Litcius/Paper detail

ProcessorFuzz: Processor Fuzzing with Control and Status Registers Guidance

Sadullah Canakci, Chathura Rajapaksha, Leila Delshadtehrani, Anoop Mysore Nataraja, Michael Taylor, Manuel Egele, Ajay Joshi

202322 citationsDOI

Abstract

As the complexity of modern processors has increased over the years, developing effective verification strategies to identify bugs prior to manufacturing has become critical. Inspired by software fuzzing, a technique commonly used for software testing, multiple recent works use hardware fuzzing for the verification of Register-Transfer Level (RTL) designs. However, these works suffer from several limitations such as lack of support for widelyused Hardware Description Languages (HDLs) and misleading coverage-signals that misidentify ‘‘interesting’’ inputs. Towards overcoming these shortcomings, we present ProcessorFuzz, a processor fuzzer that guides the fuzzer with a novel CSR-transition coverage metric. ProcessorFuzz monitors the transitions in Control and Status Registers (CSRs) as CSRs are in charge of controlling and holding the state of the processor. Therefore, transitions in CSRs indicate a new processor state, and guiding the fuzzer based on this feedback enables ProcessorFuzz to explore new processor states. We evaluated ProcessorFuzz with three real-world opensource processors — Rocket, BOOM, and BlackParrot. ProcessorFuzz triggered a set of ground-truth bugs $1.23 \times$ faster (on average) than DIFUZZRTL. Moreover, our experiments exposed 8 new bugs across the three RISC-V cores and one new bug in a reference model. All nine bugs were confirmed by the developers of the corresponding projects.

Topics & Concepts

Fuzz testingComputer scienceControl (management)Programming languageArtificial intelligenceSoftwareSecurity and Verification in ComputingParallel Computing and Optimization TechniquesAdvanced Malware Detection Techniques
ProcessorFuzz: Processor Fuzzing with Control and Status Registers Guidance | Litcius