🤖 AI Summary
In hardware fuzzing, existing directed gray-box approaches suffer from limited HDL support, poor scalability to large-scale circuits, and semantic mismatches between RTL descriptions and test abstraction layers. This paper proposes PROFUZZ, the first framework that tightly integrates ATPG-driven precise seed generation with structure-aware submodule analysis to enable coverage-guided directed fuzzing. Its core innovations include (1) leveraging ATPG to synthesize high-value seeds satisfying path constraints, and (2) exploiting submodule boundary information for fine-grained, target-oriented stimulation. Experimental evaluation demonstrates that, in multi-target scenarios, PROFUZZ achieves a 30× improvement in scalability, an 11.66% increase in coverage, and a 2.76× speedup in execution time over DirectFuzz—significantly enhancing vulnerability discovery efficacy for critical modules within complex SoCs.
📝 Abstract
Hardware fuzzing has emerged as one of the crucial techniques for finding security flaws in modern hardware designs by testing a wide range of input scenarios. One of the main challenges is creating high-quality input seeds that maximize coverage and speed up verification. Coverage-Guided Fuzzing (CGF) methods help explore designs more effectively, but they struggle to focus on specific parts of the hardware. Existing Directed Gray-box Fuzzing (DGF) techniques like DirectFuzz try to solve this by generating targeted tests, but they have major drawbacks, such as supporting only limited hardware description languages, not scaling well to large circuits, and having issues with abstraction mismatches. To address these problems, we introduce a novel framework, PROFUZZ, that follows the DGF approach and combines fuzzing with Automatic Test Pattern Generation (ATPG) for more efficient fuzzing. By leveraging ATPG's structural analysis capabilities, PROFUZZ can generate precise input seeds that target specific design regions more effectively while maintaining high fuzzing throughput. Our experiments show that PROFUZZ scales 30x better than DirectFuzz when handling multiple target sites, improves coverage by 11.66%, and runs 2.76x faster, highlighting its scalability and effectiveness for directed fuzzing in complex hardware systems.
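The abstract describes the core idea in one sentence: ATPG's structural (backward-justification) analysis yields input seeds that already satisfy the path constraints guarding a target site, and a coverage-guided fuzzer then mutates from those seeds. The following toy is an added illustration written for this page; it is not PROFUZZ's code and the netlist, net names (`lock`, `g1`..`g6`, `t1`) and submodule selection are all constructed. It performs a simplified ATPG-style justification on a gate-level netlist (controlling-value reasoning with don't-cares, no fault propagation), expands the resulting cube into a seed, and feeds it to a small coverage-guided loop that tracks toggle coverage of the target submodule; a DGF-style distance metric shows why the all-zero seed is far from the target while the ATPG seed reaches it at iteration 0.

```python
"""Toy ATPG-seeded directed fuzzing of a gate-level netlist (constructed example)."""
import random

# Constructed toy netlist (not from the paper). Gates are listed after the nets they
# read, so a single in-order pass evaluates them in topological order.
PRIMARY_INPUTS = ("i0", "i1", "i2", "i3", "i4", "i5", "i6", "i7")
NETLIST = {
    "g1": ("AND", ("i0", "i1")),
    "g2": ("AND", ("i2", "i3")),
    "g3": ("NOT", ("i4",)),
    "g4": ("OR", ("i5", "i6")),
    "g5": ("AND", ("g1", "g2")),      # requires i0..i3 == 1
    "g6": ("AND", ("g3", "g4")),      # requires i4 == 0 and (i5 | i6)
    "lock": ("AND", ("g5", "g6")),    # the hard-to-reach target site
    "t1": ("XOR", ("lock", "i7")),
    "out": ("OR", ("t1", "g4")),
}
# Nets whose toggle coverage the directed fuzzer is steered toward (hypothetical submodule).
TARGET_SUBMODULE = ("g5", "g6", "lock", "t1")

OPS = {"AND": lambda a, b: a & b, "OR": lambda a, b: a | b,
       "XOR": lambda a, b: a ^ b, "NOT": lambda a: 1 - a}

def simulate(vector):
    """Evaluate every net for one input vector (missing inputs default to 0)."""
    vals = {i: vector.get(i, 0) for i in PRIMARY_INPUTS}
    for net, (op, ins) in NETLIST.items():
        vals[net] = OPS[op](*(vals[i] for i in ins))
    return vals

def justify(net, value, assign=None):
    """ATPG-style backward justification: return a cube (partial primary-input
    assignment) that forces `net` to `value`, extending `assign`, or None if no
    consistent assignment exists. Inputs left unassigned are don't-cares."""
    assign = {} if assign is None else assign
    if net in PRIMARY_INPUTS:
        if net in assign:
            return assign if assign[net] == value else None
        return {**assign, net: value}
    op, ins = NETLIST[net]
    if op == "NOT":
        return justify(ins[0], 1 - value, assign)
    if op in ("AND", "OR"):
        controlling = 0 if op == "AND" else 1
        if value == controlling:
            # one input at its controlling value suffices; the other stays a don't-care
            for inp in ins:
                result = justify(inp, controlling, assign)
                if result is not None:
                    return result
            return None
        choices = [(1 - controlling, 1 - controlling)]
    else:  # XOR: both inputs matter, and each output value has two ways to arise
        choices = [(0, 1), (1, 0)] if value == 1 else [(0, 0), (1, 1)]
    for va, vb in choices:  # backtrack over the alternatives
        partial = justify(ins[0], va, assign)
        if partial is not None:
            full = justify(ins[1], vb, partial)
            if full is not None:
                return full
    return None

def cube_to_vector(cube, fill=0):
    """Expand a cube into a full seed vector (don't-cares set to `fill`)."""
    return {i: cube.get(i, fill) for i in PRIMARY_INPUTS}

def distance_to_cube(vector, cube):
    """DGF-style distance metric: number of cube bits the vector still violates."""
    return sum(vector[i] != v for i, v in cube.items())

def coverage_of(vector, nets=TARGET_SUBMODULE):
    """Set of (net, value) pairs this vector exercises inside the target submodule."""
    vals = simulate(vector)
    return {(n, vals[n]) for n in nets}

def fuzz(seed, iterations, rng=None, flips=1):
    """Coverage-guided loop: flip `flips` input bits of the current parent and keep the
    mutant as the new parent only if it toggles a (net, value) pair not yet seen in the
    target submodule. Returns (corpus, covered_pairs)."""
    rng = rng or random.Random(0)
    seen, corpus = set(), []
    parent = candidate = dict(seed)
    for _ in range(iterations + 1):
        corpus.append(candidate)
        new_pairs = coverage_of(candidate) - seen
        if new_pairs:
            seen |= new_pairs
            parent = candidate
        candidate = dict(parent)
        for name in rng.sample(PRIMARY_INPUTS, flips):
            candidate[name] ^= 1
    return corpus, seen

def first_target_hit(corpus, net="lock", value=1):
    """Index of the first corpus entry that drives `net` to `value`, or None."""
    for k, vec in enumerate(corpus):
        if simulate(vec)[net] == value:
            return k
    return None

if __name__ == "__main__":
    cube = justify("lock", 1)
    print("ATPG cube for lock=1:", cube)
    for label, seed in (("zero seed", cube_to_vector({})), ("ATPG seed", cube_to_vector(cube))):
        corpus, covered = fuzz(seed, 200, random.Random(1))
        print(f"{label}: distance {distance_to_cube(seed, cube)}, first lock=1 at iteration "
              f"{first_target_hit(corpus)}, {len(covered)}/8 target pairs covered")
```

The justification step is what a full ATPG engine does far more capably on real RTL: it assigns only the inputs that matter (`lock=0` needs a single bit, `lock=1` needs six) and leaves the rest as don't-cares the fuzzer is free to mutate, which is exactly the property that makes such cubes good seeds for a target-oriented campaign.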