutorials covering first fuzzing campaign, vulnerability detection, fault handling, isolation, and extending Revizor
  • Detailed primer on contracts and leakage models
  • In-depth guides on choosing contracts, designing campaigns, interpreting results, and root-causing violations
  • Architecture overview with detailed diagrams
  • DynamoRIO backend instrumentation diagrams
  • Sandbox and binary format documentation
  • Actor and test case generation topics
  • Glossary of key terms

Demos and Examples

  • TSA-L1D demo configuration and template
  • TSA-SQ demo files
  • Improved detection demos for various Spectre variants

Testing and Development

  • Unified tests for Unicorn and DynamoRIO backends
  • Unit tests for traces, stats, and test case components
  • Utility scripts for generating RCBF/RDBF test files
  • Interface to run individual testing stages
  • Improved test coverage and CI integration

Misc. Features

  • Special value generation option for input data (not just random values)
  • More verbose configuration error messages
  • Better visibility for warnings in logger output
  • Support for FS/GS segment register instructions in ISA specification
  • Input differential minimization for observer actors

Changed

WARNING: This release contains breaking changes! The release introduces a complete refactoring of the code structure, including many of the core modules. See docs/internals/architecture/overview.md for details.

Code Structure

  • Renamed source directory from src/ to rvzr/ for better compliance with Python packaging standards
  • Encapsulated all core components into dedicated modules (sandbox.py, actor.py, etc.)
  • Moved all test case components into a dedicated directory rvzr/tc_components
  • Refactored fuzzer.py to isolate the multi-stage filtering logic into a dedicated class
  • Isolated utility classes into dedicated modules stats.py and logs.py
  • Unicorn-based backend split into logical classes: Tracer, Speculator, TaintTracker, etc. (rvzr/model_unicorn)
  • Reorganized into architecture-specific subdirectories (rvzr/arch/x86, rvzr/arch/arm64)
  • Minimizer refactored to encapsulate each pass into a separate class (rvzr/postprocessing)
  • Executor KM is now shared between x86 and ARM to avoid code duplication
  • Consistent naming conventions for generators across architectures
  • Improved code style and formatting

Configuration Options

  • Many config options have been renamed during the refactoring process
  • Refer to the updated documentation (docs/ref/config.md) for the new option names and their usage.

ISA Spec Format

  • Renamed several fields in the JSON produced by the download_spec command

Testing Infrastructure

  • Cleaner interface for test scripts
  • GitHub Actions aligned with internal test scripts

Documentation Structure

  • Reorganized into intro/, howto/, ref/, topics/, and internals/ sections
  • Split architecture documentation into per-module pages
  • Updated navigation structure in MkDocs

Deprecated

  • MPX support

v1.3.2

12 Sep 13:07
1c68fdd

Minor release with compatibility fixes and a few bug fixes:

  • Executor: modified to be compatible with Linux 6.8+
  • Python build: modified to be compatible with Python 3.12
  • Model: fixed the reset of the tracing state after exceptions
  • Executor: fixed type cast issue in VMCB initialization + added corresponding sanity checks
  • Executor: gracefully handle cases when SMAP/MPX are disabled in kernel; ref #113

Full Changelog: v1.3.1...v1.3.2

v1.3.1

07 Aug 11:04
81b9d5d

Minor release with several bug fixes and stability improvements:

  • cli: Invalid argument in CLI tfuzz mode by @brianfu in #109
  • root: update list of tested branches in CI by @OleksiiOleksenko in #110
  • tests: L1TF tests - only test for Tiger Lake+ by @brianfu in #112
  • config: instruction_blocklist_append is no longer ignored
  • executor: rewrote the measurement state machine from assembly into C

Full Changelog: v1.3.0...v1.3.1

v1.3.0

29 Jul 15:20
db20d96

Major update on the testing features:

  • Support for template-based program generation
  • Support for template macros
  • Support for multi-mode test cases (kernel mode, user mode, VM mode, and transitions between them)
  • Support for actors: isolated parts of a test case that have their own code and data, and that can interact with each other
  • Added architectural fuzzing mode for detecting mismatches between the model and the executor
  • Added TSC (time stamp counter) measurement mode
  • Rewritten analyzer to support multiple analysis modes. Changed default analyzer to a statistics (chi2)-based one
  • Added an option to track instruction coverage
  • Added value speculation contracts
  • Added a non-interference model for testing information flows between actors

Wider support for x86-64 ISA:

  • Support for 128-bit SIMD (SSE 1-4)
  • Correct handling of IDIV
  • Intel MPX exceptions

Stability features:

  • Synchronized seeds for both program and input generators
  • Multi-pass testing of detected violations to gradually remove various known types of false positives
  • Many improvements to the logging infrastructure
  • Pass-based re-implementation of minimizer
  • Graceful propagation of errors from executor up to the user interface
  • Implemented full fault sandbox for catching bugs in executor without causing crashes
  • State machine-based monitoring of incomplete measurements in executor

And also a bit more documentation on cli, config, and minimization.

v1.2.4

16 Apr 13:16

This release bundles several recent bug fixes:

  • Fix incorrect patching of undefined flags (#64)
  • Added a missing hatch target (#92)
  • Added generation of signed immediates (#91)
  • Removed outdated fields in demos
  • Added missing py.typed file
  • Added Borg-based Logger

Also updates the instruction set file (attached).

v1.2.2

04 Apr 14:29

This release is mainly dedicated to the changes that were required to publish on PyPI, including:

  • Updated structure of imports (36bf130)
  • Changed CLI entry point from src/cli.py to revizor.py (2c9383e)
  • The default installation method is now via pip: pip install revizor-fuzzer

Besides that, the release includes the following minor changes:

  • Input array is now zero-initialized (0c5c999)
  • The interface to input generator and program generator became more uniform (b03baaa)
  • Contract traces are now normalized. For example, if the model executes a memory access to address 0x110 and the sandbox base address is 0x100, the contract trace will contain the value 0x10 (in the past, it would contain 0x110).

V1.2

16 Feb 10:41

In release v1.2:

  • support for AMD CPUs
  • support for testing exceptions (page faults, division errors, undefined opcodes, etc)
  • new CLI interface for generating test cases cli.py generate
  • new CLI interface for reproducing and debugging violations cli.py reproduce
  • several improvements to the logging output
  • new executor mode: Partial Prime+Probe
  • improved algorithm for generating conditional branches
  • several refactorings and bug fixes

V1.1

06 Sep 10:50
e74373f

  • Split the code base into the architecture-independent part (src/) and the architecture-specific part (e.g., src/x86/)
  • Factory module (src/factory.py) to set up Revizor according to the user config
  • x86-specific optimizations - speculation filter and observation filter - that discard the test cases that do not show signs of leakage
  • Numpy-based re-implementation of the input generator (it has better performance)
  • Migrated to using a vendor-independent JSON format for describing ISA
  • Added basic documentation (docs/) and a small demo (demo/)