pith. sign in

arxiv: 2602.16309 · v2 · submitted 2026-02-18 · 💻 cs.CR · cs.AI

The Weight of a Bit: EMFI Sensitivity Analysis of Embedded Deep Learning Models

Jakub Breier , \v{S}tefan Ku\v{c}er\'ak , Xiaolu Hou This is my paper

Pith reviewed 2026-05-15 21:26 UTC · model grok-4.3

classification 💻 cs.CR cs.AI
keywords electromagnetic fault injectionembedded neural networksnumber representationsfault tolerancedeep learning securityinteger quantizationimage classification
0
0 comments X

The pith

Integer weight formats keep embedded neural networks accurate after electromagnetic fault injection while floating-point formats collapse.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper tests four number representations for neural network weights—32-bit and 16-bit floating-point plus 8-bit and 4-bit integers—on four image classifiers deployed to an embedded memory chip. It applies electromagnetic fault injection from a low-cost platform and measures resulting accuracy loss along with the underlying fault patterns such as bit error locations and byte value distributions. Floating-point models lose nearly all top-1 and top-5 accuracy after one injection, whereas 8-bit integers on VGG-11 retain roughly 70 percent top-1 and 90 percent top-5 accuracy. The work shows that representation choice directly shapes resilience because integer formats tolerate the observed byte corruptions better than floating-point ones.

Core claim

Floating-point representations of model parameters suffer almost complete accuracy degradation after a single electromagnetic fault injection, whereas integer representations provide better resistance overall; in particular the 8-bit format on VGG-11 retains approximately 70 percent top-1 accuracy and 90 percent top-5 accuracy. The study also maps the injected faults by bit error rate, spatial distribution of corrupted bytes, and prevalence of 0xFE and 0xFF values to identify why the formats differ in resilience.

What carries the argument

Direct comparison of electromagnetic fault resilience across 32-bit float, 16-bit float, 8-bit integer, and 4-bit integer weight representations, measured by post-injection classification accuracy and characterized by bit-level error patterns and byte-value statistics.

If this is right

  • Integer weight formats allow models to retain usable accuracy after attacks that destroy floating-point accuracy.
  • Larger networks such as VGG-11 exhibit stronger retention with 8-bit integers than the smaller ResNet variants.
  • Floating-point formats are especially vulnerable to the specific byte corruptions (high 0xFE/0xFF rates) produced by the tested EMFI platform.
  • Bit error rate and spatial fault distribution differ systematically by representation and explain the measured resilience ordering.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Quantization to 8-bit integers may serve as a low-overhead defense layer for embedded AI against physical fault attacks.
  • Similar representation-dependent resilience could appear under other low-cost physical attacks such as voltage glitching.
  • Security testing of deployed neural networks should treat number format as a first-class variable rather than an afterthought.

Load-bearing premise

Observed accuracy differences after faults stem primarily from number representation rather than from model-specific memory layout or other deployment details on the embedded chip.

What would settle it

Repeat the EMFI experiments after forcing identical memory layouts across all four number formats and check whether the accuracy gap between floating-point and integer versions disappears.

Figures

Figures reproduced from arXiv: 2602.16309 by Jakub Breier, \v{S}tefan Ku\v{c}er\'ak, Xiaolu Hou.

