Table of Contents
Fetching ...

GoldenFuzz: Generative Golden Reference Hardware Fuzzing

Lichao Wu, Mohamadreza Rostami, Huimin Li, Nikhilesh Singh, Ahmad-Reza Sadeghi

TL;DR

GoldenFuzz addresses the inefficiencies of traditional hardware fuzzing by introducing a two-stage framework that first refines test-case generation in a fast Golden Reference Model (GRM) and then applies the learned policy to the DUT, achieving deeper architectural exploration with lower overhead. It leverages a language-model-based fuzzer trained on RISC-V instructions, a block-wise generation strategy, and a dual intra-/inter-test scoring system coupled with Simple Preference Optimization to drive policy updates. Differential testing against the GRM and DUT enables efficient vulnerability discovery, yielding multiple new, high-severity vulnerabilities across open-source and commercial cores, while maintaining robust performance across cores and reducing computational cost. The results demonstrate substantial improvements in hardware coverage, shorter test-case lengths, and practical impact for pre-silicon hardware security verification, making GoldenFuzz a scalable tool for industrial security testing and verification.

Abstract

Modern hardware systems, driven by demands for high performance and application-specific functionality, have grown increasingly complex, introducing large surfaces for bugs and security-critical vulnerabilities. Fuzzing has emerged as a scalable solution for discovering such flaws. Yet, existing hardware fuzzers suffer from limited semantic awareness, inefficient test refinement, and high computational overhead due to reliance on slow device simulation. In this paper, we present GoldenFuzz, a novel two-stage hardware fuzzing framework that partially decouples test case refinement from coverage and vulnerability exploration. GoldenFuzz leverages a fast, ISA-compliant Golden Reference Model (GRM) as a ``digital twin'' of the Device Under Test (DUT). It fuzzes the GRM first, enabling rapid, low-cost test case refinement, accelerating deep architectural exploration and vulnerability discovery on DUT. During the fuzzing pipeline, GoldenFuzz iteratively constructs test cases by concatenating carefully chosen instruction blocks that balance the subtle inter- and intra-instructions quality. A feedback-driven mechanism leveraging insights from both high- and low-coverage samples further enhances GoldenFuzz's capability in hardware state exploration. Our evaluation of three RISC-V processors, RocketChip, BOOM, and CVA6, demonstrates that GoldenFuzz significantly outperforms existing fuzzers in achieving the highest coverage with minimal test case length and computational overhead. GoldenFuzz uncovers all known vulnerabilities and discovers five new ones, four of which are classified as highly severe with CVSS v3 severity scores exceeding seven out of ten. It also identifies two previously unknown vulnerabilities in the commercial BA51-H core extension.

GoldenFuzz: Generative Golden Reference Hardware Fuzzing

TL;DR

GoldenFuzz addresses the inefficiencies of traditional hardware fuzzing by introducing a two-stage framework that first refines test-case generation in a fast Golden Reference Model (GRM) and then applies the learned policy to the DUT, achieving deeper architectural exploration with lower overhead. It leverages a language-model-based fuzzer trained on RISC-V instructions, a block-wise generation strategy, and a dual intra-/inter-test scoring system coupled with Simple Preference Optimization to drive policy updates. Differential testing against the GRM and DUT enables efficient vulnerability discovery, yielding multiple new, high-severity vulnerabilities across open-source and commercial cores, while maintaining robust performance across cores and reducing computational cost. The results demonstrate substantial improvements in hardware coverage, shorter test-case lengths, and practical impact for pre-silicon hardware security verification, making GoldenFuzz a scalable tool for industrial security testing and verification.

Abstract

Modern hardware systems, driven by demands for high performance and application-specific functionality, have grown increasingly complex, introducing large surfaces for bugs and security-critical vulnerabilities. Fuzzing has emerged as a scalable solution for discovering such flaws. Yet, existing hardware fuzzers suffer from limited semantic awareness, inefficient test refinement, and high computational overhead due to reliance on slow device simulation. In this paper, we present GoldenFuzz, a novel two-stage hardware fuzzing framework that partially decouples test case refinement from coverage and vulnerability exploration. GoldenFuzz leverages a fast, ISA-compliant Golden Reference Model (GRM) as a ``digital twin'' of the Device Under Test (DUT). It fuzzes the GRM first, enabling rapid, low-cost test case refinement, accelerating deep architectural exploration and vulnerability discovery on DUT. During the fuzzing pipeline, GoldenFuzz iteratively constructs test cases by concatenating carefully chosen instruction blocks that balance the subtle inter- and intra-instructions quality. A feedback-driven mechanism leveraging insights from both high- and low-coverage samples further enhances GoldenFuzz's capability in hardware state exploration. Our evaluation of three RISC-V processors, RocketChip, BOOM, and CVA6, demonstrates that GoldenFuzz significantly outperforms existing fuzzers in achieving the highest coverage with minimal test case length and computational overhead. GoldenFuzz uncovers all known vulnerabilities and discovers five new ones, four of which are classified as highly severe with CVSS v3 severity scores exceeding seven out of ten. It also identifies two previously unknown vulnerabilities in the commercial BA51-H core extension.
Paper Structure (29 sections, 8 equations, 4 figures, 1 algorithm)

This paper contains 29 sections, 8 equations, 4 figures, 1 algorithm.

Figures (4)

  • Figure 1: An Overview of the GoldenFuzz framework.
  • Figure 2: An Overview of the GoldenFuzz Pipeline.
  • Figure 3: Coverage Benchmark.
  • Figure 4: Ablation and Hyperparameter Studies on Critical Settings.