

# Hardware Fault Injection and Co-Simulation

## Tutorial

Nikhil

## Contents

|          |                                                       |           |
|----------|-------------------------------------------------------|-----------|
| <b>1</b> | <b>Introduction: Why This Matters</b>                 | <b>3</b>  |
| <b>2</b> | <b>Foundation Concepts</b>                            | <b>3</b>  |
| 2.1      | What is RTL? (Hardware Description) . . . . .         | 3         |
| 2.2      | What is QEMU? (Software/Hardware Emulation) . . . . . | 4         |
| 2.3      | What is Fault Injection? . . . . .                    | 4         |
| <b>3</b> | <b>Types of Fault Attacks</b>                         | <b>4</b>  |
| 3.1      | Voltage Glitching . . . . .                           | 4         |
| 3.2      | Bit Flip Attacks . . . . .                            | 5         |
| 3.3      | Clock Glitching . . . . .                             | 5         |
| <b>4</b> | <b>Co-Simulation: Connecting RTL and QEMU</b>         | <b>6</b>  |
| 4.1      | Why Co-Simulation? . . . . .                          | 6         |
| 4.2      | The Communication Bridge . . . . .                    | 6         |
| <b>5</b> | <b>Practical Workflow</b>                             | <b>7</b>  |
| 5.1      | Step 1: Design Your Hardware (RTL) . . . . .          | 7         |
| 5.2      | Step 2: Simulate Hardware (Verilator) . . . . .       | 7         |
| 5.3      | Step 3: Set Up QEMU . . . . .                         | 7         |
| 5.4      | Step 4: Connect Them Together . . . . .               | 8         |
| <b>6</b> | <b>Complete Example: Breaking a Password Check</b>    | <b>9</b>  |
| 6.1      | The Vulnerable System . . . . .                       | 9         |
| 6.2      | The Attack . . . . .                                  | 9         |
| 6.3      | The Results . . . . .                                 | 10        |
| <b>7</b> | <b>Real-World Applications</b>                        | <b>10</b> |
| 7.1      | What You Can Build . . . . .                          | 10        |
| 7.2      | Academic and Industry Impact . . . . .                | 11        |
| <b>8</b> | <b>Tool Setup Guide</b>                               | <b>11</b> |
| 8.1      | Minimal Toolchain . . . . .                           | 11        |
| 8.2      | Installation Steps (Ubuntu/Debian) . . . . .          | 11        |
| <b>9</b> | <b>Building Your First Project</b>                    | <b>12</b> |
| 9.1      | Project Structure . . . . .                           | 12        |
| 9.2      | Build Script . . . . .                                | 12        |

|                                                   |           |
|---------------------------------------------------|-----------|
| <b>10 Advanced Topics Preview</b>                 | <b>13</b> |
| 10.1 Countermeasures . . . . .                    | 13        |
| 10.2 Power Analysis . . . . .                     | 13        |
| <b>11 Learning Path</b>                           | <b>13</b> |
| 11.1 Beginner Projects (Weeks 1-4) . . . . .      | 13        |
| 11.2 Intermediate Projects (Weeks 5-12) . . . . . | 14        |
| 11.3 Advanced Projects (Weeks 13+) . . . . .      | 14        |
| <b>12 Common Pitfalls and Solutions</b>           | <b>14</b> |
| 12.1 Timing Issues . . . . .                      | 14        |
| 12.2 Memory Mapping . . . . .                     | 14        |
| <b>13 Resources and Further Reading</b>           | <b>15</b> |
| 13.1 Online Resources . . . . .                   | 15        |
| 13.2 Recommended Papers . . . . .                 | 15        |
| 13.3 Practice Platforms . . . . .                 | 15        |
| <b>14 Conclusion</b>                              | <b>15</b> |

# 1 Introduction: Why This Matters

Imagine you're designing a bank vault. You'd want to test if someone could break in, right? Hardware fault injection is similar, but instead of testing physical doors, we're testing digital security systems.

In modern computing, we have:

- **Hardware** (physical chips and circuits)
- **Software** (programs running on that hardware)

Attackers can exploit weaknesses in *both*. Fault injection lets us simulate attacks before our devices reach customers, helping us build more secure systems.

