# HWFuzz: An FPGA-Accelerated Fuzzing Framework for Efficient RISC-V Verification

Yang Zhong<sup>1,2</sup>, Haoran Wu<sup>3\*</sup>, Yungang Bao<sup>1,2</sup> and Kan Shi<sup>1,2</sup>

<sup>1</sup> State Key Lab of Processors, Institute of Computing Technology, Chinese Academy of Sciences <sup>2</sup> University of Chinese Academy of Sciences <sup>3</sup> University of Cambridge







# Vision & Value

To address the limitations of existing DV frameworks, hardware fuzzing has emerged as a promising approach, inspired by its widespread use in the software testing domain.

Recent advancements in hardware fuzzing have led to the discovery of a significant number of bugs in open-source RISC-V processor cores, such as Rocket Core, BOOM, and CVA6, further demonstrating its practical effectiveness in real-world scenarios.

Figure 1: Comparison between the previous hardware fuzzing approaches and the proposed approach. (a) Previous hardware fuzzing approaches; (b) Proposed FPGA-based approach.

#### **Previous methods in Hardware Fuzzing**

#### Software-based

- Test stimulus generation is slow due to limited software performance.
- DUT execution becomes a bottleneck because of time-consuming simulations.

#### **Offload DUT to FPGA**

- Significantly improves DUT execution speed.
- New bottlenecks emerge: test stimulus generation still remains slow.
- Communication latency between the host and the FPGA limits overall fuzzing throughput.

### **Our solution:**

- Developed a synthesizable and highly configurable hardware fuzzer IP.
- Implements a fully automated hardware fuzzing-verification loop entirely on FPGA.
- Detects potential vulnerabilities by comparing DUT execution with a software reference model.

## The overall architecture

Figure 2: The overall architecture of our proposed method.

### **Stimuli Constraints**

- Implement hardware-level constraints on control-flow instruction jump ranges.
- Constraints significantly increase the proportion of generated instructions that can be executed, enhancing overall coverage.

### **Coverage-Directed Generation**

- Two Fuzzing Modes:
  - Random Mode: Generates instructions purely at random.
  - Mutation Mode: Adjusts operands and context of previously generated stimuli.
- **Corpus-Guided Mutation:**
  - Stores stimuli and corresponding DUT coverage in a corpus.
  - Selectively mutates high-coverage stimuli to maximize DUT coverage and improve verification efficiency.

### **Stimuli Packing**

- Generates both instructions and data, stored in DDR.
- Random data values are created to support Load/Store instructions, ensuring memory-access operations have valid operands.
- A multi-stage pipeline refines raw opcodes into executable instructions by adding context, helper instructions, and operands.

# **Evaluation**

Platform: Fidus Sidewinder board with a Xilinx Zynq UltraScale+ XCZU19EG FPGA and two 16GB DDR4 memories.
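As an added example (not the authors' code, and not the HWFuzz fuzzer IP itself, which is synthesizable RTL), the following Python models on the host side two of the mechanisms the poster describes: the Stimuli Constraints that keep control-flow jump targets inside the generated stimulus region, and the Corpus-Guided Mutation that alternates between Random Mode and Mutation Mode while preferring high-coverage parents. Everything beyond the poster's wording is an assumption of this example: the 4 KiB stimulus region, the choice of JAL and ADDI as representative control-flow and ALU instructions, the coverage-weighted parent selection, and the `toy_coverage` function that stands in for the DUT coverage read back from the FPGA.

```python
"""Host-side model of two HWFuzz ideas: jump-range constraints on control-flow
stimuli, and corpus-guided mutation.  Added illustration, not the authors'
fuzzer IP; DUT coverage readback is replaced by an injected function."""
import random

REGION_BYTES = 4096          # assumed size of the executable stimulus region
OP_JAL, OP_IMM = 0x6F, 0x13  # RISC-V opcodes for JAL and ADDI (RV32I/RV64I)


def encode_jal(rd, imm):
    """J-type JAL: imm is a signed, even byte offset with |imm| < 2**20."""
    if imm % 2 or not -(1 << 20) <= imm < (1 << 20):
        raise ValueError("JAL immediate out of range")
    u = imm & 0x1FFFFF
    return ((((u >> 20) & 1) << 31) | (((u >> 1) & 0x3FF) << 21)
            | (((u >> 11) & 1) << 20) | (((u >> 12) & 0xFF) << 12)
            | ((rd & 0x1F) << 7) | OP_JAL)


def decode_jal_imm(word):
    """Inverse of encode_jal: recover the signed byte offset from a JAL word."""
    u = ((((word >> 31) & 1) << 20) | (((word >> 12) & 0xFF) << 12)
         | (((word >> 20) & 1) << 11) | (((word >> 21) & 0x3FF) << 1))
    return u - (1 << 21) if u & (1 << 20) else u


def encode_addi(rd, rs1, imm12):
    """I-type ADDI, used here as the representative non-control-flow instruction."""
    return ((imm12 & 0xFFF) << 20) | ((rs1 & 0x1F) << 15) | ((rd & 0x1F) << 7) | OP_IMM


def constrained_jal(rng, pc, rd):
    """Stimuli constraint: the target is always a 4-byte-aligned address inside
    the region, so the jump lands on another generated instruction."""
    target = rng.randrange(0, REGION_BYTES, 4)
    return encode_jal(rd, target - pc)


def targets_in_region(stim):
    """Check the constraint over a whole stimulus (instruction i sits at pc 4*i)."""
    return all(0 <= 4 * i + decode_jal_imm(w) < REGION_BYTES
               for i, w in enumerate(stim) if w & 0x7F == OP_JAL)


def random_stimulus(rng, n):
    """Random mode: every slot is a fresh random ADDI or a constrained jump."""
    return [constrained_jal(rng, 4 * i, rng.randrange(32)) if rng.random() < 0.2
            else encode_addi(rng.randrange(32), rng.randrange(32),
                             rng.randrange(-2048, 2048))
            for i in range(n)]


def mutate_stimulus(rng, stim, k=2):
    """Mutation mode: adjust operands of k instructions while keeping each
    opcode, and re-apply the jump-range constraint to any mutated JAL."""
    out = list(stim)
    for _ in range(k):
        i = rng.randrange(len(out))
        w = out[i]
        if w & 0x7F == OP_JAL:
            out[i] = constrained_jal(rng, 4 * i, (w >> 7) & 0x1F)  # same rd, new target
        else:
            out[i] = encode_addi(rng.randrange(32), (w >> 15) & 0x1F,
                                 w >> 20)  # new rd, same rs1 and immediate
    return out


class Corpus:
    """Corpus-guided mutation: keep (stimulus, new-coverage) pairs and prefer
    high-coverage entries as mutation parents."""

    def __init__(self):
        self.entries = []

    def add(self, stim, cov):
        self.entries.append((stim, cov))

    def pick_parent(self, rng):
        weights = [cov + 1 for _, cov in self.entries]  # +1 keeps zero-gain entries selectable
        return rng.choices([s for s, _ in self.entries], weights)[0]


def fuzz(coverage_fn, rounds, n=16, seed_rounds=4, rng=None):
    """Fuzzing loop.  coverage_fn(stim) -> set of coverage points stands in for
    the DUT coverage read back from the FPGA (an assumption of this example)."""
    rng = rng or random.Random(0)
    corpus, seen = Corpus(), set()
    for r in range(rounds):
        if r < seed_rounds or rng.random() < 0.25:
            stim = random_stimulus(rng, n)              # Random Mode
        else:
            stim = mutate_stimulus(rng, corpus.pick_parent(rng))  # Mutation Mode
        assert targets_in_region(stim)                  # constraint must never be violated
        gained = coverage_fn(stim) - seen
        seen |= gained
        corpus.add(stim, len(gained))
    return len(seen), corpus


def toy_coverage(stim):
    """Constructed stand-in for DUT coverage: distinct (opcode, rd) pairs executed."""
    return {(w & 0x7F, (w >> 7) & 0x1F) for w in stim}


if __name__ == "__main__":
    total, corpus = fuzz(toy_coverage, rounds=40, rng=random.Random(1))
    print(f"coverage points reached: {total}, corpus size: {len(corpus.entries)}")
```

The constraint is applied at generation time rather than filtered afterwards, which mirrors the poster's point that constraining jump ranges raises the fraction of generated instructions that actually execute; in the real design the same decision is made in hardware, and `toy_coverage` would be replaced by the coverage the FPGA returns for each packed stimulus.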