{"id":19984505,"url":"https://github.com/intellabs/presifuzz","last_synced_at":"2025-08-20T14:31:07.258Z","repository":{"id":64056401,"uuid":"572116075","full_name":"IntelLabs/PreSiFuzz","owner":"IntelLabs","description":"Pre-Silicon Hardware Fuzzing Toolkit","archived":false,"fork":false,"pushed_at":"2024-10-22T15:56:41.000Z","size":4027,"stargazers_count":54,"open_issues_count":1,"forks_count":4,"subscribers_count":6,"default_branch":"main","last_synced_at":"2024-12-06T01:51:37.386Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/IntelLabs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSES/Apache-2.0.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-11-29T15:31:42.000Z","updated_at":"2024-11-21T17:31:53.000Z","dependencies_parsed_at":"2024-04-12T16:43:51.929Z","dependency_job_id":"d5034b9a-78f5-4520-84e8-54df43857995","html_url":"https://github.com/IntelLabs/PreSiFuzz","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IntelLabs%2FPreSiFuzz","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IntelLabs%2FPreSiFuzz/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IntelLabs%2FPreSiFuzz/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IntelLabs%2FPreSiFuzz/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/IntelLabs","download_url":"https://codeload.gi
thub.com/IntelLabs/PreSiFuzz/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":230431100,"owners_count":18224655,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-13T04:19:13.865Z","updated_at":"2025-08-20T14:31:07.251Z","avatar_url":"https://github.com/IntelLabs.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003c!--\nSPDX-FileCopyrightText: 2022 Intel Corporation\n\nSPDX-License-Identifier: Apache-2.0\n--\u003e\n\n# Disclaimer\nAll components are provided for research and validation purposes only. Use at your own risk.\n\n# Pre-Silicon Hardware Fuzzing Toolkit\nFrom CPU to GPU and IPU, the complexity of digital hardware design is\nincreasing rapidly. This makes it more difficult to verify and/or test.\nHowever, detecting bugs before the hardware design is manufactured is a serious\nconcern. This is because silicon chips often have no upgrade capability, making\nbugs persistent. In this repository, we provide building blocks to apply \nadvanced software testing techniques to pre-silicon hardware testing.\nThese blocks are based on LibAFL, a modern framework for building software\nfuzzers.\n\n# Supported OS\n\nThis tool has only been tested on Linux-based operating systems, especially Ubuntu 20.04 LTS.\n\n# Dependencies\n\nThis framework relies on the VCS simulator to simulate the hardware design and\nVERDI to extract coverage information. Please refer to the official\ndocumentation to install these tools. 
Please note that some of these tools may\nrequire a specific license scheme.\n\n# Installation\n\nThis library is mostly designed around the Rust language. \nFor this reason, the initial step is to install 'Cargo'. \nThis can be easily done with the following command:\n```\ncurl https://sh.rustup.rs -sSf | sh\n```\n\nThen, let's clone and build this tool: \n```\ngit clone https://github.com/IntelLabs/PreSiFuzz PreSiFuzz\n\ncd PreSiFuzz\n\ncargo build\n```\n\n# Fuzzing Example\n\nTo start playing with the tool, the secworks example is a good candidate.\nYou can quickly get it running using the following commands:\n```\ncd secworks-vcs\ncargo build\nAFL_LAUNCHER_CLIENT=1 ./target/debug/secworks-vcs\n```\n*Note: `AFL_LAUNCHER_CLIENT` is an environment variable required to start a unique fuzzer instance.\nStarting the fuzzer with this environment variable undefined starts a monitor only.*\n\n# Example targets\n\nThe target directory contains example designs that demonstrate the approach.\n\n* [OpenTitan](/doc/opentitan.md)\n* [CVA6](/fuzzers/cva6-vcs-fuzzer/README.md)\n* [Chipyard with Rocket](/fuzzers/chipyard-vcs-fuzzer/README.md)\n\n\n# Documentation Components Overview\n\nThis documentation describes the various components used in our system, including Observers, Feedback, Mutators, Schedulers, and Stages. Each component plays a critical role in the overall functioning and efficiency of the system. Below is a detailed description of each component:\n![Overview of typical execution flow for LibAFL/PreSiFuzz](./doc/overview.jpg)\n\n## Observers\n\nObservers collect information after the execution of test cases by the simulator(s) or emulator(s). The different types of observers available in `libpresifuzz_observers` include:\n\n- **`verdi_xml_observer`**: This observer extracts code coverage information from XML files produced by VCS. 
The generated bitmap assigns one bit per coverage point, with 0 indicating uncovered and 1 indicating covered points.\n- **`trace_observer`**: This observer parses execution trace logs from various tools, including Spike and simulated Rocket cores. The collected information can be used for additional coverage guidance or for identifying trace mismatches (see `differential_feedback`).\n\n## Feedback\n\nFeedback components analyze the extracted information from the observers and return a single boolean signal indicating whether the feedback is interesting or not. Some feedback options include:\n\n- **`verdi_xml_feedback`**: Used for coverage feedback, it tracks any code coverage metrics for VCS. You can also track `assert` coverage and use it as an objective for bug detection.\n\n## Mutators\n\nWe have extended LibAFL mutators with RISCV-specific mutators. These mutators can delete, insert, or change opcodes and operands of instructions in a test case. Although their behavior is quite generic, the ISA definition is automatically generated using `riscv-opcodes`. This ISA layer is saved in `libpresifuzz_riscv/cpu_profile.rs`. Use the `parse.py` script to generate a new `cpu_profile` using `riscv-opcodes`.\n![Example of RISCV mutations](./doc/mutation.jpg)\n\n## Schedulers\n\nWe have implemented a naive minimizer scheduler compatible with our `verdi_xml_observers`. This scheduler computes a subset of test cases from the corpus, aiming to maximize coverage.\n\n## Stages\n\nStages are logical units executed within the fuzzer pipeline. We have extended the LibAFL SyncOnDiskStage to replace the LLMP layer with a simple system-file-based synchronization layer. Since hardware fuzzing has a relatively slow throughput, using system files to synchronize fuzzers is rarely a bottleneck. It also scales easily on servers with NFS available. 
Fuzzer instances save serialized information into a `sync` directory, which contains observers, test cases, and some statistical information for monitoring. Additionally, we offer a `URGStage` to merge `vdb` reports into system files during fuzzing campaigns, saving disk space over time.\n\n## Event Communication (EC) Library\n\nThe EC library is a replacement for LLMP, providing an event manager to handle fired events. It simply saves new test case events into the system file and ignores other events.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fintellabs%2Fpresifuzz","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fintellabs%2Fpresifuzz","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fintellabs%2Fpresifuzz/lists"}