STIMSMITH

MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation

Paper

MorFuzz is a paper describing a generic RISC-V processor fuzzing framework for detecting software-triggerable hardware bugs. The approach combines stimulus templates, runtime instruction morphing, and synchronizable co-simulation to generate meaningful instruction streams, compare device-under-test and simulator architectural state after each instruction, synchronize legal differences, and report other mismatches as potential bugs.

First seen 5/27/2026
Last seen 6/6/2026
Evidence 11 chunks
Wiki v1

WIKI

Overview

MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation presents MorFuzz, a processor fuzzing framework aimed at efficiently detecting software-triggerable hardware bugs in RISC-V processors. The paper frames MorFuzz around three main mechanisms: stimulus templates, instruction morphing, and synchronizable co-simulation. Together, these mechanisms generate diverse instruction streams from runtime feedback, execute them on both the device under test (DUT) and a simulator, and compare architectural state after each instruction.

Motivation

RELATIONSHIPS

12 connections
Stimulus Template introduces → 100% 4e
The paper introduces the stimulus template as a novel input structure.
Runtime Instruction Morphing introduces → 100% 4e
The paper introduces the runtime instruction morphing technique.
Yiyuan Liu authored by → 100% 3e
Yiyuan Liu is listed as an author of the paper.
Sirui He authored by → 100% 3e
Sirui He is listed as an author of the paper.
Haoran Lin authored by → 100% 3e
Haoran Lin is listed as an author of the paper.
Yajin Zhou authored by → 100% 3e
Yajin Zhou is listed as corresponding author of the paper.
Cong Wang authored by → 100% 3e
Cong Wang is listed as an author of the paper.
MorFuzz introduces → 100% 3e
The paper introduces MorFuzz as its primary contribution.
Jinyan Xu authored by → 100% 3e
Jinyan Xu is listed as an author of the paper.
Instruction Morphing introduces → 100% 2e
The paper introduces the instruction morphing technique.
Synchronizable Co-simulation introduces → 100% 2e
The paper introduces synchronizable co-simulation to handle implementation differences.
Stimulus Template introduces → 100% 2e
The paper introduces the stimulus template as a new input structure.

CITATIONS

12 sources
All citations below point to the same source, the paper "MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation".
[2] MorFuzz is a processor fuzzing framework for detecting software-triggerable hardware bugs.
[3] Previous fuzzers can suffer from false positives caused by implementation differences between hardware and software reference models.
[4] MorFuzz uses stimulus templates, instruction morphing, and synchronizable co-simulation.
[5] Stimulus templates provide processor-state, instruction-field, and program-semantic mutation primitives.
[6] The stimulus template consists of a runtime-morphable fuzzing payload and a read-only fuzzing execution environment.
[7] Instruction morphing uses runtime processor context to mutate instructions with valid formats and meaningful semantics.
[8] MorFuzz compares DUT and simulator architectural state after each instruction and synchronizes legal differences.
[9] MorFuzz achieved 4.4× higher coverage than DifuzzRTL and 1.6× higher coverage than riscv-dv.
[10] MorFuzz was evaluated on CVA6, Rocket, and BOOM and discovered 17 new bugs with 13 CVEs assigned.
[11] MorFuzz source code was released at https://github.com/sycuricon/MorFuzz.
[12] Transient execution bugs caused by microarchitecture mistakes are out of scope.