PROFUZZ: Directed Graybox Fuzzing via Module Selection and ATPG-Guided Seed Generation
PROFUZZ is a directed graybox fuzzing framework for hardware designs that aims to maximize activation of deep internal signals in RTL and gate-level netlists. Unlike DirectFuzz, which relies on software-translated RTL, PROFUZZ operates natively on hardware, supports hierarchical module-level targeting, and integrates ATPG-guided seed generation to systematically drive internal nodes and boost target-site coverage. PROFUZZ is fully compatible with industry-standard Electronic Design Automation (EDA) tools, ensuring seamless integration into existing design and verification flows. Experimental results show that PROFUZZ outperforms DirectFuzz with 30x greater scalability in terms of handling target sites, 11.66% higher coverage, and 2.76x faster execution, demonstrating its potential to advance the state-of-the-art in directed hardware fuzzing.
The paper will be presented at ICCAD 2025, and the framework can be found here.
PROFUZZ Flow
PROFUZZ operates in three coordinated stages to achieve deep signal activation in hardware designs. First, the RTL or gate-level circuit is converted into a hypergraph, and PROFUZZ identifies high-value internal signals to target using configurable selection strategies. Next, it performs conflict and fan-in analysis on these target nets and leverages ATPG to generate activation patterns. Compatible patterns are merged into compact, high-quality seed vectors that maximize mutation potential. Finally, PROFUZZ enters a directed fuzzing loop where these seeds are mutated, applied to the design, and evaluated through hardware simulation. Seeds that successfully trigger new internal signal activities are retained and evolved, enabling systematic exploration and progressive coverage improvement across the design until the defined coverage goal or timeout is reached.
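The seed-construction step above (conflict analysis followed by merging compatible ATPG patterns into compact seed vectors) can be illustrated with a small worked example. The code below is an added example written for this page, not code from the PROFUZZ framework or the paper: it assumes that ATPG returns one activation pattern per target net as a string over `{0, 1, X}` (`X` = don't-care), that two patterns conflict when some input position carries opposing care bits, and that merging is done greedily, most-constrained pattern first. The net names and patterns are constructed sample data.

```python
from typing import Dict, List

# Constructed example (not from the paper): ATPG-style activation patterns for
# four hypothetical target nets of a 6-input block. 'X' is a don't-care input bit.
ACTIVATION_PATTERNS: Dict[str, str] = {
    "net_a": "1X0XX1",
    "net_b": "X10XXX",
    "net_c": "0XX1XX",
    "net_d": "XX0X1X",
}


def compatible(p: str, q: str) -> bool:
    """Conflict analysis: two patterns are compatible when no input position
    requires opposing care bits (0 vs 1)."""
    if len(p) != len(q):
        raise ValueError("pattern widths differ")
    return all(a == "X" or b == "X" or a == b for a, b in zip(p, q))


def merge(p: str, q: str) -> str:
    """Merge two compatible patterns; a care bit always wins over a don't-care."""
    if not compatible(p, q):
        raise ValueError("cannot merge conflicting patterns")
    return "".join(b if a == "X" else a for a, b in zip(p, q))


def care_bits(p: str) -> int:
    """Number of constrained (non-X) positions in a pattern."""
    return sum(c != "X" for c in p)


def merge_patterns(patterns: Dict[str, str]) -> List[dict]:
    """Greedy first-fit merge of per-net activation patterns into seeds.

    Returns a list of {"pattern": merged care-bit pattern, "nets": [covered nets]}.
    Most-constrained patterns are placed first so that loosely constrained
    patterns can fill the remaining don't-care positions of existing seeds.
    """
    seeds: List[dict] = []
    for net, pat in sorted(patterns.items(), key=lambda kv: -care_bits(kv[1])):
        for seed in seeds:
            if compatible(seed["pattern"], pat):
                seed["pattern"] = merge(seed["pattern"], pat)
                seed["nets"].append(net)
                break
        else:
            # Conflicts with every existing seed: start a new one.
            seeds.append({"pattern": pat, "nets": [net]})
    return seeds


def finalize(seed_pattern: str, fill: str = "0") -> str:
    """Turn a merged care-bit pattern into a concrete input vector; the X
    positions are the mutation-friendly bits a fuzzer is free to change."""
    return seed_pattern.replace("X", fill)


if __name__ == "__main__":
    for seed in merge_patterns(ACTIVATION_PATTERNS):
        print(seed["pattern"], "->", finalize(seed["pattern"]), "covers", seed["nets"])
```

With the constructed patterns, `net_a`, `net_b` and `net_d` merge into one seed (`110X11`) while `net_c` conflicts on the first input and gets its own seed, so four target nets are served by two seed vectors; the remaining `X` positions are exactly the bits the fuzzing loop can mutate without losing the activation guarantee.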
How are the Target Sites Selected?
PROFUZZ offers two modes for target site selection: 1) random selection of target signals, and 2) cost-function-based selection of target signals, using metrics such as logic depth, fan-in cone size, and edge connectivity.
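To make the two selection modes concrete, the following added example (written for this page; it is not the PROFUZZ framework's own code) ranks the internal nets of a small constructed gate-level netlist by a weighted cost function over the three metrics named above, and also shows the seeded random mode. The netlist representation, the metric definitions (logic depth as the longest gate path from a primary input, fan-in cone size as the number of nets in the transitive fan-in, edge connectivity as fan-out count), the default weights and the exclusion of primary outputs from the candidate set are all assumptions of this example.

```python
import random
from typing import Dict, List, Set, Tuple

# Constructed gate-level netlist (not from the paper): net -> (gate type, fan-in nets).
# Primary inputs (a, b, c, d) have no driver entry; 'out' is the only primary output.
NETLIST: Dict[str, Tuple[str, List[str]]] = {
    "n1": ("AND", ["a", "b"]),
    "n2": ("OR", ["c", "d"]),
    "n3": ("XOR", ["n1", "c"]),
    "n4": ("AND", ["n2", "n3"]),
    "n5": ("NOT", ["n4"]),
    "out": ("OR", ["n5", "d"]),
}
PRIMARY_OUTPUTS: Set[str] = {"out"}


def logic_depth(netlist: Dict[str, Tuple[str, List[str]]], net: str, memo: Dict[str, int]) -> int:
    """Longest gate path from any primary input to `net` (primary inputs have depth 0)."""
    if net in memo:
        return memo[net]
    if net not in netlist:  # undriven net: a primary input
        depth = 0
    else:
        _, fanins = netlist[net]
        depth = 1 + max(logic_depth(netlist, f, memo) for f in fanins)
    memo[net] = depth
    return depth


def fanin_cone(netlist: Dict[str, Tuple[str, List[str]]], net: str) -> Set[str]:
    """All nets in the transitive fan-in of `net`, excluding `net` itself."""
    cone: Set[str] = set()
    stack = list(netlist[net][1]) if net in netlist else []
    while stack:
        n = stack.pop()
        if n in cone:
            continue
        cone.add(n)
        if n in netlist:
            stack.extend(netlist[n][1])
    return cone


def fanout_count(netlist: Dict[str, Tuple[str, List[str]]]) -> Dict[str, int]:
    """Edge connectivity: how many gates consume each net."""
    counts: Dict[str, int] = {}
    for _, fanins in netlist.values():
        for f in fanins:
            counts[f] = counts.get(f, 0) + 1
    return counts


def score_internal_nets(netlist, primary_outputs, weights=(1.0, 0.5, 0.25)) -> Dict[str, float]:
    """Cost function: higher score = deeper, harder-to-reach internal signal.
    `weights` are (w_depth, w_cone, w_fanout); defaults are an assumption of this example."""
    w_depth, w_cone, w_fanout = weights
    memo: Dict[str, int] = {}
    fanouts = fanout_count(netlist)
    scores: Dict[str, float] = {}
    for net in netlist:
        if net in primary_outputs:  # only internal nets are candidates
            continue
        scores[net] = (w_depth * logic_depth(netlist, net, memo)
                       + w_cone * len(fanin_cone(netlist, net))
                       + w_fanout * fanouts.get(net, 0))
    return scores


def select_targets_by_cost(netlist, primary_outputs, k: int, weights=(1.0, 0.5, 0.25)) -> List[str]:
    """Mode 2: the k highest-cost internal nets (ties broken by name for determinism)."""
    scores = score_internal_nets(netlist, primary_outputs, weights)
    return sorted(scores, key=lambda n: (-scores[n], n))[:k]


def select_targets_randomly(netlist, primary_outputs, k: int, seed: int = 0) -> List[str]:
    """Mode 1: k internal nets drawn uniformly at random (seeded for reproducibility)."""
    rng = random.Random(seed)
    internal = sorted(n for n in netlist if n not in primary_outputs)
    return rng.sample(internal, k)


if __name__ == "__main__":
    print("cost-based:", select_targets_by_cost(NETLIST, PRIMARY_OUTPUTS, 2))
    print("random:    ", select_targets_randomly(NETLIST, PRIMARY_OUTPUTS, 2, seed=1))
```

On the constructed netlist the cost-based mode picks `n5` and `n4`, the two nets furthest from the primary inputs with the largest fan-in cones, which is the kind of deep internal signal the page says PROFUZZ aims to activate; the random mode returns a reproducible but metric-blind sample for comparison.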
Can PROFUZZ detect bugs?
No, PROFUZZ does not aim to detect bugs. Like DirectFuzz, it is a directed seed-generation and coverage-enhancement framework that leverages ATPG and guided fuzzing to systematically activate deep internal signals in RTL and gate-level designs.
Is PROFUZZ scalable?
PROFUZZ can handle 2x-30x more target site signals than DirectFuzz.
How does PROFUZZ handle overheads for target sites in large designs?
PROFUZZ reduces overhead by isolating a submodule containing the selected target signals and generating directed seeds for it first. These seeds are then applied to the full design iteratively. This two-step flow minimizes instrumentation and simulation costs while preserving high target-site coverage on large designs.
