Overview
The paper "MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation" presents MorFuzz, a processor fuzzing framework aimed at efficiently detecting software-triggerable hardware bugs in RISC-V processors. The paper frames MorFuzz around three main mechanisms: stimulus templates, instruction morphing, and synchronizable co-simulation. Together, these mechanisms generate diverse instruction streams from runtime feedback, execute them on both the device under test (DUT) and a simulator, and compare architectural state after each instruction.
Motivation
The paper identifies implementation differences between hardware and software reference models as a problem for previous processor fuzzers. Prior fuzzers commonly compare processor state against a reference model and treat mismatches as bugs, but the paper notes that software reference models are inherently different from hardware and that not every difference is a bug. These false positives can misguide fuzzers and keep them from reaching deeper processor states.
Architecture
MorFuzz’s core idea is to dynamically mutate instructions based on runtime feedback. Its architecture uses three techniques:
- Stimulus template: an input structure for generating meaningful instruction streams and exposing runtime mutation primitives.
- Instruction morphing: a runtime technique that mutates only instructions that are about to execute, using contextual information from the processor.
- Synchronizable co-simulation: a comparison and synchronization framework that runs the morphed instruction stream on both the DUT and simulator, identifies mismatches, synchronizes legal differences, and reports other differences as potential bugs.
The workflow described in the paper is:
- MorFuzz uses seeds to generate stimulus templates.
- It dynamically morphs the template using runtime information.
- It executes the morphed instruction stream simultaneously on the DUT and simulator.
- After each instruction, it compares architectural state between the two models.
- It synchronizes legal difference states to the simulator and reports other mismatches as potential bugs.
Stimulus template
Unlike fuzzers that directly generate instruction streams as stimuli, MorFuzz uses a stimulus template to generate diverse and meaningful instruction streams. The stimulus template provides runtime mutation primitives at multiple levels:
- processor state level,
- instruction field level,
- program semantic level.
The paper states that this design helps explore the processor input space comprehensively. The stimulus template also lets the fuzzer communicate with the DUT to manage test-case control flow, allowing it to skip duplicate instructions and focus on instruction sequences of interest.
The template consists of two parts:
- a runtime-morphable fuzzing payload, which contains the runtime mutation primitives;
- a read-only fuzzing execution environment, which acts as system firmware responsible for setup tasks such as initializing general-purpose registers and memory, configuring address translation mode, and switching to the target environment.
Runtime instruction morphing
MorFuzz proposes instruction morphing, which collects contextual runtime information from the processor and uses it to mutate instructions with valid formats and meaningful semantics. The paper emphasizes that instruction morphing mutates only instructions that are going to be executed. Because all mutations are executed, the resulting coverage reflects the effect of the mutations and supports more efficient mutation guidance.
Synchronizable co-simulation
MorFuzz extends co-simulation with state synchronization. During testing, it compares the architectural state of the DUT and simulator after each instruction, which allows it to locate the instruction that caused a mismatched state. MorFuzz then analyzes whether the difference is legal. If the difference is legal, it synchronizes the correct state from the DUT to the simulator to eliminate the mismatch; otherwise, the mismatch is reported as a potential bug.
The paper argues that this synchronizable co-simulation framework automatically mitigates implementation differences and enables the simulator to co-simulate synchronously with the DUT, helping the fuzzer cover deeper processor states.
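The lockstep compare-and-synchronize loop described above, as a toy added example written for this summary (not MorFuzz's own code): both "models" are the same tiny interpreter over three RISC-V-like instructions, and the implementation-defined CSR values, the injected DUT bug, and the rule for what counts as a legal difference are all constructed assumptions.

```python
# Assumed legality rule: a mismatch is legal only if it stems from reading
# one of these implementation-defined CSRs (the RISC-V spec leaves their
# values to the implementation) and only the destination register differs.
IMPL_DEFINED_CSRS = {"mvendorid", "marchid", "mimpid"}

def step(state, instr, buggy=False):
    """Execute one instruction on a copy of state and return the new state."""
    regs, csrs = dict(state["regs"]), dict(state["csrs"])
    op = instr[0]
    if op == "csrr":          # csrr rd, csr
        regs[instr[1]] = csrs[instr[2]]
    elif op == "addi":        # addi rd, rs1, imm
        regs[instr[1]] = (regs[instr[2]] + instr[3]) & 0xFFFFFFFF
    elif op == "xor":         # xor rd, rs1, rs2
        a, b = regs[instr[2]], regs[instr[3]]
        regs[instr[1]] = (a | b) if buggy else (a ^ b)  # constructed DUT bug
    return {"regs": regs, "csrs": csrs}

def diff(dut, sim):
    """Architectural-state mismatch after one instruction: reg -> (dut, sim)."""
    return {k: (dut["regs"][k], sim["regs"][k])
            for k in dut["regs"] if dut["regs"][k] != sim["regs"][k]}

def cosimulate(stream, dut_init, sim_init, dut_buggy=False, sync=True):
    """Lockstep run: compare after every instruction, sync legal differences
    into the simulator, report the rest. Returns (index, instr, diffs, legal)."""
    dut, sim, findings = dut_init, sim_init, []
    for i, instr in enumerate(stream):
        dut, sim = step(dut, instr, dut_buggy), step(sim, instr)
        d = diff(dut, sim)
        if not d:
            continue
        legal = (instr[0] == "csrr" and instr[2] in IMPL_DEFINED_CSRS
                 and set(d) == {instr[1]})
        findings.append((i, instr, d, legal))
        if legal and sync:
            # Adopt the DUT's value so a legal difference cannot cascade
            # into false positives on later instructions.
            sim["regs"][instr[1]] = dut["regs"][instr[1]]
    return findings

def make_state(mvendorid):
    return {"regs": {f"x{i}": 0 for i in range(4)},
            "csrs": {"mvendorid": mvendorid, "marchid": 0, "mimpid": 0}}

# Constructed stream: a legal CSR difference followed by dependent arithmetic.
STREAM = [("csrr", "x1", "mvendorid"),
          ("addi", "x2", "x1", 5),
          ("xor", "x3", "x2", "x1")]
```

Running with `sync=False` shows the cascade the paper warns about: the legal CSR difference propagates through `addi` and `xor` and every later instruction is flagged, whereas with synchronization only the injected `xor` bug is reported.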
Evaluation and availability
The paper reports that MorFuzz achieved 4.4× higher coverage than DifuzzRTL and 1.6× higher coverage than riscv-dv. It also describes MorFuzz as a generic RISC-V processor fuzzer compatible with various microarchitectures, evaluated on CVA6, Rocket, and BOOM. In that evaluation, MorFuzz discovered 17 new bugs, with 13 CVEs assigned. The paper also states that the MorFuzz source code was released at https://github.com/sycuricon/MorFuzz.
Scope
The paper states that transient execution bugs caused by microarchitecture mistakes are out of scope.