pith. sign in

arxiv: 2606.12011 · v1 · pith:MQ6IA6VCnew · submitted 2026-06-10 · 💻 cs.CR

InjectV: Modeling Fault Injection Attacks in RISC-V Simulation Environment

Pith reviewed 2026-06-27 08:59 UTC · model grok-4.3

classification 💻 cs.CR
keywords fault injection attacksRISC-Vgem5 simulatorhardware securityvulnerability assessmenttransient faultsFISSC benchmarkspre-silicon evaluation
0
0 comments X

The pith

InjectV models fault injection attacks on RISC-V using the gem5 simulator to identify vulnerabilities at critical execution points.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces InjectV as a framework for simulating fault injection attacks in RISC-V systems within the gem5 environment. It targets precise injection at points like control-flow decisions, counters, and comparisons while supporting transient faults in registers and memory. This approach aims to replace expensive and limited physical fault experiments with a systematic, white-box simulation method during pre-silicon design. Results on FISSC suite benchmarks, including hardened VerifyPIN variants, show effective detection of injection points along with major reductions in analysis time.

Core claim

InjectV provides a gem5-based platform that enables guided transient fault injection into RISC-V registers and memory at security-critical locations, allowing developers to systematically explore attack vectors on benchmarks from the FISSC suite and achieve identification of vulnerable points with substantially lower effort than physical testing methods.

What carries the argument

gem5 simulator extended for precise, guided transient fault injection at control-flow decisions, counters, and comparisons in RISC-V.

If this is right

  • Developers can assess system resilience to fault attacks earlier in the design cycle without physical prototypes.
  • Systematic testing becomes feasible for multiple attack scenarios involving registers and memory.
  • Hardened code variants like those in FISSC can be evaluated for remaining weaknesses in simulation.
  • Time required for vulnerability discovery drops significantly compared to traditional physical injection.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same modeling approach could be applied to evaluate countermeasures in other processor architectures if ported.
  • Automated tools might later use InjectV outputs to suggest code or hardware modifications that close identified gaps.
  • Accuracy checks against multiple real RISC-V chips would strengthen confidence in the simulation results for production use.

Load-bearing premise

The gem5 simulator accurately reproduces the effects of real transient faults on physical RISC-V hardware.

What would settle it

Direct comparison of InjectV-identified vulnerable points and attack success rates against equivalent experiments performed on physical RISC-V hardware.

Figures

Figures reproduced from arXiv: 2606.12011 by Alessandro Savino, Giorgio Fardo, Niccol\`o Lentini, Stefano Di Carlo.

Figure 1
Figure 1. Figure 1: Execution workflow of the proposed fault injection attack framework. [PITH_FULL_IMAGE:figures/full_fig_p002_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Campaign Manager workflow. If this instruction distance falls within a user-defined window, the location is considered a valid candidate injection point. Differential Execution Divergence: When a divergent ex￾ecution trace is provided, the framework compares it with the golden trace to identify the first diverging execution point and correlates it with the corresponding instruction and simulation tick, e.g… view at source ↗
Figure 3
Figure 3. Figure 3: Relative Outcomes Distribution. ploitability and allows campaign outcomes to be interpreted in terms of security impact. To assess the guided preprocessing stage, we compared it with random exploration campaigns that uniformly sample the fault space in time and space. To ensure a fair comparison, random campaigns used the same number of injections and the same register/memory fault mode distribution as the… view at source ↗
Figure 5
Figure 5. Figure 5: Spatial Distribution of memory injections. [PITH_FULL_IMAGE:figures/full_fig_p004_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: Spatial Distribution of register injections. [PITH_FULL_IMAGE:figures/full_fig_p004_6.png] view at source ↗
read the original abstract

Fault Injection Attacks (FIAs) are a significant threat to hardware security, capable of compromising systems by inducing malicious faults in computation or storage. Evaluating resilience against such attacks is challenging due to the high cost, complexity, and limited availability of physical fault experiments, particularly during pre-silicon development. Architectural-level simulation offers a developer-oriented, white-box perspective for systematic vulnerability assessment. This paper introduces InjectV, a fault injection attack framework for RISC-V platforms built on the gem5 simulator. InjectV enables precise, guided fault injection at security-critical execution points, such as control-flow decisions, counters, and comparisons, allowing systematic exploration of attack vectors. It currently supports transient fault attacks in registers and memory, broadening its ability to simulate diverse attack scenarios. Experimental results on security benchmarks from the FISSC suite, including hardened variants of the VerifyPIN application, demonstrate InjectV's ability to effectively identify fault-injection points, achieving a 95.8% time-saving advantage over traditional fault injection approaches.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 0 minor

