STIMSMITH

CPU Fuzzing

Concept

CPU fuzzing is a security testing technique that exercises processor hardware (or its models) with randomized or crafted instruction sequences to discover architectural and microarchitectural vulnerabilities, including bugs triggerable from unprivileged code. It can be applied pre-silicon (at the register-transfer level) or post-silicon (on real hardware), and commonly uses differential testing across implementations of the same instruction set architecture (ISA) to detect deviations indicative of bugs.

First seen 6/11/2026
Last seen 6/11/2026
Evidence 5 chunks
Wiki v1

WIKI

CPU Fuzzing

Overview

CPU fuzzing applies the general principle of fuzzing—testing with random or specially crafted inputs to surface unexpected behavior—to the central processing unit itself rather than to a software program. The objective is to discover hardware-level vulnerabilities, including architectural (functional) bugs exploitable from user space and microarchitectural issues. Because a well-defined ISA requires that the architectural result of every deterministic instruction be the same across conforming implementations, deviations across implementations can be flagged as candidate bugs without requiring a complete golden model [1].
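The differential idea in the two paragraphs above, and the sequence-generation and non-determinism points summarized in citation excerpts [5] and [6] below, can be seen end to end in the following Python script. It is an added example, not RISCover's code and not part of the original page: it models a constructed four-register toy ISA (not RISC-V), feeds the same weighted-random instruction sequences to two simulated cores, compares their final architectural state, taint-tracks registers derived from a per-core cycle counter so that legitimate non-determinism is excluded from the comparison, and greedily reduces a divergent sequence to the instructions that trigger it. The second core carries a deliberately injected, constructed shift-amount bug so the fuzzer has something to find; the instruction weights and every name here (Insn, Core, ref_alu, buggy_alu, execute, diverges, fuzz, minimize) are assumptions of this example.

```python
"""Toy differential CPU fuzzer: an added example, not RISCover's code. It models a
constructed 4-register toy ISA (not RISC-V); every name below is an assumption."""
import random
from collections import namedtuple

MASK = 0xFFFFFFFF
NUM_REGS = 4
Insn = namedtuple("Insn", "op rd rs1 rs2 imm")  # imm is 0..63 so shifts >= 32 occur
Core = namedtuple("Core", "name alu cycle_scale")  # cycle_scale: per-core counter rate
# Constructed selection weights; a real fuzzer uses frequencies measured in real code.
ISA_WEIGHTS = {"ADD": 40, "SUB": 20, "AND": 10, "OR": 10, "SHL": 10, "MULH": 5, "RDCYCLE": 5}
# Reference (specification) semantics of the toy ISA's ALU instructions.
SPEC = {
    "ADD": lambda a, b, imm: (a + b) & MASK,
    "SUB": lambda a, b, imm: (a - b) & MASK,
    "AND": lambda a, b, imm: a & b,
    "OR": lambda a, b, imm: a | b,
    "SHL": lambda a, b, imm: (a << (imm & 31)) & MASK,  # spec: low 5 bits of imm shift
    "MULH": lambda a, b, imm: ((a * b) >> 32) & MASK,  # upper half of 64-bit product
}

def ref_alu(op, a, b, imm):
    return SPEC[op](a, b, imm)

def buggy_alu(op, a, b, imm):
    """Constructed faulty core: SHL uses the whole immediate as the shift amount."""
    return (a << imm) & MASK if op == "SHL" else ref_alu(op, a, b, imm)

def gen_sequence(rng, length):
    """Weighted random instruction selection biased towards common instructions."""
    ops, weights = list(ISA_WEIGHTS), list(ISA_WEIGHTS.values())
    return [Insn(rng.choices(ops, weights=weights)[0], rng.randrange(NUM_REGS),
                 rng.randrange(NUM_REGS), rng.randrange(NUM_REGS), rng.randrange(64))
            for _ in range(length)]

def execute(seq, init, core):
    """Run seq on one core; return (final state, registers tainted by the
    non-deterministic cycle counter). Taint follows both source operands."""
    regs, tainted, cycle = dict(init), set(), 0
    for insn in seq:
        cycle += 1
        rd, rs1, rs2 = f"r{insn.rd}", f"r{insn.rs1}", f"r{insn.rs2}"
        if insn.op == "RDCYCLE":
            regs[rd] = (cycle * core.cycle_scale) & MASK
            tainted.add(rd)
        else:
            regs[rd] = core.alu(insn.op, regs[rs1], regs[rs2], insn.imm)
            if rs1 in tainted or rs2 in tainted:
                tainted.add(rd)
            else:
                tainted.discard(rd)  # overwritten with a deterministic value
    regs["cycle"] = (cycle * core.cycle_scale) & MASK
    tainted.add("cycle")
    return regs, tainted

def diverges(seq, init, cores, mask_nondet=True):
    """Differential check: {reg: (core0 value, other value)} for registers that
    differ, excluding state tainted on any core when mask_nondet is set."""
    results = [execute(seq, init, c) for c in cores]
    ignore = set().union(*(t for _, t in results)) if mask_nondet else set()
    base = results[0][0]
    return {k: (v, regs[k]) for regs, _ in results[1:]
            for k, v in base.items() if k not in ignore and regs[k] != v}

def fuzz(cores, iterations=1000, seq_len=8, seed=1, mask_nondet=True):
    """Generate sequences with random initial registers; collect the divergent ones."""
    rng, findings = random.Random(seed), []
    for _ in range(iterations):
        seq = gen_sequence(rng, seq_len)
        init = {f"r{i}": rng.getrandbits(32) for i in range(NUM_REGS)}
        diff = diverges(seq, init, cores, mask_nondet)
        if diff:
            findings.append((seq, init, diff))
    return findings

def minimize(seq, init, cores):
    """Greedy reduction: drop each instruction whose removal keeps the divergence."""
    cur, i = list(seq), 0
    while i < len(cur):
        cand = cur[:i] + cur[i + 1:]
        if diverges(cand, init, cores):
            cur = cand
        else:
            i += 1
    return cur

CORE_A = Core("core-A", ref_alu, 1)    # spec-conforming core
CORE_B = Core("core-B", buggy_alu, 3)  # core with the constructed SHL bug

if __name__ == "__main__":
    hits = fuzz([CORE_A, CORE_B])
    seq, init, diff = hits[0]
    print(len(hits), "divergent sequences; one minimized trigger:")
    print(*minimize(seq, init, [CORE_A, CORE_B]), sep="\n  ")
    print("differing registers (core-A, core-B):", diff)
```

Running the script prints how many of the 1000 generated sequences diverged, a minimized sequence that still triggers the divergence, and the registers whose values differ. Calling `fuzz(..., mask_nondet=False)` shows the failure mode the excerpts describe: the two cores' cycle counters differ on every run, so without taint masking every sequence is flagged and the real bug is buried in false positives.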


NEIGHBORHOOD

1 node · 0 edges

RELATIONSHIPS

1 connections
RISCover ← implements 100% 2e
RISCover is a CPU fuzzing framework for finding architectural vulnerabilities.

CITATIONS

10 sources
[1] CPU fuzzing can be applied pre-silicon (RTL-based) or post-silicon (on real hardware). Source: RISCover: Automatic Discovery of User-exploitable Architectural Security Vulnerabilities in Closed-Source RISC-V CPUs.
[2] Differential CPU fuzzing compares architectural results across multiple implementations and flags deviations as potential bugs, without requiring a complete golden model. Source: RISCover: Automatic Discovery of User-exploitable Architectural Security Vulnerabilities in Closed-Source RISC-V CPUs.
[3] Post-silicon CPU fuzzing is necessary because synthesis-introduced and system-level bugs can escape pre-silicon verification, as illustrated by vulnerabilities such as Zenbleed, Reptar, ÆPICLeak, and CacheWarp. Source: RISCover: Automatic Discovery of User-exploitable Architectural Security Vulnerabilities in Closed-Source RISC-V CPUs.
[4] Bölcskei et al. showed that structural-coverage-based fuzzers can be slower than black-box fuzzers in bug discovery, motivating post-silicon black-box approaches. Source: RISCover: Automatic Discovery of User-exploitable Architectural Security Vulnerabilities in Closed-Source RISC-V CPUs.
[5] Sequence generation in CPU fuzzing is difficult because RTL coverage feedback is unavailable; bottom-up search with weighted random selection biased by instruction frequency in real-world code is one solution. Source: RISCover: Automatic Discovery of User-exploitable Architectural Security Vulnerabilities in Closed-Source RISC-V CPUs.
[6] Non-deterministic effects such as performance counter values, OS-controlled memory regions (e.g., Linux vDSO), and the inability to freely modify architectural state complicate post-silicon CPU fuzzing. Source: RISCover: Automatic Discovery of User-exploitable Architectural Security Vulnerabilities in Closed-Source RISC-V CPUs.
[7] Running CPU fuzz tests in user mode acts as an automatic filter that retains only bugs exploitable by unprivileged users. Source: RISCover: Automatic Discovery of User-exploitable Architectural Security Vulnerabilities in Closed-Source RISC-V CPUs.
[8] Post-silicon CPU fuzzers require a custom sandbox because they cannot run bare-metal code or perform hardware resets from user space, and Linux provides a versatile deployment environment. Source: RISCover: Automatic Discovery of User-exploitable Architectural Security Vulnerabilities in Closed-Source RISC-V CPUs.
[9] A typical CPU fuzzing deployment uses a centralized server to generate and analyze test cases, with resource-constrained client CPUs executing sequences and reporting back state. Source: RISCover: Automatic Discovery of User-exploitable Architectural Security Vulnerabilities in Closed-Source RISC-V CPUs.
[10] CPU fuzzing concepts have been extended to GPU code by transforming GPU programs into CPU programs at the compiler IR level, enabling sanitizer-based fuzzing for languages like CUDA. Source: CuFuzz: Hardening CUDA Programs through Transformation and Fuzzing.