Traditional fuzzing techniques struggle to detect microarchitectural vulnerabilities such as Spectre and Meltdown due to their reliance on coarse-grained software-level signals and lack of hardware-aware feedback. Method: This paper proposes the first reinforcement learning (RL)-based automated testing framework for hardware security, integrating Deep Q-Networks (DQN) with a hardware-level real-time feedback loop—monitoring cache state and timing side channels—to guide instruction-sequence generation in an instruction-level simulator. The framework enables end-to-end autonomous exploration with microarchitectural awareness. Contribution/Results: It pioneers RL-driven discovery of processor side-channel vulnerabilities, supporting cross-microarchitecture adaptive detection. Evaluated on Intel Skylake-X and Raptor Lake platforms, it successfully synthesizes novel leakage sequences—including SERIALIZE, CLMUL, and MMX/x87 transition instructions—that induce measurable byte-level information leakage, all without system interrupts or crashes.

We propose using reinforcement learning to address the challenges of discovering microarchitectural vulnerabilities, such as Spectre and Meltdown, which exploit subtle interactions in modern processors. Traditional methods like random fuzzing fail to efficiently explore the vast instruction space and often miss vulnerabilities that manifest under specific conditions. To overcome this, we introduce an intelligent, feedback-driven approach using RL. Our RL agents interact with the processor, learning from real-time feedback to prioritize instruction sequences more likely to reveal vulnerabilities, significantly improving the efficiency of the discovery process. We also demonstrate that RL systems adapt effectively to various microarchitectures, providing a scalable solution across processor generations. By automating the exploration process, we reduce the need for human intervention, enabling continuous learning that uncovers hidden vulnerabilities. Additionally, our approach detects subtle signals, such as timing anomalies or unusual cache behavior, that may indicate microarchitectural weaknesses. This proposal advances hardware security testing by introducing a more efficient, adaptive, and systematic framework for protecting modern processors. When unleashed on Intel Skylake-X and Raptor Lake microarchitectures, our RL agent was indeed able to generate instruction sequences that cause significant observable byte leakages through transient execution without generating any $mu$code assists, faults or interrupts. The newly identified leaky sequences stem from a variety of Intel instructions, e.g. including SERIALIZE, VERR/VERW, CLMUL, MMX-x87 transitions, LSL+RDSCP and LAR. These initial results give credence to the proposed approach.