Coverage-Guided Pre-Silicon Fuzzing of Open-Source Processors based on Leakage Contracts
Gideon Geier, Pariya Hajipour, Jan Reineke

TL;DR
This paper presents a scalable fuzzing approach guided by a new coverage metric to detect side-channel leaks in open-source processors, effectively identifying security vulnerabilities in complex hardware designs.
Contribution
It introduces a novel coverage-guided fuzzing methodology using Self-Composition Deviation (SCD) for security contract verification in hardware designs.
Findings
Coverage-guided fuzzing outperforms unguided methods.
Increased microarchitectural coverage accelerates vulnerability discovery.
Effective detection of side-channel leaks in RISC-V cores.
Abstract
Hardware-software leakage contracts have emerged as a formalism for specifying side-channel security guarantees of modern processors, yet verifying that a complex hardware design complies with its contract remains a major challenge. While verification provides strong guarantees, current verification approaches struggle to scale to industrial-sized designs. Conversely, prevalent hardware fuzzing approaches are designed to find functional correctness bugs, but are blind to information leaks like Spectre. To bridge this gap, we introduce a novel and scalable approach: coverage-guided hardware-software contract fuzzing. Our methodology leverages a self-compositional framework to make information leakage directly observable as microarchitectural state divergence. The core of our contribution is a new, security-oriented coverage metric, Self-Composition Deviation (SCD), which guides the…
Taxonomy
Topics: Security and Verification in Computing · Physical Unclonable Functions (PUFs) and Hardware Security · Radiation Effects in Electronics
