Skip to main content

Combined software and hardware fault injection vulnerability detection


Fault injection is a well-known method to test the robustness and security vulnerabilities of software. Software-based and hardware-based approaches have been used to detect fault injection vulnerabilities. Software-based approaches typically rely upon simulations that can provide broad and rapid coverage, but may not correlate with genuine hardware vulnerabilities. Hardware-based experiments are indisputable in their results, but rely upon expensive expert knowledge and manual testing yielding ad hoc and extremely limited results. Further, there is very limited connection between software-based simulation results and hardware-based experiments. This work bridges software-based and hardware-based fault injection vulnerability detection by contrasting results of both approaches. This demonstrates that: not all software-based vulnerabilities can be reproduced in hardware; prior conjectures on the fault model for electromagnetic pulse attacks may not be accurate; and that there is a co-relation between software-based and hardware-based approaches. Further, combining both approaches can yield a vastly more accurate and efficient approach to detecting genuine fault injection vulnerabilities.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10


  1. 1.

    ArmL is a translation tool that translates from ARM-v7 binaries to RML models.

  2. 2.

    The SimFI tool is a tool that simulates a wide variety of fault injection attacks on binaries. The tool takes a binary as an input (regardless of the binary’s architecture). Based on the chosen fault model, a mutant binary is generated, representing the simulation of the chosen fault injection attack.

  3. 3.

    Each clock cycle is approximately 40 ns.


  1. 1.

    Ademaj A, Grillinger P, Herout P, Hlavicka J (2002) Fault tolerance evaluation using two software based fault injection methods. In: On-line testing workshop, 2002. Proceedings of the eighth IEEE international. IEEE, pp 21–25

  2. 2.

    Alur R, Henzinger TA (1999) Reactive modules. Form Methods Syst Des 15(1):7–48

    Article  Google Scholar 

  3. 3.

    Anceau S, Bleuet P, Clédière J, Maingault L, Rainard Jl, Tucoulou R (2017) Nanofocused X-ray beam to reprogram secure circuits. In: International conference on cryptographic hardware and embedded systems. Springer, pp 175–188

  4. 4.

    Arlat J, Crouzet Y, Karlsson J, Folkesson P, Fuchs E, Leber GH (2003) Comparison of physical and software-implemented fault injection techniques. IEEE Trans Comput 52(9):1115–1133

    Article  Google Scholar 

  5. 5.

    Balasch J, Gierlichs B, Verbauwhede I (2011) An in-depth and black-box characterization of the effects of clock glitches on 8-bit MCUs. In: 2011 workshop on fault diagnosis and tolerance in cryptography (FDTC). IEEE, pp 105–114

  6. 6.

    Bar-El H, Choukri H, Naccache D, Tunstall M, Whelan C (2004) The sorcerer’s apprentice guide to fault attacks. IACR Cryptology ePrint Archive 2004, p 100

  7. 7.

    Barenghi A, Bertoni GM, Breveglieri L, Pelosi G (2013) A fault induction technique based on voltage underfeeding with application to attacks against AES and RSA. J Syst Softw 86(7):1864–1878

    Article  Google Scholar 

  8. 8.

    Berthier M, Bringer J, Chabanne H, Le TH, Rivière L, Servant V (2014) Idea: embedded fault injection simulator on smartcard. In: International symposium on engineering secure software and systems. Springer, pp 222–229

  9. 9.

    Biere A, Cimatti A, Clarke EM, Strichman O, Zhu Y (2003) Bounded model checking. Adv Comput 58:117–148

    Article  Google Scholar 

  10. 10.

    Breier J, Hou X, Jap D, Ma L, Bhasin S, Liu Y (2018) Practical fault attack on deep neural networks. arXiv preprint arXiv:1806.05859

  11. 11.

    Bukasa S (2019) Analyse de vulnérabilité des systèmes embarqués face aux attaques physiques. PhD thesis, Rennes 1, Rennes

  12. 12.

    Carreira J, Madeira H, Silva JG et al (1998) Xception: software fault injection and monitoring in processor functional units. Dependable Comput Fault Toler Syst 10:245–266

    Google Scholar 

  13. 13.

    Christofi M, Chetali B, Goubin L (2013) Formal verification of an implementation of CRT-RSA Vigilant’s algorithm. In: PROOFS workshop: pre-proceedings, p 28

  14. 14.

    Cortex A (2006) Cortex-M3 technical reference manual. Rev. r1p1

  15. 15.

    Czeck EW, Siewiorek DP, Segall ZZ (1987) Software-implemented fault insertion: an FTMP example

  16. 16.

    Dehbaoui A, Dutertre JM, Robisson B, Orsatelli P, Maurine P, Tria A (2012) Injection of transient faults using electromagnetic pulses-practical results on a cryptographic system. IACR Cryptology EPrint Archive 2012, p 123

  17. 17.

