InjectV: Modeling Fault Injection Attacks in RISC-V Simulation Environment
Pith reviewed 2026-06-27 08:59 UTC · model grok-4.3
The pith
InjectV models fault injection attacks on RISC-V using the gem5 simulator to identify vulnerabilities at critical execution points.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
InjectV provides a gem5-based platform that enables guided transient fault injection into RISC-V registers and memory at security-critical locations, allowing developers to systematically explore attack vectors on benchmarks from the FISSC suite and achieve identification of vulnerable points with substantially lower effort than physical testing methods.
What carries the argument
gem5 simulator extended for precise, guided transient fault injection at control-flow decisions, counters, and comparisons in RISC-V.
If this is right
- Developers can assess system resilience to fault attacks earlier in the design cycle without physical prototypes.
- Systematic testing becomes feasible for multiple attack scenarios involving registers and memory.
- Hardened code variants like those in FISSC can be evaluated for remaining weaknesses in simulation.
- Time required for vulnerability discovery drops significantly compared to traditional physical injection.
Where Pith is reading between the lines
- The same modeling approach could be applied to evaluate countermeasures in other processor architectures if ported.
- Automated tools might later use InjectV outputs to suggest code or hardware modifications that close identified gaps.
- Accuracy checks against multiple real RISC-V chips would strengthen confidence in the simulation results for production use.
Load-bearing premise
The gem5 simulator accurately reproduces the effects of real transient faults on physical RISC-V hardware.
What would settle it
Direct comparison of InjectV-identified vulnerable points and attack success rates against equivalent experiments performed on physical RISC-V hardware.
Figures
read the original abstract
Fault Injection Attacks (FIAs) are a significant threat to hardware security, capable of compromising systems by inducing malicious faults in computation or storage. Evaluating resilience against such attacks is challenging due to the high cost, complexity, and limited availability of physical fault experiments, particularly during pre-silicon development. Architectural-level simulation offers a developer-oriented, white-box perspective for systematic vulnerability assessment. This paper introduces InjectV, a fault injection attack framework for RISC-V platforms built on the gem5 simulator. InjectV enables precise, guided fault injection at security-critical execution points, such as control-flow decisions, counters, and comparisons, allowing systematic exploration of attack vectors. It currently supports transient fault attacks in registers and memory, broadening its ability to simulate diverse attack scenarios. Experimental results on security benchmarks from the FISSC suite, including hardened variants of the VerifyPIN application, demonstrate InjectV's ability to effectively identify fault-injection points, achieving a 95.8% time-saving advantage over traditional fault injection approaches.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper presents InjectV, a fault-injection framework built on the gem5 simulator for RISC-V platforms. It supports precise transient fault injection into registers and memory at security-critical points (control-flow decisions, counters, comparisons) and reports experiments on FISSC benchmarks including hardened VerifyPIN variants that identify injection points while claiming a 95.8% time-saving advantage over traditional fault-injection approaches.
Significance. A validated gem5-based framework could provide a useful white-box, pre-silicon tool for systematic FIA assessment when physical experiments are costly or unavailable. The reported time-saving and attack-point identification results, however, rest on an unvalidated assumption that gem5 fault propagation matches silicon behavior; without calibration data the claimed advantage and security findings remain simulation-specific.
major comments (2)
- [Experimental results] Experimental results section: the headline 95.8% time-saving claim is stated without any description of measurement methodology, chosen baselines, number of trials, or error quantification, rendering the performance advantage unverifiable.
- [Experimental setup and results] Experimental setup and results: no calibration data, no comparison against laser/voltage-glitch results on the same RISC-V core, and no quantification of timing or masking discrepancies are supplied to support the assumption that gem5-injected transient faults produce the same observable outcomes as physical faults; this assumption is load-bearing for the claim that identified attack points are transferable.
Simulated Author's Rebuttal
We thank the referee for the detailed feedback on InjectV. The comments highlight important gaps in experimental documentation and validation assumptions. We address each point below and indicate planned revisions.
read point-by-point responses
-
Referee: [Experimental results] Experimental results section: the headline 95.8% time-saving claim is stated without any description of measurement methodology, chosen baselines, number of trials, or error quantification, rendering the performance advantage unverifiable.
Authors: We agree that the 95.8% time-saving figure requires supporting methodological details to be verifiable. The revised manuscript will add an explicit subsection in the Experimental Results section describing the baseline (exhaustive traditional fault injection without guided selection), the measurement process (wall-clock simulation time across FISSC benchmarks), the number of trials, and any observed variance or error quantification. revision: yes
-
Referee: [Experimental setup and results] Experimental setup and results: no calibration data, no comparison against laser/voltage-glitch results on the same RISC-V core, and no quantification of timing or masking discrepancies are supplied to support the assumption that gem5-injected transient faults produce the same observable outcomes as physical faults; this assumption is load-bearing for the claim that identified attack points are transferable.
