STIMSMITH

MorFuzz

Tool

MorFuzz is a processor-fuzzing tool described in the USENIX Security 2023 paper "MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation." The available evidence characterizes it by binary-level field-aware mutation, runtime state monitoring, dynamic instruction morphing, operand randomization, and bug discovery across RISC-V processor implementations and Spike.

First seen 5/27/2026
Last seen 6/6/2026
Evidence 38 chunks
Wiki v1

WIKI

Overview

MorFuzz is a processor-fuzzing tool described by the paper MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation. The paper situates processor fuzzing as a dynamic verification approach in which fuzzers generate instruction streams, mutate them based on coverage from prior runs, simulate the hardware, collect coverage, and verify architectural state against expected behavior. [1]

MorFuzz's distinguishing mechanisms in the provided evidence are its binary-level field-aware mutation and its use of runtime DUT state to dynamically morph instructions and randomize operands. These mechanisms are presented as ways to explore corner-case instruction formats and to construct complex execution environments that earlier methods may miss. [2] [3]



RELATIONSHIPS

50 connections
DiFuzzRTL compares with → 100% 6e
MorFuzz is compared against DiFuzzRTL in terms of coverage and performance.
Testing Block uses → 100% 6e
MorFuzz generates different testing blocks to cover various hardware functional modules of the processor.
riscv-dv compares with → 100% 5e
MorFuzz is compared against riscv-dv in terms of coverage and performance.
State Synchronization uses → 100% 4e
MorFuzz uses state synchronization to eliminate legal differences between DUT and simulator.
Morpher uses → 100% 4e
MorFuzz inserts a morpher into the DUT to perform runtime instruction morphing.
Processor Fuzzing implements → 100% 4e
MorFuzz implements processor fuzzing to discover hardware bugs.
Instruction Stream Generation implements → 100% 4e
MorFuzz uses runtime information to generate diverse and meaningful instruction streams.
CVA6 evaluates → 100% 4e
MorFuzz is evaluated on the CVA6 RISC-V processor and discovers bugs in it.
Fuzzing Execution Environment uses → 100% 4e
MorFuzz integrates a fuzzing execution environment into the stimulus template.
Runtime Instruction Morphing implements → 100% 4e
MorFuzz implements runtime instruction morphing as a core technique.
BOOM evaluates → 100% 4e
MorFuzz is evaluated on the BOOM RISC-V processor and discovers bugs in it.
Rocket evaluates → 100% 4e
MorFuzz is evaluated on the Rocket RISC-V processor and discovers bugs in it.
Stimulus Template uses → 100% 4e
MorFuzz uses stimulus templates as a novel input structure.
Synchronizable Co-simulation implements → 100% 4e
MorFuzz implements synchronizable co-simulation for state verification.
TheHuzz compares with → 85% 3e
MorFuzz is compared against TheHuzz as a prior processor fuzzer.
Watchpoint Instruction uses → 100% 3e
MorFuzz uses watchpoint instructions inserted at specific locations to enhance observability of the DUT's internal state.
The paper introduces MorFuzz as its primary contribution.
spike uses → 100% 3e
MorFuzz uses the spike ISA simulator as the reference model for co-simulation.
Control Register Coverage uses → 100% 3e
MorFuzz uses control register coverage as its hardware coverage matrix.
riscv-torture compares with → 90% 3e
MorFuzz is compared against riscv-torture in terms of bug reproduction time.
State Coverage evaluates → 100% 2e
MorFuzz is evaluated in terms of state coverage achieved.
Design Under Test uses → 95% 2e
MorFuzz fuzzes a design under test (DUT), comparing its state to a reference model.
simulation-based verification uses → 90% 2e
MorFuzz uses simulation-based verification as its verification approach.
formal verification mentions → 90% 2e
The MorFuzz paper mentions formal verification as an alternative approach with limitations.
Implementation Differences mentions → 100% 2e
MorFuzz addresses the challenge of implementation differences between the hardware DUT and software reference models.
Instruction Morphing uses → 100% 2e
MorFuzz uses the instruction morphing technique to dynamically mutate instructions.
Stimulus Template uses → 100% 2e
MorFuzz introduces a stimulus template structure to provide multi-level runtime mutation primitives.
Synchronizable Co-simulation uses → 100% 2e
MorFuzz extends the co-simulation framework with the synchronizable co-simulation technique.
State Synchronization uses → 100% 2e
MorFuzz uses state synchronization to eliminate implementation differences between the DUT and the reference model.
Runtime Instruction Morphing uses → 100% 2e
MorFuzz uses runtime instruction morphing to dynamically generate diverse instruction streams.
Field Level Mutation uses → 100% 2e
MorFuzz uses field level mutation as part of its instruction morphing process.
Semantic Level Mutation uses → 100% 2e
MorFuzz uses semantic level mutation to generate meaningful operands.
Golden Reference Model uses → 100% 2e
MorFuzz uses an ISA simulator as the golden reference model for co-simulation.
Hardware fuzzing uses → 90% 2e
MorFuzz applies hardware fuzzing techniques to discover processor bugs.
Coverage-guided Fuzzing implements → 95% 2e
MorFuzz is a coverage-guided processor fuzzer.
ISA Simulation uses → 100% 2e
MorFuzz uses an ISA simulator (Spike) as the reference model for co-simulation.
RISC-V Instruction Set Architecture uses → 100% 2e
MorFuzz targets the RISC-V ISA and is implemented on the RISC-V architecture.
Processor State Coverage uses → 95% 2e
MorFuzz achieves higher state coverage than competing tools.
Co-simulation State Verification implements → 100% 2e
MorFuzz implements co-simulation state verification to detect mismatches.
Instruction Field Level Mutation uses → 95% 2e
MorFuzz performs field level mutation on instructions via the morpher.
Program Semantic Level Mutation uses → 95% 2e
MorFuzz provides program semantic level mutation primitives in the stimulus template.
Morpher Hardware Logic Block uses → 100% 2e
MorFuzz inserts a morpher logic block into the DUT to perform instruction morphing.
Random Number Generator uses → 100% 2e
MorFuzz uses a random number generator mounted in the test harness.
Synopsys VCS uses → 100% 2e
MorFuzz compiles hardware modules into a host executable binary through the Synopsys VCS RTL simulator.
FIRRTL uses → 100% 2e
MorFuzz uses a FIRRTL pass to instrument all control registers for coverage.
Execution Environment Packaging uses → 100% 2e
MorFuzz packages a fuzzing execution environment for processor testing.
Pipeline Hazard Generation uses → 90% 2e
MorFuzz generates pipeline hazards using a sliding window of destination registers.
False Positive Mitigation uses → 100% 2e
MorFuzz mitigates false positives from implementation differences between DUT and ISA simulator.
CVA6 evaluates → 100% 2e
MorFuzz was evaluated on the CVA6 processor.
Rocket evaluates → 100% 2e
MorFuzz was evaluated on the Rocket processor.

