The hardware security community has made significant advances in detecting Hardware Trojan vulnerabilities using software fuzzing-inspired automated analysis. However, the Electronic Design Automation (EDA) code base itself remains under-examined by the same techniques. Our experiments in fuzzing EDA tools demonstrate that they are indeed prone to software bugs. As a consequence, this paper unveils HeisenTrojan attacks, a new hardware attack that does not generate harmful hardware but instead exploits software vulnerabilities in the EDA tools themselves. A key feature of HeisenTrojan attacks is that they can deploy a malicious payload on the system hosting the EDA tools without triggering verification tools, because they do not rely on superfluous or malicious hardware that would otherwise be noticeable. The aim of a HeisenTrojan attack is to execute arbitrary code on the system on which the vulnerable EDA tool is hosted, thereby establishing a permanent presence and providing a beachhead for intrusion into that system. Our analysis reveals that 83% of the EDA tools analyzed have exploitable bugs. In what follows, we demonstrate an end-to-end attack and analyze the existing capabilities of fuzzers to find HeisenTrojan attacks, in order to emphasize their practicality and the need to secure EDA tools against them.
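The following toy program is an added illustration of the attack class the abstract describes; it is not code from the paper and models no real EDA tool. It assumes a hypothetical HDL front end that copies each identifier into a fixed-size slot inside its parser state, with a "mode" byte laid out immediately after that slot. The two design strings are constructed for this example: both describe the same harmless hardware (`assign b = a`, nothing superfluous for a hardware verification flow to flag), but the second names one net with a 42-character identifier. The vulnerable store routine lacks the slot bound check and overwrites the mode byte; the hardened variant rejects the identifier instead. The overflow is kept inside one arena so the demo is deterministic rather than faulting.

```c
/* Added example: a hypothetical HDL tokenizer with (and without) the bound
 * check whose absence a HeisenTrojan-style input exploits.  Not the paper's
 * code and not any real EDA tool; design strings below are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum { IDENT_MAX = 32, ARENA_SIZE = 64, MODE_OFFSET = IDENT_MAX, MODE_NORMAL = 0 };

/* Parser state as one arena: arena[0..IDENT_MAX) holds the current
 * identifier, arena[MODE_OFFSET] is a mode byte the tool trusts later. */
struct parser_state {
    unsigned char arena[ARENA_SIZE];
};

static void state_init(struct parser_state *s) {
    memset(s->arena, 0, sizeof s->arena);
    s->arena[MODE_OFFSET] = MODE_NORMAL;
}

typedef int (*store_fn)(struct parser_state *, const char *, size_t);

/* Vulnerable store: no check against the IDENT_MAX slot, so a long
 * identifier runs into the mode byte.  The only clamp is the arena edge,
 * which keeps this demo in-bounds; it is not the missing check. */
static int store_ident_vuln(struct parser_state *s, const char *tok, size_t len) {
    if (len > ARENA_SIZE - 1) len = ARENA_SIZE - 1;
    for (size_t i = 0; i < len; i++)
        s->arena[i] = (unsigned char)tok[i];
    s->arena[len] = 0;
    return 0;
}

/* Hardened store: reject anything that does not fit the slot (with NUL). */
static int store_ident_safe(struct parser_state *s, const char *tok, size_t len) {
    if (len >= IDENT_MAX) return -1;
    memcpy(s->arena, tok, len);
    s->arena[len] = 0;
    return 0;
}

/* Scan [A-Za-z_][A-Za-z0-9_]* words (keywords included, this is a toy) and
 * hand each to `store`.  Returns the word count, or -1 if a store rejected one. */
static int parse_idents(struct parser_state *s, const char *src, store_fn store) {
    int count = 0;
    const char *p = src;
    while (*p) {
        if (isalpha((unsigned char)*p) || *p == '_') {
            const char *start = p;
            while (isalnum((unsigned char)*p) || *p == '_') p++;
            if (store(s, start, (size_t)(p - start)) != 0) return -1;
            count++;
        } else {
            p++;
        }
    }
    return count;
}

/* 0 = parsed with state intact, 1 = parsed but mode byte clobbered, -1 = rejected. */
static int run_design(const char *src, store_fn store) {
    struct parser_state s;
    state_init(&s);
    if (parse_idents(&s, src, store) < 0) return -1;
    return s.arena[MODE_OFFSET] == MODE_NORMAL ? 0 : 1;
}

/* Constructed inputs.  Both synthesize to the same wire b = a. */
static const char BENIGN_DESIGN[] =
    "module pass(input a, output b);\n"
    "  assign b = a;\n"
    "endmodule\n";

#define LONG_NAME "data_path_buffer_stage_zero_pipeline_reg_x" /* 42 chars > IDENT_MAX */
static const char HEISEN_DESIGN[] =
    "module pass(input a, output b);\n"
    "  wire " LONG_NAME ";\n"
    "  assign " LONG_NAME " = a;\n"
    "  assign b = " LONG_NAME ";\n"
    "endmodule\n";

int main(void) {
    printf("vuln  benign: %d\n", run_design(BENIGN_DESIGN, store_ident_vuln));
    printf("vuln  heisen: %d\n", run_design(HEISEN_DESIGN, store_ident_vuln));
    printf("safe  benign: %d\n", run_design(BENIGN_DESIGN, store_ident_safe));
    printf("safe  heisen: %d\n", run_design(HEISEN_DESIGN, store_ident_safe));
    return 0;
}
```

The point to take from the pair of runs is the one the abstract makes: the second design contains no extra gates for a Trojan detector to notice, and the vulnerable tool still ends up with corrupted internal state. A fuzzer aimed at the tool's parser, rather than at the netlist it produces, is what finds this class of bug.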