SimFuzz: Similarity-guided Block-level Mutation for RISC-V Processor Fuzzing
Hao Lyu, Jingzheng Wu, Xiang Ling, Yicheng Zhong, Zhiyuan Li, Tianyue Luo
TL;DR
SimFuzz tackles the security verification gap in open RISC-V processors by eschewing traditional coverage-driven mutation in favor of similarity-guided, block-level mutation anchored on a high-quality seed corpus built from real bug-triggering inputs. It preserves seed control-flow while expanding the input space via a four-faceted instruction similarity metric, and it relies on differential testing to reveal RTL-ISA inconsistencies. The approach yields up to $73.22\%$ mux coverage on historical seeds and discovers 17 bugs, including 14 previously unknown issues and 7 CVEs, across Rocket, BOOM, and XiangShan, highlighting cross-processor bug patterns and practical verification gains. These results demonstrate that real-world bug samples, coupled with semantic-aware mutation, can significantly enhance functional verification and security auditing for modern RISCV processors.
Abstract
The Instruction Set Architecture (ISA) defines processor operations and serves as the interface between hardware and software. As an open ISA, RISC-V lowers the barriers to processor design and encourages widespread adoption, but also exposes processors to security risks such as functional bugs. Processor fuzzing is a powerful technique for automatically detecting these bugs. However, existing fuzzing methods suffer from two main limitations. First, their emphasis on redundant test case generation causes them to overlook cross-processor corner cases. Second, they rely too heavily on coverage guidance. Current coverage metrics are biased and inefficient, and become ineffective once coverage growth plateaus. To overcome these limitations, we propose SimFuzz, a fuzzing framework that constructs a high-quality seed corpus from historical bug-triggering inputs and employs similarity-guided, block-level mutation to efficiently explore the processor input space. By introducing instruction similarity, SimFuzz expands the input space around seeds while preserving control-flow structure, enabling deeper exploration without relying on coverage feedback. We evaluate SimFuzz on three widely used open-source RISC-V processors: Rocket, BOOM, and XiangShan, and discover 17 bugs in total, including 14 previously unknown issues, 7 of which have been assigned CVE identifiers. These bugs affect the decode and memory units, cause instruction and data errors, and can lead to kernel instability or system crashes. Experimental results show that SimFuzz achieves up to 73.22% multiplexer coverage on the high-quality seed corpus. Our findings highlight critical security bugs in mainstream RISC-V processors and offer actionable insights for improving functional verification.