Figure 1
Figure 1. Figure 1: Overview of the EMFI analysis done in this paper. [PITH_FULL_IMAGE:figures/full_fig_p002_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Experimental electromagnetic fault injection setup overview. [PITH_FULL_IMAGE:figures/full_fig_p005_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: NewAE ChipSHOUTER EMFI device mounted on the Ender-3 3D [PITH_FULL_IMAGE:figures/full_fig_p006_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Detail of the EM probe above the SRAM chip. [PITH_FULL_IMAGE:figures/full_fig_p006_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: Surface scan showing the success rate at each point, expressed as the [PITH_FULL_IMAGE:figures/full_fig_p007_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: Logical memory map of EMFI effects on a 4 MB weight buffer. Red indicates corrupted memory locations. A significant decrease in fault density is observed after the 2 MB offset, suggesting either a boundary transition in the memory controller’s handling of burst data or a physical proximity limit of the EM probe. sequence of addresses rather than the physical topology of the RAM cells. A significant transit… view at source ↗
Figure 8
Figure 8. Figure 8: Proportion of bytes taking the value 0xFE or 0xFF per injected chunk. Although integer formats receive a higher fraction of 0xFE/0xFF bytes than floating-point formats, they exhibit far lower accuracy degradation. the EM pulse and the memory controller’s burst-access logic, rather than to a stochastic noise-floor effect. B. Floating-Point Corruption Statistics To quantify the extent of the NaN and range-ex… view at source ↗
Figure 7
Figure 7. Figure 7: Bit error rate (BER) per architecture and weight representation. Error [PITH_FULL_IMAGE:figures/full_fig_p008_7.png] view at source ↗
Figure 9
Figure 9. Figure 9: Binary comparison of a weight chunk before (left) and after (right) a single EMFI pulse. Entire rows are overwritten with [PITH_FULL_IMAGE:figures/full_fig_p009_9.png] view at source ↗
Figure 10
Figure 10. Figure 10: Floating-point weight corruption statistics per chunk. (a) In FP32, [PITH_FULL_IMAGE:figures/full_fig_p009_10.png] view at source ↗
Figure 12
Figure 12. Figure 12: Classification accuracy under fault injection for ResNet-18, ResNet-34, ResNet-50, and VGG-11. Each marker corresponds to the Top-1 (blue) or [PITH_FULL_IMAGE:figures/full_fig_p010_12.png] view at source ↗
Figure 13
Figure 13. Figure 13: VGG-11 architecture, illustrating the contrast between the shapes of the convolutional and fully connected layers. [PITH_FULL_IMAGE:figures/full_fig_p012_13.png] view at source ↗
read the original abstract

Fault injection attacks on embedded neural network models have been shown as a potent threat. Numerous works studied resilience of models from various points of view. As of now, there is no comprehensive study that would evaluate the influence of number representations used for model parameters against electromagnetic fault injection (EMFI) attacks. In this paper, we investigate how four different number representations influence the success of an EMFI attack on embedded neural network models. We chose two common floating-point representations (32-bit, and 16-bit), and two integer representations (8-bit, and 4-bit). We deployed four common image classifiers, ResNet-18, ResNet-34, ResNet-50, and VGG-11, on an embedded memory chip, and utilized a low-cost EMFI platform to trigger faults. Beyond accuracy evaluation, we characterize the injected fault pattern by analyzing the bit error rate, the spatial distribution of corrupted bytes, and the prevalence of 0xFE/0xFF byte values across formats, identifying the mechanisms responsible for the observed differences in resilience. Our results show that while floating-point representations exhibit almost a complete degradation in accuracy (Top-1 and Top-5) after a single fault injection, integer representations offer better resistance overall. In particular, the 8-bit representation on a relatively large network (VGG-11) retains Top-1 accuracy of around 70% and Top-5 at around 90%.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper presents an empirical study evaluating the electromagnetic fault injection (EMFI) resilience of four embedded image classification models (ResNet-18, ResNet-34, ResNet-50, VGG-11) when deployed with four number representations: FP32, FP16, INT8, and INT4. Using a low-cost EMFI platform on an embedded memory chip, the authors inject single faults, measure resulting Top-1 and Top-5 accuracy degradation, and characterize the injected faults via bit error rate, spatial distribution of corrupted bytes, and prevalence of 0xFE/0xFF values. The central claim is that floating-point formats suffer near-complete accuracy collapse after one fault while integer formats are substantially more resistant, with the 8-bit representation on VGG-11 retaining approximately 70% Top-1 and 90% Top-5 accuracy.

Significance. If the accuracy differences are driven by number representation rather than deployment artifacts, the work fills a stated gap by providing concrete, format-specific guidance for hardening embedded neural networks against physical attacks. The direct experimental measurements and fault-pattern characterization are strengths; however, the low-cost platform and absence of layout-isolation controls limit the strength of causal attribution to representation alone.

major comments (2)
  1. [Methods] Methods / Experimental Setup: The characterization of fault patterns (bit error rate, spatial distribution, 0xFE/0xFF prevalence) is performed after deployment but does not include an explicit control that equalizes memory layout, padding, alignment, or address mapping across floating-point and integer formats. Because EMFI faults are spatially correlated, observed accuracy gaps could arise from which parameter bytes land in fault-prone locations rather than from intrinsic numerical properties.
  2. [Results] Results: The abstract and results report specific retained accuracies (e.g., ~70% Top-1 and ~90% Top-5 for 8-bit VGG-11) without error bars, number of independent trials, or statistical significance tests. This makes it impossible to judge whether the claimed resilience advantage is robust or could be explained by run-to-run variability in fault injection.
minor comments (2)
  1. [Abstract] Abstract: The claim that integer representations 'offer better resistance overall' should be qualified by noting that the advantage is observed under the specific low-cost EMFI platform and single-fault regime used.
  2. [Discussion] The paper would benefit from a brief discussion of how model-specific memory layouts (e.g., weight packing in the embedded deployment) were verified to be comparable across the four formats.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive and detailed comments on our manuscript. We address each major comment below and indicate how we will revise the paper to strengthen it.

