AI Summary
Side-channel security verification of modern processors faces scalability challenges, and hardware fuzzing struggles to detect information leaks (e.g., Spectre). To address this, we propose a coverage-guided hardware-software leakage-contract fuzzing methodology. Our approach introduces three key contributions: (1) a self-composition framework that explicitly exposes microarchitectural state divergences to characterize information leakage; (2) SCD (Self-Composition Deviation), the first security-oriented coverage metric, which guides the fuzzer toward execution paths violating the leakage contract; and (3) integration into a RISC-V microarchitecture simulator, with empirical validation on Rocket and BOOM cores. Compared to unguided fuzzing, our method significantly improves vulnerability detection efficiency. It bridges a critical gap between functional testing and formal verification, enabling scalable, practical, and security-aware microarchitectural validation.
Abstract
Hardware-software leakage contracts have emerged as a formalism for specifying side-channel security guarantees of modern processors, yet verifying that a complex hardware design complies with its contract remains a major challenge. While verification provides strong guarantees, current verification approaches struggle to scale to industrial-sized designs. Conversely, prevalent hardware fuzzing approaches are designed to find functional correctness bugs, but are blind to information leaks like Spectre. To bridge this gap, we introduce a novel and scalable approach: coverage-guided hardware-software contract fuzzing. Our methodology leverages a self-compositional framework to make information leakage directly observable as microarchitectural state divergence. The core of our contribution is a new, security-oriented coverage metric, Self-Composition Deviation (SCD), which guides the fuzzer to explore execution paths that violate the leakage contract. We implemented this approach and performed an extensive evaluation on two open-source RISC-V cores: the in-order Rocket Core and the complex out-of-order BOOM core. Our results demonstrate that coverage-guided strategies outperform unguided fuzzing and that increased microarchitectural coverage leads to a faster discovery of security vulnerabilities in the BOOM core.
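The self-composition idea in the abstract, as a constructed toy illustration that is not the paper's implementation: a tiny in-order core with a cache is executed twice on programs that differ only in a secret register, a leakage contract ("pc": observer sees control flow only; "ct": observer also sees load addresses) defines which traces must agree, and a contract violation is a pair of runs with equal contract traces but diverging cache state. The "deviation score" (count of differing cache lines) and the mutate-and-keep fuzz loop are assumed stand-ins for SCD and the paper's coverage-guided fuzzer, not their actual definitions.

```python
import random

LINE = 4    # words per cache line
MEM = 64    # words of memory

def execute(program, secret, contract):
    """Run a toy in-order core and return (contract_trace, microarchitectural_state).
    contract_trace is what the leakage contract permits an observer to learn
    ("pc": control flow only; "ct": control flow plus load addresses).
    The cache's set of resident lines is the microarchitectural state.
    """
    regs = {"s": secret % MEM, "p": 0}   # s: secret register, p: public register
    cache, trace = set(), []
    for pc, (op, *args) in enumerate(program):
        trace.append(("pc", pc))
        if op == "load":                  # touch mem[regs[src]]
            addr = regs[args[0]]
            if contract == "ct":
                trace.append(("addr", addr))
            cache.add(addr // LINE)       # side effect invisible at the ISA level
        elif op == "addi":                # dst = (dst + imm) mod MEM
            regs[args[0]] = (regs[args[0]] + args[1]) % MEM
    return tuple(trace), frozenset(cache)

def self_compose(program, s1, s2, contract):
    """Two runs differing only in the secret. A contract violation is a pair
    whose contract traces agree while the cache states differ; the number of
    differing cache lines is used here as a stand-in deviation score (assumed)."""
    t1, m1 = execute(program, s1, contract)
    t2, m2 = execute(program, s2, contract)
    return len(m1 ^ m2) if t1 == t2 else 0

def fuzz(contract, rounds, seed=0):
    """Coverage-guided loop: a mutated program is kept only if it raises the
    deviation score, steering the search toward contract violations."""
    rng = random.Random(seed)
    best_program, best = [("addi", "p", 8), ("load", "p")], 0
    for _ in range(rounds):
        cand = list(best_program)
        mutation = rng.choice([("load", "s"), ("load", "p"),
                               ("addi", "s", rng.randrange(MEM)),
                               ("addi", "p", rng.randrange(MEM))])
        cand.insert(rng.randrange(len(cand) + 1), mutation)
        score = max(self_compose(cand, rng.randrange(MEM), rng.randrange(MEM),
                                 contract) for _ in range(8))
        if score > best:
            best_program, best = cand, score
    return best_program, best
```

Running `fuzz("pc", 200)` finds a secret-indexed load as a violation, while `fuzz("ct", 200)` scores 0 because this toy cache reveals nothing beyond load addresses, which the "ct" contract already exposes.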