Fuzzing Hardware Like Software

Timothy Trippel, Kang G. Shin
Computer Science & Engineering, University of Michigan, Ann Arbor, MI
{trippel, [email protected]

Alex Chernyakhovsky, Garret Kelly, Dominic Rizzo
OpenTitan, Google, LLC, Cambridge, MA
{achernya, gdk, [email protected]

Matthew Hicks
Computer Science, Virginia Tech, Blacksburg, VA
[email protected]

Abstract—Hardware flaws are permanent and potent: hardware cannot be patched once fabricated, and any flaws may undermine even formally verified software executing on top. Consequently, verification time dominates implementation time. The gold standard in hardware Design Verification (DV) is concentrated at two extremes: random dynamic verification and formal verification. Both techniques struggle to root out the subtle flaws in complex hardware that often manifest as security vulnerabilities. The root problem with random verification is its undirected nature, making it inefficient, while formal verification is constrained by the state-space explosion problem, making it infeasible to apply to complex designs. What is needed is a solution that is directed, yet under-constrained. Instead of making incremental improvements to existing hardware verification approaches, we leverage the observation that existing software fuzzers already provide such a solution; we adapt it for hardware verification, thus leveraging existing—more advanced—software verification tools. Specifically, we translate RTL hardware to a software model and fuzz that model.

[Figure 1: two panels, "Prior Work" and "Fuzzing HW". Prior work: a custom test generator drives a testbench (TB) and the hardware DUT with coverage tracing on the hardware side. Fuzzing HW: a software fuzzer drives a generic TB and a software model of the HW DUT, with injected coverage-tracing instrumentation.]
Fig. 1. Fuzzing Hardware Like Software. Unlike prior Coverage Directed Test Generation (CDG) techniques [15]–[18], we advocate for fuzzing software models of hardware directly, with a generic harness (testbench) and
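To make the approach in the abstract and Fig. 1 concrete, the following is an added example, not code from the paper or the OpenTitan project: a hand-written software model of a tiny lock-protected register block standing in for the translated RTL (the paper's flow derives that model from the RTL; here it is written by hand so the example runs on its own), a generic testbench that decodes raw fuzzer bytes into bus transactions, injected coverage tracing over the write paths, and an invariant check of the kind a DV engineer would otherwise express as an assertion. All names (dut_t, dut_step, harness_run, DUT_UNLOCK_MAGIC) and the 3-byte transaction encoding are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdlib.h>

/* Hand-written software model of a small DUT (assumed design, not from the
 * paper): four byte-wide registers behind a lock. Register 0 is the lock
 * control: writing DUT_UNLOCK_MAGIC clears the lock, any other value sets it.
 * Registers 1..3 are data registers and accept writes only while unlocked. */
enum { DUT_NUM_REGS = 4, DUT_UNLOCK_MAGIC = 0xA5 };

typedef struct {
    uint8_t regs[DUT_NUM_REGS];
    int locked;       /* 1 while writes to data registers are blocked */
    uint8_t cov;      /* coverage bitmap: bit (4*locked + addr) set when a
                         write reached that (lock state, address) path */
    uint32_t cycles;  /* bus transactions processed since reset */
} dut_t;

void dut_reset(dut_t *d) {
    memset(d, 0, sizeof *d);
    d->locked = 1;    /* the block comes out of reset locked */
}

/* One bus transaction per call, the software analogue of one clock edge. */
void dut_step(dut_t *d, int is_write, uint8_t addr, uint8_t data) {
    d->cycles++;
    addr &= DUT_NUM_REGS - 1;
    if (!is_write) return;                 /* reads have no side effects */
    /* Injected coverage tracing: record which write path executed. */
    d->cov |= (uint8_t)(1u << ((d->locked ? 4 : 0) + addr));
    if (addr == 0) {
        d->locked = (data != DUT_UNLOCK_MAGIC);
        return;
    }
    if (!d->locked) d->regs[addr] = data;
}

/* Number of distinct write paths exercised so far (the fuzzer's feedback). */
int dut_cov_count(const dut_t *d) {
    int n = 0;
    for (int b = 0; b < 8; b++) n += (d->cov >> b) & 1;
    return n;
}

/* Generic testbench: the fuzzer's byte stream is sliced into 3-byte bus
 * transactions (op, addr, data); op bit 0 selects write (1) or read (0).
 * Returns the number of invariant violations observed (0 means clean) and
 * optionally copies the final DUT state to *out. */
int harness_run(const uint8_t *in, size_t len, dut_t *out) {
    dut_t d;
    int violations = 0;
    dut_reset(&d);
    for (size_t i = 0; i + 3 <= len; i += 3) {
        uint8_t before[DUT_NUM_REGS];
        int was_locked = d.locked;
        memcpy(before, d.regs, sizeof before);
        dut_step(&d, in[i] & 1, in[i + 1], in[i + 2]);
        /* Invariant: data registers never change while the lock is set. */
        if (was_locked && memcmp(before, d.regs, sizeof before) != 0)
            violations++;
    }
    if (out) *out = d;
    return violations;
}

/* libFuzzer-style entry point: a violation becomes a crash the fuzzer keeps. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    if (harness_run(data, size, NULL) != 0) abort();
    return 0;
}
```

The testbench knows nothing about the DUT beyond its bus interface, which is the point of the generic harness in Fig. 1: the fuzzer supplies transactions, coverage over the model's write paths steers it toward untried lock/address combinations, and the invariant turns a functional property of the RTL into a crash the fuzzer can report.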