read point-by-point responses

  1. Referee: [Methods] Methods / Experimental Setup: The characterization of fault patterns (bit error rate, spatial distribution, 0xFE/0xFF prevalence) is performed after deployment but does not include an explicit control that equalizes memory layout, padding, alignment, or address mapping across floating-point and integer formats. Because EMFI faults are spatially correlated, observed accuracy gaps could arise from which parameter bytes land in fault-prone locations rather than from intrinsic numerical properties.

    Authors: We acknowledge that the original experiments did not include an explicit control to equalize or randomize memory layouts across number formats. All models were deployed using the same embedded toolchain and standard memory allocation on the target platform, so layouts followed the natural alignment and padding rules for each data type. The resilience differences appear consistently across four distinct model architectures, which would be improbable if driven purely by coincidental spatial placement of vulnerable bytes. In the revision we will expand the Methods section to describe the deployment process and memory mapping in greater detail, add an explicit discussion of possible layout effects as a limitation, and note that future work could incorporate layout-isolation controls. We believe these additions will clarify the attribution to numerical representation while remaining faithful to the experimental constraints. revision: partial

  2. Referee: [Results] Results: The abstract and results report specific retained accuracies (e.g., ~70% Top-1 and ~90% Top-5 for 8-bit VGG-11) without error bars, number of independent trials, or statistical significance tests. This makes it impossible to judge whether the claimed resilience advantage is robust or could be explained by run-to-run variability in fault injection.

    Authors: We agree that reporting variability, trial counts, and statistical tests is necessary for assessing robustness. The current manuscript presents representative accuracy figures without these supporting statistics. In the revised version we will state the number of independent fault-injection trials performed for each model-format pair, add error bars (standard deviation across trials) to all accuracy plots and tables, and include appropriate statistical significance tests comparing retention rates between floating-point and integer formats. These changes will allow readers to evaluate the reliability of the observed differences. revision: yes

Circularity Check

0 steps flagged

No circularity: purely empirical fault-injection measurements

full rationale

The paper reports direct experimental results from EMFI attacks on deployed models (ResNet-18/34/50, VGG-11) using four number formats. Accuracy, bit-error rates, spatial fault distributions, and 0xFE/0xFF prevalence are measured after physical fault injection on an embedded memory chip. No equations, fitted parameters, predictions derived from prior fits, or self-citation chains appear in the derivation of the central claims. The observed accuracy gaps are presented as empirical outcomes, not as outputs of any self-referential model or theorem. The study is self-contained against external benchmarks and contains no load-bearing steps that reduce to their own inputs by construction.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

This is an empirical hardware-security study with no mathematical derivations. No free parameters are fitted to produce the central claim, no new physical entities are postulated, and the only background assumptions are standard neural-network behavior and standard fault-injection measurement practices.

axioms (1)
  • domain assumption Standard ResNet and VGG architectures achieve expected baseline accuracy on image classification when no faults are injected.
    Implicit baseline for measuring degradation after fault injection.

pith-pipeline@v0.9.0 · 5572 in / 1230 out tokens · 39449 ms · 2026-05-15T21:26:34.861385+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

44 extracted references · 44 canonical work pages · 2 internal anchors

  1. [1]

    Tiny machine learning: Progress and futures [feature],

    J. Lin, L. Zhu, W.-M. Chen, W.-C. Wang, and S. Han, “Tiny machine learning: Progress and futures [feature],”IEEE Circuits and Systems Magazine, vol. 23, no. 3, pp. 8–34, 2023

    work page 2023

  2. [2]

    Pruning and quantization for deep neural network acceleration: A survey,

    T. Liang, J. Glossner, L. Wang, S. Shi, and X. Zhang, “Pruning and quantization for deep neural network acceleration: A survey,”Neuro- computing, vol. 461, pp. 370–403, 2021

    work page 2021

  3. [3]

    How practical are fault injection attacks, really?

