ReFuzz: Reusing Tests for Processor Fuzzing with Contextual Bandits
- URL: http://arxiv.org/abs/2512.04436v2
- Date: Mon, 08 Dec 2025 17:27:17 GMT
- Title: ReFuzz: Reusing Tests for Processor Fuzzing with Contextual Bandits
- Authors: Chen Chen, Zaiyan Xu, Mohamadreza Rostami, David Liu, Dileep Kalathil, Ahmad-Reza Sadeghi, Jeyavijayan Rajendran
- Abstract summary: ReFuzz is an adaptive fuzzing framework that reuses highly effective tests from prior processors to fuzz a processor-under-test (PUT) within an ISA. By intelligently mutating tests that trigger vulnerabilities in prior processors, ReFuzz effectively detects similar and new variants of vulnerabilities in PUTs.
- Score: 23.551672405526855
- License: http://creativecommons.org/licenses/by-sa/4.0/
- Abstract: Processor designs rely on iterative modifications and reuse well-established designs. However, this reuse of prior designs also leads to similar vulnerabilities across multiple processors. As processors grow increasingly complex with iterative modifications, efficiently detecting vulnerabilities from modern processors is critical. Inspired by software fuzzing, hardware fuzzing has recently demonstrated its effectiveness in detecting processor vulnerabilities. Yet, to our best knowledge, existing processor fuzzers fuzz each design individually, lacking the capability to understand known vulnerabilities in prior processors to fine-tune fuzzing to identify similar or new variants of vulnerabilities. To address this gap, we present ReFuzz, an adaptive fuzzing framework that leverages contextual bandit to reuse highly effective tests from prior processors to fuzz a processor-under-test (PUT) within a given ISA. By intelligently mutating tests that trigger vulnerabilities in prior processors, ReFuzz effectively detects similar and new variants of vulnerabilities in PUTs. ReFuzz uncovered three new security vulnerabilities and two new functional bugs. ReFuzz detected one vulnerability by reusing a test that triggers a known vulnerability in a prior processor. One functional bug exists across three processors that share design modules. The second bug has two variants. Additionally, ReFuzz reuses highly effective tests to enhance efficiency in coverage, achieving an average 511.23x coverage speedup and up to 9.33% more total coverage, compared to existing fuzzers.
Related papers
- SimFuzz: Similarity-guided Block-level Mutation for RISC-V Processor Fuzzing [14.509597609192092]
We propose SimFuzz, a fuzzing framework that constructs a high-quality seed corpus from historical bug-triggering inputs. We evaluate SimFuzz on three widely used open-source RISC-V processors: Rocket, BOOM, and XiangShan. SimFuzz achieves up to 73.22% multiplexer coverage on the high-quality seed corpus.
arXiv Detail & Related papers (2026-01-17T00:11:24Z)
- GoldenFuzz: Generative Golden Reference Hardware Fuzzing [13.434848597658215]
Existing hardware fuzzers suffer from limited semantic awareness, inefficient test refinement, and high computational overhead. We present GoldenFuzz, a novel two-stage hardware fuzzing framework that partially decouples test case refinement from coverage and vulnerability exploration. GoldenFuzz uncovers all known vulnerabilities and discovers five new ones, four of which are classified as highly severe with CVSS v3 severity scores exceeding seven out of ten.
arXiv Detail & Related papers (2025-12-25T06:16:55Z)
- What Do They Fix? LLM-Aided Categorization of Security Patches for Critical Memory Bugs [46.325755802511026]
We develop LM, a dual-method pipeline that integrates two approaches based on a Large Language Model (LLM) and a fine-tuned small language model. LM successfully identified 111 of 5,140 recent Linux kernel patches addressing OOB or UAF vulnerabilities, with 90 true positives confirmed by manual verification.
arXiv Detail & Related papers (2025-09-26T18:06:36Z)
- Certifiably robust malware detectors by design [48.367676529300276]
We propose a new model architecture for robust malware detection by design. We show that every robust detector can be decomposed into a specific structure, which can be applied to learn empirically robust malware detectors. Our framework ERDALT is based on this structure.
