This project is used as a tool to simulate fault attacks to ARM-M processors (Thumb mode). Within the "content" folder, there is a C project that is loaded into the simulation environment. Faults are introduces depending the predefined ranges or manualy. For the simulated attacks "all", "single" and "double", all implemented faults are executed till one leads to an successful attack. (e.g. "--class double"). For specific cases the check of the C code operation can be disabled with the "--no-check" option. This will allow to remove for e.g. the SUCCESS_DATA from the file under attack.
Once a vulnerability is found, the attack command sequence can be further analyzed using the '--analysis' command line parameter.
Screenshot of the attack visualization with highlighted instructions.
For fast reproduction of a successful attack, the faults can be setup with the --faults feature manualy. (E.g. "--faults glitch_1 glitch_10" -a double attack with 1 and 10 instruction glitches) Code examples for main.c are located at: "content\src\examples"
Inject a program counter (PC) glitch (skips 1–10 assembly instructions).
Syntax:
- Attack class:
glitch - Specific attacks:
glitch_1,glitch_2, ...,glitch_10
Example:
glitch_3 # Skips 3 instructionsFlip bits in registers R0–R12 using XOR with a hex mask (single-bit only).
Syntax:
- Attack class:
regbf - Specific attacks:
regbf_rX_YYYYYYYY(X=0–12, Y=hex mask)
Examples:
regbf_r0_00000001 # Flip bit 0 of R0
regbf_r12_80000000 # Flip bit 31 of R12Flood a register with 0x00000000 or 0xFFFFFFFF.
Syntax:
- Attack class:
regfld - Specific attacks:
regfld_rX_00000000,regfld_rX_FFFFFFFF
Example:
regfld_r5_FFFFFFFF # Set R5 to 0xFFFFFFFFFlip bits in instructions during fetch (single-bit only).
Syntax:
- Attack class:
cmdbf - Specific attacks:
cmdbf_YYYYYYYY(Y=hex mask)
Example:
cmdbf_00000001 # Flip bit 0 of the fetched instructionThe included C project (/content) is compiled with these flags:
TARGET = armv8-m.main
CFLAGS = -c -O3 -Iinclude \
-g -gdwarf -Wno-unused-but-set-variable -fno-inline -fno-omit-frame-pointer \
-fno-ipa-cp-clone -fno-ipa-cp -fno-common -fno-builtin -ffreestanding -fno-stack-protector \
-Wall -Wno-format-security -Wno-format-nonliteral -Wno-return-local-addr -Wno-int-to-pointer-cast \
-march=$(TARGET) -DMCUBOOT_FIH_PROFILE_ON -DMCUBOOT_FIH_PROFILE_HIGH -DFAULT_INJECTION_TEST
CFLAGS_LD = -N -Wl,--build-id=none -g -gdwarf -Os -Wno-unused-but-set-variable \
-Wno-return-local-addr -fno-inline -fno-ipa-cp-clone \
-fno-ipa-cp -nostartfiles -nodefaultlibsRust Toolchain
- Included crates:
unicorn-engineelflogenv_loggercapstoneindicatifgit-versionrayonitertoolsclapserdeserder_json
Compiler Toolchain
gcc-arm-none-eabicompiler toolchain
Build Tools
maketoolchain
Ghidra Trace Visualization
- Ghidra 11.3 or newer with PyGhidra mode.
You can configure the simulator using either command-line arguments or a JSON config file.
CLI arguments always override values from the config file.
| Flag/Option | Description |
-c, --config <CONFIG> |
Load configuration from JSON file |
|---|---|
-t, --threads <THREADS> |
Number of threads started in parallel [default: 1]. "-t 0" activate full thread usage |
-n, --no-compilation |
Suppress re-compilation of target program |
--class <ATTACK>,<GROUPS> |
Attack class to be executed. Possible values are: all, single, double [default: all]. GROUPS can be the names of the implemented attacks. E.g. --class single regbf separated by ' ' |
--faults <FAULTS> |
Run a command line defined sequence of faults. Alternative to --attack. (E.g. --faults glitch_1 glitch_10). Current implemented fault attacks: - glitch_1 .. glitch_10 - regbf_r0_00000001 .. regbf_r12_80000000 - regfld_r0_00000000 or regfld_r0_FFFFFFFF - cmdbf_00000000 .. cmdbf_80000000 |
-a, --analysis |
Activate trace analysis of picked fault |
-d, --deep-analysis |
Check with deep analysis scan. Repeated code (e.g. loops) are fully analysed |
-m, --max_instructions |
Maximum number of instructions to be executed. Required for longer code under investigation (Default value: 2000) |
--no_check |
Disable program flow check |
-e, --elf <FILE> |
Use external elf file w/o compilation step |
--trace |
Trace and analyse program w/o fault injection |
-r, --run-through |
Don't stop on first successful fault injection |
--success-addresses [<SUCCESS_ADDRESSES>...] |
List of memory addresses that indicate success when accessed Format: --success-addresses 0x8000123 0x8000456 |
--failure-addresses [<FAILURE_ADDRESSES>...] |
List of memory addresses that indicate failure when accessed Format: --failure-addresses 0x8000789 0x8000abc |
-h, --help |
Print help |
-V, --version |
Print version |
-
Single glitch attack with trace analysis (CLI):
cargo run -- --class single glitch --analysis
-
Single glitch attack with trace analysis (JSON config): Create a file (e.g.,
example.json):{ "class": ["single", "glitch"], "analysis": true }Run with:
cargo run -- --config example.json
-
Mixing CLI and JSON:
cargo run -- --config example.json --analysis false -
Double attack (glitch + register flood) on custom ELF:
cargo run -- --class double glitch regfld --elf tests/bin/victim.elf -t 4
-
Running a fault sequence with register bit-flip and glitch:
cargo run -- --faults regbf_r1_0100 glitch_1
-
Running with custom initial register context: Create a config file (
custom_context.json):{ "elf": "tests/bin/victim_3.elf", "class": ["single", "glitch"], "analysis": true, "initial_registers": { "R0": "0x12345678", "R7": "0x2000FFF8", "SP": "0x2000FFF8", "LR": "0x08000005", "PC": "0x08000620" } }Run with:
cargo run -- --config custom_context.json
Supported registers: R0-R12, SP, LR, PC, CPSR
Value formats: Hex strings ("0x12345678") or decimal numbers (42)
Case insensitive: "r0", "R0", "sp", "SP" all work
The Ghidra script you created enhances the visualization of the trace output generated by the simulator with the -a, --analysis option.
Usage:
- Ensure Ghidra 11.3 or newer is installed and running in PyGhidra mode as described in the Ghidra Installation Guide.
- Start the script in Ghidra.
- Paste the trace output from the simulation.
- Observe the executed instructions highlighted in green and the faulted instruction in red.
- Use the table window to step through the instruction trace.
Visualization Example:
Screenshot of the Ghidra visualization with highlighted instructions.