Summary. The paper presents InjectV, a fault-injection framework built on the gem5 simulator for RISC-V platforms. It supports precise transient fault injection into registers and memory at security-critical points (control-flow decisions, counters, comparisons) and reports experiments on FISSC benchmarks including hardened VerifyPIN variants that identify injection points while claiming a 95.8% time-saving advantage over traditional fault-injection approaches.

Significance. A validated gem5-based framework could provide a useful white-box, pre-silicon tool for systematic FIA assessment when physical experiments are costly or unavailable. The reported time-saving and attack-point identification results, however, rest on an unvalidated assumption that gem5 fault propagation matches silicon behavior; without calibration data the claimed advantage and security findings remain simulation-specific.

major comments (2)
  1. [Experimental results] Experimental results section: the headline 95.8% time-saving claim is stated without any description of measurement methodology, chosen baselines, number of trials, or error quantification, rendering the performance advantage unverifiable.
  2. [Experimental setup and results] Experimental setup and results: no calibration data, no comparison against laser/voltage-glitch results on the same RISC-V core, and no quantification of timing or masking discrepancies are supplied to support the assumption that gem5-injected transient faults produce the same observable outcomes as physical faults; this assumption is load-bearing for the claim that identified attack points are transferable.

Simulated Author's Rebuttal

2 responses · 1 unresolved

We thank the referee for the detailed feedback on InjectV. The comments highlight important gaps in experimental documentation and validation assumptions. We address each point below and indicate planned revisions.

read point-by-point responses
  1. Referee: [Experimental results] Experimental results section: the headline 95.8% time-saving claim is stated without any description of measurement methodology, chosen baselines, number of trials, or error quantification, rendering the performance advantage unverifiable.

    Authors: We agree that the 95.8% time-saving figure requires supporting methodological details to be verifiable. The revised manuscript will add an explicit subsection in the Experimental Results section describing the baseline (exhaustive traditional fault injection without guided selection), the measurement process (wall-clock simulation time across FISSC benchmarks), the number of trials, and any observed variance or error quantification. revision: yes

  2. Referee: [Experimental setup and results] Experimental setup and results: no calibration data, no comparison against laser/voltage-glitch results on the same RISC-V core, and no quantification of timing or masking discrepancies are supplied to support the assumption that gem5-injected transient faults produce the same observable outcomes as physical faults; this assumption is load-bearing for the claim that identified attack points are transferable.

    Authors: The manuscript frames InjectV as a pre-silicon simulation tool and does not assert that gem5 fault outcomes are identical to physical silicon behavior. We will revise the text to explicitly state the modeling assumptions, add a dedicated Limitations subsection discussing the lack of physical calibration, potential timing/masking differences, and the simulation-specific nature of the identified attack points. No physical hardware experiments or calibration data are available in the current study. revision: partial

standing simulated objections not resolved
  • No physical calibration data or direct comparisons to laser/voltage-glitch experiments on RISC-V hardware are available to validate gem5 fault propagation equivalence.

Circularity Check

0 steps flagged

No circularity: framework description with no derivations or fitted predictions

full rationale

The paper presents InjectV as a gem5-based fault-injection framework for RISC-V, with experimental results on FISSC benchmarks. No equations, parameter fitting, uniqueness theorems, or self-citation chains appear in the provided text. Claims rest on software implementation and benchmark runs rather than any derivation that reduces to its own inputs. This is a standard tool-building contribution whose validity is independent of the circularity patterns listed.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 1 invented entities

The paper's contribution rests on the unexamined fidelity of the gem5 simulator for fault modeling and the representativeness of the chosen benchmarks; no free parameters or new physical entities are introduced.

axioms (1)
  • domain assumption gem5 provides sufficient fidelity for modeling transient faults in RISC-V registers and memory for security evaluation purposes
    The entire framework is built on gem5 and the experimental claims depend on this modeling accuracy.
invented entities (1)
  • InjectV framework no independent evidence
    purpose: To provide guided fault injection at security-critical points in simulation
    New software artifact introduced by the authors; no independent evidence of correctness outside the paper is supplied.