    J. Breier and X. Hou, “How practical are fault injection attacks, really?” IEEE Access, vol. 10, pp. 113 122–113 130, 2022

    work page 2022

  4. [4]

    Electromagnetic fault injection: How faults occur,

    M. Dumont, M. Lisart, and P. Maurine, “Electromagnetic fault injection: How faults occur,” in2019 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC). IEEE, 2019, pp. 9–16

    work page 2019

  5. [5]

    Investigation of em fault injection on emerging lightweight neural network hardware,

    B. Goswami, R. Chetry, C. Moorthii, and M. Suri, “Investigation of em fault injection on emerging lightweight neural network hardware,” inApplied Cryptography and Network Security Workshops (ACNS). Springer, 2025, pp. 113–123

    work page 2025

  6. [6]

    Under- standing the impact of precision quantization on the accuracy and energy of neural networks,

    S. Hashemi, N. Anthony, H. Tann, R. I. Bahar, and S. Reda, “Under- standing the impact of precision quantization on the accuracy and energy of neural networks,” inDesign, Automation & Test in Europe Conference & Exhibition (DATE), 2017. IEEE, 2017, pp. 1474–1479

    work page 2017

  7. [7]

    A White Paper on Neural Network Quantization

    M. Nagel, M. Fournarakis, R. A. Amjad, Y . Bondarenko, M. Van Baalen, and T. Blankevoort, “A white paper on neural network quantization,” arXiv preprint arXiv:2106.08295, 2021

    work page internal anchor Pith review arXiv 2021

  8. [8]

    Fault tolerance in quantized and pruned convolutional neural networks,

    W. Guillem ´e, A. Kritikakou, Y . Helen, C. Killian, and D. Chillet, “Fault tolerance in quantized and pruned convolutional neural networks,” in IEEE International Symposium on On-Line Testing and Robust System Design (IOLTS), 2025, pp. 1–7

    work page 2025

  9. [9]

    Termi- nal brain damage: Exposing the graceless degradation in deep neural networks under hardware fault attacks,

    S. Hong, P. Frigo, Y . Kaya, C. Giuffrida, and T. Dumitras ,, “Termi- nal brain damage: Exposing the graceless degradation in deep neural networks under hardware fault attacks,” in28th USENIX Security Symposium (USENIX Security 19), 2019, pp. 497–514

    work page 2019

  10. [10]

    Deep residual learning for image recognition,

    K. He, X. Zhang, S. Ren, and J. Sun, “Deep residual learning for image recognition,” inProceedings of the IEEE conference on computer vision and pattern recognition (CVPR), 2016, pp. 770–778

    work page 2016

  11. [11]

    Very Deep Convolutional Networks for Large-Scale Image Recognition

    K. Simonyan and A. Zisserman, “Very deep convolutional networks for large-scale image recognition,”arXiv preprint arXiv:1409.1556, 2014

    work page internal anchor Pith review Pith/arXiv arXiv 2014

  12. [12]

    Imagenet: A large-scale hierarchical image database,

    J. Deng, W. Dong, R. Socher, L.-J. Li, K. Li, and L. Fei-Fei, “Imagenet: A large-scale hierarchical image database,” in2009 IEEE conference on computer vision and pattern recognition. Ieee, 2009, pp. 248–255

    work page 2009

  13. [13]

    Bit-flip attack: Crushing neural network with progressive bit search,

    A. S. Rakin, Z. He, and D. Fan, “Bit-flip attack: Crushing neural network with progressive bit search,” inProceedings of the IEEE/CVF International Conference on Computer Vision, 2019, pp. 1211–1220

    work page 2019

  14. [14]

    Sniff: Reverse engineering of neural networks with fault attacks,

    J. Breier, D. Jap, X. Hou, S. Bhasin, and Y . Liu, “Sniff: Reverse engineering of neural networks with fault attacks,”IEEE Transactions on Reliability, vol. PP, no. 99, pp. 1–13, 2021

    work page 2021

  15. [15]

    Un- derstanding the impact of quantization, accuracy, and radiation on the reliability of convolutional neural networks on fpgas,

    F. Libano, B. Wilson, M. Wirthlin, P. Rech, and J. Brunhaver, “Un- derstanding the impact of quantization, accuracy, and radiation on the reliability of convolutional neural networks on fpgas,”IEEE Transac- tions on Nuclear Science, vol. 67, no. 7, pp. 1402–1410, 2020

    work page 2020

  16. [16]

    Fault injection on embedded neural networks: Impact of a single instruction skip,

    C. Gaine, P.-A. Moellic, O. Potin, and J.-M. Dutertre, “Fault injection on embedded neural networks: Impact of a single instruction skip,” in2023 26th Euromicro Conference on Digital System Design (DSD). IEEE, 2023, pp. 317–324

    work page 2023

  17. [17]

