# Effects of synchronous clock glitch on the security of an integrated circuit

#### Amélie Marotta

PhD Defense 23/06/2025

Examiners: Vincent Beroulle, Maria Méndez-Real, Jessy Clédière, Jean-Max Dutertre

<u>PhD Advisors:</u> Olivier Sentieys (director), Ronan Lashermes (co-director), Rachid Dafali, Guillaume Bouffard

#### Introduction



An example





# Vulnerabilities and exploitation methods



#### Fault Injection

Several fault injection (FI) methods exist:

- $\rightarrow$ voltage glitch
- $\rightarrow$ laser FI
- $\rightarrow$ clock glitch
- $\rightarrow$ electromagnetic FI



#### Fault characterization



# Physical level



Impacted elements:



$\rightarrow$ Possible fault effects: switching logic gate outputs, preventing DFF sampling, etc.

#### Physical level: the flip-flop




#### Register-transfer level

Normal behaviour

Faulted behaviour

$\rightarrow$ Possible fault effects: bit flip propagation, etc.





#### Microarchitectural and ISA levels

$\rightarrow$ Possible fault effects: instruction skip/repeat/modification, alteration of data/instruction transfers, etc.

# An effect in particular: EM impact on the Phase-Locked Loop<sup>1</sup> (PLL)

#### Normal behaviour



<sup>1</sup> Ludovic Claudepierre and Philippe Besnier, Microcontroller Sensitivity to Fault-Injection Induced by Near-Field Electromagnetic Interference.


# An effect in particular: EM impact on the Phase-Locked Loop (PLL)



 $\rightarrow$  effect at microarchitectural level: instruction skip or repeat

- $\rightarrow$  effect at register-transfer and physical levels?
  - $\hookrightarrow$  explained by state-of-the-art physical fault models?

# EM on the PLL: does the Timing Fault Model<sup>2</sup> (TFM) apply?

$\rightarrow$ Main fault mechanism: timing violation of $t_{\mathrm{setup}}$ by advancing a clock edge or extending the propagation time of $D_1$

$\rightarrow$ Does the TFM apply?

$\times$ no, because the SCG does not cause timing variations for either the clock or $D_1$

<sup>2</sup> Amine Dehbaoui, Jean-Max Dutertre, Bruno Robisson, and Assia Tria, Electromagnetic Transient Faults Injection on a Hardware and a Software Implementations of AES.

# EM on the PLL: does the Sampling Fault Model<sup>3</sup> (SFM) apply?

$\rightarrow$ Main fault mechanism: race condition between the clock and $D_1$ by altering all signals

$\rightarrow$ Does the SFM apply?

$\times$ no, because the SCG only affects the clock

<sup>3</sup> Mathieu Dumont, Mathieu Lisart, and Philippe Maurine, Modeling and Simulating Electromagnetic Fault Injection.

# EM on the PLL: does Nabhan's Fault Model<sup>4</sup> (NFM) apply?

$\rightarrow$ Main fault mechanism: timing violation of $t_{\mathrm{setup}}$ by shifting a clock cycle or creating additional clock cycles

$\rightarrow$ Does the NFM apply?

$\times$ no, because the SCG remains synchronous and affects a single clock cycle

<sup>4</sup> Roukoz Nabhan, Jean-Max Dutertre, Jean-Baptiste Rigaud, Jean-Luc Danger, and Laurent Sauvage, A Tale of Two Models: Discussing the Timing and Sampling EM Fault Injection Models.

# Thesis objective: Understanding the SCG

Contributions during this PhD:

- $\rightarrow$ characterizing and modeling the SCG at physical level (work published at COSADE'24)
- $\rightarrow$ extending the model at RTL
- $\rightarrow$ gathering clues on the SCG impact at microarchitectural/ISA level and comparing it to the state of the art

#### Overview

1. Physical characterization of the SCG
   - $\hookrightarrow$ TRAITOR
   - $\hookrightarrow$ Experimental set-up
   - $\hookrightarrow$ Hypotheses verification
2. Microarchitectural characterization of the SCG

# TRAITOR<sup>5</sup>



Three examples of clock signals generated by TRAITOR illustrating its possibilities.

<sup>5</sup> Ludovic Claudepierre, Pierre-Yves Péneau, Damien Hardy, and Erven Rohou, TRAITOR: A Low-Cost Evaluation Platform for Multifault Injection.


# Device Under Test (DUT)

# Floorplan

# Logical and physical, in-order and randomized



#### Hypotheses

**Hypothesis 1 (Energy Threshold)** For a DFF to correctly sample a clock's rising edge, the clock signal must meet a certain energy threshold, combination of voltage amplitude and width thresholds.



#### Behaviour of three selected DFF



Transition phases of three target physical DFFs, chosen because they exhibit different characteristics.

#### Simulation set-up



- $\rightarrow$ SPICE simulation
- $\rightarrow$ 28 nm DFF
  - $\hookrightarrow$ not the exact same as the Artix-7 DFF
  - $\hookrightarrow$ designed for a similar technology, so it should behave the same way
- $\rightarrow$ focus on the state change of the first DFF

Goal: estimate the impact of the voltage and width of the CSCG

#### Simulation results



**Hypothesis 2 (Fault Sensitivity Dependency on Intrinsic Properties)** The fault sensitivity of a DFF depends on its intrinsic properties, such as <u>clock routing</u> up to the DFF among others.

# Only clock routing?

| Slice \ DFF | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
|---|---|---|---|---|---|---|---|---|
| Slice 1 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 |
| Slice 2 | 23 | 23 | 23 | 23 | 22 | 22 | 22 | 22 |
| Slice 3 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 |
| Slice 4 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 |
| Slice 5 | 22 | 22 | 22 | 22 | 22 | 22 | 22 | 22 |
| Slice 6 | 22 | 22 | 22 | 22 | 23 | 23 | 23 | 23 |
| Slice 7 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 |
| Slice 8 | 23 | 23 | 23 | 23 | 22 | 22 | 22 | 22 |

(a) Color coded fault sensitivities of the first 64 registers on mapping 1 *in-order* on FPGA 1.

| Slice \ DFF | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
|---|---|---|---|---|---|---|---|---|
| Slice 1 | 22 | 22 | 22 | 22 | 21 | 21 | 21 | 21 |
| Slice 2 | 21 | 21 | 21 | 21 | 21 | 21 | 21 | 21 |
| Slice 3 | 22 | 22 | 22 | 22 | 22 | 22 | 22 | 22 |
| Slice 4 | 22 | 22 | 22 | 22 | 21 | 21 | 21 | 21 |
| Slice 5 | 21 | 21 | 21 | 21 | 22 | 22 | 22 | 22 |
| Slice 6 | 22 | 22 | 22 | 22 | 22 | 22 | 22 | 22 |
| Slice 7 | 21 | 21 | 21 | 21 | 21 | 21 | 21 | 21 |
| Slice 8 | 21 | 21 | 21 | 21 | 21 | 21 | 21 | 21 |

(b) Color coded fault sensitivities of the first 64 registers on mapping 1 *in-order* on FPGA 2.

 $\hookrightarrow$  Comparing fault sensitivities on two FPGAs.

#### Hypotheses

**Hypothesis 2 (Fault Sensitivity Dependency on Intrinsic Properties)** The fault sensitivity of a DFF depends on its intrinsic properties, such as process variability and clock routing up to the DFF among others.

# Only intrinsic properties?

| Slice \ DFF | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
|---|---|---|---|---|---|---|---|---|
| Slice 1 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 |
| Slice 2 | 23 | 23 | 23 | 23 | 22 | 22 | 22 | 22 |
| Slice 3 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 |
| Slice 4 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 |
| Slice 5 | 22 | 22 | 22 | 22 | 22 | 22 | 22 | 22 |
| Slice 6 | 22 | 22 | 22 | 22 | 23 | 23 | 23 | 23 |
| Slice 7 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 |
| Slice 8 | 23 | 23 | 23 | 23 | 22 | 22 | 22 | 22 |

(a) Color coded fault sensitivities of the first 64 registers on mapping 1 *in-order* on FPGA 1.

| Slice \ DFF | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
|---|---|---|---|---|---|---|---|---|
| Slice 1 | 22 | 24 | 22 | 23 | 23 | 23 | 23 | 23 |
| Slice 2 | 23 | 23 | 24 | 22 | 23 | 23 | 22 | 23 |
| Slice 3 | 23 | 23 | 23 | 22 | 23 | 22 | 22 | 22 |
| Slice 4 | 23 | 22 | 23 | 22 | 23 | 23 | 22 | 22 |
| Slice 5 | 22 | 22 | 23 | 23 | 22 | 22 | 22 | 22 |
| Slice 6 | 24 | 22 | 22 | 22 | 22 | 23 | 22 | 24 |
| Slice 7 | 22 | 22 | 22 | 24 | 22 | 23 | 24 | 23 |
| Slice 8 | 23 | 22 | 22 | 22 | 22 | 22 | 22 | 22 |

(b) Color coded fault sensitivities of the first 64 registers on mapping 2 *randomized* on FPGA 1.

 $\hookrightarrow$  Comparing fault sensitivities between physical DFFs for different mappings.

#### Hypotheses

**Hypothesis 3 (Fault Sensitivity Dependency on Extrinsic Properties)** The fault sensitivity of a DFF may also be affected by extrinsic factors, such as the activity in neighboring wires (including routing between DFFs and the routing of the clock tree).

 $\longrightarrow$  Impact of clock wires

 $\hookrightarrow$  forced adjacent clock paths

#### Impact of clock wires

Artix-7

| Slice \ DFF | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
|---|---|---|---|---|---|---|---|---|
| Slice 1 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 |
| Slice 2 | 23 | 23 | 23 | 23 | 22 | 22 | 22 | 22 |
| Slice 3 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 |
| Slice 4 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 |
| Slice 5 | 22 | 22 | 22 | 22 | 22 | 22 | 22 | 22 |
| Slice 6 | 22 | 22 | 22 | 22 | 23 | 23 | 23 | 23 |
| Slice 7 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 |
| Slice 8 | 23 | 23 | 23 | 23 | 22 | 22 | 22 | 22 |

(a) Color coded fault sensitivities of the first 64 registers on mapping 1 *in-order* on FPGA 1.

(b) Color-coded fault sensitivities of the first 64 registers on mapping 1 *in-order* with a forced adjacent path for the clock on FPGA 1 (grid not recoverable from the extraction; its values lie between 20 and 21).

$\hookrightarrow$ Comparing fault sensitivities between physical DFFs for different clock routing.

# The Energy Threshold Fault Model (ETFM)

**Hypothesis 1 (Energy Threshold)** For a DFF to correctly sample a clock's rising edge, the clock signal must meet a certain energy threshold, a combination of voltage amplitude and width thresholds.

**Hypothesis 2 (Fault Sensitivity Dependency on Intrinsic Properties)** The fault sensitivity of a DFF depends on its intrinsic properties, such as process variability and clock routing up to the DFF, among others.

**Hypothesis 3 (Fault Sensitivity Dependency on Extrinsic Properties)** The fault sensitivity of a DFF may also be affected by extrinsic factors, such as the activity in neighboring wires (including routing between DFFs and the routing of the clock tree).
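The three hypotheses above, together with the unfaulted chain / faulted chain comparison of the RTL extension in the backup slides, as an added toy simulation (example code written for this page, not the thesis's or TRAITOR's): a shift-register chain of DFFs, each with an intrinsic energy threshold (hypotheses 1 and 2) that is raised by the number of toggling neighbours (hypothesis 3). The energy measure (amplitude times width), the `DFF`, `run_chain`, `faulted_bits` and `fault_sensitivity` names, the unit-less threshold and amplitude numbers and the "missed edge keeps Q" behaviour are assumptions of the example, not measurements from the slides.

```python
# Added example (not from the thesis): a toy simulation of the Energy Threshold
# Fault Model on a shift-register chain. Assumptions for illustration only:
#   - pulse energy = amplitude x width (the ETFM only says "a combination");
#   - a DFF whose required energy is not met misses the edge and keeps its old Q;
#   - threshold / coupling / amplitude numbers are arbitrary units, not measurements.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Tuple


@dataclass
class DFF:
    """One physical flip-flop as seen by the ETFM."""
    energy_threshold: float          # intrinsic: process variability, clock routing (H1, H2)
    neighbour_coupling: float = 0.0  # extrinsic: extra energy needed per toggling neighbour (H3)
    q: int = 0                       # current output


def pulse_energy(amplitude: float, width: float) -> float:
    """Assumed energy measure of one clock pulse."""
    return amplitude * width


def samples_edge(dff: DFF, amplitude: float, width: float, toggling_neighbours: int) -> bool:
    """The DFF samples the rising edge only if the pulse energy reaches its
    intrinsic threshold, raised by the activity on neighbouring wires."""
    required = dff.energy_threshold + dff.neighbour_coupling * toggling_neighbours
    return pulse_energy(amplitude, width) >= required


def clock_chain(chain: List[DFF], d_in: int, amplitude: float, width: float) -> List[int]:
    """One clock cycle of a shift-register chain (the RTL view). A DFF that misses
    the edge keeps its old Q: the bit it should have captured is lost, the previous
    one is repeated, and that error then shifts down the chain."""
    prev_q = [d.q for d in chain]
    d_inputs = [d_in] + prev_q[:-1]                      # D of stage i is Q of stage i-1
    toggling = [d_inputs[i] != prev_q[i] for i in range(len(chain))]
    for i, d in enumerate(chain):
        neighbours = int(i > 0 and toggling[i - 1]) + int(i + 1 < len(chain) and toggling[i + 1])
        if samples_edge(d, amplitude, width, neighbours):
            d.q = d_inputs[i]
    return [d.q for d in chain]


def run_chain(thresholds: Sequence[float], couplings: Sequence[float], stimulus: Sequence[int],
              glitch_cycle: int, glitch: Tuple[float, float],
              nominal: Tuple[float, float] = (30, 2)) -> List[List[int]]:
    """Drive `stimulus` through a fresh chain. Every cycle uses the nominal clock
    pulse except `glitch_cycle`, which uses the glitched (amplitude, width).
    Returns the chain state after each cycle."""
    chain = [DFF(t, c) for t, c in zip(thresholds, couplings)]
    trace = []
    for cycle, bit in enumerate(stimulus):
        amp, wid = glitch if cycle == glitch_cycle else nominal
        trace.append(clock_chain(chain, bit, amp, wid))
    return trace


def faulted_bits(thresholds, couplings, stimulus, glitch_cycle, glitch) -> List[Tuple[int, int]]:
    """(cycle, stage) pairs where the glitched run differs from the golden run:
    the bit-flip propagation observed at RTL."""
    golden = run_chain(thresholds, couplings, stimulus, glitch_cycle=-1, glitch=(0, 0))
    faulted = run_chain(thresholds, couplings, stimulus, glitch_cycle, glitch)
    return [(c, s)
            for c, (g, f) in enumerate(zip(golden, faulted))
            for s, (gb, fb) in enumerate(zip(g, f)) if gb != fb]


def fault_sensitivity(dff: DFF, width: float, amplitudes: Iterable[float]) -> Optional[float]:
    """Smallest glitch amplitude (fixed width, quiet neighbours) at which the DFF
    still samples correctly: the per-DFF number a sensitivity map records."""
    for amp in sorted(amplitudes):
        if samples_edge(dff, amp, width, 0):
            return amp
    return None


if __name__ == "__main__":
    stim = [1, 0, 1, 1, 0, 0]
    # intrinsic: stage 1 needs more energy than its neighbours, so a width-1 pulse of
    # amplitude 22 is enough for stages 0 and 2 but not for stage 1
    print(faulted_bits([21, 23, 21], [0, 0, 0], stim, 2, (22, 1)))
    # extrinsic: identical thresholds, but stage 1 misses the edge only when both
    # neighbours toggle during the glitched cycle
    print(faulted_bits([21, 21, 21], [0, 1, 0], stim, 2, (22, 1)))
    print(fault_sensitivity(DFF(23), 1, range(20, 26)))
```

A glitch that leaves stage 1 below its threshold makes it keep its old bit: one stimulus bit is lost and the previous one repeated, and `faulted_bits` shows that error travelling one stage per cycle before it leaves the chain, which is the bit flip propagation of the register-transfer level. The same glitch on a chain whose neighbours are quiet leaves every bit intact, which is the extrinsic dependency of hypothesis 3.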

#### Overview



1. Physical characterization of the SCG
2. Microarchitectural characterization of the SCG
   - $\hookrightarrow$ Preliminary fault model
   - $\hookrightarrow$ Experimental set-up
   - $\hookrightarrow$ Hypothesis verification








#### From the ETFM and the state of the art

$\hookrightarrow$ preliminary microarchitectural fault model:

1. Instructions are affected by the fault
   - $\hookrightarrow$ instruction transfers (between caches, inside the pipeline) are vulnerable
2. Two different amplitudes $\Longrightarrow$ two different ISA-level effects
   - $\hookrightarrow$ instruction skip, repeat, modification
3. Fault impact is only visible on flipping bits

## Fault injection setup




# Target description



## Target code

```asm
; register initialization
movw r2, 0x6c59
movw r3, 0x44a3
movw r4, 0xd0ea
movw r5, 0x2624
movw r6, 0x2e7c
movw r7, 0x1248
movw r8, 0x3330
movw r9, 0xed12
; nop padding
nop.w
...
nop.w
; instructions
adds.w r2, r2, 1
adds.w r3, r3, 1
adds.w r4, r4, 1
adds.w r5, r5, 1
adds.w r6, r6, 1
adds.w r7, r7, 1
adds.w r8, r8, 1
adds.w r9, r9, 1
; nop padding
nop.w
...
nop.w
```

$\rightarrow$ All instructions are 32-bit long, aligned

## Fault models terminology

"instruction adds.w r2, r2, 1", "instruction that modifies r2" $\longrightarrow$ too long!

Naming convention of instructions:

| instruction | name |
|---|---|
| adds.w r2, r2, 1 | ins.r2 |
| adds.w r3, r3, 1 | ins.r3 |
| adds.w r4, r4, 1 | ins.r4 |
| adds.w r5, r5, 1 | ins.r5 |
| adds.w r6, r6, 1 | ins.r6 |
| adds.w r7, r7, 1 | ins.r7 |
| adds.w r8, r8, 1 | ins.r8 |
| adds.w r9, r9, 1 | ins.r9 |

# Fault injection protocol

TRAITOR parameters:

- $\rightarrow$ amplitude ranges from 370 to 430
- $\rightarrow$ delay ranges from 30 to 50
- $\rightarrow$ width is constant at 1 (a single clock cycle is modified)

For each experiment (50 for each set of parameters):

- $\rightarrow$ the target is reset
- $\rightarrow$ the execution stops at the end of the second nop.w set of instructions (breakpoint)
- $\rightarrow$ the values of r0-r12, sp, lr, pc, etc. are retrieved
- $\rightarrow$ in case of an interrupt that escalates into a HardFault, the type of interrupt (xPSR) as well as pc and lr are retrieved

#### $\Rightarrow$ Dominant fault impacts on the target code

at delay 37:

- FM2: adds.w r5, r5, 1 is skipped, adds.w r4, r4, 1 is repeated
- FM3: adds.w r5, r5, 1 is skipped, adds.w r3, r3, 1 is executed

$\rightarrow$ instruction modification $\checkmark$

$\dots$ does not match hypothesis (3): fault impact is only visible on flipping bits

register encoding: r5 = 0101, r4 = 0100, $\times$ r3 = 0011 (r3 differs from r5 in two bits, not only in the bit that flips between ins.r4 and ins.r5)



# Fault influence: delay?

$\Rightarrow$ fault effects are tied to the delay of the fault

Encoding of adds.w rd, rn, 1 (32-bit Thumb-2):

| 31 | 30 | 29 | 28 | 27 | … | 19 | 18 | 17 | 16 | … | 11 | 10 | 9 | 8 | … | 3 | 2 | 1 | 0 |
|----|----|----|----|----|---|----|----|----|----|---|----|----|---|---|---|---|---|---|---|
| 1 | 1 | 1 | 1 | 0 | | rn | rn | rn | rn | | rd | rd | rd | rd | | 0 | 0 | 0 | 1 |

$\hookrightarrow$ unaligned adds.w instructions




#### Vulnerable prefetch buffer part

With unaligned 32-bit instructions, each prefetch word holds the second halfword of one adds.w (rd, imm) and the first halfword of the next one (rn).

Vulnerable prefetch buffer part at clock cycle 0:

| entry | rd, imm (hw2 of ins. $i$) | rn (hw1 of ins. $i+1$) |
|---|---|---|
| 1 | r3, 1 | r4 |
| 2 | r4, 1 | r5 |
| 3 | r5, 1 | r6 |

Vulnerable prefetch buffer part at clock cycle 1 (faulted: entry 2 keeps its previous content instead of being updated):

| entry | rd, imm (hw2 of ins. $i$) | rn (hw1 of ins. $i+1$) |
|---|---|---|
| 1 | r4, 1 | r5 |
| 2 | r4, 1 | r5 |
| 3 | r6, 1 | r7 |

Faulted instruction output:

| instruction |
|---|
| ... |
| adds.w r3, r3, 1 |
| adds.w r4, r4, 1 |
| adds.w r4, r5, 1 |
| adds.w r6, r5, 1 |
| adds.w r7, r7, 1 |
| ... |
# Enhanced microarchitectural preliminary fault model

1. The dominant fault effects are instruction skip, repeat and modification, happening for different delays and amplitudes
   - $\hookrightarrow$ the modifications affect the destination and source registers identically
   - $\hookrightarrow$ at higher amplitudes, the modifications affect non-flipping bits, which contradicts the preliminary fault model
2. A transfer in the prefetch mechanism is impacted
3. Some effects remain unexplained (instruction modification for example), suggesting that the fault affects unidentified parts of the microarchitecture

## Conclusion

- $\rightarrow$  **Contribution**: we propose an in-depth characterization of the SCG
- $\rightarrow$  At physical level (ETFM):
  - $\hookrightarrow$  Main fault mechanism: for a DFF to correctly sample a clock's rising edge, the clock signal must meet a certain **energy threshold**
  - $\hookrightarrow$  The required energy quantity is influenced by **intrinsic** properties (process variability, clock routing)...
  - $\hookrightarrow$  ... as well as extrinsic properties (activity in neighboring wires)
- $\rightarrow$  At microarchitectural level:
  - $\hookrightarrow$  The main observed fault effects are instruction skip, repeat, modification, depending on the amplitude of the SCG
  - $\,\hookrightarrow\,$  The prefetch mechanism is vulnerable to fault
  - $\,\hookrightarrow\,$  Other unidentified parts of the microarchitecture are affected

#### Perspectives

1. The microarchitectural fault model is incomplete
   - $\hookrightarrow$ analysing the SCG impact on a processor we have more control over and knowledge of is necessary, such as an FPGA-implemented softcore
2. The equivalence between the SCG and the CSCG is not proven
   - $\hookrightarrow$ recreating the SCG using EMFI
   - $\hookrightarrow$ does the ETFM still apply? Does it need adjustments?
3. The SCG exists alongside several other EM effects
   - $\hookrightarrow$ is it possible to offer a full characterization of the EM effects?

# Thank you for your attention

Questions?

## TRAITOR: generation of the CSCG



Figure: The Controlled Synchronous Clock Glitch (CSCG) is generated using two out-of-phase clocks, clk1 and clk2. The TRAITOR user has the capability to replace the regular clock signal with CSCG at their discretion.

# DFFs behaviour amplitude 22

# DFFs behaviour amplitude 23

# DFFs behaviour amplitude 24

## Impact of data wires



Figure: Abstract representation of the DUT placement on a Artix-7 FPGA, with route variations between two DFFs.

#### Impact of data wires

| Slice \ DFF | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
|---|---|---|---|---|---|---|---|---|
| Slice 1 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 |
| Slice 2 | 23 | 23 | 23 | 23 | 22 | 22 | 22 | 22 |
| Slice 3 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 |
| Slice 4 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 |
| Slice 5 | 22 | 22 | 22 | 22 | 22 | 22 | 22 | 22 |
| Slice 6 | 22 | 22 | 22 | 22 | 23 | 23 | 23 | 23 |
| Slice 7 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 |
| Slice 8 | 23 | 23 | 23 | 23 | 22 | 22 | 22 | 22 |

| Slice \ DFF | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
|---|---|---|---|---|---|---|---|---|
| Slice 1 | 22 | 23 | 23 | 22 | 22 | 23 | 23 | 22 |
| Slice 2 | 22 | 23 | 22 | 22 | 23 | 23 | 23 | 22 |
| Slice 3 | 22 | 23 | 22 | 22 | 22 | 23 | 23 | 22 |
| Slice 4 | 23 | 22 | 23 | 23 | 22 | 23 | 22 | 22 |
| Slice 5 | 22 | 22 | 23 | 23 | 22 | 22 | 22 | 23 |
| Slice 6 | 22 | 22 | 22 | 24 | 22 | 22 | 22 | 23 |
| Slice 7 | 24 | 22 | 23 | 22 | 22 | 22 | 23 | 23 |
| Slice 8 | 22 | 23 | 22 | 23 | 22 | 22 | 22 | 22 |

(a) Color coded fault sensitivities of the first 64 registers on mapping 1 *in-order* on FPGA 1.

(b) Color-coded fault sensitivities of the first 64 registers on mapping 1 *in-order* with different data routing on FPGA 1

Figure: Comparing fault sensitivities between physical DFFs for different data routing.

#### Extension to RTL

initial state for both chains

clock cycle n

unfaulted chain

# Finding dominant fault models: immediate variations

$\rightarrow$ Target code:

$\hookrightarrow$ listing 2

$\hookrightarrow$ 8 nop.w + in-order, aligned adds.w instructions

### Fault influence: instruction order?

$\hookrightarrow$ 8 nop.w + out-of-order, aligned adds.w instructions

# Fault influence: delay?

$\Rightarrow$ same fault models, independently of the instruction order

## Vulnerable processor part

| after instruction | FM | r2 | r3 | r4 | r5 | r6 | r7 | r8 | r9 |
|---|---|---|---|---|---|---|---|---|---|
| nop.w | FM1 | 0x6c59 | 0x44a3 | 0xd0ea | 0x2624 | 0x2e7c | 0x1248 | 0x3330 | 0xed12 |
| nop.w | FM2 | 0x6c59 | 0x44a3 | 0xd0ea | 0x2624 | 0x2e7c | 0x1248 | 0x3330 | 0xed12 |
| nop.w | FM3 | 0x6c59 | 0x44a3 | 0xd0ea | 0x2624 | 0x2e7c | 0x1248 | 0x3330 | 0xed12 |
| ins.r2 | FM1 | 0x6c5a | 0x44a3 | 0xd0ea | 0x2624 | 0x2e7c | 0x1248 | 0x3330 | 0xed12 |
| ins.r2 | FM2 | 0x6c5a | 0x44a3 | 0xd0ea | 0x2624 | 0x2e7c | 0x1248 | 0x3330 | 0xed12 |
| ins.r2 | FM3 | 0x6c5a | 0x44a3 | 0xd0ea | 0x2624 | 0x2e7c | 0x1248 | 0x3330 | 0xed12 |
| ins.r3 | FM1 | 0x6c5a | 0x44a4 | 0xd0ea | 0x2624 | 0x2e7c | 0x1248 | 0x3330 | 0xed12 |
| ins.r3 | FM2 | 0x6c5a | 0x44a4 | 0xd0ea | 0x2624 | 0x2e7c | 0x1248 | 0x3330 | 0xed12 |
| ins.r3 | FM3 | 0x6c5a | 0x44a4 | 0xd0ea | 0x2624 | 0x2e7c | 0x1248 | 0x3330 | 0xed12 |
| ins.r4 | FM1 | 0x6c5a | 0x44a4 | 0xd0eb | 0x2624 | 0x2e7c | 0x1248 | 0x3330 | 0xed12 |
| ins.r4 | FM2 | 0x6c5a | 0x44a4 | 0xd0eb | 0x2624 | 0x2e7c | 0x1248 | 0x3330 | 0xed12 |
| ins.r4 | FM3 | 0x6c5a | 0x44a4 | 0xd0eb | 0x2624 | 0x2e7c | 0x1248 | 0x3330 | 0xed12 |
| ins.r5 | FM1 | 0x6c5a | 0x44a4 | 0x2625 | 0x2624 | 0x2e7c | 0x1248 | 0x3330 | 0xed12 |
| ins.r5 | FM2 | 0x6c5a | 0x2625 | 0xd0eb | 0x2624 | 0x2e7c | 0x1248 | 0x3330 | 0xed12 |
| ins.r5 | FM3 | 0x6c5a | 0x44a4 | 0xd0eb | 0x2624 | 0x2e7c | 0x1248 | 0x3330 | 0xed12 |
| ins.r6 | FM1 | 0x6c5a | 0x44a4 | 0x2625 | 0x2624 | 0x2625 | 0x1248 | 0x3330 | 0xed12 |
| ins.r6 | FM2 | 0x6c5a | 0x2625 | 0xd0eb | 0x2624 | 0xd0ec | 0x1248 | 0x3330 | 0xed12 |
| ins.r6 | FM3 | 0x6c5a | 0x44a4 | 0xd0eb | 0x2624 | 0x6c5b | 0x1248 | 0x3330 | 0xed12 |
| ins.r7 | FM1 | 0x6c5a | 0x44a4 | 0x2625 | 0x2624 | 0x2625 | 0x1249 | 0x3330 | 0xed12 |
| ins.r7 | FM2 | 0x6c5a | 0x2625 | 0xd0eb | 0x2624 | 0xd0ec | 0x1249 | 0x3330 | 0xed12 |
| ins.r7 | FM3 | 0x6c5a | 0x44a4 | 0xd0eb | 0x2624 | 0x6c5b | 0x1249 | 0x3330 | 0xed12 |

Fault adds.w r7, r7, 1

