Overview
In the cited work, microarchitectural coverage is the coverage information a hardware fuzzer uses to explore processor microarchitectural behavior relevant to side-channel leakage-contract violations. The work presents it in the setting of coverage-guided hardware-software contract fuzzing, a pre-silicon methodology for open-source processors based on hardware-software leakage contracts. [C1]
Role in leakage-contract fuzzing
Hardware-software leakage contracts specify side-channel security guarantees for processors, but checking whether complex hardware complies with such contracts is described as difficult: formal verification offers strong guarantees but struggles to scale, while prevalent hardware fuzzing targets functional correctness bugs and is blind to information leaks such as Spectre-style leaks. [C2]
The cited approach addresses this gap by making information leakage observable as microarchitectural state divergence within a self-compositional framework. It then uses coverage guidance to steer exploration toward execution paths that may violate the leakage contract. [C3]
Security-oriented coverage metric
The core coverage metric described in the evidence is Self-Composition Deviation (SCD). SCD is characterized as a new, security-oriented coverage metric that guides the fuzzer toward execution paths that violate the leakage contract. [C4]
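The self-composition check described above, reduced to a toy Python model as an added example (not code from the cited work). The core model, the contract trace format, the secret values and the `deviation` score are all assumptions constructed for illustration; the score is a simplified stand-in and not the cited work's definition of SCD.

```python
"""Toy self-composition check against a leakage contract (constructed model)."""
PUBLIC = [1, 2, 3, 4]   # in-bounds array contents, identical in both runs
LINE = 64               # cache line size of the toy cache model

def run(idx, secret, speculate):
    """Execute `if idx < len(PUBLIC): load table[mem[idx] * LINE]` once.

    Returns (contract_trace, uarch_state). The contract trace is what the
    assumed contract permits to leak: branch outcomes and committed load
    addresses. The uarch state is the set of cache lines touched.
    """
    mem = PUBLIC + [secret]            # secret sits right after the array
    taken = idx < len(PUBLIC)
    trace, cache = [("branch", taken)], set()
    if taken or (speculate and idx < len(mem)):
        addr = mem[idx] * LINE
        cache.add(addr // LINE)        # line is filled even if squashed later
        if taken:
            trace.append(("load", addr))   # only committed loads are visible
    return trace, frozenset(cache)

def deviation(idx, secret_a, secret_b, speculate=True):
    """Self-composition: same public input, two different secrets.

    Returns None when the contract traces differ (the pair is not
    contract-equivalent, so nothing can be concluded); otherwise the
    number of cache lines on which the two executions disagree.
    """
    trace_a, uarch_a = run(idx, secret_a, speculate)
    trace_b, uarch_b = run(idx, secret_b, speculate)
    if trace_a != trace_b:
        return None
    return len(uarch_a ^ uarch_b)

def violating_inputs(indices, secret_a=7, secret_b=9, speculate=True):
    """Public inputs whose paired runs diverge microarchitecturally."""
    return [i for i in indices
            if (deviation(i, secret_a, secret_b, speculate) or 0) > 0]

if __name__ == "__main__":
    print(violating_inputs(range(6)))                   # speculating core
    print(violating_inputs(range(6), speculate=False))  # no transient loads
```

A fuzzer using this kind of signal would keep inputs with a non-zero score as interesting seeds; the model only flags the out-of-bounds index, where the two runs look identical to the contract but leave different cache lines behind.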
Evaluation context
The approach was implemented and evaluated on two open-source RISC-V cores: the in-order Rocket Core and the more complex out-of-order BOOM core. The reported results state that coverage-guided strategies outperform unguided fuzzing. [C5]
Reported effect of increased microarchitectural coverage
For the BOOM core, the evidence reports that increased microarchitectural coverage leads to faster discovery of security vulnerabilities. This positions microarchitectural coverage as a practical feedback signal for accelerating security bug discovery in coverage-guided pre-silicon fuzzing. [C6]