Intelligent Graybox Fuzzing via ATPG-Guided Seed Generation and Submodule Analysis
Raghul Saravanan, Sudipta Paria, Aritra Dasgupta, Swarup Bhunia, Sai Manoj P D
TL;DR
PROFUZZ addresses the challenge of efficiently fuzzing modern hardware by combining Directed Gray-box Fuzzing with ATPG-guided seed generation to target specific design regions. It operates at native hardware abstractions, preserving semantics and enabling precise activation patterns via ATPG, including conflict-aware merging to maximize mutation potential. The framework demonstrates substantial scalability and throughput gains over prior approaches, achieving up to a 30x increase in target-site coverage and a 2.76x speedup, with an average coverage improvement of $11.66\%$. Integrated into mainstream EDA tool flows, PROFUZZ enables practical, cross-module verification and scalable fuzzing for complex hardware designs.
Abstract
Hardware fuzzing has emerged as one of the key techniques for finding security flaws in modern hardware designs by testing a wide range of input scenarios. One of the main challenges is creating high-quality input seeds that maximize coverage and speed up verification. Coverage-Guided Fuzzing (CGF) methods help explore designs more effectively, but they struggle to focus on specific parts of the hardware. Existing Directed Gray-box Fuzzing (DGF) techniques such as DirectFuzz try to solve this by generating targeted tests, but they have major drawbacks: they support only a limited set of hardware description languages, do not scale well to large circuits, and suffer from abstraction mismatches. To address these problems, we introduce a novel framework, PROFUZZ, that follows the DGF approach and combines fuzzing with Automatic Test Pattern Generation (ATPG) for more efficient fuzzing. By leveraging ATPG's structural analysis capabilities, PROFUZZ can generate precise input seeds that target specific design regions more effectively while maintaining high fuzzing throughput. Our experiments show that PROFUZZ scales 30x better than DirectFuzz when handling multiple target sites, improves coverage by 11.66%, and runs 2.76x faster, highlighting its scalability and effectiveness for directed fuzzing in complex hardware systems.
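The abstract and TL;DR refer to ATPG-generated activation patterns and to conflict-aware merging that keeps mutation potential high. The snippet below is an added illustration, not code from the PROFUZZ paper or its authors: it assumes the common ATPG convention that a pattern is a string over `0`, `1` and `X` (don't-care), and shows how two patterns can be merged into one seed only when no bit position is assigned opposite values, with the surviving `X` bits counted as the free positions a fuzzer may later mutate. The greedy merging order and the sample patterns are constructed for the example.

```python
# Added example: conflict-aware merging of ATPG-style activation patterns.
# ASSUMPTION: this is illustrative code, not the PROFUZZ implementation.
# Patterns are strings over {'0', '1', 'X'}; 'X' is a don't-care bit.

from typing import List, Optional


def merge_pair(a: str, b: str) -> Optional[str]:
    """Merge two equal-length patterns bit by bit.

    A fixed bit ('0'/'1') overrides an 'X'; two fixed bits must agree.
    Returns the merged pattern, or None if any position conflicts.
    """
    if len(a) != len(b):
        raise ValueError("patterns must have equal length")
    merged = []
    for x, y in zip(a, b):
        if x == "X":
            merged.append(y)
        elif y == "X" or x == y:
            merged.append(x)
        else:
            return None  # conflicting assignment at this bit position
    return "".join(merged)


def merge_patterns(patterns: List[str]) -> List[str]:
    """Greedy conflict-aware merge.

    Each pattern is folded into the first seed it is compatible with;
    if it conflicts with every existing seed it becomes a new seed.
    The result is a smaller seed set where each seed still activates
    every target site its constituent patterns activated.
    """
    seeds: List[str] = []
    for pattern in patterns:
        for idx, seed in enumerate(seeds):
            candidate = merge_pair(seed, pattern)
            if candidate is not None:
                seeds[idx] = candidate
                break
        else:
            seeds.append(pattern)
    return seeds


def free_bits(pattern: str) -> int:
    """Number of don't-care bits left for the fuzzer to mutate."""
    return pattern.count("X")


# Constructed sample: four activation patterns for a 4-bit input vector.
SAMPLE_PATTERNS = ["1X0X", "1X01", "0XX1", "X1XX"]

if __name__ == "__main__":
    for seed in merge_patterns(SAMPLE_PATTERNS):
        print(seed, "free bits:", free_bits(seed))
```

Running the sample folds the first, second and fourth patterns into the single seed `1101` and leaves `0XX1` as a second seed, because its leading `0` conflicts with the `1` required by the others; the two remaining `X` bits in `0XX1` are the positions a mutator can vary without breaking that seed's activation condition.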
