Coverage-Guided Pre-Silicon Fuzzing of Open-Source Processors based on Leakage Contracts
Gideon Geier, Pariya Hajipour, Jan Reineke
TL;DR
This work tackles the challenge of verifying hardware-software leakage contracts for complex processors by introducing coverage-guided pre-silicon fuzzing. It combines a self-compositional framework, where two processor instances run in lockstep with different secrets, with a new Self-Composition Deviation (SCD) coverage metric to observe and prioritize potential leakage. The authors design a full fuzzing pipeline, implement contract reasoning in Sail, and validate on two open-source RISC-V cores (Rocket and BOOM), showing that coverage-guided strategies, especially Weighted Feedback, substantially improve state-space exploration and accelerate leak detection in the BOOM core, while revealing that some cores (Rocket) may adhere to the specified contracts. The results demonstrate the practical impact of combining contract-aware modeling with coverage-guided fuzzing to enhance pre-silicon security verification for modern processors.
Abstract
Hardware-software leakage contracts have emerged as a formalism for specifying side-channel security guarantees of modern processors, yet verifying that a complex hardware design complies with its contract remains a major challenge. While verification provides strong guarantees, current verification approaches struggle to scale to industrial-sized designs. Conversely, prevalent hardware fuzzing approaches are designed to find functional correctness bugs, but are blind to information leaks like Spectre. To bridge this gap, we introduce a novel and scalable approach: coverage-guided hardware-software contract fuzzing. Our methodology leverages a self-compositional framework to make information leakage directly observable as microarchitectural state divergence. The core of our contribution is a new, security-oriented coverage metric, Self-Composition Deviation (SCD), which guides the fuzzer to explore execution paths that violate the leakage contract. We implemented this approach and performed an extensive evaluation on two open-source RISC-V cores: the in-order Rocket Core and the complex out-of-order BOOM core. Our results demonstrate that coverage-guided strategies outperform unguided fuzzing and that increased microarchitectural coverage leads to a faster discovery of security vulnerabilities in the BOOM core.
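The self-compositional check and the SCD metric described in the TL;DR and the abstract, as an added toy example that is not the paper's code (the paper's models are written in Sail and target the Rocket and BOOM RTL): two instances of a constructed speculative core run on the same public inputs with different secrets, pairs that the contract itself already distinguishes are discarded as invalid tests, and the number of cache lines that differ between the two instances is the deviation value a fuzzer would use as feedback. The ISA, the constant-time style contract, the core model and this SCD definition are assumptions made for the illustration.

```python
# Added toy example, not the paper's code, Sail models or the Rocket/BOOM RTL: ISA, contract, core and metric are constructed.
LINE, SECRET = 16, 4   # bytes per cache line; memory address holding the secret value
# Constructed ISA: ('ld', dst, src): regs[dst] = mem[regs[src]];  ('add', dst, a, b): regs[dst] = regs[a] + regs[b];
# ('bge', r, bound, skip): skip the next `skip` instructions if regs[r] >= bound.
def step(ins, regs, mem):   # architectural effect of one instruction; returns (observation, pc delta)
    if ins[0] == 'ld':
        addr = regs[ins[2]]
        regs[ins[1]] = mem.get(addr, 0)
        return ('ld', addr // LINE), 1
    if ins[0] == 'bge':
        taken = regs[ins[1]] >= ins[2]
        return ('br', taken), (1 + ins[3]) if taken else 1
    regs[ins[1]] = regs[ins[2]] + regs[ins[3]]
    return None, 1

def contract_trace(prog, regs, mem):
    """Contract (constant-time style): observers learn control flow and the cache line of each architectural load."""
    regs, pc, trace = dict(regs), 0, []
    while pc < len(prog):
        obs, d = step(prog[pc], regs, mem)
        if obs: trace.append(obs)
        pc += d
    return trace

def hw_run(prog, regs, mem, window=3):
    """Toy speculative core: predicts every branch not-taken and runs up to `window` fall-through
    instructions before squashing. Its microarchitectural state is the set of cache lines filled."""
    regs, pc, cache = dict(regs), 0, set()
    while pc < len(prog):
        ins = prog[pc]
        if ins[0] == 'bge' and regs[ins[1]] >= ins[2]:   # taken branch: the core mispredicted it
            spec, spc = dict(regs), pc + 1                # speculative copy of the register file
            for _ in range(window):
                if spc >= len(prog) or prog[spc][0] == 'bge': break
                obs, d = step(prog[spc], spec, mem)
                if obs: cache.add(obs[1])                 # squashed load still fills the cache
                spc += d
        obs, d = step(ins, regs, mem)
        if obs and obs[0] == 'ld': cache.add(obs[1])
        pc += d
    return cache

def scd(prog, regs, pub_mem, s1, s2):
    """Self-composition: two instances that differ only in the secret. None if the contract itself
    distinguishes them (not a valid test); otherwise the number of cache lines that differ."""
    m1, m2 = {**pub_mem, SECRET: s1}, {**pub_mem, SECRET: s2}
    if contract_trace(prog, regs, m1) != contract_trace(prog, regs, m2): return None
    return len(hw_run(prog, regs, m1) ^ hw_run(prog, regs, m2))   # SCD: 0 means no deviation
# Constructed Spectre-v1-shaped test: bounds check, array load, then a load whose address depends on the loaded value.
SPECTRE = [('bge', 'i', 4, 3), ('add', 'a', 'base', 'i'), ('ld', 'v', 'a'), ('ld', 'w', 'v')]
```

With index 4 (one past the 4-entry array) both contract traces are the single taken branch, yet the two cache states differ in two lines, so the pair is a contract violation with SCD 2; with an in-bounds index the SCD is 0, and a program that loads the secret architecturally yields None because the contract already permits that observation.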
