INSTILLER: Towards Efficient and Realistic RTL Fuzzing

TL;DR

INSTILLER is an RTL fuzzing framework that uses ant colony optimization to generate shorter, more effective inputs, improving bug detection coverage and speed in CPU hardware testing.

Contribution

The paper introduces INSTILLER, a novel RTL fuzzing approach that employs VACO for input distillation, realistic interruption simulation, and hardware-based seed strategies, enhancing efficiency and effectiveness.

Findings

29.4% more coverage than DiFuzzRTL

17.0% more bug mismatches detected

79.3% shorter input instructions generated

Abstract

Bugs exist in hardware, such as CPU. Unlike software bugs, these hardware bugs need to be detected before deployment. Previous fuzzing work in CPU bug detection has several disadvantages, e.g., the length of RTL input instructions keeps growing, and longer inputs are ineffective for fuzzing. In this paper, we propose INSTILLER (Instruction Distiller), an RTL fuzzer based on ant colony optimization (ACO). First, to keep the input instruction length short and efficient in fuzzing, it distills input instructions with a variant of ACO (VACO). Next, related work cannot simulate realistic interruptions well in fuzzing, and INSTILLER solves the problem of inserting interruptions and exceptions in generating the inputs. Third, to further improve the fuzzing performance of INSTILLER, we propose hardware-based seed selection and mutation strategies. We implement a prototype and conduct extensive experiments against state-of-the-art fuzzing work in real-world target CPU cores. In experiments, INSTILLER has 29.4% more coverage than DiFuzzRTL. In addition, 17.0% more mismatches are detected by INSTILLER. With the VACO algorithm, INSTILLER generates 79.3% shorter input instructions than DiFuzzRTL, demonstrating its effectiveness in distilling the input instructions. In addition, the distillation leads to a 6.7% increase in execution speed on average.