Complex Test Pattern Generation for high speed fault diagnosis in FPGA based ...
Final Paper
1. 1
Fault Injection using the Raspberry Pi 3 Computer
Colby Stanley
Department of ECE
Duke University
Durham, NC 27701
cts20@duke.edu
Abstract
Throughout this project, multiple
means of fault injection are explored using a
Raspberry Pi 3 computer as the test bed.
The two major sets of fault injection
experiments are electromagnetic fault
injection and magnetic fault injection. The
presence of a fault is determined based on
what is expected to be in the SRAM versus
what is read out of the SRAM of the CPU of
the device after each experiment. If an
unexpected value is found, such as a 0 when
a 1 was expected, this course of action is
deemed to have injected a transient fault
into the Raspberry Pi’s SRAM. The scope of
this work is limited to transient faults in
SRAM in order to have a more controlled
environment where an expected value can be
compared with the result of a test. Results
indicated that the use of commodity devices
such as wireless routers, microwaves, a
permanent neodymium magnet, and an
electromagnet are inconclusive in their
ability to inject transient faults.
1. Introduction
When developing a scheme for
tolerating faults, it is important to test the
design to determine how well the design
handles the specific scenarios it is intended
for according to its fault model. However,
this leads to the question of how can a
design be tested and how does one
determine if the tests are passed or failed.
Typically, in order to perform fault
injection, simulators running a specific
processor’s architecture are used. This
allows control over where the fault is
injected and the duration of the fault if it is
transient [1]. Simulators are useful tools for
injecting faults and testing a system’s ability
to cope with different types of faults. The
simulator, however, is only as good as the
data that the simulation is based on, and the
inputs that are used. If the simulated faults
are not realistic in terms of the portion of the
chip that is impacted, or the duration over
which a voltage spike occurs, they may not
truly test some of the main cases effectively.
Additionally, faults may be logically masked
and if careful effort is not made to determine
whether the faults are being masked, the
fault can go undetected even after significant
testing [2].
An alternative to simulating fault
injection is to inject faults using real sources
of faults on real hardware. This approach is
not as commonly used as simulation because
it is time consuming and costly. The cost of
manufacturing the hardware for the
experiment and the cost of the test
environment itself can be prohibitive [1].
This project aims to provide an alternative
by using commonly found devices that have
the potential to inject faults into real
hardware. Additionally, the data gathered
provides insight into how the Raspberry Pi
responds to fault injection of different kinds.
The Raspberry Pi is becoming more popular
for different scientific and engineering
applications, and it is important to be aware
2. 2
of its sensitivity to different types of
conditions.
There is less information that can be
found in terms of system state working with
real hardware, unless the hardware is
designed with circuitry for accessing state
information at different points. This makes it
important to first determine what is the
expected outcome of an operation in order to
have a way of comparing that which is
expected with what has occurred
experimentally. For this project, it was
useful to target the SRAM for fault injection
because the initial values can be manually
selected for each SRAM cell and compared
with the results without the need for
additional hardware storing state
information.
The following information will make
up the remainder of this paper. First, prior
work done in the field of fault injection will
be discussed as well as how it differs from
this research. Next, the experimental setup
and equipment used to perform fault
injection experiments will be discussed, and
lastly the experimental results will be
included along with a detailed explanation
proceeded with a conclusion.
2. Prior Work
Existing methods of fault injection
on real hardware rely on either hardware or
software to inject faults. Software based
fault injection can be done at compile-time
and runtime, and does not require special
equipment. This form of fault injection is
limited, though, by the portions of hardware
that can be reached through software. Fault
injection done at compile-time works by
changing certain instructions to improper
instructions simulating what would happen
if a fault changed their value. Runtime fault
injection can work similarly to compile-time
fault injection by adding code as well as the
use of interrupts and exceptions to call
functions used to inject faults. Hardware
based fault injection can be done through
contact and non-contact methods. A non-
contact method would be to bombard a chip
or component with radiation. When a
radioactive particle strikes, it can generate a
current [6]. Depending on the current
generated, a bit may be flipped. As for
contact methods of fault injection, probes
can be used to alter the current at a specific
pin. This probe based method allows for a
targeted fault injection which can be useful
for testing how a design handles specific
faults. On the contrary, methods such as
bombarding a chip with radiation can
produce more realistic tests due to the
unpredictable nature [1].
Additional methods of noncontact
fault injection include those that rely on
electromagnetic radiation including the use
of lasers to change the voltage on a wire
within a chip resulting in a bit flip. Such
forms of fault injection can be used in
testing cryptographic systems in order to test
their security. The certification of a
cryptographic system can rely on the
system’s ability to withstand fault attacks
with the intention of revealing cryptographic
information. Such testing relies on a system
using an electromagnetic probe which is
connected to a pulse generator through
which a voltage pulse is produced. The
specialized magnetic probe is intended for
targeted attacks directed at certain portions
of a chip rather than exposing the entire chip
to a magnetic field [5].
With the forms of fault injection
discussed, each has its own benefits and
drawbacks. Without removing a processor’s
cap, fault injection using a laser or an
intense pulse of light such as a camera flash
would not produce desirable results.
Similarly, applying a magnetic field to a
system that has a metal case for fault
injection would also be fruitless due to the
metal case being a Faraday cage protecting
3. 3
the CPU and other components [3].
Radiation based fault injection using a
radioactive source provides an unpredictable
means of fault injection that is more realistic
in nature. However, specialized equipment
would be needed to fire radioactive particles
at a system and its components.
