
Logic Solver Guided Directed Fuzzing for Hardware Designs

Raghul Saravanan, Sai Manoj P D

TL;DR

The paper tackles the verification bottleneck in increasingly complex RTL designs by proposing TargetFuzz, a SAT-based targeted fuzzing framework that operates at the native hardware abstraction level. By converting gate-level netlists to SAT-amenable representations and defining target sites and states, TargetFuzz generates specialized input seeds that efficiently drive specified regions to desired states. The approach yields high target-site and target-state coverage with significantly faster convergence than conventional CGF, demonstrated across diverse benchmarks including AES, DSP, and PicoRV32. This hardware-centric, scalable methodology integrates with standard IC design flows, offering substantial reductions in verification time and improved fault exposure in critical regions. Overall, TargetFuzz advances directed hardware fuzzing by leveraging SAT to produce precise, region-focused test stimuli while preserving hardware characteristics and visibility through industry-standard metrics.

Abstract

The ever-increasing complexity of design specifications for processors and intellectual property (IP) presents a formidable challenge for early bug detection in the modern IC design cycle. Recent advances in hardware fuzzing have proven effective in detecting bugs in the RTL designs of cutting-edge processors. The modern IC design flow involves incremental updates and modifications to the hardware designs, necessitating rigorous verification and extending the overall verification period. To accelerate this process, directed fuzzing has emerged, focusing on generating targeted stimuli for specific regions of the design and avoiding the need for exhaustive, full-scale verification. However, a significant limitation of these hardware fuzzers lies in their reliance on an equivalent SW model of the hardware, which fails to capture intrinsic hardware characteristics. To circumvent the aforementioned challenges, this work introduces TargetFuzz, an innovative and scalable targeted hardware fuzzing mechanism. It leverages SAT-based techniques to focus on specific regions of the hardware design while operating at its native hardware abstraction level, ensuring a more precise and comprehensive verification process. We evaluated this approach across a diverse range of RTL designs for various IP cores. Our experimental results demonstrate its capability to effectively target and fuzz a broad spectrum of sites within these designs, showcasing its extensive coverage and precision in addressing targeted regions. TargetFuzz scales 30x greater in terms of handling target sites, achieves 100% state coverage, is 1.5x faster in terms of site coverage, and shows a 90x improvement in target state coverage compared to Coverage-Guided Fuzzing, demonstrating its potential to advance the state-of-the-art in directed hardware fuzzing.
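The SAT-based targeted seed generation described in the TL;DR and abstract, reduced to a toy combinational netlist as an added example (this is not the paper's TargetFuzz code): each gate is Tseitin-encoded into CNF, a unit clause pins the chosen target site to the desired target state, and a small DPLL solver returns the primary-input seed that reaches it, or None when the site/state pair is unreachable. The netlist, gate names and the hand-written solver are constructed assumptions; the paper's flow works on full gate-level netlists of sequential designs with a production solver.

```python
from itertools import count
# Constructed gate-level netlist (hypothetical): (output net, gate, input nets).
# Primary inputs are a..d; "z" = AND(c, NOT c) is a stuck-at-0 net on purpose.
NETLIST = [
    ("n1", "AND", ("a", "b")),
    ("n2", "OR", ("c", "d")),
    ("nc", "NOT", ("c",)),
    ("y", "AND", ("n1", "n2")),
    ("z", "AND", ("c", "nc")),
]
PRIMARY_INPUTS = ("a", "b", "c", "d")
# Tseitin clauses for o <-> gate(x): the CNF form of each supported gate type.
GATES = {
    "AND": lambda o, x: [[-o, x[0]], [-o, x[1]], [o, -x[0], -x[1]]],
    "OR":  lambda o, x: [[o, -x[0]], [o, -x[1]], [-o, x[0], x[1]]],
    "NOT": lambda o, x: [[o, x[0]], [-o, -x[0]]],
}
def tseitin(netlist):  # netlist -> (net name -> SAT variable, CNF clauses)
    var, ids, clauses = {}, count(1), []
    v = lambda n: var.setdefault(n, next(ids))
    for out, kind, ins in netlist:
        clauses += GATES[kind](v(out), [v(i) for i in ins])
    return var, clauses

def dpll(clauses, assign):  # minimal DPLL: unit propagation, then branching
    while True:
        simplified, unit = [], None
        for cl in clauses:
            if any(assign.get(abs(l)) == (l > 0) for l in cl):
                continue                      # clause already satisfied
            rest = [l for l in cl if abs(l) not in assign]
            if not rest:
                return None                   # conflict: clause falsified
            unit = rest[0] if len(rest) == 1 else unit
            simplified.append(rest)
        if not simplified:
            return assign                     # every clause satisfied
        if unit is None:
            break                             # nothing left to propagate
        assign, clauses = {**assign, abs(unit): unit > 0}, simplified
    lit = simplified[0][0]                    # branch on the first free literal
    return (dpll(simplified, {**assign, abs(lit): lit > 0})
            or dpll(simplified, {**assign, abs(lit): lit < 0}))

def targeted_seed(netlist, inputs, target_net, target_value):
    """Seed driving target_net to target_value; None if the pinned CNF is UNSAT."""
    var, clauses = tseitin(netlist)
    t = var[target_net]
    clauses.append([t if target_value else -t])  # pin target site to target state
    model = dpll(clauses, {})
    return None if model is None else {i: model.get(var[i], False) for i in inputs}
```

Unassigned primary inputs in the model are don't-cares and are reported as 0; an UNSAT result for a site/state pair tells the fuzzer that no stimulus can exercise it, which is the case for the constant-0 net "z".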

Paper Structure

This paper contains 16 sections, 10 equations, 3 figures, 1 table.

Figures (3)

  • Figure 1: Overview of Coverage Greybox Fuzzing (CGF)
  • Figure 2: Overview of TargetFuzz. Ⓐ Graph Generator and SAT Encoding, Ⓑ Target Site and State Selection, Ⓒ SAT-based Targeted Seed Generation, Ⓓ Targeted Fuzzing
  • Figure 3: Coverage Results of TargetFuzz a) Target State Coverage b) Target Site Coverage