SimFuzz: Similarity-guided Block-level Mutation for RISC-V Processor Fuzzing
- URL: http://arxiv.org/abs/2601.11838v1
- Date: Sat, 17 Jan 2026 00:11:24 GMT
- Title: SimFuzz: Similarity-guided Block-level Mutation for RISC-V Processor Fuzzing
- Authors: Hao Lyu, Jingzheng Wu, Xiang Ling, Yicheng Zhong, Zhiyuan Li, Tianyue Luo,
- Abstract summary: We propose SimFuzz, a fuzzing framework that constructs a high-quality seed corpus from historical bug-triggering inputs. We evaluate SimFuzz on three widely used open-source RISC-V processors: Rocket, BOOM, and XiangShan. SimFuzz achieves up to 73.22% multiplexer coverage on the high-quality seed corpus.
- Score: 14.509597609192092
- License: http://creativecommons.org/licenses/by-sa/4.0/
- Abstract: The Instruction Set Architecture (ISA) defines processor operations and serves as the interface between hardware and software. As an open ISA, RISC-V lowers the barriers to processor design and encourages widespread adoption, but also exposes processors to security risks such as functional bugs. Processor fuzzing is a powerful technique for automatically detecting these bugs. However, existing fuzzing methods suffer from two main limitations. First, their emphasis on redundant test case generation causes them to overlook cross-processor corner cases. Second, they rely too heavily on coverage guidance. Current coverage metrics are biased and inefficient, and become ineffective once coverage growth plateaus. To overcome these limitations, we propose SimFuzz, a fuzzing framework that constructs a high-quality seed corpus from historical bug-triggering inputs and employs similarity-guided, block-level mutation to efficiently explore the processor input space. By introducing instruction similarity, SimFuzz expands the input space around seeds while preserving control-flow structure, enabling deeper exploration without relying on coverage feedback. We evaluate SimFuzz on three widely used open-source RISC-V processors: Rocket, BOOM, and XiangShan, and discover 17 bugs in total, including 14 previously unknown issues, 7 of which have been assigned CVE identifiers. These bugs affect the decode and memory units, cause instruction and data errors, and can lead to kernel instability or system crashes. Experimental results show that SimFuzz achieves up to 73.22% multiplexer coverage on the high-quality seed corpus. Our findings highlight critical security bugs in mainstream RISC-V processors and offer actionable insights for improving functional verification.
Related papers
- Outrunning LLM Cutoffs: A Live Kernel Crash Resolution Benchmark for All [57.23434868678603]
Live-kBench is an evaluation framework for self-evolving benchmarks that scrapes and evaluates agents on freshly discovered kernel bugs. kEnv is an agent-agnostic crash-resolution environment for kernel compilation, execution, and feedback. Using kEnv, we benchmark three state-of-the-art agents, showing that they resolve 74% of crashes on the first attempt.
arXiv Detail & Related papers (2026-02-02T19:06:15Z)
- ReasAlign: Reasoning Enhanced Safety Alignment against Prompt Injection Attack [52.17935054046577]
We present ReasAlign, a model-level solution to improve safety alignment against indirect prompt injection attacks. ReasAlign incorporates structured reasoning steps to analyze user queries, detect conflicting instructions, and preserve the continuity of the user's intended tasks.
arXiv Detail & Related papers (2026-01-15T08:23:38Z)
- ReFuzz: Reusing Tests for Processor Fuzzing with Contextual Bandits [23.551672405526855]
ReFuzz is an adaptive fuzzing framework that reuses highly effective tests from prior processors to fuzz a processor-under-test (PUT) within an ISA. By intelligently mutating tests that trigger vulnerabilities in prior processors, ReFuzz effectively detects similar and new variants of vulnerabilities in PUTs.
arXiv Detail & Related papers (2025-12-04T04:05:40Z)
- Coverage-Guided Pre-Silicon Fuzzing of Open-Source Processors based on Leakage Contracts [1.2413165648298643]
Hardware-software leakage contracts have emerged as a formalism for specifying side-channel security guarantees of modern processors. Current verification approaches struggle to scale to industrial-sized designs. We introduce a novel and scalable approach: coverage-guided hardware-software contract fuzzing.
