What is it about?

MileSan is an RTL sanitizer that detects arbitrary exploitable information leakage by checking for architecturally observable differences between architectural and microarchitectural information flows, i.e. by tracking taint at both the ISA level and the RTL level and reporting where the two disagree. We built RandOS, a fuzzer that uses MileSan for program generation and leakage detection, and found 19 new leakages (13 of which were assigned CVEs) across 5 RISC-V CPUs. Below is a video of RandOS discovering leakage using MileSan:
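To make the differential idea concrete, here is a toy model added for this summary; it is not MileSan's implementation and the ISA, cache model and programs are constructed for illustration. Two simulators execute the same instruction stream with a secret in `x1`: the architectural one propagates taint along ISA data flow only (so `rdcycle` yields an untainted counter), while the microarchitectural one also models a one-level cache whose contents and hit/miss timing become secret-dependent. A register that is tainted microarchitecturally but not architecturally is flagged as leakage.

```python
"""Toy differential taint tracking (constructed example, not MileSan's code)."""

LINE_SHIFT = 6  # 64-byte cache lines in the toy cache model

# Constructed programs in a tiny RISC-V-like ISA (mnemonics only, no real encodings):
#   ("li", rd, imm)  ("add", rd, rs1, rs2)  ("ld", rd, rs_addr)  ("rdcycle", rd)
LEAKY = [
    ("li", "x2", 0x1000),
    ("add", "x3", "x2", "x1"),   # address depends on the secret in x1
    ("ld", "x4", "x3"),          # the secret selects which cache line is filled
    ("rdcycle", "x5"),           # timing becomes architecturally visible
]
SAFE = [
    ("li", "x2", 0x1000),
    ("add", "x3", "x2", "x2"),   # address independent of the secret
    ("ld", "x4", "x3"),
    ("rdcycle", "x5"),
]


class ArchMachine:
    """ISA-level model: taint follows data flow only; rdcycle is just a register write."""

    def __init__(self, secret):
        self.regs = {f"x{i}": 0 for i in range(8)}
        self.taint = {f"x{i}": False for i in range(8)}
        self.regs["x1"], self.taint["x1"] = secret, True  # secret lives in x1

    def run(self, program):
        for ins in program:
            getattr(self, "op_" + ins[0])(*ins[1:])
        return dict(self.taint)

    def mem_read(self, addr):
        return addr & 0xFF  # constructed memory contents, hold no secret

    def op_li(self, rd, imm):
        self.regs[rd], self.taint[rd] = imm, False

    def op_add(self, rd, rs1, rs2):
        self.regs[rd] = (self.regs[rs1] + self.regs[rs2]) & 0xFFFFFFFF
        self.taint[rd] = self.taint[rs1] or self.taint[rs2]

    def op_ld(self, rd, rs):
        # Loaded value depends on the address, so the address taint flows into rd.
        self.regs[rd] = self.mem_read(self.regs[rs])
        self.taint[rd] = self.taint[rs]

    def op_rdcycle(self, rd):
        # Architecturally the cycle counter has no data dependence on the secret.
        self.regs[rd], self.taint[rd] = 0, False


class UarchMachine(ArchMachine):
    """Adds a cache and a cycle counter whose state can depend on the secret."""

    def __init__(self, secret):
        super().__init__(secret)
        self.cache = set()          # resident line numbers
        self.cache_taint = False    # does cache *state* depend on the secret?
        self.cycle_count = 0
        self.cycle_taint = False    # does the cycle counter depend on the secret?

    def op_ld(self, rd, rs):
        addr, addr_taint = self.regs[rs], self.taint[rs]
        line = addr >> LINE_SHIFT
        hit = line in self.cache
        self.cycle_count += 1 if hit else 10
        # Whether this access hits depends on the address and on what is already cached.
        self.cycle_taint |= addr_taint or self.cache_taint
        self.cache.add(line)
        self.cache_taint |= addr_taint   # which line was filled now depends on the secret
        self.regs[rd] = self.mem_read(addr)
        self.taint[rd] = addr_taint

    def op_rdcycle(self, rd):
        self.regs[rd], self.taint[rd] = self.cycle_count, self.cycle_taint


def find_leaks(program, secret=0x42):
    """Registers tainted in the microarchitectural model but not in the architectural one."""
    arch = ArchMachine(secret).run(program)
    uarch = UarchMachine(secret).run(program)
    return sorted(r for r in arch if uarch[r] and not arch[r])


if __name__ == "__main__":
    print("LEAKY:", find_leaks(LEAKY))  # x5 carries secret-dependent timing
    print("SAFE: ", find_leaks(SAFE))   # nothing to report
```

Note that `x4` is tainted in both models and therefore not reported: an architecturally expected flow is not a leak. Only `x5`, whose secret dependence exists solely through the cache state, shows up in the difference.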


Why is it important?

Pre-silicon vulnerability discovery lacks generic methods that can detect arbitrary vulnerabilities. Many vulnerabilities are therefore only found after CPUs have already shipped, forcing software- or microcode-level mitigations that incur substantial performance overheads.

Read the Original

This page is a summary of: MileSan: Detecting Exploitable Microarchitectural Leakage via Differential Hardware-Software Taint Tracking, November 2025, ACM (Association for Computing Machinery), DOI: 10.1145/3719027.3765066.