Authors: The manuscript frames InjectV as a pre-silicon simulation tool and does not assert that gem5 fault outcomes are identical to physical silicon behavior. We will revise the text to explicitly state the modeling assumptions, add a dedicated Limitations subsection discussing the lack of physical calibration, potential timing/masking differences, and the simulation-specific nature of the identified attack points. No physical hardware experiments or calibration data are available in the current study. revision: partial
- No physical calibration data or direct comparisons to laser/voltage-glitch experiments on RISC-V hardware are available to validate gem5 fault propagation equivalence.
Circularity Check
No circularity: framework description with no derivations or fitted predictions
full rationale
The paper presents InjectV as a gem5-based fault-injection framework for RISC-V, with experimental results on FISSC benchmarks. No equations, parameter fitting, uniqueness theorems, or self-citation chains appear in the provided text. Claims rest on software implementation and benchmark runs rather than any derivation that reduces to its own inputs. This is a standard tool-building contribution whose validity is independent of the circularity patterns listed.
Axiom & Free-Parameter Ledger
axioms (1)
- domain assumption gem5 provides sufficient fidelity for modeling transient faults in RISC-V registers and memory for security evaluation purposes
invented entities (1)
-
InjectV framework
no independent evidence
Reference graph
Works this paper leans on
-
[1]
A systematic review of fault injection attacks on iot systems,
A. Gangolli, Q. H. Mahmoud, and A. Azim, “A systematic review of fault injection attacks on iot systems,”Electronics, vol. 11, no. 13, p. 2023, 2022
2023
-
[2]
Countermeasures against fault injection attacks in processors: A review,
R. Boulifa, G. Di Natale, and P. Maistri, “Countermeasures against fault injection attacks in processors: A review,”Information, vol. 16, no. 4, p. 293, 2025
2025
-
[3]
Alternatives to fault injections for early safety/security evaluations,
M. Portolan, A. Savino, R. Leveugle, S. Di Carlo, A. Bosio, and G. Di Natale, “Alternatives to fault injections for early safety/security evaluations,” in2019 IEEE European Test Symposium (ETS), 2019, pp. 1–10
2019
-
[4]
Side-channel and fault-injection attacks over lattice-based post-quantum schemes (kyber, dilithium): Survey and new results,
P. Ravi, S. S. Roy, S. Bhasin, and A. Chattopadhyay, “Side-channel and fault-injection attacks over lattice-based post-quantum schemes (kyber, dilithium): Survey and new results,”ACM Transactions on Embedded Computing Systems, vol. 23, no. 2, pp. 1–54, 2024
2024
-
[5]
Plundervolt: Software-based fault injection attacks against intel sgx,
K. Murdock, D. Oswald, F. D. Garcia, J. Van Bulck, D. Gruss, and F. Piessens, “Plundervolt: Software-based fault injection attacks against intel sgx,” in41st IEEE Symposium on Security and Privacy (S&P), 2020
2020
-
[6]
The gem5 Simulator: Version 20.0+,
J. Lowe-Power, E. Carmean, M. Hsuet al., “The gem5 simulator: Version 20.0+,”arXiv preprint arXiv:2007.03152, 2020
-
[7]
Protecting risc-v processors against physical attacks,
M. Werner, R. Schilling, T. Unterluggauer, and S. Mangard, “Protecting risc-v processors against physical attacks,” in2019 Design, Automation & Test in Europe Conference & Exhibition (DATE), 2019, pp. 1136– 1141
2019
-
[8]
A security risc: Microarchitectural attacks on hardware risc-v cpus,
L. Gerlach, D. Weber, R. Zhang, and M. Schwarz, “A security risc: Microarchitectural attacks on hardware risc-v cpus,” in2023 IEEE Symposium on Security and Privacy (SP), 2023, pp. 2321–2338
2023
-
[9]
A survey of recent developments in testability, safety and security of risc-v processors,
J. Anders, P. Andreu, B. Becker, S. Becker, R. Cantoro, N. I. Deligiannis, N. Elhamawy, T. Faller, C. Hernandez, N. Mentens, M. N. Rizi, I. Polian, A. Sajadi, M. Sauer, D. Schwachhofer, M. S. Reorda, T. Stefanov, I. Tuzov, S. Wagner, and N. Zidari ˇc, “A survey of recent developments in testability, safety and security of risc-v processors,” in2023 IEEE E...