## Key Point

**The Goal:** Learn how to simulate hardware attacks using software tools, without needing expensive physical equipment.

## 2 Foundation Concepts

### 2.1 What is RTL? (Hardware Description)

RTL stands for **Register Transfer Level**. Think of it as the "blueprint" for computer chips.

## Example

Just like an architect uses blueprints to design a house, hardware engineers use RTL to design chips. The most common RTL language is called **Verilog**.

## A Simple Analogy:

- Building a house: Blueprint → Construction → House
- Building a chip: RTL/Verilog → Fabrication → Physical Chip

Here's what RTL code looks like:

Listing 1: Simple RTL Example - A Security Key

```
1 // This is a hardware register that stores a secret key
2 always @(posedge clock) begin
3     if (reset)
4         secret_key <= 128'h0;    // Clear the key
5     else if (write_enable)
6         secret_key <= new_key_value; // Store new key
7 end
```

This code describes a piece of hardware that remembers a secret key, just like a password safe.

## 2.2 What is QEMU? (Software/Hardware Emulation)

QEMU is like a "virtual computer" that runs on your actual computer.

### Example

Imagine you want to test an iPhone app but only have an Android phone. An emulator lets you run iOS on your Android. QEMU does this for entire computer systems.

### Why QEMU is Powerful:

1. **Fast:** Test without building physical hardware
2. **Safe:** Mistakes won't break real devices
3. **Flexible:** Simulate any computer system
4. **Controllable:** Inject faults precisely when needed

Listing 2: QEMU Attack Simulation Example

```
1 // Attacker code running in QEMU
2 if (attack_mode_enabled) {
3     // Trigger a fault at a specific time
4     inject_voltage_glitch();
5     send_fault_signal_to_hardware();
6 }
```

## 2.3 What is Fault Injection?

Fault injection means deliberately causing errors to test system behavior.

### Real-World Analogy:

- **Car safety testing:** Crash test dummies (fault injection) help design safer cars
- **Hardware security:** Simulated attacks (fault injection) help design more secure chips

### Key Point

We're not trying to break things maliciously. We're testing defenses by simulating what an attacker might do.

## 3 Types of Fault Attacks

### 3.1 Voltage Glitching

**What it is:** Temporarily changing the power supply voltage to cause errors.

**Physical Analogy:** Imagine flickering the lights in a house. For a brief moment, some electronics might malfunction.

### How it attacks security:

Listing 3: Vulnerable Security Check

```
1 // This should check if the password is correct
2 if (password == correct_password) {
3     grant_access = 1;
4 } else {
5     grant_access = 0;
6 }
```

During voltage glitch:

Listing 4: What Happens During Attack

```
1 // The comparison might fail or skip
2 if (password == correct_password) { // <- Glitch here!
3     grant_access = 1; // Might execute anyway!
4 }
```

### Important

A voltage glitch can make a chip skip instructions or compute wrong values, potentially bypassing security checks.

## 3.2 Bit Flip Attacks

**What it is:** Changing a single bit (0 to 1, or 1 to 0) in memory or a register.

**Real-World Example:**

Correct password hash: 0xFF81A2B3

After 1-bit flip: 0xFF81A2B2 (last bit changed)

Listing 5: Bit Flip Attack on Privilege Level

```
1 // User privilege level (should be 0 for normal user)
2 user_privilege = 0; // Binary: 0000
3
4 // After bit flip attack
5 user_privilege = 1; // Binary: 0001 (now admin!)
```

## 3.3 Clock Glitching

**What it is:** Manipulating the clock signal that synchronizes chip operations.

**Analogy:** Like speeding up a metronome. Musicians might miss beats; chips might skip instructions.

Listing 6: Timing-Dependent Security

```
1 always @ (posedge clock) begin
2     step1: verify_signature();
3     step2: check_permissions(); // <- Might skip if clock too
4             fast
5     step3: execute_command();
6 end
```

## 4 Co-Simulation: Connecting RTL and QEMU

### 4.1 Why Co-Simulation?

Modern systems have:

- **Hardware** (chip designs in RTL)
- **Software** (operating systems, applications in QEMU)

**Co-simulation** means running both simultaneously, allowing:

1. Software to trigger hardware faults
2. Hardware to report results to software
3. Complete system testing before manufacturing

#### Example

Think of co-simulation like testing a self-driving car:

- **QEMU**: Simulates the car's computer and software
- **RTL**: Simulates the sensors and control circuits
- **Together**: Complete system test without a real car

