SOURCE ARCHIVE
EXTRACTED CONTENT
2,062 chars[Submitted on 11 Nov 2025 (
), last revised 16 Nov 2025 (this version, v2)]
Title:Coverage-Guided Pre-Silicon Fuzzing of Open-Source Processors based on Leakage Contracts
View a PDF of the paper titled Coverage-Guided Pre-Silicon Fuzzing of Open-Source Processors based on Leakage Contracts, by Gideon Geier and 2 other authors
Abstract:Hardware-software leakage contracts have emerged as a formalism for specifying side-channel security guarantees of modern processors, yet verifying that a complex hardware design complies with its contract remains a major challenge. While verification provides strong guarantees, current verification approaches struggle to scale to industrial-sized designs. Conversely, prevalent hardware fuzzing approaches are designed to find functional correctness bugs, but are blind to information leaks like Spectre.
To bridge this gap, we introduce a novel and scalable approach: coverage-guided hardware-software contract fuzzing. Our methodology leverages a self-compositional framework to make information leakage directly observable as microarchitectural state divergence. The core of our contribution is a new, security-oriented coverage metric, Self-Composition Deviation (SCD), which guides the fuzzer to explore execution paths that violate the leakage contract. We implemented this approach and performed an extensive evaluation on two open-source RISC-V cores: the in-order Rocket Core and the complex out-of-order BOOM core. Our results demonstrate that coverage-guided strategies outperform unguided fuzzing and that increased microarchitectural coverage leads to a faster discovery of security vulnerabilities in the BOOM core.
Submission history
From: Jan Reineke [
]
Tue, 11 Nov 2025 16:46:35 UTC (188 KB)
[v2]
Sun, 16 Nov 2025 16:40:10 UTC (188 KB)