    Dureuil L, Potet ML, de Choudens P, Dumas C, Clédière J (2015) From code review to fault injection attacks: filling the gap using fault model inference. In: International conference on smart card research and advanced applications. Springer, pp 107–124

  18. 18.

    Ecoffet R (2007) In-flight anomalies on electronic devices. In: Velazco R, Fouillat P, Reis R (eds) Radiation effects on embedded systems. Springer, Berlin, pp 31–68

    Chapter  Google Scholar 

  19. 19.

    Entrena L, López-Ongil C, García-Valderas M, Portela-García M, Nicolaidis M (2011) Hardware fault injection. In: Nicolaidis M (ed) Soft errors in modern electronic systems. Springer, Berlin, pp 141–166

    Chapter  Google Scholar 

  20. 20.

    Given-Wilson T, Heuser A, Jafri N, Legay A (2019) An automated and scalable formal process for detecting fault injection vulnerabilities in binaries. Concurr Comput Pract Exp.

    Article  Google Scholar 

  21. 21.

    Given-Wilson T, Jafri N, Lanet J, Legay A (2017) An automated formal process for detecting fault injection vulnerabilities in binaries and case study on PRESENT. In: 2017 IEEE Trustcom/BigDataSE/ICESS, Sydney, Australia, August 1–4, 2017. IEEE, pp 293–300.

  22. 22.

    Hsueh MC, Tsai TK, Iyer RK (1997) Fault injection techniques and tools. Computer 30(4):75–82.

    Article  Google Scholar 

  23. 23.

    Kim Y, Daly R, Kim J, Fallin C, Lee JH, Lee D, Wilkerson C, Lai K, Mutlu O (2014) Flipping bits in memory without accessing them: an experimental study of DRAM disturbance errors. In: ACM SIGARCH computer architecture news. IEEE Press, pp 361–372

  24. 24.

    Kinder J, Katzenbeisser S, Schallhart C, Veith H (2010) Proactive detection of computer worms using model checking. IEEE Trans Dependable Secure Comput 7(4):424–438

    Article  Google Scholar 

  25. 25.

    Kooli M, Di Natale G (2014) A survey on simulation-based fault injection tools for complex systems. In: 2014 9th IEEE international conference on design and technology of integrated systems in nanoscale era (DTIS). IEEE, pp 1–6

  26. 26.

    Kwiatkowska M, Norman G, Parker D (2011) Prism 4.0: verifiscation of probabilistic real-time systems. In: International conference on computer aided verification. Springer, pp 585–591

  27. 27.

    Le HM, Herdt V, Große D, Drechsler R (2018) Resilience evaluation via symbolic fault injection on intermediate code. In: Design, automation & test in Europe conference & exhibition (DATE), 2018. IEEE, pp 845–850

  28. 28.

    Legay A, Delahaye B, Bensalem S (2010) Statistical model checking: an overview. In: International conference on runtime verification. Springer, pp 122–135

  29. 29.

    Legay A, Traonouez LM (2017) Plasma lab statistical model checker: architecture, usage and extension. In: 43rd international conference on current trends in theory and practice of computer science

  30. 30.

    Marinescu PD, Candea G (2009) LFI: a practical and general library-level fault injector. In: DSN’09. IEEE/IFIP international conference on dependable systems and networks, 2009. IEEE, pp 379–388

  31. 31.

    May TC, Woods MH (1978) A new physical mechanism for soft errors in dynamic memories. In: 16th annual reliability physics symposium, 1978. IEEE, pp 33–40

  32. 32.

    Moro N (2014) Sécurisation de programmes assembleur face aux attaques visant les processeurs embarqués. PhD thesis, Université Pierre et Marie Curie-Paris VI

  33. 33.

    Moro N, Dehbaoui A, Heydemann K, Robisson B, Encrenaz E (2013) Electromagnetic fault injection: towards a fault model on a 32-bit microcontroller. In: 2013 workshop on fault diagnosis and tolerance in cryptography (FDTC). IEEE, pp 77–88

  34. 34.

    Moro N, Heydemann K, Encrenaz E, Robisson B (2014) Formal verification of a software countermeasure against instruction skip attacks. J Cryptogr Eng 4(3):145–156

    Article  Google Scholar 

  35. 35.

    Pan J, Bhasin S, Zhang F, Ren K (2019) One fault is all it needs: breaking higher-order masking with persistent fault analysis. Cryptology ePrint Archive, Report 2019/008.

  36. 36.

    Pattabiraman K, Nakka N, Kalbarczyk Z, Iyer R (2008) SymPLFIED: symbolic program-level fault injection and error detection framework. In: 2008 IEEE international conference on dependable systems and networks with FTCS and DCC (DSN). IEEE, pp 472–481

  37. 37.