pith-pipeline@v0.9.1-grok · 5707 in / 1253 out tokens · 21341 ms · 2026-06-27T08:59:40.754213+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

26 extracted references · 2 canonical work pages

  1. [1]

    A systematic review of fault injection attacks on iot systems,

    A. Gangolli, Q. H. Mahmoud, and A. Azim, “A systematic review of fault injection attacks on iot systems,”Electronics, vol. 11, no. 13, p. 2023, 2022

  2. [2]

    Countermeasures against fault injection attacks in processors: A review,

    R. Boulifa, G. Di Natale, and P. Maistri, “Countermeasures against fault injection attacks in processors: A review,”Information, vol. 16, no. 4, p. 293, 2025

  3. [3]

    Alternatives to fault injections for early safety/security evaluations,

    M. Portolan, A. Savino, R. Leveugle, S. Di Carlo, A. Bosio, and G. Di Natale, “Alternatives to fault injections for early safety/security evaluations,” in2019 IEEE European Test Symposium (ETS), 2019, pp. 1–10

  4. [4]

    Side-channel and fault-injection attacks over lattice-based post-quantum schemes (kyber, dilithium): Survey and new results,

    P. Ravi, S. S. Roy, S. Bhasin, and A. Chattopadhyay, “Side-channel and fault-injection attacks over lattice-based post-quantum schemes (kyber, dilithium): Survey and new results,”ACM Transactions on Embedded Computing Systems, vol. 23, no. 2, pp. 1–54, 2024

  5. [5]

    Plundervolt: Software-based fault injection attacks against intel sgx,

    K. Murdock, D. Oswald, F. D. Garcia, J. Van Bulck, D. Gruss, and F. Piessens, “Plundervolt: Software-based fault injection attacks against intel sgx,” in41st IEEE Symposium on Security and Privacy (S&P), 2020

  6. [6]

    The gem5 Simulator: Version 20.0+,

    J. Lowe-Power, E. Carmean, M. Hsuet al., “The gem5 simulator: Version 20.0+,”arXiv preprint arXiv:2007.03152, 2020

  7. [7]

    Protecting risc-v processors against physical attacks,

    M. Werner, R. Schilling, T. Unterluggauer, and S. Mangard, “Protecting risc-v processors against physical attacks,” in2019 Design, Automation & Test in Europe Conference & Exhibition (DATE), 2019, pp. 1136– 1141

  8. [8]

    A security risc: Microarchitectural attacks on hardware risc-v cpus,

    L. Gerlach, D. Weber, R. Zhang, and M. Schwarz, “A security risc: Microarchitectural attacks on hardware risc-v cpus,” in2023 IEEE Symposium on Security and Privacy (SP), 2023, pp. 2321–2338

  9. [9]

    A survey of recent developments in testability, safety and security of risc-v processors,

    J. Anders, P. Andreu, B. Becker, S. Becker, R. Cantoro, N. I. Deligiannis, N. Elhamawy, T. Faller, C. Hernandez, N. Mentens, M. N. Rizi, I. Polian, A. Sajadi, M. Sauer, D. Schwachhofer, M. S. Reorda, T. Stefanov, I. Tuzov, S. Wagner, and N. Zidari ˇc, “A survey of recent developments in testability, safety and security of risc-v processors,” in2023 IEEE E...

  10. [10]

    Power side-channel vulnerabilities of a risc-v cryptography accelerator integrated into cva6 via core-v extension interface (cv-x-if),

    B. Farnaghinejad, D. Bellizia, A. Dolmeta, G. Masera, A. Porsia, A. Ruospo, S. Di Carlo, A. Savino, and E. Sanchez, “Power side-channel vulnerabilities of a risc-v cryptography accelerator integrated into cva6 via core-v extension interface (cv-x-if),” in2025 IEEE International Test Conference (ITC), 2025, pp. 233–242

  11. [11]

    On the importance of checking cryptographic protocols for faults,

    D. Boneh, R. A. DeMillo, and R. J. Lipton, “On the importance of checking cryptographic protocols for faults,” inAdvances in Cryptology — EUROCRYPT ’97, ser. Lecture Notes in Computer Science, vol. 1233. Springer, 1997, pp. 37–51

  12. [12]

    Differential power analysis,

    P. C. Kocher, J. Jaffe, and B. Jun, “Differential power analysis,” in Advances in Cryptology — CRYPTO ’99, ser. Lecture Notes in Computer Science, vol. 1666. Springer, 1999, pp. 388–397