arXiv Detail & Related papers (2025-08-10T09:19:29Z)
- Shrinking the Generation-Verification Gap with Weak Verifiers [42.538675831498715]
Verifiers can improve language model capabilities by scoring and ranking responses from generated candidates. Weaver is a framework for designing a strong verifier by combining multiple weak, imperfect verifiers.
arXiv Detail & Related papers (2025-06-22T23:38:15Z)
- Exploiting Inaccurate Branch History in Side-Channel Attacks [54.218160467764086]
This paper examines how resource sharing and contention affect two widely implemented but underdocumented features: Bias-Free Branch Prediction and Branch History Speculation. We show that these features can inadvertently modify the Branch History Buffer (BHB) update behavior and create new primitives that trigger malicious mis-speculations. We present three novel attack primitives: two Spectre attacks, namely Spectre-BSE and Spectre-BHS, and a cross-privilege control flow side-channel attack called BiasScope.
arXiv Detail & Related papers (2025-06-08T19:46:43Z)
- SynFuzz: Leveraging Fuzzing of Netlist to Detect Synthesis Bugs [4.746242621988057]
We present a novel hardware fuzzer, SynFuzz, designed to overcome the limitations of existing hardware fuzzing frameworks. SynFuzz focuses on fuzzing hardware at the gate-level netlist to identify synthesis bugs and vulnerabilities that arise during the transition from RTL to the gate-level. We demonstrate how SynFuzz overcomes the limitations of the industry-standard formal verification tool, Cadence Conformal.
arXiv Detail & Related papers (2025-04-26T05:51:29Z)
- In the Magma chamber: Update and challenges in ground-truth vulnerabilities revival for automatic input generator comparison [42.95491588006701]
Magma introduced the notion of forward-porting to reintroduce vulnerable code in current software releases. While their results are promising, the state-of-the-art lacks an update on the maintainability of this approach over time. We characterise the challenges with forward-porting by reassessing the portability of Magma's CVEs four years after its release.
arXiv Detail & Related papers (2025-03-25T17:59:27Z)
- EXPLICATE: Enhancing Phishing Detection through Explainable AI and LLM-Powered Interpretability [44.2907457629342]
EXPLICATE is a framework that enhances phishing detection through a three-component architecture. It is on par with existing deep learning techniques but has better explainability. It addresses the critical divide between automated AI and user trust in phishing detection systems.
arXiv Detail & Related papers (2025-03-22T23:37:35Z)
- BETA: Automated Black-box Exploration for Timing Attacks in Processors [6.02100696004881]
We present BETA, a novel black-box framework that harnesses fuzzing to efficiently uncover multifaceted timing vulnerabilities in processors. We evaluate the performance and effectiveness of BETA on four processors from Intel and AMD, each featuring distinct microarchitectures.
arXiv Detail & Related papers (2024-10-22T02:48:19Z)
- WhisperFuzz: White-Box Fuzzing for Detecting and Locating Timing Vulnerabilities in Processors [18.926324727139377]
Researchers have adapted black-box or grey-box fuzzing to detect timing vulnerabilities in processors. We present WhisperFuzz, the first white-box fuzzer with static analysis. We detect and locate timing vulnerabilities in processors and evaluate the coverage of microarchitectural timing behaviors.
arXiv Detail & Related papers (2024-02-06T04:47:58Z)
- Vulnerability Detection Through an Adversarial Fuzzing Algorithm [2.074079789045646]
This project aims to increase the efficiency of existing fuzzers by allowing fuzzers to explore more paths and find more bugs in shorter amounts of time. Adversarial methods are built on top of current evolutionary algorithms to generate test cases for further and more efficient fuzzing.
arXiv Detail & Related papers (2023-07-21T21:46:28Z)
- DeFuzz: Deep Learning Guided Directed Fuzzing [41.61500799890691]
We propose a deep learning (DL) guided directed fuzzing for software vulnerability detection, named DeFuzz. DeFuzz includes two main schemes: (1) we employ a pre-trained DL prediction model to identify the potentially vulnerable functions and the locations (i.e., vulnerable addresses)
Precisely, we employ Bidirectional-LSTM (BiLSTM) to identify attention words, and the vulnerabilities are associated with these attention words in functions.
arXiv Detail & Related papers (2020-10-23T03:44:03Z)