A curated list of research and repositories on the novel technique of hardware fuzzing. For various reasons, most existing works target RISC-V, with some exceptions.
The Emergence of Hardware Fuzzing: A Critical Review of its Significance
The Fuzz Odyssey: A Survey on Hardware Fuzzing Frameworks for Hardware Design Verification
Fuzzing Hardware Like Software | source code
HWFuzz: An FPGA-Accelerated Fuzzing Framework for Efficient RISC-V Verification
TurboFuzz: FPGA Accelerated Hardware Fuzzing for Processor Agile Verification | source code
MileSan: Detecting Exploitable Microarchitectural Leakage via Differential Hardware-Software Taint Tracking | source code
ExfilState: Automated Discovery of Timer-Free Cache Side Channels on ARM CPUs | source code and artifacts
RISCover: Automatic Discovery of User-exploitable Architectural Security Vulnerabilities in Closed-Source RISC-V CPUs | source code and artifacts
GoldenFuzz: Generative Golden Reference Hardware Fuzzing
ReFuzz: Reusing Tests for Processor Fuzzing with Contextual Bandits
DiveFuzz: Enhancing CPU Fuzzing via Diverse Instruction Construction | source code
Fuzzitizer: Hardware Sanitizer-Assisted Fuzzing for Automated SoC Vulnerability Detection (Asia CCS 2026)
Advanced Hybrid Hardware Fuzzing (DATE 2026)
What the Fuzz! Pushing Beyond Randomness in Hardware Security with Generative AI (DATE 2026)
Fuzzilicon - A Post-Silicon Microcode-Guided x86 CPU Fuzzer | source code, Zenodo
PORTRUSH: Detect Write Port Contention Side-Channel Vulnerabilities via Hardware Fuzzing
Encarsia: Evaluating CPU Fuzzers via Automatic Bug Injection | source code
Cascade: CPU Fuzzing via Intricate Program Generation | source code
FeedbackFuzz: Fuzzing Processors via Intricate Program Generation with Feedback Engine
SymbFuzz: Symbolic Execution Guided Hardware Fuzzing
BMCFuzz: Hybrid Verification of Processors by Synergistic Integration of Bound Model Checking and Fuzzing | source code
SynFuzz: Leveraging Fuzzing of Netlist to Detect Synthesis Bugs
PROFUZZ: Directed Graybox Fuzzing via Module Selection and ATPG-Guided Seed Generation | source code
Invited Paper: CURE-Fuzz: Curiosity-Driven Reinforcement Learning for Agile Hardware Testing
FuSS: Coverage-Directed Hardware Fuzzing with Selective Symbolic Execution
TREVEX: A Black-Box Detection Framework For Data-Flow Transient Execution Vulnerabilities | source code
Phantom Trails: Practical Pre-Silicon Discovery of Transient Data Leaks | source code and artifacts and this repo and PoCs
Lost and Found in Speculation: Hybrid Speculative Vulnerability Detection | Note: hardware fuzzing + IFT (Specure, not yet open source)
SpecDoctor: Differential Fuzz Testing to Find Transient Execution Vulnerabilities | source code
Revizor: Testing Black-box CPUs against Speculation Contracts | source code
Hide and Seek with Spectres: Efficient discovery of speculative information leaks with random testing | source code
AMuLeT: Automated Design-Time Testing of Secure Speculation Countermeasures | source code
Speculation at Fault: Modeling and Testing Microarchitectural Leakage of CPU Exceptions | source code and artifact
Testing side-channel security of cryptographic implementations against future microarchitectures | source code
SpecFuzz: Bringing Spectre-type vulnerabilities to the surface | source code
Blacksmith: Scalable Rowhammering in the Frequency Domain | source code
A Rowhammer Reproduction Study Using the Blacksmith Fuzzer
ZenHammer: Rowhammer Attacks on AMD Zen-based Platforms | source code
RISC-H: Rowhammer Attacks on RISC-V
TEESec: Pre-Silicon Vulnerability Discovery for Trusted Execution Environments | source code
SPEECHMINER: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities | source code
Rubicon: Precise Microarchitectural Attacks with Page-Granular Massaging | source code and Rubicon-enhanced Blacksmith Rowhammer fuzzer
TRRespass: Exploiting the Many Sides of Target Row Refresh | source code and modified TRRespass and another fork and another inspired work and Sledgehammer paper
RISCVuzz: Discovering Architectural CPU Vulnerabilities via Differential Hardware Fuzzing | source code for GhostWrite PoC
SIGFuzz: A Framework for Discovering Microarchitectural Timing Side Channels | source code