2023
-
[10]
Power side-channel vulnerabilities of a risc-v cryptography accelerator integrated into cva6 via core-v extension interface (cv-x-if),
B. Farnaghinejad, D. Bellizia, A. Dolmeta, G. Masera, A. Porsia, A. Ruospo, S. Di Carlo, A. Savino, and E. Sanchez, “Power side-channel vulnerabilities of a risc-v cryptography accelerator integrated into cva6 via core-v extension interface (cv-x-if),” in2025 IEEE International Test Conference (ITC), 2025, pp. 233–242
2025
-
[11]
On the importance of checking cryptographic protocols for faults,
D. Boneh, R. A. DeMillo, and R. J. Lipton, “On the importance of checking cryptographic protocols for faults,” inAdvances in Cryptology — EUROCRYPT ’97, ser. Lecture Notes in Computer Science, vol. 1233. Springer, 1997, pp. 37–51
1997
-
[12]
Differential power analysis,
P. C. Kocher, J. Jaffe, and B. Jun, “Differential power analysis,” in Advances in Cryptology — CRYPTO ’99, ser. Lecture Notes in Computer Science, vol. 1666. Springer, 1999, pp. 388–397
1999
-
[13]
Joye and M
M. Joye and M. Tunstall,Fault Analysis in Cryptography. Springer, 2012
2012
-
[14]
A survey of fault attacks,
L. Teixeiraet al., “A survey of fault attacks,”ACM Computing Surveys, vol. 52, no. 4, pp. 1–28, 2019
2019
-
[15]
Failure identification using model-implemented fault injection with domain knowledge-guided reinforcement learning,
M. Moradi, B. Van Acker, and J. Denil, “Failure identification using model-implemented fault injection with domain knowledge-guided reinforcement learning,”Sensors, vol. 23, no. 4, 2023. [Online]. Available: https://www.mdpi.com/1424-8220/23/4/2166
2023
-
[16]
Special session: Security and ras in the computing continuum,
M. Alonso, D. Andreu, R. Canal, S. Di Carlo, O. Chatzopoulos, C. Chenet, J. Costa, A. Girones, D. Gizopoulos, G. Papadimitriou, E. Morancho, B. Otero, and A. Savino, “Special session: Security and ras in the computing continuum,” in2024 IEEE International Symposium on Defect and Fault Tolerance in VLSI and Nanotechnology Systems (DFT), 2024, pp. 1–6
2024
-
[17]
Real-time embedded system fault injector framework for micro-architectural state based reliability assessment,
E. Magliano, A. Savino, and S. Di Carlo, “Real-time embedded system fault injector framework for micro-architectural state based reliability assessment,”Journal of Electronic Testing, vol. 41, no. 2, pp. 193–208,
-
[18]
Available: https://doi.org/10.1007/s10836-025-06170-w
[Online]. Available: https://doi.org/10.1007/s10836-025-06170-w
-
[19]
Experimental analysis of the electromagnetic instruction skip fault model and consequences for software countermeasures,
J.-M. Dutertre, A. Menu, O. Potin, J.-B. Rigaud, and J.-L. Danger, “Experimental analysis of the electromagnetic instruction skip fault model and consequences for software countermeasures,”Microelectron- ics Reliability, vol. 121, p. 114133, 2021
2021
-
[20]
Fault injection and simulation secure collection (fissc),
FISSC Consortium, “Fault injection and simulation secure collection (fissc),” https://lazart.gricad-pages.univ-grenoble-alpes.fr/fissc/, 2024
2024
-
[21]
Formal veri- fication of a software countermeasure against instruction skip attacks,
N. Moro, K. Heydemann, E. Encrenaz, and B. Robisson, “Formal veri- fication of a software countermeasure against instruction skip attacks,” inProceedings of the Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC). IEEE, 2014, pp. 1–10
2014
-
[22]
Gemfi: A fault injection tool for studying the behavior of applications on unreliable substrates,
K. Parasyris, C. Tziantzoulis, C. Antonopoulos, and N. Bellas, “Gemfi: A fault injection tool for studying the behavior of applications on unreliable substrates,” inProceedings of the IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 2014
2014
-
[23]
gemv-tool: A comprehensive soft error reliability estima- tion tool,
J. Doeet al., “gemv-tool: A comprehensive soft error reliability estima- tion tool,”Electronics, vol. 12, no. 22, 2023
2023
-
[24]
gem5-marvel: Microarchitecture-level resilience analysis of heteroge- neous soc architectures,
O. Chatzopoulos, G. Papadimitriou, V . Karakostas, and D. Gizopoulos, “gem5-marvel: Microarchitecture-level resilience analysis of heteroge- neous soc architectures,” inProceedings of the IEEE International Symposium on High-Performance Computer Architecture (HPCA), 2024
2024
-
[25]
A survey of qemu-based fault injection tools & techniques for emulating physical faults,
Y . B. Bekele, D. B. Limbrick, and J. C. Kelly, “A survey of qemu-based fault injection tools & techniques for emulating physical faults,”IEEE Access, vol. 11, pp. 62 662–62 673, 2023
2023
-
[26]
Faultfinder: Lightning-fast, multi-architectural fault injection simulation,
K. Murdock, M. Thompson, and D. Oswald, “Faultfinder: Lightning-fast, multi-architectural fault injection simulation,” inWorkshop on Attacks and Solutions in Hardware Security (ASHES), 2024
2024
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.