    Piscitelli R, Bhasin S, Regazzoni F (2017) Fault attacks, injection techniques and tools for simulation. In: Sklavos N, Chaves R, Di Natale G, Regazzoni F (eds) Hardware security and trust. Springer, Berlin, pp 27–47

    Chapter  Google Scholar 

  38. 38.

    Portela-Garcia M, Lopez-Ongil C, Garcia-Valderas M, Entrena L (2007) A rapid fault injection approach for measuring SEU sensitivity in complex processors. In: 13th IEEE international on-line testing symposium, 2007. IOLTS 07. IEEE, pp 101–106

  39. 39.

    Potet ML, Mounier L, Puys M, Dureuil L (2014) Lazart: a symbolic approach for evaluation the robustness of secured codes against control flow injections. In: 2014 IEEE seventh international conference on software testing, verification and validation. IEEE, pp 213–222

  40. 40.

    Price C (1995) MIPS IV instruction set

  41. 41.

    Qiao R, Seaborn M (2016) A new approach for rowhammer attacks. In: 2016 IEEE international symposium on hardware oriented security and trust (HOST). IEEE, pp 161–166

  42. 42.

    Rivière L, Bringer J, Le TH, Chabanne H (2015) A novel simulation approach for fault injection resistance evaluation on smart cards. In: 2015 IEEE eighth international conference on software testing, verification and validation workshops (ICSTW). IEEE, pp 1–8

  43. 43.

    Rivière L, Najm Z, Rauzy P, Danger JL, Bringer J, Sauvage L (2015) High precision fault injections on the instruction cache of ARMv7-M architectures. In: 2015 IEEE international symposium on hardware oriented security and trust (HOST). IEEE, pp 62–67

  44. 44.

    Rivière L, Potet ML, Le TH, Bringer J, Chabanne H, Puys M (2014) Combining high-level and low-level approaches to evaluate software implementations robustness against multiple fault injection attacks. In: International symposium on foundations and practice of security. Springer, pp 92–111

  45. 45.

    Roscian C, Dutertre JM, Tria A (2013) Frontside laser fault injection on cryptosystems-application to the AES’ last round. In: 2013 IEEE international symposium on hardware-oriented security and trust (HOST). IEEE, pp 119–124

  46. 46.

    Schmidt JM, Hutter M (2007) Optical and EM fault-attacks on CRT-based RSA: concrete results. na

  47. 47.

    Seaborn M, Dullien T (2015) Exploiting the DRAM rowhammer bug to gain kernel privileges. Black Hat

  48. 48.

    Sebanjila KB, Lashermes R, Lanet JL, Legay A (2018) Let’s shock our IoT’s heart: ARMv7-M under (fault) attacks

  49. 49.

    Skorobogatov S (2006) Optically enhanced position-locked power analysis. In: International workshop on cryptographic hardware and embedded systems. Springer, pp 61–75

  50. 50.

    Skorobogatov S (2010) Optical fault masking attacks. In: 2010 workshop on fault diagnosis and tolerance in cryptography (FDTC). IEEE, pp 23–29

  51. 51.

    Standard NF (2001) Announcing the advanced encryption standard (AES). Fed Inf Process Stand Publ 197:1–51

    Google Scholar 

  52. 52.

    Thomas A, Pattabiraman K (2013) LLFI: an intermediate code level fault injector for soft computing applications. In: Workshop on silicon errors in logic system effects (SELSE)

  53. 53.

    Tunstall M, Mukhopadhyay D, Ali S (2011) Differential fault analysis of the advanced encryption standard using a single fault. WISTP 6633:224–233

    Google Scholar 

  54. 54.

    Verbauwhede I, Karaklajic D, Schmidt JM (2011) The fault attack jungle-a classification model to guide you. In: 2011 workshop on fault diagnosis and tolerance in cryptography (FDTC). IEEE, pp 3–8

  55. 55.

    Wang G, Wang S (2010) Differential fault analysis on PRESENT key schedule. In: 2010 international conference on computational intelligence and security (CIS). IEEE, pp 362–366

  56. 56.

    Yim KS (2016) The rowhammer attack injection methodology. In: 2016 IEEE 35th symposium on reliable distributed systems (SRDS). IEEE, pp 1–10

  57. 57.

    Yuce B, Schaumont P, Witteman M (2018) Fault attacks on secure embedded software: threats, design, and evaluation. J Hardw Syst Secur 2:111–130

    Article  Google Scholar 

  58. 58.

    Ziade H, Ayoubi RA, Velazco R et al (2004) A survey on fault injection techniques. Int Arab J Inf Technol 1(2):171–186

    Google Scholar 

Download references

Author information



Corresponding author

Correspondence to Thomas Given-Wilson.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Given-Wilson, T., Jafri, N. & Legay, A. Combined software and hardware fault injection vulnerability detection. Innovations Syst Softw Eng 16, 101–120 (2020).

Download citation


  • Fault injection
  • Vulnerability
  • Statistical model checking
  • Formal methods
  • EMP