### 4.2 The Communication Bridge

RTL and QEMU communicate through a "bridge":

Listing 7: RTL Side - Receiving Fault Commands

```
1 // Hardware listens for fault signals
2 always @(posedge clock) begin
3     if (fault_injection_signal) begin
4         // Simulate voltage glitch
5         key <= 128'h0; // Clear the secret key!
6     end
7 end
```

Listing 8: QEMU Side - Sending Fault Commands

```
1 void trigger_hardware_attack() {
2     // Software sends signal to hardware
3     write_to_hardware_register(FAULT_ADDR, FAULT_ENABLE);
4
5     // Wait for hardware to process
6     wait_cycles(10);
7
8     // Read result
9     int result = read_from_hardware_register(STATUS_ADDR);
10 }
```

## 5 Practical Workflow

### 5.1 Step 1: Design Your Hardware (RTL)

Create a Verilog module with fault injection capability:

Listing 9: Secure Hardware with Fault Injection

```
1 module secure_module (
2     input wire clock,
3     input wire reset,
4     input wire fault_inject, // Fault injection input
5     input wire [127:0] input_key,
6     output reg [127:0] stored_key,
7     output reg access_granted
8 );
9
10 always @(posedge clock) begin
11     if (reset) begin
12         stored_key <= 128'h0;
13         access_granted <= 0;
14     end else if (fault_inject) begin
15         // Simulate fault: corrupt the key
16         stored_key <= 128'hDEADBEEF;
17     end else begin
18         // Normal operation
19         if (input_key == stored_key)
20             access_granted <= 1;
21         else
22             access_granted <= 0;
23     end
24 end
25
26 endmodule
```

### 5.2 Step 2: Simulate Hardware (Verilator)

Verilator converts your RTL into a fast C++ simulation:

Listing 10: Compiling RTL with Verilator

```
1 # Convert Verilog to C++ simulation
2 verilator --cc secure_module.v --exe testbench.cpp
3
4 # Compile the simulation
5 make -C obj_dir -f Vsecure_module.mk
6
7 # Run simulation
8 ./obj_dir/Vsecure_module
```

### 5.3 Step 3: Set Up QEMU

QEMU runs your attack software:

Listing 11: Attack Software in QEMU

```

1 #include <stdio.h>
2 #include <stdint.h>
3
4 // Memory-mapped hardware addresses
5 #define HW_KEY_ADDR      0x40000000
6 #define HWFAULT_ADDR     0x40000010
7 #define HW_STATUS_ADDR   0x40000020
8
9 void perform_fault_attack() {
10    printf("Stage 1: Normal access attempt...\n");
11    uint32_t wrong_key = 0x12345678;
12    *(volatile uint32_t*)HW_KEY_ADDR = wrong_key;
13
14    int status = *(volatile uint32_t*)HW_STATUS_ADDR;
15    printf("Access granted: %d (should be 0)\n", status);
16
17    printf("Stage 2: Injecting fault...\n");
18    *(volatile uint32_t*)HWFAULT_ADDR = 1; // Trigger fault
19
20    printf("Stage 3: Retry access...\n");
21    status = *(volatile uint32_t*)HW_STATUS_ADDR;
22    printf("Access granted: %d (might be 1!)\n", status);
23}
24
25 int main() {
26    printf("== Fault Injection Attack Simulation ==\n");
27    perform_fault_attack();
28    return 0;
29}
```

## 5.4 Step 4: Connect Them Together

The bridge code links QEMU and RTL:

Listing 12: Co-Simulation Bridge

```

1 #include "Vsecure_module.h" // Verilator-generated
2 #include <stdio.h>
3
4 // QEMU device callbacks
5 void qemu_hardware_write(uint64_t addr, uint64_t value) {
6     if (addr == 0x40000010) { // FAULT_ADDR
7         // Tell RTL to inject fault
8         rtl_model->fault_inject = (value & 1);
9     }
10}
11
12 uint64_t qemu_hardware_read(uint64_t addr) {
13     if (addr == 0x40000020) { // STATUS_ADDR
14         // Read RTL status
15 }
```

```

15         return rtl_model->access_granted;
16     }
17     return 0;
18 }
```

## 6 Complete Example: Breaking a Password Check

Let's walk through a complete attack simulation:

