Lichao Wu (Technical University of Darmstadt), Mohamadreza Rostami (Technical University of Darmstadt), Huimin Li (Technical University of Darmstadt), Nikhilesh Singh (Technical University of Darmstadt), Ahmad-Reza Sadeghi (Technical University of Darmstadt)

Modern hardware systems, driven by demands for high performance and application-specific functionality, have grown increasingly complex, introducing large surfaces for bugs and security-critical vulnerabilities. Fuzzing has emerged as a scalable solution for discovering such flaws. Yet, existing hardware fuzzers suffer from limited semantic awareness, inefficient test refinement, and high computational overhead due to reliance on slow device simulation.

In this paper, we present GoldenFuzz, a novel two-stage hardware fuzzing framework that partially decouples test case refinement from coverage and vulnerability exploration. GoldenFuzz leverages a fast, ISA-compliant Golden Reference Model (GRM) as a “digital twin” of the Device Under Test (DUT). It fuzzes the GRM first, enabling rapid, low-cost test case refinement, accelerating deep architectural exploration and vulnerability discovery on DUT. During the fuzzing pipeline, GoldenFuzz iteratively constructs test cases by concatenating carefully chosen instruction blocks that balance the subtle inter- and intra-instructions quality. A feedback-driven mechanism leveraging insights from both high- and low-coverage samples further enhances GoldenFuzz’s capability in hardware state exploration. Our evaluation of three RISC-V processors, RocketChip, BOOM, and CVA6, demonstrates that GoldenFuzz significantly outperforms existing fuzzers in achieving the highest coverage with minimal test case length and computational overhead. GoldenFuzz uncovers all known vulnerabilities and discovers five new ones, four of which are classified as highly severe with CVSS v3 severity scores exceeding seven out of ten. It also identifies two previously unknown vulnerabilities in the commercial BA51-H core extension.

View More Papers

Enabling Research Extensions in Matter via Custom Clusters

Ravindra Mangar (Dartmouth College, Hanover), Jared Chandler (Dartmouth College, Hanover), Timothy J. Pierson (Dartmouth College, Hanover), David Kotz (Dartmouth College, Hanover)

Read More

A Usability Evaluation Method for SOC Tools Using a...

Yukina Okazawa (Toho University), Akira Kanaoka (Toho University), Takumi Yamamoto (Mitsubishi Electric Corporation)

Read More

Cross-Cache Attacks for the Linux Kernel via PCP Massaging

Claudio Migliorelli (IBM Research Europe - Zurich), Andrea Mambretti (IBM Research Europe - Zurich), Alessandro Sorniotti (IBM Research Europe - Zurich), Vittorio Zaccaria (Politecnico di Milano), Anil Kurmus (IBM Research Europe - Zurich)

Read More