Hardware Bug Detection

Scope of the evidence

In the provided evidence, hardware bug detection is demonstrated through MorFuzz, a generic RISC-V processor fuzzer published at USENIX Security 2023 (paper title: MorFuzz: Fuzzing Processor via Runtime Instruction Morphing). MorFuzz is described as a novel processor fuzzer that can detect software-triggerable hardware bugs efficiently. The authors release the source code at https://github.com/sycuricon/MorFuzz.

How MorFuzz approaches hardware bug detection

MorFuzz addresses three challenges faced by prior processor fuzzers:

1. Generating diverse, meaningful instruction streams. MorFuzz introduces a stimulus template input structure that explores the processor's input space from multiple dimensions, with primitives to mutate at the processor-state, instruction-field, and program-semantic levels.
2. Coverage-guided mutation despite format/semantic constraints. MorFuzz uses a runtime instruction morphing technique that collects contextual information from the device under test (DUT) at runtime and mutates instructions into valid formats with meaningful semantics. Because all mutations are executed, the coverage feedback correctly reflects the effect of the mutation, achieving efficient mutation guidance.
3. Reducing false positives from reference-model differences. MorFuzz extends a co-simulation framework to various microarchitectures and adds state synchronization support. The fuzzer identifies the source of differences between hardware and a software reference model and synchronizes the hardware state to the reference model to eliminate legal differences (since "software reference models are inherently different from hardware, and not all differences are bugs").

Background: RISC-V

RISC-V is described as an open-source reduced instruction set architecture that has become popular in industry and academia. It is composed of a base integer instruction set plus a set of optional extensions. Standard extensions reported in the paper include:

• M — integer multiplication and division
• A — atomic memory operations
• F/D — single/double-precision floating-point
• C — compressed instructions
• CSR extension — control and status register instructions that control the privileged architecture
• Instruction-fetch fence extension — synchronizes the instruction memory

The paper also shows RISC-V base instruction formats (R, I, S, B) and their field layouts (funct7, rs2, rs1, funct3, rd, opcode, with immediates varying by format).

Evaluated targets

The paper evaluates MorFuzz on three real-world open-source RISC-V processors that span from simple in-order to complex out-of-order designs. The Spike reference ISA simulator was also found to contain bugs (B18, B19):

• CVA6 — RV64GC, 6-stage in-order pipeline, ~24K lines of code
• Rocket — RV64GCHX, 5-stage in-order pipeline, ~99K lines of code
• BOOM — RV64GCX, 10-stage out-of-order pipeline, ~339K lines of code
• Spike — RISC-V reference ISA simulator (B18, B19 found here)

Observed effectiveness

MorFuzz discovered 17 new bugs and 2 already known bugs in total across the targets, with 13 CVE assignments for the newly discovered bugs. The authors reported all discovered bugs, helped developers fix 9 of them, and obtained 13 CVE assignments.

Discovered bug inventory

The paper's Table 2 lists 19 bugs found by MorFuzz. Each is described below by target.

Rocket (B1–B3)

• B1 — aes64ks1i with rcon field greater than 0xA is treated as valid, although the specification requires that rcon not be greater than 0xA. Rocket does not throw an illegal-instruction exception. CVE-2022-34632, CWE-327. New, confirmed, fixed.
• B2 — Error in condition of the rocc_illegal signal (the custom-extension illegal signal incorrectly uses vector-extension status, so a valid custom instruction may fail to execute). Issue #2980, CWE-1281. New, confirmed, fixed.
• B3 — vsstatus.xs is writable even though the specification says it is read-only. CVE-2022-34627, CWE-732. New, confirmed, fixed.

BOOM (B4–B7)

• B4 — Incorrect exception type when a PMA (Physical Memory Attribution) violation occurs. CVE-2022-34636, CWE-1202.
• B5 — Incorrect exception type when a PMP (Physical Memory Protection) violation occurs. CVE-2022-34641, CWE-1198.
• B6 — Floating-point instruction with invalid rm field (such as 5 or 6) does not raise an exception. Issue #458, CWE-391. (Known bug, confirmed.)
• B7 — Floating-point instruction with invalid frm does not raise an exception. Issue #492, CWE-391. (Known bug, confirmed.) Specifically, when frm is set to DYN or another invalid value, floating-point instructions whose rm field is DYN should raise an illegal-instruction exception, but BOOM executes them without the exception.