WhisperFuzz: White-Box Fuzzing for Detecting and Locating Timing Vulnerabilities in Processors | artifacts
SurgeFuzz: Surge-Aware Directed Fuzzing for CPU Designs | source code
GenFuzz: GPU-accelerated Hardware Fuzzing using Genetic Algorithm with Multiple Inputs | source code
ProcessorFuzz: Guiding Processor Fuzzing using Control and Status Registers | source code and derived project Fine-Grained Code Analysis for Processor Fuzzing
DIFUZZ RTL: Differential Fuzz Testing to Find CPU Bugs | source code
MorFuzz: Fuzzing Processor via Runtime Instruction Morphing Enhanced Synchronizable Co-simulation | source code
DejaVuzz: Disclosing Transient Execution Bugs with Dynamic Swappable Memory and Differential Information Flow Tracking assisted Processor Fuzzing | source code
Sonar: A Hardware Fuzzing Framework to Uncover Contention Side Channels in Processors
Medusa: Microarchitectural Data Leakage via Automated Attack Synthesis | source code
Effective Processor Verification with Logic Fuzzer Enhanced Co-simulation | source code for dromajo
NoCFuzzer: Automating NoC Verification in UVM | source code
VerilogReader: LLM-Aided Hardware Test Generation | source code
Bridging the Gap between Hardware Fuzzing and Industrial Verification | source code
Pre-Silicon Hardware Fuzzing Toolkit | source code
TestRIG - Testing processors with Random Instruction Generation | paper, blog post
Sandsifter: the x86 processor fuzzer | source code, python3 port, test runs repo, fork with some fixes, Black Hat talk
Work inspired by sandsifter: vmsifter, sandsifterOS, baresifter
Uncovering Hidden Instructions in Armv8-A Implementations | source code for Armshaker
iScanU: A Portable Scanner for Undocumented Instructions on RISC Processors | source code
InstrSem: Automatically and Generically Inferring Semantics of (Undocumented) CPU Instructions | source code and artifact
Osiris: Automated Discovery of Microarchitectural Side Channels | source code
Microarchitectural Leakage Templates and Their Application to Cache-Based Side Channels | source code for Plumber
ABSynthe: Automatic Blackbox Side-channel Synthesis on Commodity Microarchitectures | source code
TikTag: Breaking ARM's Memory Tagging Extension with Speculative Execution | source code
SiliFuzz: Fuzzing CPUs by proxy | source code, Reptar CPU vulnerability
PathFuzz: Broadening Fuzzing Horizons with Footprint Memory for CPUs | source code
Functional Verification for Agile Processor Development: A Case for Workflow Integration | source code
SSFuzz: Generating syntactic and semantic seeds for RISC-V Processors
Symbolic Simulation Enhanced Coverage-Directed Fuzz Testing of RTL Design | slides
Grammar-based fuzz testing for microprocessor RTL design
UISFuzz: An Efficient Fuzzing Method for CPU Undocumented Instruction Searching
Hot Fuzz: Assisting verification by fuzz testing microelectronic hardware
HyperFuzzing for SoC Security Validation | source code
Beyond Random Inputs: A Novel ML-Based Hardware Fuzzing
RLFuzz: Accelerating Hardware Fuzzing with Deep Reinforcement Learning alt link | also see HYDRANOS project
TaintFuzzer: SoC Security Verification using Taint Inference-enabled Fuzzing
SoCFuzzer: SoC Vulnerability Detection using Cost Function enabled Fuzz Testing
Detection of Hardware Trojans in SystemC HLS Designs via Coverage-guided Fuzzing
MABFuzz: Multi-Armed Bandit Algorithms for Fuzzing Processors
DirectFuzz: Automated Test Generation for RTL Designs using Directed Graybox Fuzzing
RFUZZ: Coverage-Directed Fuzz Testing of RTL on FPGAs | source code
HyPFuzz: Formal-Assisted Processor Fuzzing
RTLFUZZLAB: Building A Modular Open-Source Hardware Fuzzing Framework | source code
PSOFuzz: Fuzzing Processors with Particle Swarm Optimization
FormalFuzzer: Formal Verification Assisted Fuzz Testing for SoC Vulnerability Detection
Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
Fuzzing Hardware: Faith or Reality?
HScheduler: An execution history-based seed scheduling strategy for hardware fuzzing
FuzzWiz - Fuzzing Framework for Efficient Hardware Coverage
GenHuzz: An Efficient Generative Hardware Fuzzer | source code
HFL: Hardware Fuzzing Loop with Reinforcement Learning | source code TBD?
