InjectV: Modeling Fault Injection Attacks in RISC-V Simulation Environment
2026-06-09, Poster Island A

Fault Injection Attacks (FIAs) induce transient hardware faults to subvert software security mechanisms, yet assessing fault resilience, especially during early design phases, remains impractical without specialized laboratory equipment. Microarchitectural simulation provides a reproducible and scalable alternative. This paper presents InjectV, a gem5-based fault injection framework targeting RISC-V systems, which employs trace-guided fault injection by identifying Candidate Injection Points (CIPs) at security-critical operations including control-flow branches and conditional comparisons. Supporting transient corruption of architectural registers and physical memory under full-system simulation, InjectV demonstrates that guided fault injection requires 95.8% fewer injections than random exploration to expose successful attacks on the FISSC VerifyPIN benchmarks.


InjectV is a research framework designed to evaluate the security impact of Fault Injection Attacks (FIAs) on RISC-V systems using full-system simulation. The project focuses on modeling realistic physical attacks that can induce transient faults and alter program execution.
The framework is implemented on top of the gem5 microarchitectural simulator in full-system mode, enabling experiments that include the operating system, firmware, and user applications. This allows the study of fault propagation across the entire hardware–software stack in a deterministic and reproducible environment.
InjectV introduces an attack-oriented methodology for fault injection: instead of randomly exploring the fault space, it analyzes execution traces to identify Candidate Injection Points (CIPs) associated with security-relevant operations such as conditional branches, comparisons, and control-flow decisions. Fault injections are then guided toward these points so that realistic attack vectors are modeled with far fewer simulation runs.
The system supports transient corruption of both architectural registers and physical memory, with configurable parameters for timing, bit selection, and injection frequency. A campaign manager orchestrates large experimental campaigns, automating simulation execution, parallelization, timeout handling, and result aggregation. The framework was evaluated using the FISSC VerifyPIN benchmark, demonstrating that guided campaigns significantly improve the efficiency of discovering security-relevant faults compared to random exploration.
Overall, InjectV provides a reproducible environment for studying how transient hardware faults can be exploited to bypass software protections, enabling early-stage security evaluation of embedded and processor-based systems before physical hardware is available.
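The workflow described above, as an added, constructed illustration that is not InjectV or gem5 code: a toy straight-line RISC-V-like VerifyPIN routine, a golden run that yields the dynamic trace, CIP selection by opcode (branches and the compare-like operations feeding them), and an exhaustive single-bit register-corruption campaign over the CIP-only space versus the full space. A hardened variant applies two FISSC-style countermeasures (a redundant comparison in independent registers and a 0xAA/0x55 boolean encoding) so the same campaign can be used to check that no single fault in this model is accepted. The mini-ISA, register names, the 8-bit flip range, the CIP opcode set and the PIN values are all assumptions of the example.

```python
"""Toy model of trace-guided register fault injection on a VerifyPIN-style
routine.  Constructed illustration, not InjectV or gem5 code.  Assumed: a
10-register machine, 8-bit PIN bytes, and one transient bit flip per run
applied to an operand register just before a chosen dynamic instruction."""

# Constructed data memory: bytes 0-3 hold the entered PIN, bytes 4-7 the stored one
MEMORY = list(b"1234" + b"1235")          # wrong PIN: only the last digit differs
REGS = ["zero", "a0", "t0", "t1", "t2", "t3", "t4", "t5", "t6", "t7"]
BITS = 8                                  # PIN bytes are 8-bit, so flip bits 0..7
# Candidate Injection Points: branches and the compare-like ops that feed them
CIP_OPCODES = {"beq", "bne", "blt", "xor", "sub", "slt", "sltu"}


def verify_pin(hardened):
    """Straight-line VerifyPIN: diff = OR over (user[i] XOR card[i]); authenticated
    iff diff == 0.  The hardened variant recomputes diff in independent registers
    (double check) and encodes the boolean as 0xAA/0x55 so that no single bit
    flip turns 'false' into 'true'.  Returns (program, value meaning 'accepted')."""
    true, false = (0xAA, 0x55) if hardened else (1, 0)
    prog = [("li", "a0", false), ("li", "t0", 0), ("li", "t4", 0)]
    for i in range(4):
        prog += [("lb", "t1", i), ("lb", "t2", 4 + i),
                 ("xor", "t3", "t1", "t2"), ("or", "t0", "t0", "t3")]
        if hardened:
            prog += [("lb", "t5", i), ("lb", "t6", 4 + i),
                     ("xor", "t7", "t5", "t6"), ("or", "t4", "t4", "t7")]
    prog.append(("bne", "t0", "zero", "fail"))
    if hardened:
        prog.append(("bne", "t4", "zero", "fail"))
    prog += [("li", "a0", true), ("label", "fail"), ("ret", "a0")]
    return prog, true


def sources(ins):
    """Operand registers read by an instruction (li/lb take only immediates)."""
    return {"xor": ins[2:4], "or": ins[2:4], "bne": ins[1:3], "ret": ins[1:2]}.get(ins[0], ())


def run(program, fault=None):
    """Execute the program; fault=(step, reg, bit) flips one bit of reg just before
    dynamic instruction number `step`.  Returns (value in a0 at ret, dynamic trace)."""
    regs = dict.fromkeys(REGS, 0)
    labels = {ins[1]: i for i, ins in enumerate(program) if ins[0] == "label"}
    pc = step = 0
    trace = []
    while True:
        ins = program[pc]
        if ins[0] == "label":              # pseudo-instruction: not executed, not traced
            pc += 1
            continue
        if fault and fault[0] == step:     # transient corruption of an operand register
            regs[fault[1]] ^= 1 << fault[2]
        trace.append(ins)
        op, next_pc = ins[0], pc + 1
        if op == "li":
            regs[ins[1]] = ins[2]
        elif op == "lb":
            regs[ins[1]] = MEMORY[ins[2]]
        elif op == "xor":
            regs[ins[1]] = regs[ins[2]] ^ regs[ins[3]]
        elif op == "or":
            regs[ins[1]] = regs[ins[2]] | regs[ins[3]]
        elif op == "bne" and regs[ins[1]] != regs[ins[2]]:
            next_pc = labels[ins[3]]
        elif op == "ret":
            return regs[ins[1]], trace
        pc, step = next_pc, step + 1


def candidate_injection_points(trace):
    """Trace analysis: dynamic steps whose instruction is security-relevant."""
    return [i for i, ins in enumerate(trace) if ins[0] in CIP_OPCODES]


def fault_space(trace, steps):
    """All (step, register, bit) faults on the operand registers of the chosen
    steps.  x0/zero is hardwired on RISC-V, so it cannot hold a corrupted value."""
    return [(i, r, b) for i in steps for r in sources(trace[i]) if r != "zero"
            for b in range(BITS)]


def campaign(program, ok_value, guided):
    """Exhaustive single-fault campaign over the guided (CIP-only) or the full
    space.  A run counts as a successful attack when the wrong PIN is accepted."""
    _, trace = run(program)                # golden run yields the trace to analyse
    steps = candidate_injection_points(trace) if guided else range(len(trace))
    space = fault_space(trace, steps)
    successes, first = 0, None
    for n, fault in enumerate(space, 1):
        result, _ = run(program, fault)
        if result == ok_value:
            successes += 1
            first = first or n             # injections needed to expose the first attack
    return {"injections": len(space), "successes": successes, "first_success": first}


if __name__ == "__main__":
    for hardened in (False, True):
        for guided in (True, False):
            print(f"hardened={hardened} guided={guided}:",
                  campaign(*verify_pin(hardened), guided=guided))
```

In this toy the compare and branch instructions make up about half of the dynamic trace, so the guided campaign only halves the space and reaches the first accepted-PIN outcome after 49 injections instead of 97. In a full-system trace that also contains firmware, OS and library code, security-relevant instructions are a tiny fraction of the total, which is the regime in which the page's 95.8% reduction applies. The hardened variant reports zero successful injections in either space, which is the kind of early-design check such a framework is meant to enable.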

A Research Engineer at CEA-List, I hold a Master’s degree in Cybersecurity Engineering from Politecnico di Torino. I am passionate about hardware and software security, with a strong focus on fault injection and microarchitectural security.

Niccolò Lentini is a PhD student in Computer and Cybersecurity Engineering at Politecnico di Torino, Italy. His research focuses on hardware and system security, with particular emphasis on fault injection attacks, the resilience of RISC-V systems, and post-quantum security. He received his MSc in Cybersecurity Engineering from Politecnico di Torino, where his Master’s thesis focused on securing avionic embedded systems using hardware-assisted security mechanisms. His current research investigates methodologies and tools for evaluating the security of computing platforms against physical attacks.