CVA6 (B8–B17)

• B8 — Crafted or incorrectly formatted sfence.vma instructions are executed. An illegal sfence.vma with a non-zero rd is treated as valid. CVE-2022-34633, CWE-1242. New, confirmed, fixed.
• B9 — Crafted or incorrectly formatted dret instructions are executed. dret with a non-zero rd (which should be zero by specification) is handled as if it were legal. CVE-2022-34634, CWE-1242. New, confirmed, fixed.
• B10 — Non-standard fence instructions (e.g., fence.i/fence with a non-zero rd) are treated as illegal, although implementations are expected to ignore rd for forward compatibility. CVE-2022-34639, CWE-1209. New, confirmed, fixed.
• B11 — The mstatus.sd field does not update immediately when mstatus.fs is set to dirty. CVE-2022-34635, CWE-1199. New, confirmed.
• B12 — The value of mtval/stval after ecall/ebreak is incorrect. CVE-2022-34640, CWE-755. New, confirmed.
• B13 — Incorrect exception type when a PMA violation occurs. CVE-2022-34636, CWE-1202. New, confirmed.
• B14 — Incorrect exception type when a PMP violation occurs. CVE-2022-34641, CWE-1198. New, confirmed, fixed.
• B15 — Incorrect exception type when accessing an illegal virtual address. CVE-2022-34637, CWE-754. New, confirmed.
• B16 — Improper physical PC truncate. Issue #901, CWE-222. New, confirmed.
• B17 — Incorrect lr (load-reserved) exception type. CVE-2022-37182, CWE-754. New, confirmed.

Spike (B18, B19)

• B18 — The component mcontrol.action contains the incorrect mask. CVE-2022-34642, CWE-787. New, confirmed, fixed.
• B19 — Incorrect exception priority when accessing memory. CVE-2022-34643, CWE-754. New, confirmed, fixed.

Bug categories

The paper distinguishes two high-level categories:

• Hardware functional module bugs — bugs concentrated in a specific hardware functional module (e.g., instruction decoder, CSR logic, FPU rm/frm handling, fence/sfence.vma handling).
• Complex logic bugs — bugs that are not concentrated in a specific module and require numerous instructions with specific semantics to prepare a buggy environment. The paper notes that MorFuzz monitors the internal runtime states of the DUT to dynamically morph instructions and randomize operands, "greatly enhancing the semantics" needed to trigger these bugs.

Specific bug patterns observed in the evidence:

• Instruction/decoder compliance bugs: acceptance of illegal encodings and rejection of valid encodings (B1, B8, B9, B10, B6, B7).
• CSR-state-related bugs: require first setting a CSR to a specific state and then triggering the faulty behavior with an instruction sequence (B2, B3, B7, B11).
• Exception-type bugs: raising the wrong exception class for a given fault (B4, B5, B13, B14, B15, B17, B19).

Efficiency and coverage

The paper presents Table 3, which compares the average time to reproduce bugs across MorFuzz, DifuzzRTL, riscv-dv, and riscv-torture. MorFuzz reproduces bug B7 significantly faster than riscv-torture and DifuzzRTL. The authors attribute additional coverage to binary-level mutations, which help trigger bugs that previous methods did not cover, such as B8.

Security impact

The authors explicitly state that MorFuzz does not target security-property violations directly. They observe that many of the discovered bugs would most directly support denial-of-service (DoS)-style exploitation. Examples given:

• B10 prevents correct execution of crafted instructions.
• B13 can make the kernel mishandle exceptions because of the wrong exception type.
• B18 can crash the system abruptly (Spike shutting down due to the incorrect mcontrol.action mask).

The paper also notes that the exact security impact of functional hardware bugs is often difficult to evaluate without real-world exploitation scenarios.