Efficient Symbolic Execution of Software under Fault Attacks

We propose a symbolic method for analyzing the safety of software under fault attacks both accurately and efficiently. Fault attacks leverage physically injected hardware faults to break the safety of a software program. While there are existing methods for analyzing the impact of faults on software, they suffer from inaccurate fault modeling and inefficient analysis algorithms. We propose two new techniques to overcome these problems. First, we propose a fault modeling technique that leverages program transformation to add symbolic variables to the program, to accurately model the fault-induced program behavior. Second, we propose a redundancy pruning technique that leverages the weakest precondition and fault saturation to mitigate path explosion, which is a performance bottleneck of symbolic execution that is exacerbated by the fault-induced program behavior. We have implemented the method and evaluated it on a variety of benchmark programs. The experimental results show that our method significantly outperforms the state-of-the-art method. Specifically, it not only reveals many previously-missed safety violations but also reduces the running time drastically. Compared to the baseline, our optimized method is 2.0$\times$ faster on average.