    Tinyml: Enabling of inference deep learning models on ultra-low-power iot edge devices for ai applications,

    N. N. Alajlan and D. M. Ibrahim, “Tinyml: Enabling of inference deep learning models on ultra-low-power iot edge devices for ai applications,” Micromachines, vol. 13, no. 6, p. 851, 2022

    work page 2022

  18. [18]

    Tensorflow lite micro: Embedded machine learning for tinyml systems,

    R. David, J. Duke, A. Jain, V . Janapa Reddi, N. Jeffries, J. Li, N. Kreeger, I. Nappier, M. Natraj, T. Wanget al., “Tensorflow lite micro: Embedded machine learning for tinyml systems,”Proceedings of machine learning and systems, vol. 3, pp. 800–811, 2021

    work page 2021

  19. [19]

    Parhami,Computer arithmetic

    B. Parhami,Computer arithmetic. Oxford university press Oxford, 1999, vol. 20, no. 00

    work page 1999

  20. [20]

    On the importance of checking cryptographic protocols for faults,

    D. Boneh, R. A. DeMillo, and R. J. Lipton, “On the importance of checking cryptographic protocols for faults,” inAdvances in Cryptol- ogy—EUROCRYPT’97: International Conference on the Theory and Application of Cryptographic Techniques Konstanz, Germany, May 11– 15, 1997 Proceedings. Springer, 1997, pp. 37–51

    work page 1997

  21. [21]

    Breier, X

    J. Breier, X. Hou, and S. Bhasin,Automated Methods in Cryptographic Fault Analysis. Springer, 2019

    work page 2019

  22. [22]

    Fault injection attacks on deep neural networks: Lessons learned,

    Y . Liuet al., “Fault injection attacks on deep neural networks: Lessons learned,” inDesign Automation Conference (DAC), 2017

    work page 2017

  23. [23]

    Physical security of deep learning on edge devices: Comprehensive evaluation of fault injection attack vectors,

    X. Hou, J. Breier, D. Jap, L. Ma, S. Bhasin, and Y . Liu, “Physical security of deep learning on edge devices: Comprehensive evaluation of fault injection attack vectors,”Microelectronics Reliability, vol. 120, p. 114116, 2021. JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2021 13

    work page 2021

  24. [24]

    Practical fault attack on deep neural networks,

    J. Breier, X. Hou, D. Jap, L. Ma, S. Bhasin, and Y . Liu, “Practical fault attack on deep neural networks,” inProceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, 2018, pp. 2204–2206

    work page 2018

  25. [25]

    T- bfa: Targeted bit-flip adversarial weight attack,

    A. S. Rakin, Z. He, J. Li, F. Yao, C. Chakrabarti, and D. Fan, “T- bfa: Targeted bit-flip adversarial weight attack,”IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 44, no. 11, pp. 7928– 7939, 2021

    work page 2021

  26. [26]

    Foobar: Fault fooling backdoor attack on neural network training,

    J. Breier, X. Hou, M. Ochoa, and J. Solano, “Foobar: Fault fooling backdoor attack on neural network training,”IEEE Transactions on Dependable and Secure Computing, vol. 20, no. 3, pp. 1895–1908, 2022

    work page 1908

  27. [27]

    Deep- bar: Fault backdoor attack on deep neural network layers,

    C. Mart ´ınez-Mej´ıa, J. Solano, J. Breier, D. Bucko, and X. Hou, “Deep- bar: Fault backdoor attack on deep neural network layers,”arXiv preprint arXiv:2407.21220, 2024

    work page arXiv 2024

  28. [28]

    Tbt: Targeted neural network attack with bit trojan,

    A. S. Rakin, Z. He, and D. Fan, “Tbt: Targeted neural network attack with bit trojan,” inProceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2020, pp. 13 198–13 207

    work page 2020

  29. [29]

    Emfi: Electromagnetic fault injection on micro- controllers,

    S. Habibi and et al., “Emfi: Electromagnetic fault injection on micro- controllers,” inInternational Conference on Security and Cryptography (SECRYPT), 2021

    work page 2021

  30. [30]

    Testing feasibility of back-side laser fault injection on a microcontroller,

    J. Breier and D. Jap, “Testing feasibility of back-side laser fault injection on a microcontroller,” inProceedings of the WESS’15: Workshop on Embedded Systems Security, 2015, pp. 1–6

    work page 2015

  31. [31]