### 6.1 The Vulnerable System

Listing 13: Vulnerable Password Checker (RTL)

```

1 module password_checker (
2     input wire clock,
3     input wire [31:0] input_password,
4     input wire check_enable,
5     input wire fault_enable, // For testing
6     output reg access_granted
7 );
8
9 localparam CORRECT_PASSWORD = 32'hABCD1234;
10
11 always @(posedge clock) begin
12     if (fault_enable) begin
13         // Fault: Skip password check entirely
14         access_granted <= 1;
15     end else if (check_enable) begin
16         if (input_password == CORRECT_PASSWORD)
17             access_granted <= 1;
18         else
19             access_granted <= 0;
20     end
21 end
22
23 endmodule
```

### 6.2 The Attack

Listing 14: Attack Code

```

1 int main() {
2     // Step 1: Try without fault (should fail)
3     printf("Attempt 1: Wrong password, no fault\n");
4     set_password(0xWRONG);
5     enable_check();
6     printf("Result: %d\n", read_access()); // Outputs: 0
7
8     // Step 2: Try with fault injection
```

```

9   printf("Attempt 2: Wrong password, WITH fault\n");
10  enable_fault(); // <- Attack happens here
11  set_password(0xWRONG);
12  enable_check();
13  printf("Result: %d\n", read_access()); // Outputs: 1 (Hacked
14    !
15
16  return 0;
}

```

### 6.3 The Results

== Simulation Output ==

Attempt 1: Wrong password, no fault  
 Result: 0 (Access Denied - Correct behavior)

Attempt 2: Wrong password, WITH fault  
 Result: 1 (Access Granted - Security bypassed!)

#### Important

This demonstrates why we need fault-resistant designs. Real attackers can inject similar faults using physical equipment.

## 7 Real-World Applications

### 7.1 What You Can Build

After mastering these techniques, you can work on:

#### 1. Virtual System-on-Chip (SoC)

- Complete chip systems in simulation
- Test interactions between CPU, memory, peripherals
- Example: ARM processor + custom accelerators

#### 2. Driver Testing

- Test Linux device drivers before hardware exists
- Simulate hardware errors safely
- Example: Testing PCIe drivers with fault injection

#### 3. Secure Enclave Development

- Design protected execution environments
- Test against fault attacks
- Example: TEE (Trusted Execution Environment) security

#### 4. Hardware Security Research

- Publish research papers on attack/defense techniques
- Discover new vulnerabilities
- Develop countermeasures

## 7.2 Academic and Industry Impact

### Key Point

Skills from this tutorial translate directly to:

- Hardware security conferences (CHES, HOST, IEEE S&P)
- Industry positions at AMD, Intel, ARM, Apple
- Security consulting and penetration testing
- Academic research positions

## 8 Tool Setup Guide

### 8.1 Minimal Toolchain

| Purpose              | Tool      | Installation                             |
|----------------------|-----------|------------------------------------------|
| Virtual Hardware     | QEMU      | <code>apt install qemu-system</code>     |
| RTL Design           | Verilog   | (text editor - any)                      |
| RTL Simulation       | Verilator | <code>apt install verilator</code>       |
| Software Compilation | GCC       | <code>apt install build-essential</code> |
| Debugging            | GDB       | <code>apt install gdb</code>             |
| Waveform Viewing     | GTKWave   | <code>apt install gtkwave</code>         |

Table 1: Essential Tools for Fault Injection

### 8.2 Installation Steps (Ubuntu/Debian)

Listing 15: Quick Setup Script

```
1 #!/bin/bash
2
3 # Update package list
4 sudo apt update
5
6 # Install core tools
7 sudo apt install -y \
8     qemu-system \
9     verilator \
10    build-essential \
```

```

11     gdb \
12     gtkwave \
13     git
14
15 # Verify installations
16 echo "==== Verifying Installations ==="
17 qemu-system-arm --version
18 verilator --version
19 gcc --version
20 gdb --version
21
22 echo "Setup complete!"