arXiv Detail & Related papers (2025-11-11T16:46:35Z)
- LLAMA: Multi-Feedback Smart Contract Fuzzing Framework with LLM-Guided Seed Generation [56.84049855266145]
We propose a Multi-feedback Smart Contract Fuzzing framework (LLAMA) that integrates evolutionary mutation strategies and hybrid testing techniques. LLAMA achieves 91% instruction coverage and 90% branch coverage, while detecting 132 out of 148 known vulnerabilities. These results highlight LLAMA's effectiveness, adaptability, and practicality in real-world smart contract security testing scenarios.
arXiv Detail & Related papers (2025-07-16T09:46:58Z)
- Agent KB: Leveraging Cross-Domain Experience for Agentic Problem Solving [62.71545696485824]
We introduce AGENT KB, a universal memory infrastructure enabling seamless experience sharing across heterogeneous agent frameworks without retraining. AGENT KB aggregates trajectories into a structured knowledge base and serves lightweight APIs. We validate AGENT across major frameworks on GAIA, Humanity's Last Exam, GPQA, and SWE-bench.
arXiv Detail & Related papers (2025-07-08T17:59:22Z)
- Exploiting Inaccurate Branch History in Side-Channel Attacks [54.218160467764086]
This paper examines how resource sharing and contention affect two widely implemented but underdocumented features: Bias-Free Branch Prediction and Branch History Speculation. We show that these features can inadvertently modify the Branch History Buffer (BHB) update behavior and create new primitives that trigger malicious mis-speculations. We present three novel attack primitives: two Spectre attacks, namely Spectre-BSE and Spectre-BHS, and a cross-privilege control flow side-channel attack called BiasScope.
arXiv Detail & Related papers (2025-06-08T19:46:43Z)
- Beyond Random Inputs: A Novel ML-Based Hardware Fuzzing [16.22481369547266]
Hardware fuzzing is an effective approach to exploring and detecting security vulnerabilities in large-scale designs like modern processors.
We propose a novel ML-based hardware fuzzer, ChatFuzz, to address this challenge.
ChatFuzz achieves condition coverage rate of 75% in just 52 minutes compared to a state-of-the-art fuzzer.
arXiv Detail & Related papers (2024-04-10T09:28:54Z)
- WhisperFuzz: White-Box Fuzzing for Detecting and Locating Timing Vulnerabilities in Processors [18.926324727139377]
Researchers have adapted black-box or grey-box fuzzing to detect timing vulnerabilities in processors.
We present WhisperFuzz--the first white-box fuzzer with static analysis.
We detect and locate timing vulnerabilities in processors and evaluate the coverage of microarchitectural timing behaviors.
arXiv Detail & Related papers (2024-02-06T04:47:58Z)
- MABFuzz: Multi-Armed Bandit Algorithms for Fuzzing Processors [19.60227174252432]
We develop a novel dynamic and adaptive decision-making framework, MABFuzz, that uses multi-armed bandit (MAB) algorithms to fuzz processors.
MABFuzz is agnostic to, and hence, applicable to, any existing hardware fuzzer.
We integrate three widely used MAB algorithms in a state-of-the-art hardware fuzzer and evaluate them on three popular RISC-V-based processors.
arXiv Detail & Related papers (2023-11-24T16:32:43Z)
- Task-Oriented Over-the-Air Computation for Multi-Device Edge AI [57.50247872182593]
6G networks for supporting edge AI features task-oriented techniques that focus on effective and efficient execution of AI task.
Task-oriented over-the-air computation (AirComp) scheme is proposed in this paper for multi-device split-inference system.
arXiv Detail & Related papers (2022-11-02T16:35:14Z)
- Task-Oriented Sensing, Computation, and Communication Integration for Multi-Device Edge AI [108.08079323459822]
This paper studies a new multi-device edge artificial-intelligence (AI) system, which jointly exploits AI model split inference and integrated sensing and communication (ISAC).
We measure the inference accuracy by adopting an approximate but tractable metric, namely discriminant gain.
arXiv Detail & Related papers (2022-07-03T06:57:07Z)