Overview
Fuzz testing is a dynamic verification technique in which inputs are automatically generated and fed to a system under test in order to expose bugs or uncover new behaviors. The approach has its roots in software testing but has been adapted to hardware domains, most notably the verification of CPU register-transfer level (RTL) designs prior to deployment [1].
Origin and General Mechanism
Fuzz testing was initially designed for testing software [2]. The technique repeatedly generates or mutates inputs, executes them against the target, and uses feedback (such as code coverage) to guide subsequent input generation. Customized software-fuzzing techniques include program transformation and process tracing, both of which are tailored to software programs rather than hardware [2].
Critical Steps in Fuzz Testing
Two steps are repeatedly identified as critical to the success of a fuzz testing campaign:
- Seed selection – choosing which inputs to use as the basis for further mutation.
- Mutation – applying transformations (e.g., insertion or deletion of bytes or instructions) to generate new inputs from existing seeds.
Both of these steps must be tailored to the system under test. In the case of hardware, prior fuzz testing work has been criticized for combining fuzzing poorly with hardware features, for example by not considering hardware-aware seed selection when fuzzing a CPU [2].
Execution Speed as a Key to Success
The speed of fuzz testing is considered a key factor in its success, and several works cited in the evidence emphasize fast execution [2]. When inputs grow long, more CPU cycles are consumed per execution, and the Instiller paper's analysis reports that coverage does not increase proportionally to input length, making input length a direct concern for fuzzing efficiency [1].
Application to Hardware (CPU RTL)
Fuzz testing has been applied to CPU verification, where the input to the design is an instruction sequence into which interruptions and exceptions can be inserted to mimic real-world execution [1]. This application domain inherits the standard fuzzing pipeline but introduces hardware-specific challenges:
- Growing input length – As the fuzzing process progresses, input length tends to grow, which hurts execution speed without proportional coverage gain [1].
- Realistic interruption and exception handling – To cover corner cases of CPU verification, fuzzing inputs must simulate multiple interruptions and exceptions with correct priorities; prior work considered only simple interruption cases and did not simulate exceptions at all [2].
- Hardware-related fuzzing techniques – Off-the-shelf software fuzzing heuristics (e.g., program transformation, process tracing) do not necessarily improve performance when applied to CPU RTL, motivating hardware-specific seed selection and mutation strategies [2].
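The following Python program is an added illustration of the pipeline described in the sections above (generate or mutate, execute, coverage feedback), of the two critical steps (seed selection and mutation), of the input-length concern, and of the CPU-specific challenges just listed. It is not code from the Instiller or DiFuzzRTL projects. The CPU model is a constructed toy with four registers, a privilege mode and an interrupt priority level; its opcodes, the coverage definition, the seed weighting, the mutation probabilities and the greedy distillation routine are all assumptions made for this example (the greedy pass stands in for Instiller's ant colony variant, which is not reproduced here).

```python
import random
from typing import List, Set, Tuple

# Constructed toy CPU model (not any real ISA): four 8-bit registers, a privilege
# mode (0 = user, 1 = handler) and an interrupt priority level. An input is an
# instruction sequence; "irq" and "exc" entries inject interruptions/exceptions.
OPCODES = ["add", "sub", "ld", "st", "div", "jmp", "irq", "exc", "iret"]
Instr = Tuple[str, int, int]

def execute(seq: List[Instr]) -> Set[tuple]:
    """Run a sequence and return its coverage: (prev_op, op, mode) edges plus
    interrupt/exception events. The step cap bounds loops created by jmp."""
    regs, mem = [0, 1, 2, 3], {}
    mode, level = 0, 0
    pc, prev, steps, cov = 0, "start", 0, set()
    while pc < len(seq) and steps < 256:
        op, a, b = seq[pc]
        a, b, steps = a % 4, b % 4, steps + 1
        if op == "irq":               # taken only if its priority beats the current level
            if a > level:
                cov.add(("irq_taken", mode, a)); mode, level = 1, a
            else:
                cov.add(("irq_masked", mode, a))
        elif op == "exc":             # synchronous exception: always trapped
            cov.add(("exc", mode, a)); mode = 1
        elif op == "iret":
            cov.add(("iret", mode, level)); mode, level = 0, 0
        elif op == "div":
            if regs[b] == 0:          # divide by zero raises an exception
                cov.add(("exc", mode, "div0")); mode = 1
            else:
                regs[a] //= regs[b]
        elif op == "add": regs[a] = (regs[a] + regs[b]) & 0xFF
        elif op == "sub": regs[a] = (regs[a] - regs[b]) & 0xFF
        elif op == "ld": regs[a] = mem.get(regs[b], 0)
        elif op == "st": mem[regs[b]] = regs[a]
        elif op == "jmp":
            target = (a * 4 + b) % (len(seq) + 1)
            cov.add(("jmp", mode, target > pc))
            cov.add((prev, op, mode)); prev, pc = op, target
            continue
        cov.add((prev, op, mode))
        prev, pc = op, pc + 1
    return cov

def rand_instr(rng: random.Random) -> Instr:
    return (rng.choice(OPCODES), rng.randrange(4), rng.randrange(4))

def mutate(seq: List[Instr], rng: random.Random) -> List[Instr]:
    """Insert/delete/replace instructions (insertion is favoured, so inputs tend to
    grow); the hardware-aware branch injects an interruption with a random
    priority or an exception at a random point in the stream."""
    seq, r = list(seq), rng.random()
    if r < 0.45 or not seq:
        seq.insert(rng.randrange(len(seq) + 1), rand_instr(rng))
    elif r < 0.65:
        del seq[rng.randrange(len(seq))]
    elif r < 0.85:
        seq[rng.randrange(len(seq))] = rand_instr(rng)
    else:
        ev = rng.choice([("irq", rng.randrange(1, 4), 0), ("exc", rng.randrange(3), 0)])
        seq.insert(rng.randrange(len(seq) + 1), ev)
    return seq

def select_seed(corpus, rng: random.Random) -> List[Instr]:
    """Hardware-aware seed choice: weight by coverage per instruction so short
    inputs that reach many CPU states are mutated more often than long ones."""
    weights = [len(cov) / len(seq) for seq, cov in corpus]
    return rng.choices(corpus, weights=weights, k=1)[0][0]

def fuzz(iterations: int = 1000, seed: int = 7):
    """Coverage-guided loop. Returns the corpus, the total coverage and a history
    of (mean corpus input length, coverage size) sampled every 100 iterations."""
    rng = random.Random(seed)
    seeds = [[("add", 0, 1), ("st", 0, 2), ("ld", 3, 2)],      # constructed seeds
             [("irq", 2, 0), ("add", 1, 1), ("iret", 0, 0)]]
    corpus, total, history = [], set(), []
    for s in seeds:
        cov = execute(s); corpus.append((s, cov)); total |= cov
    for i in range(1, iterations + 1):
        child = mutate(select_seed(corpus, rng), rng)
        cov = execute(child)
        if cov - total:                  # keep only inputs that reach new states
            total |= cov; corpus.append((child, cov))
        if i % 100 == 0:
            history.append((sum(len(s) for s, _ in corpus) / len(corpus), len(total)))
    return corpus, total, history

def distill(seq: List[Instr], cov: Set[tuple]) -> List[Instr]:
    """Greedy instruction distillation (simplified stand-in for Instiller's ant
    colony variant): drop each instruction whose removal preserves the coverage."""
    i, seq = 0, list(seq)
    while i < len(seq):
        trial = seq[:i] + seq[i + 1:]
        if execute(trial) >= cov:
            seq = trial
        else:
            i += 1
    return seq

def distill_corpus(corpus):
    return [(distill(s, c), c) for s, c in corpus]

if __name__ == "__main__":
    corpus, total, history = fuzz()
    for mean_len, cov_size in history:
        print(f"mean input length {mean_len:5.1f}  coverage {cov_size}")
    slim = distill_corpus(corpus)
    print("instructions before/after distillation:",
          sum(len(s) for s, _ in corpus), sum(len(s) for s, _ in slim))
```

Running the script prints the sampled history, which lets a reader watch the mean corpus input length drift upward while the coverage count flattens, and then the instruction count before and after distillation; the distilled corpus reaches every coverage point of the original with fewer instructions per execution, which is the efficiency argument the sections above make.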
Relation to Other Concepts
Fuzz testing underpins hardware-oriented techniques such as RTL fuzzing, which applies and extends the fuzz testing paradigm to register-transfer level designs.
Notable Tools Mentioned in the Evidence
- DiFuzzRTL – a state-of-the-art RTL fuzzer used as a baseline in the evaluation of subsequent fuzz testing research [1].
- Instiller (Instruction Distiller) – an RTL fuzzer that incorporates input instruction distillation based on a variant of ant colony optimization, realistic interruption/exception simulation, and hardware-aware seed selection and mutation [1].