Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

HeisenTrojans: They Are Not There Until They Are Triggered

Akshita Reddy Mavurapu, Haoqi Shan, Xiaolong Guo, Orlando Arias, Dean Sullivan

TL;DR

The work addresses a practical gap by showing that EDA tools themselves harbor exploitable software bugs, enabling HeisenTrojan attacks that compromise host systems without generating harmful hardware. It applies coverage-guided fuzzing to a suite of open-source EDA tools, revealing exploitable bugs in $83\%$ of them and presenting an end-to-end attack chain that uses a manipulated HDL payload to trigger code execution. Key contributions include defining HeisenTrojan attacks, demonstrating a concrete exploit across multiple tools, and analyzing fuzzing effectiveness and coverage in the highly structured EDA domain, followed by mitigation discussions. The findings highlight a real and actionable threat surface in EDA tooling, urging integration of fuzzing workflows, improved tool robustness, and memory-safety-focused defenses to protect design and manufacturing ecosystems.

Abstract

The hardware security community has made significant advances in detecting Hardware Trojan vulnerabilities using software fuzzing-inspired automated analysis. However, the Electronic Design Automation (EDA) code base itself remains under-examined by the same techniques. Our experiments in fuzzing EDA tools demonstrate that, indeed, they are prone to software bugs. As a consequence, this paper unveils HeisenTrojan attacks, a new hardware attack that does not generate harmful hardware, but rather, exploits software vulnerabilities in the EDA tools themselves. A key feature of HeisenTrojan attacks is that they are capable of deploying a malicious payload on the system hosting the EDA tools without triggering verification tools because HeisenTrojan attacks do not rely on superfluous or malicious hardware that would otherwise be noticeable. The aim of a HeisenTrojan attack is to execute arbitrary code on the system on which the vulnerable EDA tool is hosted, thereby establishing a permanent presence and providing a beachhead for intrusion into that system. Our analysis reveals 83% of the EDA tools analyzed have exploitable bugs. In what follows, we demonstrate an end- to-end attack and provide analysis on the existing capabilities of fuzzers to find HeisenTrojan attacks in order to emphasize their practicality and the need to secure EDA tools against them.

HeisenTrojans: They Are Not There Until They Are Triggered

TL;DR

The work addresses a practical gap by showing that EDA tools themselves harbor exploitable software bugs, enabling HeisenTrojan attacks that compromise host systems without generating harmful hardware. It applies coverage-guided fuzzing to a suite of open-source EDA tools, revealing exploitable bugs in of them and presenting an end-to-end attack chain that uses a manipulated HDL payload to trigger code execution. Key contributions include defining HeisenTrojan attacks, demonstrating a concrete exploit across multiple tools, and analyzing fuzzing effectiveness and coverage in the highly structured EDA domain, followed by mitigation discussions. The findings highlight a real and actionable threat surface in EDA tooling, urging integration of fuzzing workflows, improved tool robustness, and memory-safety-focused defenses to protect design and manufacturing ecosystems.

Abstract

The hardware security community has made significant advances in detecting Hardware Trojan vulnerabilities using software fuzzing-inspired automated analysis. However, the Electronic Design Automation (EDA) code base itself remains under-examined by the same techniques. Our experiments in fuzzing EDA tools demonstrate that, indeed, they are prone to software bugs. As a consequence, this paper unveils HeisenTrojan attacks, a new hardware attack that does not generate harmful hardware, but rather, exploits software vulnerabilities in the EDA tools themselves. A key feature of HeisenTrojan attacks is that they are capable of deploying a malicious payload on the system hosting the EDA tools without triggering verification tools because HeisenTrojan attacks do not rely on superfluous or malicious hardware that would otherwise be noticeable. The aim of a HeisenTrojan attack is to execute arbitrary code on the system on which the vulnerable EDA tool is hosted, thereby establishing a permanent presence and providing a beachhead for intrusion into that system. Our analysis reveals 83% of the EDA tools analyzed have exploitable bugs. In what follows, we demonstrate an end- to-end attack and provide analysis on the existing capabilities of fuzzers to find HeisenTrojan attacks in order to emphasize their practicality and the need to secure EDA tools against them.
Paper Structure (18 sections, 4 figures, 3 tables)

This paper contains 18 sections, 4 figures, 3 tables.

Table of Contents

  1. Introduction
  2. Motivation
  3. Contributions
  4. Background
  5. EDA Tools
  6. Fuzzing
  7. Related Works
  8. Building a HeisenTrojan
  9. Adversarial Model and Assumptions
  10. Finding an Exploitable Bug
  11. Preparing, Deploying, and Synthesizing the HDL
  12. A Word about Full System Compromise
  13. On Fuzzing EDA Tools
  14. Experimental Tools
  15. Experiment Setup
  16. ...and 3 more sections

Figures (4)

  • Figure 1: Borrowing from the famous double slit experiment, a HeisenTrojan projected onto an EDA tool exhibits benign properties if the EDA tool is safe, but is malicious if the EDA tool is vulnerable.
  • Figure 2: The HeisenTrojan makes use of standard HDL workflows in the industry. Malicious HDL is packed as part of an IP core. This HDL does not aim to generate malicious hardware. Instead, it triggers and exploits bugs in an HDL synthesis or simulation tool in order to comprome the system where the tool runs. If fabricated, ICs including HeisenTrojan affected IP cores do not exhibit malicious behavior.
  • Figure 3: Coverage plots for evaluated EDA tools.
  • Figure 4: Number of timeouts per fuzzing interval for z3