Skip to content
STIMSMITH

Fuzzing Execution Environment

Concept WIKI v2 · 6/6/2026

In MorFuzz, the fuzzing execution environment is the runtime context in which fuzzing payloads execute on the device under test. It is derived from the official RISC-V testing environment, configures the processor's architectural and system state, handles exceptions and interrupts at the highest privilege level, and exposes interfaces that allow the fuzzer to mutate system-level state such as page tables.

Overview

In MorFuzz, the fuzzing execution environment is the runtime context in which fuzzing payloads execute during processor fuzzing. MorFuzz extends the testing environment provided by the official RISC-V testing repository and uses it as the fuzzing execution environment.[C1]

Responsibilities

The fuzzing execution environment initializes the processor and configures the environment, including:

  • the available instruction extensions,
  • the address translation mode,
  • the page table configuration, and
  • the runtime privilege level.[C2]

During simulation, the fuzzing execution environment is placed in a non-morphable physical area and is responsible for handling exceptions and interrupts with the highest privilege level.[C3]

Exception handling and the fuzzing-payload boundary

When the device under test (DUT) triggers an exception while executing morphed instructions, the exception handler in the fuzzing execution environment attempts to handle the exception. Whether or not the exception is successfully handled, the handler redirects the DUT back to the fuzzing payload.[C4]

A unique system call is triggered when the DUT reaches the boundary of the fuzzing payload, notifying the fuzzer to collect the current coverage and fix the program counter. By evaluating the coverage, if the fuzzer is interested in the input, it controls the DUT to return to the fuzzing payload again; otherwise, the fuzzer terminates the simulation and generates a new stimulus template.[C5]

To avoid the DUT falling into dead loops, the fuzzer also monitors coverage. If the coverage does not increase for a period of time, the fuzzer raises an interrupt to stop the simulation.[C6] In this way the fuzzer can control the DUT to continuously execute diverse and meaningful instruction streams in a loop without additional initialization, significantly improving fuzzing performance.[C7]

System-environment fuzzing interfaces

In addition to managing the execution environment, the fuzzing execution environment also provides interfaces to fuzz the system environment. The MorFuzz implementation includes a series of page-table randomization functions that mutate page table entries and evict mapped pages.[C8]

Related entities

  • MorFuzz uses the fuzzing execution environment as part of its processor-fuzzing workflow.[C1]
  • The Stimulus Template is the testing program that runs inside the fuzzing execution environment and is regenerated by the fuzzer when coverage evaluation decides the current input is not interesting or when an exception cannot be recovered.[C5]

LINKED ENTITIES

2 links
MorFuzz USES
Stimulus Template PART_OF

CITATIONS

8 sources
8 citations
[1] MorFuzz extends the testing environment provided by the official RISC-V testing repository and uses it as the fuzzing execution environment. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing
[2] The fuzzing execution environment initializes the processor and configures the environment, such as the available instruction extensions, the address translation mode and page table, and the runtime privilege level. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing
[3] During the simulation, the fuzzing execution environment is placed in a non-morphable physical area and is responsible for handling exceptions and interrupts with the highest privilege level. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing
[4] When the DUT triggers an exception while executing the morphed instructions, the exception handler in the fuzzing execution environment will try to handle the exception. Whether or not the handler successfully handles the exception, the handler redirects the DUT back to the fuzzing payload. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing
[5] A unique system call is triggered when the DUT reaches the boundary of the fuzzing payload, notifying the fuzzer to collect the current coverage and fix the program counter; based on coverage evaluation, the fuzzer returns the DUT to the payload or terminates the simulation and generates a new stimulus template. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing
[6] To avoid the DUT from falling into dead loops, MorFuzz monitors the coverage; if the coverage does not increase for a period of time, the fuzzer raises an interrupt to stop the simulation. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing
[7] The fuzzer can control the DUT to continuously execute diverse and meaningful instruction streams in a loop without additional initialization, significantly improving the fuzzing performance. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing
[8] The fuzzing execution environment also provides interfaces to fuzz the system environment, e.g., a series of page-table randomization functions to mutate page table entries and evict mapped pages. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing

VERSION HISTORY

v2 · 6/6/2026 · minimax/minimax-m3 (current)
v1 · 5/27/2026 · gpt-5.5