  13. [13]

    Joye and M

    M. Joye and M. Tunstall,Fault Analysis in Cryptography. Springer, 2012

  14. [14]

    A survey of fault attacks,

    L. Teixeiraet al., “A survey of fault attacks,”ACM Computing Surveys, vol. 52, no. 4, pp. 1–28, 2019

  15. [15]

    Failure identification using model-implemented fault injection with domain knowledge-guided reinforcement learning,

    M. Moradi, B. Van Acker, and J. Denil, “Failure identification using model-implemented fault injection with domain knowledge-guided reinforcement learning,”Sensors, vol. 23, no. 4, 2023. [Online]. Available: https://www.mdpi.com/1424-8220/23/4/2166

  16. [16]

    Special session: Security and ras in the computing continuum,

    M. Alonso, D. Andreu, R. Canal, S. Di Carlo, O. Chatzopoulos, C. Chenet, J. Costa, A. Girones, D. Gizopoulos, G. Papadimitriou, E. Morancho, B. Otero, and A. Savino, “Special session: Security and ras in the computing continuum,” in2024 IEEE International Symposium on Defect and Fault Tolerance in VLSI and Nanotechnology Systems (DFT), 2024, pp. 1–6

  17. [17]

    Real-time embedded system fault injector framework for micro-architectural state based reliability assessment,

    E. Magliano, A. Savino, and S. Di Carlo, “Real-time embedded system fault injector framework for micro-architectural state based reliability assessment,”Journal of Electronic Testing, vol. 41, no. 2, pp. 193–208,

  18. [18]

    Available: https://doi.org/10.1007/s10836-025-06170-w

    [Online]. Available: https://doi.org/10.1007/s10836-025-06170-w

  19. [19]

    Experimental analysis of the electromagnetic instruction skip fault model and consequences for software countermeasures,

    J.-M. Dutertre, A. Menu, O. Potin, J.-B. Rigaud, and J.-L. Danger, “Experimental analysis of the electromagnetic instruction skip fault model and consequences for software countermeasures,”Microelectron- ics Reliability, vol. 121, p. 114133, 2021

  20. [20]

    Fault injection and simulation secure collection (fissc),

    FISSC Consortium, “Fault injection and simulation secure collection (fissc),” https://lazart.gricad-pages.univ-grenoble-alpes.fr/fissc/, 2024

  21. [21]

    Formal veri- fication of a software countermeasure against instruction skip attacks,

    N. Moro, K. Heydemann, E. Encrenaz, and B. Robisson, “Formal veri- fication of a software countermeasure against instruction skip attacks,” inProceedings of the Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC). IEEE, 2014, pp. 1–10

  22. [22]

    Gemfi: A fault injection tool for studying the behavior of applications on unreliable substrates,

    K. Parasyris, C. Tziantzoulis, C. Antonopoulos, and N. Bellas, “Gemfi: A fault injection tool for studying the behavior of applications on unreliable substrates,” inProceedings of the IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 2014

  23. [23]

    gemv-tool: A comprehensive soft error reliability estima- tion tool,

    J. Doeet al., “gemv-tool: A comprehensive soft error reliability estima- tion tool,”Electronics, vol. 12, no. 22, 2023

  24. [24]

    gem5-marvel: Microarchitecture-level resilience analysis of heteroge- neous soc architectures,

    O. Chatzopoulos, G. Papadimitriou, V . Karakostas, and D. Gizopoulos, “gem5-marvel: Microarchitecture-level resilience analysis of heteroge- neous soc architectures,” inProceedings of the IEEE International Symposium on High-Performance Computer Architecture (HPCA), 2024

  25. [25]

    A survey of qemu-based fault injection tools & techniques for emulating physical faults,

    Y . B. Bekele, D. B. Limbrick, and J. C. Kelly, “A survey of qemu-based fault injection tools & techniques for emulating physical faults,”IEEE Access, vol. 11, pp. 62 662–62 673, 2023

  26. [26]

    Faultfinder: Lightning-fast, multi-architectural fault injection simulation,

    K. Murdock, M. Thompson, and D. Oswald, “Faultfinder: Lightning-fast, multi-architectural fault injection simulation,” inWorkshop on Attacks and Solutions in Hardware Security (ASHES), 2024