```

## 9 Building Your First Project

### 9.1 Project Structure

```

fault_injection_project/
  rtl/
    secure_module.v      (Your hardware design)
    testbench.v          (Test harness)
  software/
    attack.c            (Attack simulation)
    Makefile
  bridge/
    qemu_rtl_bridge.cpp (Communication layer)
  scripts/
    build.sh            (Build automation)
    run.sh               (Run simulation)

```

### 9.2 Build Script

Listing 16: Automated Build Script

```

1 #!/bin/bash
2
3 echo "Step 1: Compile RTL with Verilator..."
4 verilator --cc rtl/secure_module.v --exe bridge/qemu_rtl_bridge.
5   cpp
6 make -C obj_dir -f Vsecure_module.mk
7
8 echo "Step 2: Compile attack software..."
9 cd software
10 make
11 cd ..
12
13 echo "Step 3: Set up QEMU environment..."
14 qemu-system-arm -M virt -m 256M \
15   -kernel software/attack.bin \

```

```

15      -nographic -monitor none
16
17 echo "Build complete!"

```

## 10 Advanced Topics Preview

### 10.1 Countermeasures

Once you understand attacks, you can design defenses:

Listing 17: Fault-Resistant Design Example

```

1 module secure_checker (
2     input wire clock,
3     input wire [31:0] password,
4     output reg access
5 );
6
7 // Redundant checking
8 reg check1, check2, check3;
9
10 always @ (posedge clock) begin
11     // Triple redundancy
12     check1 <= (password == CORRECT_PASS);
13     check2 <= (password == CORRECT_PASS);
14     check3 <= (password == CORRECT_PASS);
15
16     // Majority voting - harder to fault
17     access <= (check1 & check2) |
18             (check2 & check3) |
19             (check1 & check3);
20 end
21
22 endmodule

```

### 10.2 Power Analysis

Combine fault injection with power analysis for advanced attacks:

- Measure power consumption during operations
- Identify when cryptographic keys are used
- Inject faults at precise moments

## 11 Learning Path

### 11.1 Beginner Projects (Weeks 1-4)

1. Build a simple password checker in Verilog

2. Simulate it with Verilator
3. Write basic fault injection testbench
4. Observe security failures

## 11.2 Intermediate Projects (Weeks 5-12)

1. Set up QEMU with custom device
2. Bridge QEMU and Verilator
3. Implement voltage glitch simulation
4. Test against AES encryption module

## 11.3 Advanced Projects (Weeks 13+)

1. Build complete SoC with CPU + custom accelerator
2. Implement secure boot with fault resistance
3. Write research paper on new attack/defense
4. Contribute to open-source security tools

# 12 Common Pitfalls and Solutions

## 12.1 Timing Issues

**Problem:** QEMU and RTL run at different speeds.

**Solution:** Use synchronization signals:

```

1 // Wait for hardware to be ready
2 while (!rtl->ready_signal) {
3     rtl->clock = 1;
4     rtl->eval();
5     rtl->clock = 0;
6     rtl->eval();
7 }
```

## 12.2 Memory Mapping

**Problem:** QEMU addresses don't match RTL addresses.

**Solution:** Create address translation layer:

```

1 uint64_t translate_address(uint64_t qemu_addr) {
2     // Map QEMU 0x40000000 -> RTL 0x0000
3     if (qemu_addr >= 0x40000000 && qemu_addr < 0x40010000) {
4         return qemu_addr - 0x40000000;
5     }
6     return 0xFFFFFFFF;    // Invalid
7 }
```

## 13 Resources and Further Reading

### 13.1 Online Resources

- **Verilator Documentation:** <https://verilator.org>
- **QEMU Documentation:** <https://www.qemu.org/docs/>
- **ChipWhisperer:** Hardware fault injection toolkit
- **Riscure Training:** Professional hardware security courses

### 13.2 Recommended Papers

1. “Fault Attacks on Cryptographic Devices” - Boneh et al.
2. “Clock Glitch Attacks: Methods and Countermeasures” - Yuce et al.
3. “Electromagnetic Fault Injection” - Dehbaoui et al.

### 13.3 Practice Platforms

- **CryptoHack:** Cryptography challenges (some involve fault attacks)
- **HackTheBox:** Some hardware security challenges
- **IEEE CSAW ESC:** Annual embedded security challenge

## 14 Conclusion

You now understand:

- What RTL and QEMU are and why they’re used together
- How fault injection simulates real-world attacks
- The workflow from RTL design to attack simulation
- Practical applications in industry and research

#### Key Point

#### Next Steps:

1. Install the minimal toolchain
2. Build the password checker example
3. Experiment with different fault types
4. Start your first security research project

Remember: This is a *defensive* skill. Use it to build more secure systems, not to attack real devices without authorization.