LINKED ENTITIES

34 links
FIRRTL USES Extracted graph relationship
MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation INTRODUCES Extracted graph relationship
Runtime Instruction Morphing IMPLEMENTS Extracted graph relationship
Synchronizable Co-simulation IMPLEMENTS Extracted graph relationship
Stimulus Template USES Extracted graph relationship
Coverage-guided Fuzzing IMPLEMENTS Extracted graph relationship
Processor Fuzzing IMPLEMENTS Extracted graph relationship
RTL Simulation USES Extracted graph relationship
ISA Simulation USES Extracted graph relationship
RISC-V Instruction Set Architecture USES Extracted graph relationship
Instruction Stream Generation IMPLEMENTS Extracted graph relationship
Processor State Coverage USES Extracted graph relationship
Co-simulation State Verification IMPLEMENTS Extracted graph relationship
Instruction Field Level Mutation USES Extracted graph relationship
Program Semantic Level Mutation USES Extracted graph relationship
Instruction Shuffle USES Extracted graph relationship
Control Register Coverage USES Extracted graph relationship
State Synchronization USES Extracted graph relationship
Morpher Hardware Logic Block USES Extracted graph relationship
Fuzzing Execution Environment USES Extracted graph relationship
Random Number Generator USES Extracted graph relationship
Testing Block USES Extracted graph relationship
Pipeline Hazard Generation USES Extracted graph relationship
Watchpoint Instruction USES Extracted graph relationship
spike USES Extracted graph relationship
Synopsys VCS USES Extracted graph relationship
CVA6 EVALUATES Extracted graph relationship
Rocket EVALUATES Extracted graph relationship
BOOM EVALUATES Extracted graph relationship
DiFuzzRTL COMPARES_WITH Extracted graph relationship
riscv-dv COMPARES_WITH Extracted graph relationship
riscv-torture COMPARES_WITH Extracted graph relationship
TheHuzz COMPARES_WITH Extracted graph relationship
Hardware fuzzing USES Extracted graph relationship

CITATIONS

13 sources
[3] Processor verification and simulation-based verification context MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation