A curated list of research and repositories on the novel technique of hardware fuzzing. For various reasons, most existing works target RISC-V, with some exceptions.
The Emergence of Hardware Fuzzing: A Critical Review of its Significance
The Fuzz Odyssey: A Survey on Hardware Fuzzing Frameworks for Hardware Design Verification
Fuzzing Hardware Like Software | source code
Encarsia: Evaluating CPU Fuzzers via Automatic Bug Injection | source code
Cascade: CPU Fuzzing via Intricate Program Generation | source code
Phantom Trails: Practical Pre-Silicon Discovery of Transient Data Leaks | source code and artifacts and this repo and PoCs
Lost and Found in Speculation: Hybrid Speculative Vulnerability Detection | Note: hardware fuzzing + IFT (Specure, not yet open source)
SpecDoctor: Differential Fuzz Testing to Find Transient Execution Vulnerabilities | source code
Revizor: Testing Black-box CPUs against Speculation Contracts | source code
Hide and Seek with Spectres: Efficient discovery of speculative information leaks with random testing | source code
Speculation at Fault: Modeling and Testing Microarchitectural Leakage of CPU Exceptions | source code and artifact
Testing side-channel security of cryptographic implementations against future microarchitectures | source code
SpecFuzz: Bringing Spectre-type vulnerabilities to the surface | source code
Blacksmith: Scalable Rowhammering in the Frequency Domain | source code
ZenHammer: Rowhammer Attacks on AMD Zen-based Platforms | source code
RISC-H: Rowhammer Attacks on RISC-V
TEESec: Pre-Silicon Vulnerability Discovery for Trusted Execution Environments | source code
SPEECHMINER: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities | source code
Rubicon: Precise Microarchitectural Attacks with Page-Granular Massaging | source code and Rubicon-enhanced Blacksmith Rowhammer fuzzer
TRRespass: Exploiting the Many Sides of Target Row Refresh | source code and modified TRRespass and another fork and another inspired work and Sledgehammer paper
RISCVuzz: Discovering Architectural CPU Vulnerabilities via Differential Hardware Fuzzing | source code for GhostWrite PoC
SIGFuzz: A Framework for Discovering Microarchitectural Timing Side Channels | source code
WhisperFuzz: White-Box Fuzzing for Detecting and Locating Timing Vulnerabilities in Processors | artifacts
SurgeFuzz: Surge-Aware Directed Fuzzing for CPU Designs | source code
GenFuzz: GPU-accelerated Hardware Fuzzing using Genetic Algorithm with Multiple Inputs | source code
ProcessorFuzz: Guiding Processor Fuzzing using Control and Status Registers | source code
DIFUZZ RTL: Differential Fuzz Testing to Find CPU Bugs | source code
MorFuzz: Fuzzing Processor via Runtime Instruction Morphing Enhanced Synchronizable Co-simulation | source code
DejaVuzz: Disclosing Transient Execution Bugs with Dynamic Swappable Memory and Differential Information Flow Tracking assisted Processor Fuzzing | source code
Medusa: Microarchitectural Data Leakage via Automated Attack Synthesis | source code
Effective Processor Verification with Logic Fuzzer Enhanced Co-simulation | source code for dromajo
NoCFuzzer: Automating NoC Verification in UVM | source code
VerilogReader: LLM-Aided Hardware Test Generation | source code
Bridging the Gap between Hardware Fuzzing and Industrial Verification | source code
Pre-Silicon Hardware Fuzzing Toolkit | source code
Sandsifter: the x86 processor fuzzer | source code, python3 port, test runs repo, fork with some fixes, Black Hat talk
Work inspired by sandsifter: vmsifter, sandsifterOS, baresifter
Uncovering Hidden Instructions in Armv8-A Implementations | source code for Armshaker
Osiris: Automated Discovery of Microarchitectural Side Channels | source code
Microarchitectural Leakage Templates and Their Application to Cache-Based Side Channels | source code for Plumber
ABSynthe: Automatic Blackbox Side-channel Synthesis on Commodity Microarchitectures | source code
TikTag: Breaking ARM's Memory Tagging Extension with Speculative Execution | source code
SiliFuzz: Fuzzing CPUs by proxy | source code, Reptar CPU vulnerability
PathFuzz: Broadening Fuzzing Horizons with Footprint Memory for CPUs | source code
Functional Verification for Agile Processor Development: A Case for Workflow Integration | source code
SSFuzz: Generating syntactic and semantic seeds for RISC-V Processors | source code (not yet open source?)
