Self-Composition Deviation (SCD)
Self-Composition Deviation (SCD) is a security-oriented coverage metric for hardware fuzzing. It was introduced as part of a methodology called coverage-guided hardware-software contract fuzzing, which targets violations of hardware-software leakage contracts in processor designs.[1]
Overview
Hardware-software leakage contracts are formal specifications intended to describe the side-channel security guarantees provided by modern processors. According to Geier, Hajipour, and Reineke, verifying that a complex hardware implementation complies with such a contract is difficult: formal verification can provide strong guarantees but may not scale well to industrial-sized designs, while conventional hardware fuzzing is typically aimed at functional correctness bugs and is not designed to expose information leaks such as Spectre-style vulnerabilities.[1]
SCD addresses this gap by steering the fuzzer toward executions that are more likely to reveal contract violations. The metric is built on self-composition: the design is run twice on inputs that the contract deems indistinguishable, and any difference in microarchitectural state between the two runs becomes an observable sign of leakage.[1]
Technical role
In the cited work, SCD is the core coverage signal used by a fuzzing campaign. Rather than measuring only conventional functional or structural coverage, SCD is described as a security-oriented coverage metric that guides the fuzzer toward execution paths that are likely to violate a leakage contract.[1]
The approach works within a self-composition methodology:
- Two executions of the design are compared that the leakage contract treats as indistinguishable, that is, they differ only in data the contract does not expose (such as secrets) and produce the same contract trace.
- The hardware design is observed for differences in microarchitectural state between the two runs (cache contents or predictor state, for example).
- Divergence between the self-composed executions is a difference the contract does not account for, and is therefore treated as evidence of possible information leakage. A divergence only counts as a violation when the two contract traces are equal; if the contract traces themselves differ, the contract already permits the observable difference.
- SCD quantifies this deviation, and the fuzzer uses it as feedback when choosing subsequent inputs.[1]
The key idea is that once information leakage is turned into observable microarchitectural divergence, ordinary coverage-guided feedback can steer the fuzzer toward the states and paths where leakage-contract violations are most likely to occur.
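The following is an added example, written for this article and not code from the cited paper or its authors. It models the self-composition check above on a toy processor: a public array, a secret region reachable by an out-of-bounds index, a probe table, a 2-bit branch predictor that lets a Spectre-v1 style gadget execute out-of-bounds loads transiently, and a cache whose set of filled lines stands in for microarchitectural state. The contract assumed is the "sequential" one (only addresses of committed loads are visible), the two secrets are constructed sample values, and the deviation measure (number of cache lines that differ between the two runs) is an illustrative stand-in for SCD rather than the paper's exact definition. The fuzzing loop keeps inputs that reach new cache lines or new deviating lines, so the security signal feeds back into input selection.

```python
# Added example (not code from the cited paper): a toy processor with a
# Spectre-v1 style gadget, self-composed under an assumed 'sequential' leakage
# contract. The contract exposes only the addresses of committed loads; the
# microarchitectural state is the set of filled cache lines; a 2-bit predictor
# decides whether an out-of-bounds load executes transiently. 'Deviation' is the
# number of cache lines differing between the two runs (a stand-in for SCD).
import random

LINE_SIZE = 4
MEM_SIZE = 64
ARR_BASE, ARR_LEN = 0, 4      # public array arr[0..3], cache line 0
SECRET_BASE = 4               # secret bytes 4..7, reached by an out-of-bounds idx
TABLE_BASE = 16               # probe table: value v is at 16 + 4*v, i.e. line 4+v


def line(addr):
    return addr // LINE_SIZE


def make_memory(secret):
    """Public bytes are identical in every run; only the secret bytes vary."""
    mem = [0] * MEM_SIZE
    mem[ARR_BASE:ARR_BASE + ARR_LEN] = [0, 1, 2, 3]
    mem[SECRET_BASE:SECRET_BASE + 4] = secret
    return mem


MEM_A = make_memory([4, 5, 6, 7])      # constructed secrets, probe lines 8..11
MEM_B = make_memory([8, 9, 10, 11])    # constructed secrets, probe lines 12..15


def execute(mem, program):
    """Run 'if idx < ARR_LEN: y = table[arr[idx]]' for each idx in program.

    Returns (contract_trace, cache). The sequential contract reveals only the
    addresses of committed loads; the cache also keeps transient fills.
    """
    counter = 0                 # 2-bit saturating predictor, >= 2 predicts in-bounds
    contract_trace, cache = [], set()
    for idx in program:
        predicted_in, actually_in = counter >= 2, idx < ARR_LEN
        counter = min(3, counter + 1) if actually_in else max(0, counter - 1)
        if actually_in or predicted_in:
            a1 = ARR_BASE + idx                    # arr[idx]; a secret byte if idx is OOB
            a2 = TABLE_BASE + LINE_SIZE * mem[a1]  # probe address depends on that byte
            cache.update({line(a1), line(a2)})     # fills persist even after a squash
            if actually_in:
                contract_trace += [a1, a2]         # committed loads only
    return contract_trace, frozenset(cache)


def self_compose(program):
    """Deviation between two runs that differ only in secret data.

    Nonzero with equal contract traces means the hardware distinguishes two
    executions the contract declares indistinguishable: a contract violation.
    """
    ct_a, hw_a = execute(MEM_A, program)
    ct_b, hw_b = execute(MEM_B, program)
    if ct_a != ct_b:
        return 0                # the contract already permits this difference
    return len(hw_a ^ hw_b)


def features(program):
    """Feedback for the fuzzer: plain cache coverage plus deviating lines."""
    ct_a, hw_a = execute(MEM_A, program)
    ct_b, hw_b = execute(MEM_B, program)
    feats = {("line", l) for l in hw_a}
    if ct_a == ct_b:
        feats |= {("dev", l) for l in hw_a ^ hw_b}
    return feats


def mutate(program, rng):
    child = list(program)
    if len(child) < 8 and rng.random() < 0.5:
        child.append(rng.randrange(2 * ARR_LEN))
    else:
        child[rng.randrange(len(child))] = rng.randrange(2 * ARR_LEN)
    return child


def fuzz(iterations, seed=0):
    """Keep inputs that reach new features; return (iteration, input) of the first violation."""
    rng = random.Random(seed)
    corpus = [[rng.randrange(2 * ARR_LEN)]]
    seen = features(corpus[0])
    first_violation = None
    for i in range(1, iterations + 1):
        child = mutate(rng.choice(corpus), rng)
        new = features(child) - seen
        if new:
            seen |= new
            corpus.append(child)
        if first_violation is None and self_compose(child) > 0:
            first_violation = (i, child)
    return first_violation


if __name__ == "__main__":
    print(self_compose([5]), self_compose([0, 1, 5]), fuzz(3000, seed=1))
```

Two points the model makes concrete: an out-of-bounds index on its own produces no deviation, because the untrained predictor never speculates past the bounds check, so a fuzzer that only looks for out-of-bounds inputs would report nothing; and the deviation is graded (each additional trained-then-out-of-bounds access leaks another secret byte and adds two differing lines), which is what makes it usable as feedback rather than a pass/fail oracle. The contract-trace equality check in self_compose is the caveat from the list above: a microarchitectural difference is only a violation when the contract says the runs should be indistinguishable.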
Application to processor fuzzing
SCD was evaluated in the context of pre-silicon fuzzing of open-source RISC-V processors. The reported evaluation used two cores:
- Rocket Core, an in-order RISC-V core.
- BOOM (Berkeley Out-of-Order Machine), a more complex out-of-order RISC-V core.[1]
The authors report that coverage-guided strategies outperformed unguided fuzzing and that increased microarchitectural coverage led to faster discovery of security vulnerabilities in the BOOM core.[1]
Significance
SCD is significant because it adapts the general idea of coverage-guided fuzzing to the specific problem of side-channel and leakage-contract violations. Traditional fuzzing is often effective at finding functional bugs, but the cited work argues that such approaches are “blind” to information leaks unless the fuzzing objective is modified.[1] SCD provides such a modification by using self-composed microarchitectural divergence as a fuzzing signal.
See also
- Hardware fuzzing
- Side-channel analysis
- Spectre vulnerabilities
- Hardware-software leakage contracts
- RISC-V
- BOOM processor
- Rocket Core
References
[1]: Gideon Geier, Pariya Hajipour, and Jan Reineke, “Coverage-Guided Pre-Silicon Fuzzing of Open-Source Processors based on Leakage Contracts,” arXiv:2511.08443 [cs.CR]. DOI: 10.48550/arXiv.2511.08443.