Overview
Runtime Instruction Morphing is the instruction-generation technique proposed by MorFuzz for processor fuzzing. Rather than relying only on statically generated tests, MorFuzz collects contextual information from the processor at runtime and uses it to mutate instructions dynamically. The stated goal is to produce instructions with valid formats and meaningful semantics, so that generated mutations are actually executed and coverage reflects the effect of those mutations.[1]
Role in MorFuzz
MorFuzz uses runtime instruction morphing to dynamically generate diverse and meaningful instruction streams based on runtime information. The technique works together with MorFuzz's stimulus template, an input structure that provides primitives for mutating inputs across processor state, instruction-field, and program-semantic levels.[2]
Because the mutated instructions are executed, MorFuzz reports that the resulting coverage can correctly reflect the effects of the mutations, supporting mutation guidance during fuzzing.[1]
Morphing behavior
The morpher uses runtime context to guide subsequent instruction generation. One documented mechanism is a sliding window that records the destination register field rd of instructions that are still executing in the pipeline. The morpher can reuse registers from this window as rs and rd fields in later template instructions, thereby generating pipeline-hazard patterns such as read-after-write and write-after-write.[3]
Runtime instruction morphing is not restricted to exploring the legal instruction space. MorFuzz's morpher still attempts illegal cases with a small probability, because the input space outside the specification can expose bugs such as illegal-opcode and illegal-operand bugs.[4]
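The following sketch illustrates the two morphing mechanisms described above (the sliding window of in-flight destination registers used to build read-after-write and write-after-write patterns, and the small-probability illegal case). It is an added example, not MorFuzz's own code. It assumes, beyond what the page states, that the pipeline context is modelled as a fixed-size window of the last four destination registers, that template instructions are RV32I R-type operations encoded by hand, and that the illegal case is the all-zero instruction word, which the RISC-V base ISA defines as illegal.

```python
"""Constructed sketch of a runtime instruction morpher (not MorFuzz's code).

Assumed, not stated on the page: pipeline context = window of the last
WINDOW_SIZE destination registers; templates are RV32I R-type instructions;
the out-of-spec case is the all-zero word.
"""
import random
from collections import deque

WINDOW_SIZE = 4
OPCODE_RTYPE = 0b0110011
# The RISC-V base ISA defines the all-zero 32-bit word as an illegal instruction.
ILLEGAL_WORD = 0x00000000

# mnemonic -> (funct7, funct3) for a few RV32I R-type operations
R_TYPE = {
    "add": (0b0000000, 0b000),
    "sub": (0b0100000, 0b000),
    "xor": (0b0000000, 0b100),
    "or":  (0b0000000, 0b110),
    "and": (0b0000000, 0b111),
}


def encode_rtype(mnemonic, rd, rs1, rs2):
    """Pack funct7 | rs2 | rs1 | funct3 | rd | opcode into a 32-bit word."""
    funct7, funct3 = R_TYPE[mnemonic]
    return ((funct7 << 25) | (rs2 << 20) | (rs1 << 15)
            | (funct3 << 12) | (rd << 7) | OPCODE_RTYPE)


def decode_fields(word):
    """Unpack the R-type fields of a word (used to inspect morphed output)."""
    return {"opcode": word & 0x7F, "rd": (word >> 7) & 0x1F,
            "funct3": (word >> 12) & 0x7, "rs1": (word >> 15) & 0x1F,
            "rs2": (word >> 20) & 0x1F, "funct7": (word >> 25) & 0x7F}


class Morpher:
    """Fills the operand fields of template instructions from runtime context."""

    def __init__(self, seed=0, illegal_prob=0.02):
        self.rng = random.Random(seed)
        self.illegal_prob = illegal_prob
        # rd of instructions assumed to still be executing in the pipeline
        self.window = deque(maxlen=WINDOW_SIZE)

    def _pick_reg(self):
        # x0 is hardwired to zero, so writing it creates no hazard; skip it
        return self.rng.randrange(1, 32)

    def morph(self, mnemonic):
        """Morph one template instruction; returns a record of the choice made."""
        if self.rng.random() < self.illegal_prob:
            # small-probability out-of-spec case; it does not enter the window
            return {"word": ILLEGAL_WORD, "kind": "illegal",
                    "rd": None, "rs1": None, "rs2": None}
        rd, rs1, rs2 = self._pick_reg(), self._pick_reg(), self._pick_reg()
        kind = "none"
        if self.window:
            in_flight = self.rng.choice(list(self.window))
            kind = self.rng.choice(["raw", "waw"])
            if kind == "raw":
                rs1 = in_flight   # read a register whose write is still in flight
            else:
                rd = in_flight    # write a register whose write is still in flight
        self.window.append(rd)
        return {"word": encode_rtype(mnemonic, rd, rs1, rs2),
                "kind": kind, "rd": rd, "rs1": rs1, "rs2": rs2}

    def morph_stream(self, template):
        return [self.morph(m) for m in template]


def count_consistent(records):
    """Replay the window and count records whose hazard label matches the
    registers that were actually in flight when they were generated."""
    window = deque(maxlen=WINDOW_SIZE)
    consistent = 0
    for rec in records:
        if rec["kind"] == "illegal":
            continue
        if rec["kind"] == "raw" and rec["rs1"] in window:
            consistent += 1
        elif rec["kind"] == "waw" and rec["rd"] in window:
            consistent += 1
        elif rec["kind"] == "none" and not window:
            consistent += 1
        window.append(rec["rd"])
    return consistent


if __name__ == "__main__":
    for rec in Morpher(seed=7).morph_stream(["add", "sub", "xor", "or", "and"] * 2):
        print(f"{rec['word']:08x} {rec['kind']}")
```

The window is updated from the morpher's own output here; in a real setup the context comes from the processor, which is the point of doing the morphing at runtime rather than statically.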
Execution model
With the stimulus template, MorFuzz morphs template instructions on the fly to produce diverse and meaningful instruction streams. The fuzzing setup allows the device under test to continuously execute these streams in a loop without additional initialization, which the paper states significantly improves fuzzing performance.[5]
Relationship to co-simulation
Runtime instruction morphing is part of MorFuzz's broader fuzzing workflow, while correctness checking is handled through synchronizable co-simulation. MorFuzz applies online co-simulation using an ISA simulator running in parallel with the device under test; both execute the same inputs, and their states are compared after instruction execution.[6]
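To make the lockstep comparison concrete, the following added example (not MorFuzz's code, and not a description of any real processor) runs a reference ISA model and a "device under test" on the same instruction stream and reports the first instruction after which their register state differs. It assumes symbolic RV32I R-type instructions as (mnemonic, rd, rs1, rs2) tuples and preloaded register values; the DUT model is the reference model plus a deliberately constructed forwarding defect, so that a read-after-write pattern of the kind the morpher generates has something to expose.

```python
"""Constructed lockstep co-simulation check (not MorFuzz's code).

Assumed, not stated on the page: instructions are symbolic RV32I R-type
tuples (mnemonic, rd, rs1, rs2); registers are preloaded from a dict; the
DUT's defect below is invented for illustration only.
"""
MASK32 = 0xFFFFFFFF
OPS = {
    "add": lambda a, b: (a + b) & MASK32,
    "sub": lambda a, b: (a - b) & MASK32,
    "xor": lambda a, b: a ^ b,
    "or":  lambda a, b: a | b,
    "and": lambda a, b: a & b,
}


class RefModel:
    """Architectural model: every read observes the most recent write."""

    def __init__(self, init=None):
        self.regs = [0] * 32
        for reg, val in (init or {}).items():
            self.regs[reg] = val & MASK32

    def step(self, insn):
        op, rd, rs1, rs2 = insn
        val = OPS[op](self.regs[rs1], self.regs[rs2])
        if rd != 0:            # x0 is hardwired to zero
            self.regs[rd] = val

    def state(self):
        return tuple(self.regs)


class BuggyDut(RefModel):
    """Same semantics plus a constructed defect: when rs2 names the register
    written by the immediately preceding instruction, the stale pre-write
    value is read (a missing forwarding path). Illustrative only."""

    def __init__(self, init=None):
        super().__init__(init)
        self.last_rd = None
        self.stale = None  # value last_rd held before the previous write

    def step(self, insn):
        op, rd, rs1, rs2 = insn
        a = self.regs[rs1]
        b = self.regs[rs2]
        if rs2 == self.last_rd and rs2 != 0:
            b = self.stale
        val = OPS[op](a, b)
        self.stale = self.regs[rd]
        self.last_rd = rd
        if rd != 0:
            self.regs[rd] = val


def cosimulate(program, ref, dut):
    """Execute program in lockstep on both models, comparing state after every
    instruction. Returns None if they agree throughout, else a dict naming the
    first diverging instruction and the registers that differ (ref, dut)."""
    for i, insn in enumerate(program):
        ref.step(insn)
        dut.step(insn)
        r, d = ref.state(), dut.state()
        if r != d:
            mismatch = {x: (r[x], d[x]) for x in range(32) if r[x] != d[x]}
            return {"index": i, "insn": insn, "mismatch": mismatch}
    return None


# Constructed inputs: preloaded registers and two short streams.
INIT = {1: 5, 2: 7}
HAZARD_PROGRAM = [
    ("add", 3, 1, 2),  # x3 = 12
    ("xor", 4, 1, 2),  # x4 = 2
    ("sub", 5, 3, 4),  # x5 = 12 - 2 = 10; reads x4 written just before (RAW)
    ("and", 6, 5, 3),  # x6 = 10 & 12 = 8
]
SAFE_PROGRAM = [
    ("add", 3, 1, 2),  # no back-to-back dependency on rs2 anywhere
    ("xor", 4, 1, 2),
    ("or", 5, 1, 2),
]

if __name__ == "__main__":
    print(cosimulate(HAZARD_PROGRAM, RefModel(INIT), BuggyDut(INIT)))
    print(cosimulate(SAFE_PROGRAM, RefModel(INIT), BuggyDut(INIT)))
```

The hazard-free stream passes, while the stream containing a read-after-write pattern stops at the third instruction with x5 differing; comparing state after each instruction, rather than only at the end, is what localizes the divergence to that instruction.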
Reported context
The MorFuzz paper reports that MorFuzz achieved higher coverage than DifuzzRTL and riscv-dv and was evaluated on CVA6, Rocket, and BOOM, discovering 17 new bugs with 13 CVEs assigned.[7]
[1]: MorFuzz proposes an instruction morphing technique that collects contextual information from the processor at runtime to mutate instructions with valid formats and meaningful semantics.
[2]: MorFuzz's stimulus template provides primitives to mutate inputs at processor-state, instruction-field, and program-semantic levels.
[3]: The morpher records destination registers of in-flight instructions and uses them to create read-after-write and write-after-write hazards.
[4]: The morpher still tries illegal cases with small probability because out-of-specification input space can be a source of bugs.
[5]: MorFuzz morphs template instructions on the fly into diverse and meaningful instruction streams.
[6]: MorFuzz uses online co-simulation with an ISA simulator and the device under test executing the same inputs.
[7]: The MorFuzz paper reports coverage improvements and bug discoveries on real-world RISC-V processors.