Beyond Random Inputs: A Novel ML-Based Hardware Fuzzing
Mohamadreza Rostami, Marco Chilese, Shaza Zeitouni, Rahul Kande, Jeyavijayan Rajendran, Ahmad‐Reza Sadeghi
Abstract
Modern computing systems heavily rely on hardware as the root of trust. However, their increasing complexity has given rise to security-critical vulnerabilities that cross-layer attacks can exploit. Traditional hardware vulnerability detection methods, such as random regression and formal verification, have limitations. Random regression, while scalable, is slow in exploring hardware, and formal verification techniques are often concerned with manual effort and state explosions. Hardware fuzzing has emerged as an effective approach to exploring and detecting security vulnerabilities in large-scale designs like modern processors. They outperform traditional methods regarding coverage, scalability, and efficiency. However, state-of-the-art fuzzers struggle to achieve comprehensive coverage of intri-cate hardware designs within a practical timeframe, often falling short of a 70 % coverage threshold. To address this challenge, we propose a novel ML-based hardware fuzzer, ChatFuzz. Our approach leverages large language models (LLMs) to understand processor language and generate data/control flow entangled yet random machine code sequences. Reinforcement learning (RL) is integrated to guide the input generation process by rewarding the inputs using code coverage metrics. Utilizing the open-source RISC-V-based RocketCore and BOOM cores as our testbed, ChatFuzz achieves 75% condition coverage in RocketCore in just 52 minutes. This contrasts with state-of-the-art fuzzers, which demand a 30-hour timeframe for comparable condition coverage. Notably, our fuzzer can reach a 79.14% con-dition coverage rate in RocketCore by conducting approximately 199k test cases. In the case of BOOM, ChatFuzz accomplishes a remarkable 97.02% condition coverage in 49 minutes. Our analysis identified all detected bugs by The Huzz, including two new bugs in the RocketCore and discrepancies from the RISC-VISA Simulator.