Professionalizing Fault Injection
How to enhance Fault Injection Testing with Professional Security Equipment
In this article, we explore three key challenges in Fault Injection vulnerability detection and explain how Keysight’s professional testing tools help overcome them—making the testing process faster, clearer, and more reliable.
Introduction
Hobbyists and hackers often operate on limited budgets but possess strong technical skills and plenty of time. As a result, they typically rely on entry-level tools such as a basic Teensy microcontroller or a ChipWhisperer—both priced around $50. Despite their simplicity, these tools have proven effective. Reports from hacking events and even academic conferences show that such setups can successfully uncover vulnerabilities in embedded systems.
Image 1: Teensy microcontroller (left), ChipWhisperer (right)
However, when chip and device manufacturers attempt to replicate these attacks, they often find that even known vulnerabilities are difficult to reproduce. Identifying the root cause can be even more challenging and time-consuming. This sometimes leads developers to dismiss the threat as unrealistic.
That conclusion is premature. The issue lies not with the validity of the threat, but with the limitations of low-cost test equipment, which can slow down and complicate the verification process. In contrast, professional-grade testing tools enable developers to validate reported issues more efficiently, identify root causes, and implement effective countermeasures.
In the sections below, we highlight three key challenges in detecting FI vulnerabilities and explain how Keysight’s professional solutions help accelerate and improve the testing process.
- Challenge 1: How to Safely Inject Faults Without Damaging the Target Circuit Board
- Challenge 2: How to Navigate the Fault Injection Parameter Space
- Challenge 3: How to Zoom into Narrow Time Windows and Achieve Repeatable Test Results
Challenge 1: How to Safely Inject Faults Without Damaging the Target Circuit Board
A common method of fault injection is to briefly interrupt the power supply to the device under test. The interruption must be precisely timed: short enough for the device to resume normal operation, yet long enough to cause a fault. Typically, this disruption lasts less than 1 µs, often as brief as a single clock cycle.
However, such short interruptions can be distorted by parasitic effects in the circuit, such as inductance and capacitance in the wires. Moreover, printed circuit boards (PCBs) often include decoupling capacitors near the chip's power pins to stabilize voltage. These capacitors resist rapid power changes and can hinder effective fault injection.
To address this, engineers may resort to modifying the circuit—removing capacitors and inserting an electronic switch to momentarily short the power line, a method known as the crowbar approach.
Image 2: Crowbar approach, showing the original connection (left) and the modified circuit (right)
While controlling crowbar circuitry is relatively straightforward, modifying modern circuit boards without damaging components is risky and time-consuming. At Keysight, we believe these challenges can be avoided using two safer and more efficient solutions.
Solution 1: DS1140A Glitch Amplifier
The Glitch Amplifier is a high-speed power amplifier that converts a digital pulse into a sharp, high-energy glitch. It delivers this glitch by making contact with the test circuitry via a probe. Thanks to its high current output, there's no need to remove capacitors from the target device. The glitch duration is extremely short, minimizing the risk of damage. Additionally, a monitor output lets users observe the actual glitch waveform to ensure it stays within safe operational limits.
Image 3: DS1140A 1.5 A Glitch Amplifier
Solution 2: DS1120A Unidirectional Fault Injection Probe
The DS1120A, an electromagnetic fault injection (EM-FI) probe with adjustable pulse width (APW), offers a non-invasive alternative. Rather than altering the supply voltage, it emits a controlled electromagnetic pulse that can be directed at the target chip. The probe is positioned over the chip without physical contact, and the pulse strength can be finely tuned to inject faults effectively, without any modifications to the PCB.
Image 4: DS1120A Unidirectional Fault Injection Probe
These two tools allow for safe and precise fault injection without altering the target hardware. This not only reduces the risk of damaging devices but also eliminates time spent on circuit modifications, significantly speeding up the testing process.
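The two points made above, that decoupling capacitors resist the rapid rail change a short glitch needs, and that a high-current glitch source can therefore leave them in place, follow from first-order circuit physics. The following added example (not Keysight's code, and not a model of any specific Keysight instrument) works the numbers for a constructed 100 ns interruption against three decoupling scenarios, and computes the current needed to pull a capacitor-laden node down by a given voltage. The rail voltage, load current, switch resistance and capacitor values are all assumed for illustration.

```python
"""Added example (not Keysight's code): a first-order model of why a decoupling
capacitor blunts a brief supply interruption, how a crowbar changes that, and
how much current a glitch source needs to move a capacitor-laden rail.
All component values are constructed for illustration."""
import math

VDD = 3.3  # assumed rail voltage in volts


def open_circuit_dip(c_farads: float, i_load_amps: float, t_seconds: float,
                     vdd: float = VDD) -> float:
    """Supply opened for t seconds; only the decoupling capacitor feeds the chip,
    so the rail sags linearly by dV = I_load * t / C (clamped at the full rail)."""
    return min(vdd, i_load_amps * t_seconds / c_farads)


def crowbar_dip(c_farads: float, r_switch_ohms: float, t_seconds: float,
                vdd: float = VDD) -> float:
    """Crowbar: the rail is shorted through the switch's on-resistance for t seconds.
    The capacitor discharges exponentially with tau = R * C; the upstream source
    is neglected for a pulse this short (modelling assumption)."""
    return vdd * (1.0 - math.exp(-t_seconds / (r_switch_ohms * c_farads)))


def probe_current_for_dip(c_farads: float, dv_volts: float, t_seconds: float) -> float:
    """Current a glitch source must sink to pull a node of capacitance C down by
    dv within t: I = C * dV / dt. This is why a high-current glitch amplifier can
    work with the decoupling capacitors still on the board."""
    return c_farads * dv_volts / t_seconds


def survey(t_seconds: float = 100e-9, i_load_amps: float = 0.05,
           r_switch_ohms: float = 1.0):
    """Compare both glitch methods over three constructed decoupling scenarios.
    Returns (label, open-circuit dip in V, crowbar dip in V) per scenario."""
    scenarios = (
        ("1 nF parasitic only", 1e-9),
        ("100 nF decoupling", 100e-9),
        ("10 uF bulk", 10e-6),
    )
    return [(label,
             open_circuit_dip(c, i_load_amps, t_seconds),
             crowbar_dip(c, r_switch_ohms, t_seconds))
            for label, c in scenarios]


if __name__ == "__main__":
    print(f"{'scenario':22} {'open-circuit dip':>18} {'crowbar dip':>14}")
    for label, dip_open, dip_crowbar in survey():
        print(f"{label:22} {dip_open:16.3f} V {dip_crowbar:12.3f} V")
    amps = probe_current_for_dip(100e-9, 1.0, 100e-9)
    print(f"current to drop a 100 nF node by 1 V in 100 ns: {amps:.2f} A")
```

With a 50 mA load, a 100 ns open-circuit interruption sags a 100 nF-decoupled rail by only 50 mV, while the same interruption collapses a rail with 1 nF of parasitic capacitance completely; a 1 Ω crowbar recovers most of the dip on the 100 nF rail but is still nearly useless against 10 µF of bulk capacitance. The last line shows the scale of current a glitch source must deliver to move a decoupled node quickly, which is the engineering reason behind an amplifier rated in amperes.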
Challenge 2: How to Navigate the Fault Injection Parameter Space
Successfully injecting faults requires tuning multiple parameters. At a minimum, testers must configure the intensity, timing, and duration of the glitch pulse. In many cases, the physical position of the injection probe—whether it's an electromagnetic coil or a laser—also plays a crucial role.
When you multiply the range of possible values for each parameter, the result is a search space with billions of combinations. Fault injection success often depends on just a handful of precise settings. Without intelligent control, testing becomes a random and time-consuming process that could take months—or even years—to yield meaningful results.
Keysight has tackled this challenge with two key innovations aimed at making fault injection smarter and more efficient.
1. Adaptive Parameter Search
We first developed an adaptive search algorithm that refines its parameter choices based on previous outcomes. For example, the graph below illustrates the relationship between glitch amplitude and duration.
- Green dots represent parameter combinations with no effect.
- Yellow dots indicate system crashes.
- Red dots highlight successful glitches that impact device behavior.
The adaptive algorithm automatically focuses future tests on the red-zone combinations—those with the highest likelihood of success—allowing it to find viable attack parameters faster and more systematically.
Image 5: Adaptive Fault Injection – algorithm focuses on successful regions
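The adaptive search described above, as an added example that is not Keysight's Inspector code: a constructed outcome model stands in for the device under test and classifies each (amplitude, duration) pair as no effect, crash or successful glitch using the page's green/yellow/red labels. A plain random search is compared with an adaptive search that, after its first success, draws most subsequent trials from a neighbourhood of previously successful points. The parameter ranges, the energy bands of the outcome model and the exploration rate are all assumptions; the GAN-based tuner mentioned later is not modelled here.

```python
"""Added example (not Keysight's code): adaptive parameter search over a
constructed glitch-outcome model, compared with uniform random search."""
import random
from typing import Callable, Dict, List, Tuple

# Outcome classes, using the colour coding from the page's graph
NO_EFFECT, CRASH, SUCCESS = "green", "yellow", "red"

# Assumed search space: amplitude in arbitrary units, duration in nanoseconds
AMP_RANGE = (0.0, 100.0)
DUR_RANGE = (0.0, 200.0)

Point = Tuple[float, float]
Target = Callable[[float, float], str]


def simulated_target(amplitude: float, duration: float) -> str:
    """Constructed stand-in for a device under test. The glitch 'energy'
    (amplitude x duration, rescaled) decides the outcome: too little does
    nothing, a narrow band corrupts execution, too much crashes the device."""
    energy = amplitude * duration / 100.0
    if energy < 60.0:
        return NO_EFFECT
    if energy <= 90.0:
        return SUCCESS
    return CRASH


def _clamp(value: float, bounds: Tuple[float, float]) -> float:
    return max(bounds[0], min(bounds[1], value))


def _uniform_point(rng: random.Random) -> Point:
    return (rng.uniform(*AMP_RANGE), rng.uniform(*DUR_RANGE))


def random_search(target: Target, trials: int, rng: random.Random) -> Dict[str, List[Point]]:
    """Baseline: every trial is drawn uniformly from the whole parameter space."""
    results: Dict[str, List[Point]] = {NO_EFFECT: [], CRASH: [], SUCCESS: []}
    for _ in range(trials):
        p = _uniform_point(rng)
        results[target(*p)].append(p)
    return results


def adaptive_search(target: Target, trials: int, rng: random.Random,
                    explore_rate: float = 0.2,
                    sigma: Tuple[float, float] = (5.0, 10.0)) -> Dict[str, List[Point]]:
    """Adaptive: once a success exists, most trials are perturbations of a
    previously successful point; a fraction explore_rate keeps exploring the
    full space so the search does not lock onto a single region."""
    results: Dict[str, List[Point]] = {NO_EFFECT: [], CRASH: [], SUCCESS: []}
    for _ in range(trials):
        successes = results[SUCCESS]
        if successes and rng.random() > explore_rate:
            base = rng.choice(successes)
            p = (_clamp(rng.gauss(base[0], sigma[0]), AMP_RANGE),
                 _clamp(rng.gauss(base[1], sigma[1]), DUR_RANGE))
        else:
            p = _uniform_point(rng)
        results[target(*p)].append(p)
    return results


def compare_strategies(trials: int = 300, seed: int = 1) -> Tuple[int, int]:
    """Run both strategies with the same trial budget and seed; return the
    number of successful glitches found by (random, adaptive)."""
    rand = random_search(simulated_target, trials, random.Random(seed))
    adap = adaptive_search(simulated_target, trials, random.Random(seed))
    return len(rand[SUCCESS]), len(adap[SUCCESS])


if __name__ == "__main__":
    n_random, n_adaptive = compare_strategies()
    print(f"random search:   {n_random} successful glitches out of 300 trials")
    print(f"adaptive search: {n_adaptive} successful glitches out of 300 trials")
```

On this constructed model the success band covers roughly 15% of the space, so random search lands on it about one trial in seven, while the adaptive search spends most of its budget inside the band once it has found it. Real targets are noisier (the same parameters do not always give the same outcome), which is why a practical implementation would weight points by their observed success rate rather than treating one success as certain.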
2. AI-Driven Optimization Using GANs
Building on this foundation, Keysight applied advanced AI techniques—specifically Generative Adversarial Networks (GANs)—to further enhance fault injection efficiency. These models excel at predicting promising parameter combinations, even in highly complex scenarios.
Through extensive research and validation, we found that GAN-based algorithms can improve the likelihood of a successful fault injection by over tenfold. This capability is now integrated into Keysight's Inspector software for Fault Injection, enabling users to rapidly zero in on hard-to-find vulnerabilities with much greater accuracy and speed.
Image 6: Performance of FI Parameter Tuner in Inspector Software
By combining adaptive learning with cutting-edge AI, Keysight empowers developers and testers to explore the vast FI parameter space more intelligently, making security validation faster, more targeted, and far more effective.
Challenge 3: How to Zoom into Narrow Time Windows and Achieve Repeatable Test Results
Even with precise control over glitch timing, aligning the glitch with a specific point in the target device's execution—such as a single instruction—remains a major challenge. For effective testing, a user needs to reliably inject faults at the exact moment a targeted instruction is executed, and repeat this process consistently.
Ideally, this execution point would occur a fixed number of clock cycles after a synchronization event (like power-up). However, in practice, this time window is not stable. One major source of instability is clock drift, especially in devices using Phase Locked Loops (PLLs). A drift of just 1% can translate into thousands of clock cycles of variation over the span of a million cycles (1% of 1,000,000 cycles is 10,000 cycles).
Additionally, execution paths can be non-deterministic, incorporating unpredictable delays or conditional steps. This causes recognizable patterns in the device's behavior to shift or misalign between test runs. The graph below illustrates how such misalignment affects signal traces, making it harder to pinpoint the exact instruction for fault injection.
Image 7: Misalignment of traces due to non-deterministic behavior
Keysight’s Solution: Real-Time Pattern Detection with Pattern-Based Trigger Generator
To overcome this, Keysight developed the DS1002A Pattern-Based Trigger Generator (formerly known as icWaves), a device that enables fault injection with high temporal precision by observing the execution flow through side-channel signals.
The Pattern-Based Trigger Generator can detect complex, real-time signal patterns during software execution and generate a trigger signal the moment those patterns occur. This allows the system to dynamically synchronize fault injection to actual code execution, even when clock drift or non-deterministic delays are present.
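The principle described above, triggering on a recognised signal pattern instead of counting a fixed delay from a synchronisation event, can be shown in software. The following added example is not Keysight's code and does not model the DS1002A's internals: it builds constructed side-channel traces in which a short reference pattern (a Barker-13 code mapped onto a noisy supply level) is shifted by a different number of samples in each run, emulating drift and non-deterministic delays. A fixed-delay trigger fires at the nominal position and misses by exactly the shift; a streaming pattern trigger computes the normalised cross-correlation of the last samples against the reference and fires on the sample that completes the match, so the glitch lands on the intended instruction every time. The reference pattern, noise level, threshold and the delay between pattern and target instruction are all assumptions.

```python
"""Added example (not Keysight's code): a streaming pattern-based trigger that
aligns a glitch to observed execution, compared with a fixed-delay trigger."""
import math
import random
from collections import deque
from typing import List, Optional, Tuple

# Constructed reference pattern: Barker-13 mapped onto a power level of 1.0 +/- 0.4,
# standing in for the side-channel signature of the code that precedes the target.
BARKER_13 = [1, 1, 1, 1, 1, -1, -1, 1, 1, -1, 1, -1, 1]
REFERENCE = [1.0 + 0.4 * b for b in BARKER_13]

NOMINAL_START = 80   # sample where the pattern would start if timing were stable
TARGET_DELAY = 5     # assumed: target instruction runs 5 samples after the pattern ends
TRACE_LEN = 200


def make_trace(jitter: int, seed: int) -> List[float]:
    """Constructed trace: noisy supply level with the pattern shifted by `jitter`
    samples, emulating clock drift / non-deterministic delays between runs."""
    rng = random.Random(seed)
    trace = [1.0 + rng.gauss(0.0, 0.05) for _ in range(TRACE_LEN)]
    start = NOMINAL_START + jitter
    for i, value in enumerate(REFERENCE):
        trace[start + i] = value + rng.gauss(0.0, 0.05)
    return trace


def true_target_index(jitter: int) -> int:
    """Where the target instruction actually executes in a trace with `jitter`."""
    return NOMINAL_START + jitter + len(REFERENCE) - 1 + TARGET_DELAY


def ncc(window, ref) -> float:
    """Normalised cross-correlation (Pearson) between a window and the reference."""
    n = len(ref)
    mean_w = sum(window) / n
    mean_r = sum(ref) / n
    num = sum((w - mean_w) * (r - mean_r) for w, r in zip(window, ref))
    den_w = math.sqrt(sum((w - mean_w) ** 2 for w in window))
    den_r = math.sqrt(sum((r - mean_r) ** 2 for r in ref))
    return 0.0 if den_w == 0.0 or den_r == 0.0 else num / (den_w * den_r)


class PatternTrigger:
    """Streaming detector: keeps only the last len(reference) samples and fires
    once, on the first sample at which the buffer matches the reference."""

    def __init__(self, reference: List[float], threshold: float = 0.9) -> None:
        self.ref = list(reference)
        self.threshold = threshold
        self.buf = deque(maxlen=len(self.ref))
        self.fired_at: Optional[int] = None

    def feed(self, index: int, sample: float) -> bool:
        if self.fired_at is not None:
            return False
        self.buf.append(sample)
        if len(self.buf) == len(self.ref) and ncc(self.buf, self.ref) >= self.threshold:
            self.fired_at = index
            return True
        return False


def fixed_delay_glitch_index() -> int:
    """Naive approach: count a fixed number of samples from the sync event (index 0)."""
    return NOMINAL_START + len(REFERENCE) - 1 + TARGET_DELAY


def pattern_glitch_index(trace: List[float]) -> Optional[int]:
    """Pattern approach: fire when the reference is seen, then apply the delay."""
    detector = PatternTrigger(REFERENCE)
    for i, sample in enumerate(trace):
        if detector.feed(i, sample):
            return i + TARGET_DELAY
    return None


def compare_triggers(jitters: Tuple[int, ...] = (-12, 0, 7, 23), seed: int = 1):
    """Per run: (jitter, true target index, fixed-delay glitch index, pattern glitch index)."""
    rows = []
    for jitter in jitters:
        trace = make_trace(jitter, seed + jitter)
        rows.append((jitter, true_target_index(jitter),
                     fixed_delay_glitch_index(), pattern_glitch_index(trace)))
    return rows


if __name__ == "__main__":
    print("jitter  true  fixed-delay  pattern-trigger")
    for jitter, truth, fixed, pattern in compare_triggers():
        print(f"{jitter:6d}  {truth:4d}  {fixed:11d}  {pattern!s:>15}")
```

The detector looks at every incoming sample, so the latency between the pattern completing and the trigger firing is one sample plus the correlation cost; a hardware implementation does the same comparison in parallel at the sampling rate. Barker codes are used here because their shifted copies correlate poorly with themselves, which keeps partially overlapping windows well below the threshold; with a real side-channel signature the threshold has to be chosen from the observed distribution of correlation values.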
With DS1002A, users can:
- Systematically scan code execution to identify fault injection opportunities
- Precisely time fault injection events relative to observed behavior
- Reproduce successful glitches with high reliability
- Explore how variations in parameters affect the fault outcome
This makes it a critical tool for achieving consistent, repeatable results in fault injection testing—especially when targeting specific instructions in complex or unstable execution environments.
Conclusion
Fault Injection (FI) testing can be complex and time-consuming. Challenges such as the need for delicate circuit modifications, the vast parameter space, and the unpredictable timing behavior of modern devices can make effective testing feel out of reach—especially without professional tools.
Keysight addresses these challenges head-on. Our specialized test equipment is designed to eliminate the need for invasive hardware changes, streamline parameter exploration, and precisely align fault injection with real-time execution behavior. The result: what once took months can now be achieved in days.
We provide a complete solution for device manufacturers and security analysts committed to hardening their products. Our offering includes advanced testing tools, expert services, and tailored training programs.
As a market leader in Side Channel Analysis, Fault Injection, secure device architecture, and software vulnerability analysis, Keysight empowers security teams to uncover and mitigate risks with speed, precision, and confidence.
Learn more about our Device Security Testing solutions here, or reach out to us at [email protected].