To address the limited microarchitectural controllability and observability in transient-execution vulnerability detection for pre-silicon processors, this paper proposes a Dynamic Swappable Memory (DSM) mechanism to achieve instruction-flow isolation within the same address space. We design a guided fuzzing framework leveraging a taint coverage matrix and liveness-aware annotation, integrated with differential information-flow tracking and microarchitectural-level sensitive-data propagation modeling to precisely identify exploitable leaks. Compared to SpecDoctor, our approach activates broader transient execution windows, reduces training overhead, and improves taint coverage by 4.7×. Evaluated on BOOM and XiangShan RISC-V cores, it discovers five previously unknown vulnerabilities—assigned six CVEs—demonstrating both effectiveness and practicality in pre-silicon security validation.

Transient execution vulnerabilities have emerged as a critical threat to modern processors. Hardware fuzzing testing techniques have recently shown promising results in discovering transient execution bugs in large-scale out-of-order processor designs. However, their poor microarchitectural controllability and observability prevent them from effectively and efficiently detecting transient execution vulnerabilities. This paper proposes DejaVuzz, a novel pre-silicon stage processor transient execution bug fuzzer. DejaVuzz utilizes two innovative operating primitives: dynamic swappable memory and differential information flow tracking, enabling more effective and efficient transient execution vulnerability detection. The dynamic swappable memory enables the isolation of different instruction streams within the same address space. Leveraging this capability, DejaVuzz generates targeted training for arbitrary transient windows and eliminates ineffective training, enabling efficient triggering of diverse transient windows. The differential information flow tracking aids in observing the propagation of sensitive data across the microarchitecture. Based on taints, DejaVuzz designs the taint coverage matrix to guide mutation and uses taint liveness annotations to identify exploitable leakages. Our evaluation shows that DejaVuzz outperforms the state-of-the-art fuzzer SpecDoctor, triggering more comprehensive transient windows with lower training overhead and achieving a 4.7x coverage improvement. And DejaVuzz also mitigates control flow over-tainting with acceptable overhead and identifies 5 previously undiscovered transient execution vulnerabilities (with 6 CVEs assigned) on BOOM and XiangShan.