    Hou and J

    X. Hou and J. Breier,Cryptography and Embedded Systems Security. Springer, 2024

    work page 2024

  32. [32]

    Faraday’s law,

    K. Kuehn, “Faraday’s law,” inA Student’s Guide Through the Great Physics Texts: Volume III: Electricity, Magnetism and Light. Springer, 2015, pp. 331–344

    work page 2015

  33. [33]

    New probe design for hardware characterization by electromagnetic fault injection,

    C. Gaine, J.-P. Nikolovski, D. Aboulkassimi, and J.-M. Dutertre, “New probe design for hardware characterization by electromagnetic fault injection,” in2022 International Symposium on Electromagnetic Compatibility–EMC Europe. IEEE, 2022, pp. 299–304

    work page 2022

  34. [34]

    Xilinx/brevitas,

    G. Franco, A. Pappalardo, and N. J. Fraser, “Xilinx/brevitas,” 2025. [Online]. Available: https://doi.org/10.5281/zenodo.3333552

    work page doi:10.5281/zenodo.3333552 2025

  35. [35]

    A survey on fault attacks on symmetric key cryptosystems,

    A. Baksi, S. Bhasin, J. Breier, D. Jap, and D. Saha, “A survey on fault attacks on symmetric key cryptosystems,”ACM Computing Surveys, vol. 55, no. 4, pp. 1–34, 2022

    work page 2022

  36. [36]

    Efficiency of a glitch detector against electromagnetic fault injection,

    L. Zussa, A. Dehbaoui, K. Tobich, J.-M. Dutertre, P. Maurine, L. Guillaume-Sage, J. Clediere, and A. Tria, “Efficiency of a glitch detector against electromagnetic fault injection,” in2014 Design, Au- tomation & Test in Europe Conference & Exhibition (DATE). IEEE, 2014, pp. 1–6

    work page 2014

  37. [37]

    An electromagnetic fault injection sen- sor using hogge phase-detector,

    J. Breier, S. Bhasin, and W. He, “An electromagnetic fault injection sen- sor using hogge phase-detector,” in2017 18th International Symposium on Quality Electronic Design (ISQED). IEEE, 2017, pp. 307–312

    work page 2017

  38. [38]

    Recomputing with permuted operands: A concur- rent error detection approach,

    X. Guo and R. Karri, “Recomputing with permuted operands: A concur- rent error detection approach,”IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 32, no. 10, pp. 1595– 1608, 2013

    work page 2013

  39. [39]

    On evaluating fault resilient encoding schemes in software,

    J. Breier, X. Hou, and Y . Liu, “On evaluating fault resilient encoding schemes in software,”IEEE Transactions on Dependable and Secure Computing, vol. 18, no. 3, pp. 1065–1079, 2019

    work page 2019

  40. [40]

    A countermeasure against statistical ineffective fault analysis,

    J. Breier, M. Khairallah, X. Hou, and Y . Liu, “A countermeasure against statistical ineffective fault analysis,”IEEE Transactions on Circuits and Systems II: Express Briefs, vol. 67, no. 12, pp. 3322–3326, 2020

    work page 2020

  41. [41]

    DeepDyve: Dynamic verification for deep neural networks,

    Y . Li, M. Li, B. Luo, Y . Tian, and Q. Xu, “DeepDyve: Dynamic verification for deep neural networks,” inProceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, 2020, pp. 101–112

    work page 2020

  42. [42]

    Radar: Run- time adversarial weight attack detection and accuracy recovery,

    J. Li, A. S. Rakin, Z. He, D. Fan, and C. Chakrabarti, “Radar: Run- time adversarial weight attack detection and accuracy recovery,” in2021 Design, Automation & Test in Europe Conference & Exhibition (DATE). IEEE, 2021, pp. 790–795

    work page 2021

  43. [43]

    Hashtag: Hash signatures for online detection of fault-injection attacks on deep neural networks,

    M. Javaheripi and F. Koushanfar, “Hashtag: Hash signatures for online detection of fault-injection attacks on deep neural networks,” in2021 IEEE/ACM International Conference On Computer Aided Design (IC- CAD). IEEE, 2021, pp. 1–9

    work page 2021

  44. [44]

    Alert: A lightweight defense mechanism for enhancing dnn robustness against t-bfa,

    X. Wei, X. Wang, Y . Yan, N. Jiang, and H. Yue, “Alert: A lightweight defense mechanism for enhancing dnn robustness against t-bfa,”Journal of Systems Architecture, vol. 152, p. 103160, 2024

    work page 2024