Self-Compositional Framework

Concept WIKI v1 · 5/24/2026

The **Self-Compositional Framework** is a methodology used in **coverage-guided hardware-software contract fuzzing** to make information leakage in processor designs directly observable as divergence in microarchitectural state. It was introduced in the context of pre-silicon fuzzing for open-source processors based on hardware-software leakage contracts.[1]

Overview

Hardware-software leakage contracts are formal specifications that describe the side-channel security guarantees expected from modern processors. Verifying that complex hardware designs comply with these contracts is difficult: formal verification can provide strong guarantees, but existing approaches may not scale well to industrial-sized designs. Meanwhile, common hardware fuzzing methods are generally aimed at functional correctness bugs and are not designed to detect information leaks such as Spectre-style vulnerabilities.[1]

The Self-Compositional Framework is used to bridge this gap. Instead of treating leakage as an implicit or external property, the framework makes leakage observable by comparing microarchitectural behavior across composed executions. In the cited work, this observability is expressed as microarchitectural state divergence, allowing a fuzzer to detect executions that may violate a leakage contract.[1]
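As an added illustration (not the paper's tooling), the following Python toy shows the self-composition idea concretely. Its assumptions: a two-instruction speculation window with an always-not-taken predictor, a seq-ct-style contract that exposes branch outcomes and committed load addresses, and a hardware trace of cache lines touched (squashed loads included). Two runs that agree on the contract trace but differ in one secret byte are compared; a difference in the hardware trace is the divergence signal.

```python
LINE = 16        # toy cache line size in bytes
SPEC_WINDOW = 2  # instructions the toy core issues past an unresolved branch

def run(program, regs, mem, speculate):
    """Tiny core, 'always not-taken' predictor. Instructions: ('ld', dst, addr_reg),
    ('bge', a, b, target). Returns (contract_trace, hardware_trace)."""
    contract, hardware, pc = [], [], 0   # contract: branch outcomes + committed load addrs
    while pc < len(program):             # hardware: cache lines touched, squashed loads too
        op = program[pc]
        if op[0] == 'ld':
            addr = regs[op[2]]
            regs[op[1]] = mem[addr]
            contract.append(('ld', addr))
            hardware.append(addr // LINE)
            pc += 1
        else:  # 'bge'
            taken = regs[op[1]] >= regs[op[2]]
            contract.append(('br', taken))
            if taken and speculate:
                # mispredicted: wrong-path loads still touch the cache before the squash
                spec = dict(regs)
                for w in program[pc + 1:pc + 1 + SPEC_WINDOW]:
                    if w[0] == 'ld':
                        a = spec[w[2]]
                        spec[w[1]] = mem[a]
                        hardware.append(a // LINE)
            pc = op[3] if taken else pc + 1
    return contract, hardware

def self_compose(program, run_a, run_b, speculate):
    """Self-composition check: runs with equal contract traces must have equal hardware
    traces. True = divergence (contract violation), False = no leak observed,
    None = the pair is not contract-equivalent, so it tells us nothing."""
    ca, ha = run(program, dict(run_a[0]), list(run_a[1]), speculate)
    cb, hb = run(program, dict(run_b[0]), list(run_b[1]), speculate)
    if ca != cb:
        return None
    return ha != hb

# Constructed gadget: bounds check, then a load whose address depends on the loaded value.
GADGET = [('bge', 'idx', 'size', 3),  # if idx >= size: skip both loads
          ('ld', 'v', 'idx'),         # v = mem[idx]  (out of bounds on the wrong path)
          ('ld', 'x', 'v')]           # x = mem[v]    (cache line depends on v)
PUBLIC = {'idx': 5, 'size': 4, 'v': 0, 'x': 0}  # identical public register state in both runs

def with_secret(secret):
    mem = [0] * 64   # constructed memory: only the secret byte differs between runs
    mem[5] = secret  # just past the 4-entry public array; 0 vs 32 map to different lines
    return PUBLIC, mem
```

With `speculate=True` the pair `with_secret(0)` / `with_secret(32)` yields equal contract traces but different cache-line traces, which is exactly the divergence a fuzzer built on this framework would flag; with `speculate=False` the traces agree.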

Role in Contract Fuzzing

In the proposed coverage-guided fuzzing methodology, the Self-Compositional Framework serves as the foundation for detecting contract violations. The approach uses it to transform information leakage into an observable signal during processor simulation or pre-silicon testing.[1]

This enables a fuzzer to search not only for functional bugs, but also for security-relevant behaviors where processor execution may reveal information that should be hidden under a specified leakage contract.[1]

Self-Composition Deviation

A central metric built on top of the framework is Self-Composition Deviation (SCD). SCD is described as a security-oriented coverage metric designed to guide fuzzing toward execution paths that violate leakage contracts.[1]

Unlike conventional hardware fuzzing coverage metrics, which are typically oriented toward functional behavior, SCD targets security-relevant divergence. In the cited work, the metric is used to steer fuzzing toward microarchitectural states and paths that are more likely to expose information leakage.[1]

Application to Processor Fuzzing

The framework was implemented and evaluated as part of a coverage-guided pre-silicon fuzzing system for open-source RISC-V processors. The evaluation included two processor cores:[1]

  • Rocket Core, an in-order RISC-V core.
  • BOOM, a more complex out-of-order RISC-V core.

The reported results indicate that coverage-guided strategies outperformed unguided fuzzing, and that increased microarchitectural coverage led to faster discovery of security vulnerabilities in the BOOM core.[1]

Significance

The Self-Compositional Framework is significant because it adapts fuzzing to a class of bugs that traditional hardware fuzzers are not designed to find: side-channel information leaks. By making contract violations observable as microarchitectural divergence, it provides a practical path for applying coverage-guided fuzzing to processor security analysis.[1]

References

[1]: Gideon Geier, Pariya Hajipour, and Jan Reineke, “Coverage-Guided Pre-Silicon Fuzzing of Open-Source Processors based on Leakage Contracts,” arXiv:2511.08443 [cs.CR], DOI: 10.48550/arXiv.2511.08443.