RISC-V
ConceptRISC-V is described in the provided sources as a free and open instruction-set architecture standard based on RISC design principles. The evidence positions RISC-V as a target for several distinct lines of research: randomized and tandem CPU verification with TestRIG and Direct Instruction Injection; push-button hardware verification with rtlv on RISC-V SoCs such as PicoRV32 and MicroTitan (an OpenTitan derivative); minimally invasive generation of instruction-set simulators from the LIBRISCV formal ISA model integrated with Spike and RISC-V VP; RISC-V hardware and architecture security research; and software-exploitation studies such as return-oriented programming on RISC-V.
First seen 5/25/2026
Last seen 6/9/2026
Evidence 176 chunks
Wiki v16
WIKI
Overview
RISC-V is described in the provided public sources as a free and open instruction-set architecture standard and as an open-source hardware ISA based on RISC design principles. The same sources frame RISC-V as important in embedded and IoT processors, security research, and software-exploitation analysis.
The current technical evidence positions RISC-V as a target for several distinct lines of research:
NEIGHBORHOOD
7 nodes · 8 edgesgraph · RISC-V · depth=1
RELATIONSHIPS
50 connectionsTestRIG is a framework designed to test RISC-V implementations.
RV32I is the base integer instruction set of RISC-V.
Piccolo is a simple 32-bit RISC-V implementation.
Toooba is a RISC-V 64-bit superscalar out-of-order processor.
RISC-V is a new instruction set architecture mentioned in the context of verification demands.
Ibex is a simple 32-bit RISC-V implementation.
Flute is a 5-stage in-order pipeline processor implementing RV64.
TGC is a RISC-V processor implementation
The Sail RISC-V formal model is a formal specification of the RISC-V ISA.
Toooba is a RISC-V out-of-order processor derived from RiscyOO.
VexRiscv is a RISC-V based RTL processor core.
Cross-level processor verification via endless randomized instruction stream generation with coverage-guided aging ← uses 100% 3e
The paper considers RISC-V as the target ISA for verification.
The Sail RISC-V model is a formal model of the RISC-V architecture.
The paper mentions RISC-V as a new ISA driving demand for agile verification.
RVBS is a reference RISC-V implementation.
Spike is a high-performance RISC-V emulator.
XiangShan is a RISC-V processor implementation targeted at the riscv64 ISA.
RISCV-DV generates test sequences for RISC-V processors.
CSRs are part of the RISC-V instruction set, enabling hardware/software interactions.
Rocket Core is an open-source RISC-V processor implementation.
The Rocket Core is described as an open-source RISC-V core.
CHERI is described as an experimental security extension to RISC-V.
Flute is a RISC-V microcontroller from Bluespec.
Sail provides a golden RISC-V model used as the reference in TestRIG.
RISCV-Ariane is an open-source implementation of the RISC-V architecture.
RVDFI is based on the RISC-V architecture
Dromajo is an RV64GC emulator implementing the RISC-V instruction set.
ProcessorFuzz is evaluated on RISC-V processor implementations
Towards Reliable and Secure RISC-V Systems: Survey of Testability and Security Mechanisms ← mentions 100% 2e
The paper surveys RISC-V testability and security mechanisms.
CHERI is a security extension to the RISC-V architecture.
The BOOM core is described as an open-source RISC-V core.
CHERI-RISC-V extends the RISC-V ISA with capability-based memory protection.
The RISC-V Virtual Prototype implements a RISC-V RV32IMA core.
The random instruction generator is designed for RISC-V processors.
RISC-V Torture Test Generator generates test cases for RISC-V processors.
The paper uses RISC-V as the ISA for the processor verification case study.
The paper evaluates synthesis of rewrite rules from WebAssembly to RISC-V.
BOOM Core is an out-of-order superscalar RISC-V processor implementation.
BlackParrot Core is an open-source 64-bit RISC-V processor.
riscv-vp is a RISC-V virtual prototype/ISS.
QEMU is a high-performance RISC-V emulator.
Piccolo is a RISC-V microcontroller from Bluespec.
rv64i is the 64-bit base integer instruction set of RISC-V
CVA6 is a RISC-V processor implementation in the TestRIG ecosystem.
Physical Memory Protection is a feature of the RISC-V privileged specification.
Page tables are part of the RISC-V privileged specification.
The thesis implements CHERI on RISC-V microarchitectures.
RiscyOO is a superscalar RISC-V core from MIT.
Sail CHERI-RISC-V models the CHERI-extended RISC-V ISA.
RISC-V specifies Physical Memory Protection (PMP) as a standard component.
