Lost in Translation: Enabling Confused Deputy Attacks on EDA Software with TransFuzz

Flavien Solt

34th USENIX Security Symposium (USENIX Security '25) · Day 2 · Hardware Security 2

In the realm of hardware security, ensuring the integrity and functionality of integrated circuits is paramount. This talk, "Lost in Translation: Enabling Confused Deputy Attacks on EDA Software with TransFuzz," presented by Flavien Solt, delves into a critical and often overlooked vulnerability in the electronic design automation (EDA) toolchain. Solt exposes how bugs within RTL synthesizers and simulators can be maliciously exploited to inject hardware backdoors that are exceptionally difficult, if not practically impossible, to detect using conventional verification methods. The core premise is the "unsoundness" of EDA software: a tool may misinterpret a hardware description, so that the design that was verified differs from the hardware that is actually synthesized.

AI review

Solt found a genuinely novel attack surface — bugs in EDA tooling weaponized as confused deputy attacks that either inject backdoors post-verification or blind the verifier entirely. Two credible PoCs against CVA6 and OpenTitan seal it. This is the kind of work that makes hardware verification teams lose sleep.
