Recent research has shown that hardware fuzzers can effectively detect security vulnerabilities in modern processors. However, existing hardware fuzzers do not fuzz well the hard-to-reach design spaces. Consequently, these fuzzers cannot effectively fuzz security-critical control- and data-flow logic in the processors, hence missing security vulnerabilities. To tackle this challenge, we present HyPFuzz, a hybrid fuzzer that leverages formal verification tools to help fuzz the hard-to-reach part of the processors. To increase the effectiveness of HyPFuzz, we perform optimizations in time and space. First, we develop a scheduling strategy to prevent under- or over-utilization of the capabilities of formal tools and fuzzers. Second, we develop heuristic strategies to select points in the design space for the formal tool to target. We evaluate HyPFuzz on five widely-used open-source processors. HyPFuzz detected all the vulnerabilities detected by the most recent processor fuzzer and found three new vulnerabilities that were missed by previous extensive fuzzing and formal verification. This led to two new common vulnerabilities and exposures (CVE) entries. HyPFuzz also achieves 11.68$\times$ faster coverage than the most recent processor fuzzer.

翻译：近期研究表明，硬件模糊测试工具能有效检测现代处理器中的安全漏洞。然而，现有硬件模糊测试工具难以有效覆盖设计空间中的难达部分，导致无法充分测试处理器中安全关键的控制流与数据流逻辑，从而遗漏安全漏洞。为解决这一挑战，我们提出HyPFuzz——一种利用形式化验证工具辅助测试处理器难达部分的混合模糊测试框架。为提升HyPFuzz的有效性，我们从时间与空间两个维度进行优化：首先，设计调度策略以避免形式化工具与模糊测试工具能力的欠利用或过利用；其次，开发启发式策略以选择形式化工具在设计空间中的目标点位。我们在五个广泛使用的开源处理器上评估了HyPFuzz。实验表明，HyPFuzz不仅检测到最新处理器模糊测试工具发现的所有漏洞，还发现了三项此前广泛模糊测试与形式化验证均未发现的漏洞，并因此获得两项通用漏洞披露（CVE）编号。此外，HyPFuzz的覆盖速度相比最新处理器模糊测试工具提升11.68倍。