LINKED ENTITIES
2 linksRandomized Testing of RISC-V CPUs using Direct Instruction Injection USES Extracted graph relationship
rtlv: push-button verification of software on hardware REFERENCES The push-button hardware verification section is a direct summary of this paper, including its key ideas (Rosette compilation, hint interface), deterministic-start motivating example, PicoRV32/MicroTan case studies, and bug-finding results.
CITATIONS
15 sources15 citations — click to expand
[1] The DII paper was published in IEEE Design & Test of Computers, volume 41, issue 1, pages 40-49, February 2024, by Joannou, Rugg, Woodruff, Fuchs, van der Maas, Naylor, Roe, Watson, Neumann, and Moore (DOI 10.1109/MDAT.2023.3262741). Randomized Testing of RISC-V CPUs Using Direct Instruction Injection
[2] rtlv is a push-button formal verification approach that compiles circuits to Rosette, a solver-aided programming language embedded in Racket, and provides a circuit-agnostic property checker with a performance-hint interface where the verifier is trusted and hints are untrusted. rtlv: push-button verification of software on hardware
[3] Verifying deterministic start for the PicoRV32 (a small RISC-V CPU with 1,300 flip-flops) over 104 cycles of boot code takes 1.3 seconds with rtlv, while SymbiYosys cannot finish within 12 hours; rtlv scales linearly while SymbiYosys scales exponentially. rtlv: push-button verification of software on hardware
[4] rtlv scales to a 4,300-flip-flop RISC-V SoC (MicroTitan, an OpenTitan derivative) using the Ibex CPU, 8KB ROM, 8KB RAM, and UART/SPI/USB peripherals, where verifying the state-clearing property requires modeling over 20,000 cycles of software on hardware. rtlv: push-button verification of software on hardware
[5] Formal verification with rtlv helped find and fix violations of the deterministic-start property in the baseline hardware. rtlv: push-button verification of software on hardware
[6] The LIBRISCV EDSL in Haskell consists of 26 primitives for formally describing instruction semantics, and focuses on user-level instruction semantics in isolation, without formally describing memory behavior, microarchitectural details, or instruction decoding. Minimally Invasive Generation of RISC-V
[7] The authors enhanced LIBRISCV with new primitives (decodeRD, decodeRS1, decodeImmI) so that instruction semantics can be expressed over the instruction opcode rather than over already-decoded components, enabling direct code generation. Minimally Invasive Generation of RISC-V
[8] A custom simulator-agnostic interface model provides a generic C/C++ API (read_register, write_register, load_byte, load_half, load_word) mapped per-simulator to internal interfaces; the Spike and RISC-V VP integration took less than a day for a programmer with domain knowledge. Minimally Invasive Generation of RISC-V
[9] Spike is a high-simulation-speed RISC-V simulator developed by UC Berkeley with limited SystemC/peripheral support; RISC-V VP is a SystemC-based virtual prototype providing full hardware platform models (e.g., SiFive HiFive1, SiFive HiFive Unleashed). Minimally Invasive Generation of RISC-V
[10] The LIBRISCV-generated ISS passes the official RISC-V tests, and Embench benchmarks (19 applications, 25 executions each) show that the generated ISS has either slightly lower or the same execution time as the manually written baseline. Minimally Invasive Generation of RISC-V
[11] Sail is an ISA-semantics DSL used to model RISC-V, ARM-v8, and CHERI-MIPS, generating code in C, OCaml, Coq, Isabelle, and HOL4; it aims for completeness (including address translation and decoding) which makes it complex to integrate into existing simulators. Minimally Invasive Generation of RISC-V
[12] RISC-V is described in the provided public sources as a free and open instruction-set architecture standard based on RISC design principles, important in embedded and IoT processors and a target for security research. A Survey on RISC-V Security: Hardware and Architecture
[13] RISC-V ROP can perform Turing-complete computation and arbitrary function calls using gadgets found in a version of the GNU libc library; the paper also describes a compiler that converts programs written in a Turing-complete language into RISC-V ROP chains using techniques such as self-modifying ROP chains and algorithmic ROP chain generation. Return-Oriented Programming in RISC-V
[14] TestRIG's single-implementation mode can detect processor lockups by requiring an RVFI report for every injected DII instruction within a timeout, and found lockups in Toooba caused by mis-decoding of illegal instructions and by a rare branch-prediction issue in the fetch stage. Randomized Testing of RISC-V CPUs Using Direct Instruction Injection
[15] Combining model-coverage transformations with QuickCheckVEngine's shrinking mechanism generates very short (single-digit instruction count) targeted architectural tests by introducing only a single difference at a time. Randomized Testing of RISC-V CPUs Using Direct Instruction Injection