Fuzz Wars: The Voltage Awakens - Voltage-Guided Blackbox Fuzzing on FPGAs

The growing complexity and size of hardware designs necessitates novel, scalable approaches to verification, as latent bugs and security flaws have devastating impact. This is especially critical since bugs in hardware designs cannot be patched after manufacturing. Currently, dynamic verification is the predominant methodology for detecting hardware design flaws, where detection efficiency is primarily determined by the choice of (random) inputs to the design under test. More elaborate recent methods adapt principles from greybox software fuzzing to achieve high coverage in short time. However, these existing greybox methods rely on heavy instrumentation or software conversion, which requires access to the design source code. Fuzing of blackbox hardware designs has only been possible with random, undirected input generation up until now, which requires a long time to cover the majority of possible hardware states. In this work, we propose FUZZ-E, a novel scalable method for coverage-guided hardware design fuzzing, where coverage is indirectly estimated through on-chip voltage measurements on FPGAs. The side-channel-based FUZZ-E approach enables testing blackbox hardware designs without requiring access to any internal signals. We provide an extensive analysis of the correlation between hardware design coverage and voltage fluctuations, and show how FUZZ-E significantly reduces the verification time required to achieve desirable design coverage.