GlitchGlück: Enabling Software Vulnerabilities through Guided Hardware Fault Injection

Zhenyuan Liu, Dillibabu Shanmugam, and Patrick Schaumont, Worcester Polytechnic Institute

While many software vulnerabilities are blamed on software bugs, they can also be caused by hardware fault injection. Traditional fault injection methods rely on blind attacks based on simplified fault models, such as instruction skipping. These attacks require exhaustive experimentation across a wide range of fault parameters, with the effect of each fault inferred solely from faulty outcomes, which yields limited insight into fault impact and an overall inefficient approach. We present GLITCHGLÜCK, a novel approach that combines a tool for simulating hardware-software interactions with a methodology for guiding fault injection. The tool observes the system through scan-chain-accessible states and constructs the Dynamic State Transition Graph (DSTG), a temporal representation of how software instructions trigger interactions with hardware components. By analyzing the DSTG, GLITCHGLÜCK pinpoints fault injection parameters (when, where, and what to fault) without relying on predefined fault models, thus avoiding the need for an exhaustive fault parameter search. This targeted, data-driven method bridges the gap between simulation and physical fault observation by using the scan chain. GLITCHGLÜCK is demonstrated on a physical OpenMSP430 ASIC chip with scan-chain support, and validated in simulation on PicoRV32 (RV32I) and IBEX (RV32IM) to confirm its applicability across different instruction set architectures and microarchitectures. We assess the effectiveness of several software countermeasures, such as instruction duplication and pin verification, using layout-aware fault simulations to guide fault attacks via clock glitching and laser-induced faults.
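To make the abstract's two reference points concrete, the blind instruction-skipping fault model it criticizes and the instruction-duplication countermeasure it evaluates, here is a small fault simulation added as an illustration; it is not the paper's tool, and the toy register machine, the PIN check and the PIN values are constructed assumptions.

```python
# Instruction-skip fault simulation of a toy PIN check, with and without the
# instruction-duplication countermeasure. Constructed example: the toy program
# representation and the PIN values are assumptions, not the paper's tool.

STORED_PIN = (1, 2, 3, 4)   # constructed secret
WRONG_PIN = (1, 2, 9, 4)    # constructed guess, wrong in exactly one digit


def build_pin_check(stored, entered, duplicate=False):
    """Return the PIN check as a list of instructions (closures over a
    state dict). With duplicate=True every compare is emitted twice, so a
    single skipped instruction cannot remove a digit comparison."""
    prog = [lambda s: s.update(diff=0)]
    for a, b in zip(stored, entered):
        cmp_instr = lambda s, a=a, b=b: s.update(diff=s["diff"] | (a ^ b))
        prog.append(cmp_instr)
        if duplicate:
            prog.append(cmp_instr)
    # Final decision: accept only if no digit differed.
    prog.append(lambda s: s.update(ok=(s["diff"] == 0)))
    return prog


def execute(program, skip=None):
    """Run the program; `skip` is the index of the one instruction that the
    injected fault turns into a no-op (the simplified skipping model)."""
    state = {"diff": 1, "ok": False}   # fail-closed defaults
    for i, instr in enumerate(program):
        if i != skip:
            instr(state)
    return state["ok"]


def single_skip_bypasses(program):
    """Blind parameter search: try every single-instruction skip position
    and report those that make a wrong PIN pass."""
    return [i for i in range(len(program)) if execute(program, skip=i)]


if __name__ == "__main__":
    plain = build_pin_check(STORED_PIN, WRONG_PIN)
    dup = build_pin_check(STORED_PIN, WRONG_PIN, duplicate=True)
    print("fault-free wrong PIN:", execute(plain), execute(dup))
    print("plain: skip positions that bypass:", single_skip_bypasses(plain))
    print("duplicated: skip positions that bypass:", single_skip_bypasses(dup))
```

The search loop is the exhaustive parameter sweep the abstract contrasts with DSTG-guided selection; doubling the program doubles the positions a blind sweep must try while removing every single-skip bypass.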

BibTeX
@inproceedings {309123,
author = {Zhenyuan Liu and Dillibabu Shanmugam and Patrick Schaumont},
title = {{GlitchGl{\"u}ck}: Enabling Software Vulnerabilities through Guided Hardware Fault Injection},
booktitle = {19th USENIX WOOT Conference on Offensive Technologies (WOOT 25)},
year = {2025},
isbn = {978-1-939133-50-2},
address = {Seattle, WA},
pages = {35--50},
url = {https://www.usenix.org/conference/woot25/presentation/liu},
publisher = {USENIX Association},
month = aug
}