Hardware-based Seed Selection

Technique WIKI v1 · 5/24/2026

**Hardware-based seed selection** is a technique referenced in the context of RTL fuzzing, where fuzzing inputs (“seeds”) are selected using hardware-oriented criteria to improve the effectiveness of testing hardware designs such as CPU cores. It is described as one of the performance-improving components of **INSTILLER**, an RTL fuzzer proposed for detecting hardware bugs before deployment.[1]

Background

Hardware bugs differ from software bugs in that they must typically be detected before hardware is deployed, because post-deployment correction can be difficult or impossible in fabricated systems.[1] RTL fuzzing addresses this problem by generating and executing test inputs against register-transfer-level hardware designs, such as CPU cores, to expose mismatches or abnormal behavior.[1]

Prior CPU fuzzing approaches are described as having disadvantages, including growth in the length of RTL input instruction sequences; longer inputs can become ineffective for fuzzing.[1]

Role in INSTILLER

Hardware-based seed selection is introduced as part of INSTILLER (“Instruction Distiller”), an RTL fuzzer based on ant colony optimization.[1] INSTILLER combines several techniques:

  • A variant of ant colony optimization, called VACO, to distill input instructions and keep instruction sequences short.[1]
  • Support for inserting interruptions and exceptions to better simulate realistic CPU behavior during fuzzing.[1]
  • Hardware-based seed selection and mutation strategies to further improve fuzzing performance.[1]

The available evidence identifies hardware-based seed selection as a fuzzing-performance optimization, but does not provide implementation-level details about the exact hardware signals, metrics, or scoring functions used to rank or select seeds.[1]

Relationship to Mutation

In INSTILLER, hardware-based seed selection is paired with hardware-based mutation strategies.[1] In fuzzing terminology, seed selection determines which existing test inputs should be prioritized for further exploration, while mutation modifies selected inputs to create new test cases. The cited INSTILLER abstract states that both selection and mutation are hardware-based, but does not separately quantify their individual contributions.[1]

Reported Impact in RTL Fuzzing

INSTILLER was evaluated against state-of-the-art fuzzing work on real-world target CPU cores.[1] As a complete system, it achieved:

  • 29.4% more coverage than DiFuzzRTL.[1]
  • 17.0% more detected mismatches than the compared baseline.[1]
  • 79.3% shorter input instruction sequences than DiFuzzRTL when using the VACO distillation algorithm.[1]
  • 6.7% average execution-speed increase attributed to instruction distillation.[1]

These results are reported for INSTILLER as an integrated RTL-fuzzing system; the cited evidence does not isolate the numerical effect of hardware-based seed selection alone.[1]

Technical Significance

Hardware-based seed selection is significant because it reflects a shift from generic fuzzing heuristics toward fuzzing decisions informed by hardware-specific behavior.[1] In RTL fuzzing, this is intended to improve exploration of CPU-core behavior and increase the chance of exposing mismatches before hardware deployment.[1]

References

  • [1] Gen Zhang et al., “INSTILLER: Towards Efficient and Realistic RTL Fuzzing,” arXiv:2401.15967, DOI: 10.48550/arXiv.2401.15967.