Lost in Translation: Enabling Confused Deputy Attacks on EDA Software with TransFuzz

Authors: 

Flavien Solt and Kaveh Razavi, ETH Zurich

Abstract: 

We introduce MIRTL, a confused deputy attack on EDA software such as simulators or synthesizers. MIRTL relies on gadgets that exploit vulnerabilities in the EDA software's translation of RTL to lower-level representations. Invisible to white-box testing and verification methods, MIRTL gadgets harden traditional hardware trojans, enabling unprecedentedly stealthy attacks. To discover translation bugs, our new fuzzer, called TRANSFUZZ, generates randomized RTL designs containing many operators with complex interconnections for triggering translation bugs. The expressiveness of RTL, however, makes the construction of a golden RTL model for detecting deviations due to translation bugs challenging. To address this, TRANSFUZZ relies on comparing signal outputs from multiple RTL simulators for detecting vulnerabilities. TRANSFUZZ uncovers 20 translation vulnerabilities among 31 new bugs (25 CVEs) in four popular open-source EDA applications. We show how MIRTL gadgets harden traditional backdoors against white-box countermeasures and demonstrate a real-world instance of a MIRTL-hardened backdoor in the CVA6 RISC-V core.
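The abstract names two ingredients of TRANSFUZZ: randomized, operator-dense RTL whose widths and signedness stress the translation from RTL to a simulator's internal representation, and differential comparison of signal outputs across several simulators in place of a golden model. The following Python sketch is an added illustration of that workflow, written for this page; it is not the authors' TRANSFUZZ code base. It generates a seeded combinational Verilog design plus a testbench that prints every intermediate signal, parses the `$display` output of whichever simulators you point it at, and reports signals on which the simulators disagree, blaming the minority when three or more simulators are run. The operator list, the `n_ops`/`width` defaults and the `run_iverilog` helper (which assumes Icarus Verilog's `iverilog` and `vvp` are on `PATH`) are my own choices, not anything the paper specifies.

```python
import random
import re
import subprocess
import tempfile
from collections import Counter

# Operators whose result depends on Verilog's context-determined width and
# sign rules: exactly the kind of semantics a lowering step can get wrong.
# (Operator selection is my choice, not the paper's generator grammar.)
BIN_OPS = ["+", "-", "*", "&", "|", "^", "<<", ">>", ">>>", "<", ">=", "==", "!="]
UN_OPS = ["~", "-", "!", "&", "|", "^"]          # the last three are reductions


def gen_rtl(seed, n_inputs=4, n_ops=24, width=8, n_vectors=8):
    """Return (dut_source, tb_source, output_names) for one random design.

    Every node draws operands from *all* earlier signals, so the operator
    graph is a dense DAG rather than a chain; result widths and $signed()
    casts are mixed on purpose so extension and sign rules get exercised.
    Each intermediate signal is exported as an output so it can be compared."""
    rng = random.Random(seed)
    inputs = [f"in{i}" for i in range(n_inputs)]
    sigs, widths, decls, assigns = list(inputs), {}, [], []
    for k in range(n_ops):
        name = f"t{k}"
        widths[name] = rng.choice([1, width, width + 5])
        if rng.random() < 0.3:
            expr = f"{rng.choice(UN_OPS)}{rng.choice(sigs)}"
        else:
            expr = f"{rng.choice(sigs)} {rng.choice(BIN_OPS)} {rng.choice(sigs)}"
        if rng.random() < 0.25:
            expr = f"$signed({expr})"
        decls.append(f"  output [{widths[name] - 1}:0] {name};")
        assigns.append(f"  assign {name} = {expr};")
        sigs.append(name)
    outs = sigs[n_inputs:]
    dut = "\n".join([f"module dut({', '.join(sigs)});"]
                    + [f"  input [{width - 1}:0] {s};" for s in inputs]
                    + decls + assigns + ["endmodule"])
    # Testbench: random stimulus vectors, one $display line per vector.
    fmt = " ".join(f"{o}=%h" for o in outs)
    tb = ["module tb;"]
    tb += [f"  reg [{width - 1}:0] {s};" for s in inputs]
    tb += [f"  wire [{widths[o] - 1}:0] {o};" for o in outs]
    tb.append(f"  dut u({', '.join(f'.{s}({s})' for s in sigs)});")
    tb.append("  initial begin")
    for _ in range(n_vectors):
        for s in inputs:
            tb.append(f"    {s} = {width}'h{rng.randrange(1 << width):x};")
        tb.append(f'    #1 $display("{fmt}", {", ".join(outs)});')
    tb += ["    $finish;", "  end", "endmodule"]
    return dut, "\n".join(tb), outs


TOKEN = re.compile(r"(\w+)=([0-9a-fA-FxXzZ]+)")


def parse_trace(stdout):
    """Turn $display lines into one {signal: value} dict per stimulus vector.
    Leading zeros are stripped so that simulators that pad %h differently
    are not reported as divergent."""
    rows = []
    for line in stdout.splitlines():
        pairs = TOKEN.findall(line)
        if pairs:
            rows.append({k: v.lower().lstrip("0") or "0" for k, v in pairs})
    return rows


def find_divergences(traces):
    """traces: {simulator_name: rows from parse_trace}.
    Returns [(vector_index, signal, {sim: value}, suspects)].  With three or
    more simulators the minority value's producers are listed as suspects;
    with two there is no majority and suspects is empty (a human decides)."""
    names = sorted(traces)
    n = len(traces[names[0]])
    if any(len(traces[s]) != n for s in names):
        raise ValueError("simulators produced different numbers of vectors")
    found = []
    for i in range(n):
        signals = set().union(*(traces[s][i].keys() for s in names))
        for sig in sorted(signals):
            vals = {s: traces[s][i].get(sig) for s in names}
            if len(set(vals.values())) > 1:
                top, top_n = Counter(vals.values()).most_common(1)[0]
                suspects = (sorted(s for s, v in vals.items() if v != top)
                            if top_n > len(names) / 2 else [])
                found.append((i, sig, vals, suspects))
    return found


def run_iverilog(dut, tb):
    """Compile and run one design under Icarus Verilog (assumes iverilog and
    vvp on PATH); returns the simulator's stdout.  Not used by the test."""
    with tempfile.TemporaryDirectory() as d:
        for fn, src in (("dut.v", dut), ("tb.v", tb)):
            with open(f"{d}/{fn}", "w") as f:
                f.write(src)
        subprocess.run(["iverilog", "-g2012", "-o", "sim", "tb.v", "dut.v"],
                       cwd=d, check=True)
        return subprocess.run(["vvp", "sim"], cwd=d, check=True,
                              capture_output=True, text=True).stdout


def fuzz(seed, simulators):
    """simulators: {name: callable(dut_src, tb_src) -> stdout}.
    Runs one seed through every simulator and returns the divergences."""
    dut, tb, _ = gen_rtl(seed)
    traces = {n: parse_trace(run(dut, tb)) for n, run in simulators.items()}
    return find_divergences(traces)


if __name__ == "__main__":
    dut_src, tb_src, _ = gen_rtl(1)
    print(dut_src)          # inspect one generated design
    # e.g. fuzz(1, {"iverilog": run_iverilog, "other": run_other_simulator})
```

In practice the interesting part is the loop around `fuzz`: iterate seeds, keep every design that produces a non-empty divergence list, and minimize it by deleting `assign` lines while the disagreement persists. Two simulators are enough to detect a deviation but not to say which one is wrong; that is why the harness only names suspects once a majority exists, and why a reported divergence still needs to be checked against the language standard before it is filed as a bug in either tool.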

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.