Accelerating Hardware Verification with Graph Models | Note: unrelated to the same-name GraphFuzz here and here
Fuzzerfly Effect: Hardware Fuzzing for Memory Safety
Trusting the Trust Anchor: Towards Detecting Cross-Layer Vulnerabilities with Hardware Fuzzing
PCBleed: Fuzzing for CPU Bugs Through Use of Performance Counters
Time and Order: Towards Automatically Identifying Side-Channel Vulnerabilities in Enclave Binaries | source code for ANABLEPS
JustSTART: How to Find an RSA Authentication Bypass on Xilinx UltraScale(+) with Fuzzing | source code
SPINALFUZZ: Coverage-Guided Fuzzing for SpinalHDL Designs | source code
Core Fuzzing - A Versatile Platform for Security Verification
Verification of Chisel Hardware Designs with ChiselVerify | source code
Towards Functional Coverage-Driven Fuzzing for Chisel Designs | source code
Exploring Coverage Metrics in Hardware Fuzzing: A Comprehensive Analysis
Unified HW/SW Coverage: A Novel Metric to Boost Coverage-guided Fuzzing for Virtual Prototype based HW/SW Co-Verification | source code for RISC-V virtual prototype
Directed Test Generation for Hardware Validation: A Survey
Achieving Last-Mile Functional Coverage in Testing Chip Design Software Implementations | repo
Verismith: Verilog hardware synthesis tool fuzzer
Bottom-Up Generation of Verilog Designs for Testing EDA Tools | source for ChiGen Verilog fuzzer with type inference and gradual code injection
Finding and Understanding Bugs in FPGA Place-and-Route Engines | source code for FUZNET
Pfuzz: go module for fuzzing Verilog simulators and synthesizers
Lost in Translation: Enabling Confused Deputy Attacks on EDA Software with TransFuzz | source code
cpufuzz is a dumb, simple and portable CPU fuzzer
CrossFire: Fuzzing macOS Cross-XPU Memory on Apple Silicon | source code
Fuzzing on a ChipWhisperer-Nano
ChipFuzzer: Towards Fuzzing Matter-based IoT Devices for Vulnerability Detection | source code
Evaluation of Hardware Fuzzing thesis proposal
Increasing Efficiency and Explainability of Hardware Verification with Fuzzing Techniques thesis proposal
Genesys-Pro: Innovations in Test Program Generation for Functional Processor Verification old paper
StressTest: an automatic approach to test generation via activity monitors old paper
EMFuzz: Use Electromagnetic Fuzzing for Automated Attack Surface Assessment of Actuators
Other methodologies (honestly these deserve their own separate list, because they are often not directly related to fuzzing; but since I found them while researching fuzzing approaches, I include them here for comparison's sake and for my own convenience)
TIUP: Effective Processor Verification with Tautology-Induced Universal Properties | source code
µRL: Discovering Transient Execution Vulnerabilities Using Reinforcement Learning
Isadora: Automated information-flow property generation for hardware security verification
Isadora: Automated Information Flow Property Generation for Hardware Designs | source code
CellIFT: Leveraging Cells for Scalable and Precise Dynamic Information Flow Tracking in RTL | source code
Validation of Side-Channel Models via Observation Refinement | source code
Shesha: Multi-head Microarchitectural Leakage Discovery in new-generation Intel Processors | source code
HardFails: Insights into Software-Exploitable Hardware Bugs
CheckMate: Automated Synthesis of Hardware Exploits and Security Litmus Tests | source code
AutoSVA: Democratizing Formal Verification of RTL Module Interactions | source code
A Survey on Assertion-based Hardware Verification
Synthesizing Hardware-Software Leakage Contracts for RISC-V Open-Source Processors | source code and artifact
A Symbolic Approach to Detecting Hardware Trojans Triggered by Don’t Care Transitions | source code
Specification and Verification of Side-channel Security for Open-source Processors via Leakage Contracts | source code
SHarPen: SoC Security Verification by Hardware Penetration Test
Hardware Support to Improve Fuzzing Performance and Precision | source code
A Methodology for Testing CPU Emulators | source code
RVISmith: Fuzzing Compilers for RVV Intrinsics | source code and artifacts
End-to-End Automated Exploit Generation for Validating the Security of Processor Designs | source code
RTL-ConTest: Concolic Testing on RTL for Detecting Security Vulnerabilities | source code
Automatic Test Generator for SystemVerilog based on concolic testing
RTL Verification for Secure Speculation Using Contract Shadow Logic | source code
Processor Verification by Equivalent Program Execution
PhyFuzz: Detecting Sensor Vulnerabilities with Physical Signal Fuzzing
mchammer - synthesizing hardware machine check exceptions for processor exploitation and privilege escalation | toolkit includes machine check synthesis kernel module and Northbridge MCE fuzzer
Education materials:
Secure hardware design course at MIT has a CPU fuzzing lab: