BPUFuzzer: Effective Fuzz Testing for Branching Transient Execution Vulnerabilities of RISC-V CPU

Rihui Sun; Jin Wu; Hanyin Liu; Zikang Tao; Gang Qu; Dongsheng Wang; Yongqiang Lyu; Jian Dong

doi:10.1109/DAC63849.2025.11133085

BPUFuzzer: Effective Fuzz Testing for Branching Transient Execution Vulnerabilities of RISC-V CPU

Rihui Sun
, Jin Wu
, Hanyin Liu
, Zikang Tao
, Gang Qu
, Dongsheng Wang
, Yongqiang Lyu
, Jian Dong^*

^*Corresponding author for this work

Faculty of Computing

Harbin Institute of Technology
University of Maryland, College Park
Tsinghua University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

This paper presents BPUFuzzer, a fuzz testing tool for detecting branching transient execution vulnerabilities in CPU RTL design. BPUFuzzer addresses two key challenges: generating testcases that capture complex control flows, and extracting essential data from vast hardware states to guide testcase selection. Utilizing a control flow graph-based testcase generation strategy with anomaly detection and employing fitness and coverage metrics, BPUFuzzer works on testcases that cover broader program flows and deliberately selects testcases to discover transient execution vulnerabilities effectively. When applied on RISC-V Boom v3, BPUFuzzer uncovered more Spectre types than the state-of-the-arts, including a previously unidentified variant, named Spectre-LOOP.

Original language	English
Title of host publication	2025 62nd ACM/IEEE Design Automation Conference, DAC 2025
Publisher	Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic)	9798331503048
DOIs	https://doi.org/10.1109/DAC63849.2025.11133085
State	Published - 2025
Event	62nd ACM/IEEE Design Automation Conference, DAC 2025 - San Francisco, United States Duration: 22 Jun 2025 → 25 Jun 2025

Publication series

Name	Proceedings - Design Automation Conference
ISSN (Print)	0738-100X

Conference

Conference	62nd ACM/IEEE Design Automation Conference, DAC 2025
Country/Territory	United States
City	San Francisco
Period	22/06/25 → 25/06/25

Access to Document

10.1109/DAC63849.2025.11133085

Cite this

Sun, R., Wu, J., Liu, H., Tao, Z., Qu, G., Wang, D., Lyu, Y., & Dong, J. (2025). BPUFuzzer: Effective Fuzz Testing for Branching Transient Execution Vulnerabilities of RISC-V CPU. In 2025 62nd ACM/IEEE Design Automation Conference, DAC 2025 (Proceedings - Design Automation Conference). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/DAC63849.2025.11133085

@inproceedings{4489bebf04354a98b1222d2d402655d6,

title = "BPUFuzzer: Effective Fuzz Testing for Branching Transient Execution Vulnerabilities of RISC-V CPU",

abstract = "This paper presents BPUFuzzer, a fuzz testing tool for detecting branching transient execution vulnerabilities in CPU RTL design. BPUFuzzer addresses two key challenges: generating testcases that capture complex control flows, and extracting essential data from vast hardware states to guide testcase selection. Utilizing a control flow graph-based testcase generation strategy with anomaly detection and employing fitness and coverage metrics, BPUFuzzer works on testcases that cover broader program flows and deliberately selects testcases to discover transient execution vulnerabilities effectively. When applied on RISC-V Boom v3, BPUFuzzer uncovered more Spectre types than the state-of-the-arts, including a previously unidentified variant, named Spectre-LOOP.",

author = "Rihui Sun and Jin Wu and Hanyin Liu and Zikang Tao and Gang Qu and Dongsheng Wang and Yongqiang Lyu and Jian Dong",

note = "Publisher Copyright: {\textcopyright} 2025 IEEE.; 62nd ACM/IEEE Design Automation Conference, DAC 2025 ; Conference date: 22-06-2025 Through 25-06-2025",

year = "2025",

doi = "10.1109/DAC63849.2025.11133085",

language = "英语",

series = "Proceedings - Design Automation Conference",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

booktitle = "2025 62nd ACM/IEEE Design Automation Conference, DAC 2025",

address = "美国",

}

Sun, R, Wu, J, Liu, H, Tao, Z, Qu, G, Wang, D, Lyu, Y & Dong, J 2025, BPUFuzzer: Effective Fuzz Testing for Branching Transient Execution Vulnerabilities of RISC-V CPU. in 2025 62nd ACM/IEEE Design Automation Conference, DAC 2025. Proceedings - Design Automation Conference, Institute of Electrical and Electronics Engineers Inc., 62nd ACM/IEEE Design Automation Conference, DAC 2025, San Francisco, United States, 22/06/25. https://doi.org/10.1109/DAC63849.2025.11133085

BPUFuzzer: Effective Fuzz Testing for Branching Transient Execution Vulnerabilities of RISC-V CPU. / Sun, Rihui; Wu, Jin; Liu, Hanyin et al.
2025 62nd ACM/IEEE Design Automation Conference, DAC 2025. Institute of Electrical and Electronics Engineers Inc., 2025. (Proceedings - Design Automation Conference).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - BPUFuzzer

T2 - 62nd ACM/IEEE Design Automation Conference, DAC 2025

AU - Sun, Rihui

AU - Wu, Jin

AU - Liu, Hanyin

AU - Tao, Zikang

AU - Qu, Gang

AU - Wang, Dongsheng

AU - Lyu, Yongqiang

AU - Dong, Jian

PY - 2025

Y1 - 2025

N2 - This paper presents BPUFuzzer, a fuzz testing tool for detecting branching transient execution vulnerabilities in CPU RTL design. BPUFuzzer addresses two key challenges: generating testcases that capture complex control flows, and extracting essential data from vast hardware states to guide testcase selection. Utilizing a control flow graph-based testcase generation strategy with anomaly detection and employing fitness and coverage metrics, BPUFuzzer works on testcases that cover broader program flows and deliberately selects testcases to discover transient execution vulnerabilities effectively. When applied on RISC-V Boom v3, BPUFuzzer uncovered more Spectre types than the state-of-the-arts, including a previously unidentified variant, named Spectre-LOOP.

AB - This paper presents BPUFuzzer, a fuzz testing tool for detecting branching transient execution vulnerabilities in CPU RTL design. BPUFuzzer addresses two key challenges: generating testcases that capture complex control flows, and extracting essential data from vast hardware states to guide testcase selection. Utilizing a control flow graph-based testcase generation strategy with anomaly detection and employing fitness and coverage metrics, BPUFuzzer works on testcases that cover broader program flows and deliberately selects testcases to discover transient execution vulnerabilities effectively. When applied on RISC-V Boom v3, BPUFuzzer uncovered more Spectre types than the state-of-the-arts, including a previously unidentified variant, named Spectre-LOOP.

UR - https://www.scopus.com/pages/publications/105017791688

U2 - 10.1109/DAC63849.2025.11133085

DO - 10.1109/DAC63849.2025.11133085

M3 - 会议稿件

AN - SCOPUS:105017791688

T3 - Proceedings - Design Automation Conference

BT - 2025 62nd ACM/IEEE Design Automation Conference, DAC 2025

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 22 June 2025 through 25 June 2025

ER -

BPUFuzzer: Effective Fuzz Testing for Branching Transient Execution Vulnerabilities of RISC-V CPU

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Cite this