Existing RTL fuzzing fails to detect hardware vulnerabilities introduced during synthesis—such as gate-level translation errors and malicious library-mapping backdoors. Method: We propose the first gate-level netlist fuzzing framework, featuring: (i) a synthesis-aware gate-level coverage metric; (ii) differential fuzzing to identify anomalous behavior in library components; (iii) the CLiMA attack model to assess library-level adversarial risks; and (iv) joint optimization of EDA tool parameters with formal verification for comparative analysis. Contributions/Results: Our framework discovers seven previously unknown synthesis-stage vulnerabilities in open-source processors and IP cores; successfully executes malicious library-mapping attacks that evade Cadence Conformal equivalence checking; and empirically demonstrates its effectiveness in complementing industrial-grade formal verification. This work bridges a critical gap in hardware fuzzing by extending coverage from RTL to the gate level.

In the evolving landscape of integrated circuit (IC) design, the increasing complexity of modern processors and intellectual property (IP) cores has introduced new challenges in ensuring design correctness and security. The recent advancements in hardware fuzzing techniques have shown their efficacy in detecting hardware bugs and vulnerabilities at the RTL abstraction level of hardware. However, they suffer from several limitations, including an inability to address vulnerabilities introduced during synthesis and gate-level transformations. These methods often fail to detect issues arising from library adversaries, where compromised or malicious library components can introduce backdoors or unintended behaviors into the design. In this paper, we present a novel hardware fuzzer, SynFuzz, designed to overcome the limitations of existing hardware fuzzing frameworks. SynFuzz focuses on fuzzing hardware at the gate-level netlist to identify synthesis bugs and vulnerabilities that arise during the transition from RTL to the gate-level. We analyze the intrinsic hardware behaviors using coverage metrics specifically tailored for the gate-level. Furthermore, SynFuzz implements differential fuzzing to uncover bugs associated with EDA libraries. We evaluated SynFuzz on popular open-source processors and IP designs, successfully identifying 7 new synthesis bugs. Additionally, by exploiting the optimization settings of EDA tools, we performed a compromised library mapping attack (CLiMA), creating a malicious version of hardware designs that remains undetectable by traditional verification methods. We also demonstrate how SynFuzz overcomes the limitations of the industry-standard formal verification tool, Cadence Conformal, providing a more robust and comprehensive approach to hardware verification.