Hardware fuzzing has emerged as one of the key techniques for finding security flaws in modern hardware designs by exercising a wide range of input scenarios. A central challenge is creating high-quality input seeds that maximize coverage and speed up verification. Coverage-Guided Fuzzing (CGF) methods explore a design more effectively, but they struggle to focus on specific parts of the hardware. Existing Directed Gray-box Fuzzing (DGF) techniques such as DirectFuzz try to solve this by generating targeted tests, but they have major drawbacks: they support only a limited set of hardware description languages, do not scale well to large circuits, and suffer from abstraction mismatches between the fuzzed model and the design. To address these problems, we introduce PROFUZZ, a novel framework that follows the DGF approach and combines fuzzing with Automatic Test Pattern Generation (ATPG). By leveraging ATPG's structural analysis of the netlist, PROFUZZ generates precise input seeds that reach specific design regions more effectively while maintaining high fuzzing throughput. Our experiments show that PROFUZZ scales 30x better than DirectFuzz when handling multiple target sites, improves coverage by 11.66%, and runs 2.76x faster, highlighting its scalability and effectiveness for directed fuzzing of complex hardware systems.
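The following is an added illustration, not PROFUZZ's code or an account of its implementation, of the idea the abstract describes: an ATPG-style line-justification step derives an input vector that drives a chosen target net to a chosen value, and that vector becomes the seed of a coverage-guided bit-flip fuzzer, so the fuzzer starts inside the target region instead of having to find it by chance. The gate-level netlist, net names (`trigger`, `p0`..`p3`), the 12-bit `MAGIC` constant guarding the target region, and the (net, value) coverage metric are all constructed for the demo.

```python
"""Added illustration (not PROFUZZ's code): ATPG-style line justification used
to build a seed for directed fuzzing of a toy gate-level netlist.  The netlist,
net names, 12-bit MAGIC constant and coverage metric are all constructed here."""
import random

NUM_INPUTS = 16          # primary inputs i0..i15
MAGIC = 0xA5C            # constructed: 'trigger' is 1 only when i0..i11 == MAGIC

OPS = {"AND": lambda a, b: a & b, "OR": lambda a, b: a | b,
       "XOR": lambda a, b: a ^ b, "NOT": lambda a, b: 1 - a}


def build_netlist():
    """Return gates as (out, op, in_a, in_b) tuples in topological order."""
    gates, lits = [], []
    for k in range(12):                      # literal k is i_k or NOT i_k
        if (MAGIC >> k) & 1:
            lits.append(f"i{k}")
        else:
            gates.append((f"n{k}", "NOT", f"i{k}", None))
            lits.append(f"n{k}")
    prev = lits[0]
    for k in range(1, 12):                   # AND chain ending in 'trigger'
        out = "trigger" if k == 11 else f"a{k}"
        gates.append((out, "AND", prev, lits[k]))
        prev = out
    # Target region: logic that is only exercised once trigger == 1
    gates += [("p0", "AND", "trigger", "i12"), ("p1", "AND", "trigger", "i13"),
              ("p2", "XOR", "p0", "p1"), ("p3", "OR", "p2", "i14")]
    return gates


def simulate(gates, vector):
    """Evaluate every net for one 16-bit input vector; returns net -> 0/1."""
    vals = {f"i{k}": (vector >> k) & 1 for k in range(NUM_INPUTS)}
    for out, op, a, b in gates:
        vals[out] = OPS[op](vals[a], vals[b] if b else 0)
    return vals


def justify(drivers, net, val, assign):
    """ATPG line justification with full backtracking: yield every partial
    assignment (net -> value) extending 'assign' in which 'net' equals 'val'."""
    if net in assign:                        # reconvergent net: must agree
        if assign[net] == val:
            yield assign
        return
    if net not in drivers:                   # primary input: fix it
        yield {**assign, net: val}
        return
    op, a, b = drivers[net]
    if op == "NOT":
        choices = [[(a, 1 - val)]]
    elif op == "AND":
        choices = [[(a, 1), (b, 1)]] if val else [[(a, 0)], [(b, 0)]]
    elif op == "OR":
        choices = [[(a, 1)], [(b, 1)]] if val else [[(a, 0), (b, 0)]]
    else:                                    # XOR
        choices = [[(a, 0), (b, val)], [(a, 1), (b, 1 - val)]]
    for todo in choices:
        yield from _justify_all(drivers, todo, {**assign, net: val})


def _justify_all(drivers, todo, assign):
    """Justify a list of (net, value) requirements jointly."""
    if not todo:
        yield assign
        return
    for ext in justify(drivers, todo[0][0], todo[0][1], assign):
        yield from _justify_all(drivers, todo[1:], ext)


def atpg_seed(gates, target, val=1):
    """First input vector that drives target == val; unassigned inputs are 0.
    Returns None when the value is unjustifiable (e.g. redundant logic)."""
    drivers = {out: (op, a, b) for out, op, a, b in gates}
    for assign in justify(drivers, target, val, {}):
        return sum(assign.get(f"i{k}", 0) << k for k in range(NUM_INPUTS))
    return None


def fuzz(gates, seed, iters, rng=None):
    """Coverage-guided bit-flip fuzzing from one seed.  Coverage is the set of
    (net, value) pairs observed.  Returns (coverage, iteration at which
    trigger == 1 was first observed, or None if never)."""
    rng = rng or random.Random(0)
    corpus, coverage, first_hit = [seed], set(), None
    for it in range(iters):
        cand = seed if it == 0 else rng.choice(corpus) ^ (1 << rng.randrange(NUM_INPUTS))
        vals = simulate(gates, cand)
        if vals["trigger"] == 1 and first_hit is None:
            first_hit = it
        new = set(vals.items()) - coverage
        if new:                              # keep inputs that add coverage
            coverage |= new
            corpus.append(cand)
    return coverage, first_hit


if __name__ == "__main__":
    gates = build_netlist()
    seed = atpg_seed(gates, "trigger")
    print(f"ATPG seed for trigger=1: {seed:#06x}")
    for name, s in [("random seed", 0), ("ATPG seed", seed)]:
        cov, hit = fuzz(gates, s, 2000, random.Random(7))
        print(f"{name:12s}: trigger first hit at iteration {hit}")
```

The `justify` generator is the structural part: it walks backwards from the target through the gate drivers, enumerating input assignments that force the requested value and rejecting any that conflict on a reconvergent net, which is what a plain random seed cannot do. A seed chosen by `atpg_seed` satisfies the 12-bit guard on its very first execution, whereas a random seed reaches it with probability 2^-12 per execution; the same justification can be aimed at any named net (`atpg_seed(gates, "p2", 1)`), which is the multi-target-site case the abstract mentions.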