Symbolic Simulation Enhanced Coverage-Directed Fuzz Testing of RTL Design | slides
Grammar-based fuzz testing for microprocessor RTL design
UISFuzz: An Efficient Fuzzing Method for CPU Undocumented Instruction Searching
Hot Fuzz: Assisting verification by fuzz testing microelectronic hardware
HyperFuzzing for SoC Security Validation | source code
Beyond Random Inputs: A Novel ML-Based Hardware Fuzzing
RLFuzz: Accelerating Hardware Fuzzing with Deep Reinforcement Learning | also see HYDRANOS project
TaintFuzzer: SoC Security Verification using Taint Inference-enabled Fuzzing
SoCFuzzer: SoC Vulnerability Detection using Cost Function enabled Fuzz Testing
Detection of Hardware Trojans in SystemC HLS Designs via Coverage-guided Fuzzing
MABFuzz: Multi-Armed Bandit Algorithms for Fuzzing Processors
DirectFuzz: Automated Test Generation for RTL Designs using Directed Graybox Fuzzing
RFUZZ: Coverage-Directed Fuzz Testing of RTL on FPGAs | source code
HyPFuzz: Formal-Assisted Processor Fuzzing
RTLFUZZLAB: Building A Modular Open-Source Hardware Fuzzing Framework | source code
PSOFuzz: Fuzzing Processors with Particle Swarm Optimization
FormalFuzzer: Formal Verification Assisted Fuzz Testing for SoC Vulnerability Detection
Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
Fuzzing Hardware: Faith or Reality?
HScheduler: An execution history-based seed scheduling strategy for hardware fuzzing
FuzzWiz - Fuzzing Framework for Efficient Hardware Coverage
GenHuzz: An Efficient Generative Hardware Fuzzer | source code
HFL: Hardware Fuzzing Loop with Reinforcement Learning | source code TBD?
Accelerating Hardware Verification with Graph Models | Note: unrelated to the same-name GraphFuzz here and here
Fuzzerfly Effect: Hardware Fuzzing for Memory Safety
Trusting the Trust Anchor: Towards Detecting Cross-Layer Vulnerabilities with Hardware Fuzzing
PCBleed: Fuzzing for CPU Bugs Through Use of Performance Counters
Time and Order: Towards Automatically Identifying Side-Channel Vulnerabilities in Enclave Binaries | source code for ANABLEPS
JustSTART: How to Find an RSA Authentication Bypass on Xilinx UltraScale(+) with Fuzzing | source code
SPINALFUZZ: Coverage-Guided Fuzzing for SpinalHDL Designs | source code
Core Fuzzing - A Versatile Platform for Security Verification
Verification of Chisel Hardware Designs with ChiselVerify | source code
Towards Functional Coverage-Driven Fuzzing for Chisel Designs | source code
Exploring Coverage Metrics in Hardware Fuzzing: A Comprehensive Analysis
Unified HW/SW Coverage: A Novel Metric to Boost Coverage-guided Fuzzing for Virtual Prototype based HW/SW Co-Verification | source code for RISC-V virtual prototype
Directed Test Generation for Hardware Validation: A Survey
Verismith: Verilog hardware synthesis tool fuzzer
Lost in Translation: Enabling Confused Deputy Attacks on EDA Software with TransFuzz | source code
cpufuzz is a dumb, simple and portable CPU fuzzer
CrossFire: Fuzzing macOS Cross-XPU Memory on Apple Silicon | source code
Fuzzing on a ChipWhisperer-Nano
ChipFuzzer: Towards Fuzzing Matter-based IoT Devices for Vulnerability Detection | source code
Evaluation of Hardware Fuzzing thesis proposal
Genesys-Pro: Innovations in Test Program Generation for Functional Processor Verification old paper
Other methodologies (honestly they deserve their own separate list because they are often not directly related to fuzzing, but since I found them while researching fuzzing approaches I include them here for comparison's sake and for my own convenience)
TIUP: Effective Processor Verification with Tautology-Induced Universal Properties | source code
Isadora: Automated information-flow property generation for hardware security verification
Isadora: Automated Information Flow Property Generation for Hardware Designs | source code
CellIFT: Leveraging Cells for Scalable and Precise Dynamic Information Flow Tracking in RTL | source code
HardFails: Insights into Software-Exploitable Hardware Bugs
CheckMate: Automated Synthesis of Hardware Exploits and Security Litmus Tests | source code
AutoSVA: Democratizing Formal Verification of RTL Module Interactions | source code
A Survey on Assertion-based Hardware Verification
Synthesizing Hardware-Software Leakage Contracts for RISC-V Open-Source Processors | source code and artifact
A Symbolic Approach to Detecting Hardware Trojans Triggered by Don’t Care Transitions | source code
Specification and Verification of Side-channel Security for Open-source Processors via Leakage Contracts | source code
SHarPen: SoC Security Verification by Hardware Penetration Test
Hardware Support to Improve Fuzzing Performance and Precision | source code
A Methodology for Testing CPU Emulators | source code
End-to-End Automated Exploit Generation for Validating the Security of Processor Designs | source code
RTL-ConTest: Concolic Testing on RTL for Detecting Security Vulnerabilities | source code
RTL Verification for Secure Speculation Using Contract Shadow Logic | source code