With each of the possible forms of
fault injection considered, it was found that
noncontact fault injection using magnetic
fields and electromagnetic radiation would
be capable of producing realistic results
similar to that of the firing of radioactive
particles. If used without a magnetic probe
focusing the magnetic pulse to a region of
the chip or component, a magnetic field
could be produced capable of impacting the
entire chip at once. Another added benefit is
that the two chosen fault injection methods
could be achieved through the use of
commonly found items or be built with
relatively little cost.
3. Experimental Setup
The Raspberry Pi computer is
commonly referred to as a system on a chip.
Aside from the small size, there is little
difference between a Raspberry Pi and the
average personal computer. The major
differences lie in the use of a microSD card
instead of a traditional hard disk drive, and
the GPIO (General Purpose Input-Output
Connector) that can be used to power
different devices such as servos. The
Raspberry Pi 3 used for each of these
experiments ran the Linux based operating
system Raspbian version 4.4 which provided
the basic functionality for the experiments
performed. Before any significant data was
taken, it was important to develop a
consistent way of determining whether or
not an SRAM cell had been effected by the
attempt at fault injection. This was done
through a simple program written in C that
allocates space for a user selected number of
unsigned integers and stores either 1’s or 0’s
in the entire allocated space. The Raspberry
Pi’s processor is a Broadcom BCM2837
which has a 32 KB L1 cache for each of the
four cores and a shared 512 KB L2 cache.
Because each unsigned integer is 4 bytes,
each trial was performed by allocating space
for 136,000 unsigned integers to ensure that
all of the SRAM was being used. The initial
values for each of the integers are written to
one file, while the final values are written to
a separate file when the console receives
user input. Using the diff command, it was
determined whether there was a change in
the integers written to file from the SRAM
after the attempted fault injection or if the
two files remained the same [4].
3.1 Magnetic Fields
According to Faraday’s Law, the
motion of a circuit in a magnetic field, the
change of a magnetic field’s strength, and
the movement of a magnetic field in relation
to a circuit are each capable of generating a
current. This is known as electromagnetic
induction and is the driving idea behind
using an electromagnet to flip bits within
SRAM cells. By passing a magnet over the
processor in different directions, the
magnetic field has the potential to impact
the current being carried within the cache
memory or the combinational logic.
However, there are several unknowns in
regards to this approach. Because the
voltage that denotes a 1 or a 0 being held in
the cross coupled inverters of each cache
cell is not included in the Broadcom
processor’s datasheet, it is only through
experimental measures that a determination
of this voltage can be determined [3].
During the magnetic fault injection
portion of the project, several different
approaches were taken. Initially, a Uxcell
electromagnet solenoid was used with
4. 4
multiple input voltages at a fixed distance
from the processor. Also, a permanent
neodymium magnet was used which proved
to have a higher magnetic field strength than
what could be achieved with the
electromagnet. It was important for the
testing done to avoid producing any
permanent faults by shorting out pins
through contact between the board and the
magnets. This limited the proximity the
magnets could be used within with respect
to the Raspberry Pi and as a result this
limited the magnetic field strength reaching
the processor.
There are several differences
between the experimental setup for the
magnetic fault injection experiments of this
project and that of prior work including the
lack of a motorized stage [4]. Rather than
relying on a motorized stage, the magnet
was moved manually in the x, y, and z
directions. Also, the magnetic field
generated was done using an electromagnet
solenoid rather than a magnetic probe, and
the voltage was constant for each trial rather
than pulsed.
3.2 Electromagnetic Radiation
Following the testing done using
magnetic fields to inject faults,
electromagnetic radiation was explored.
Many common devices can be significant
sources of electromagnetic radiation. The
devices used were a wireless router and two
different microwave ovens. Due to the
danger of operating an open microwave, the
Raspberry Pi was placed on top of a closed
microwave during the experiments. This,
however, does not mean that there was no
microwave radiation reaching the Raspberry
Pi. A simple test showed that both
microwaves used leaked electromagnetic
radiation. The test involved placing a cell
phone inside of each microwave while they
were unplugged and monitoring its
connection to the wireless network. If the
device lost its connection to the wireless
network, this would indicate that the
microwave was well insulated and did not
leak electromagnetic radiation. However, it
was found in the case of both microwaves
that they did leak electromagnetic radiation.
Wireless routers also produce
electromagnetic radiation, however at a
lesser intensity. Testing was performed
using a wireless router alone, a wireless
router and a microwave simultaneously, and
the addition of parabolic reflectors to direct
the electromagnetic radiation from the
wireless router towards the Raspberry Pi.
These devices were used over different
durations and in different combinations in an
attempt to inject transient faults.
4. Experimental Results and Analysis
The first experiments performed
were using the electromagnet at different
operating voltages/currents at a fixed
distance from the Raspberry Pi. At each
input voltage, the magnet was moved
manually in the x, y, and z directions
relative to the Raspberry Pi’s processor
(shown in Figure 1).
Also, along with a variable voltage for
electromagnet, each trial was performed
with the SRAM full of 1’s and the SRAM
X
Y
Z
Figure 1: (The z axis is coming out of the page)
5. 5
full of 0’s in order to account for the
induction flipping bits in one direction more
easily than another. The electromagnet is
rated for 12 volts DC. Nonetheless, without
knowing the permeability of the core’s
material and the number of turns of
magnetic wire it was impossible to calculate
the magnetic field strength of the magnet.
All that is known is the magnet’s lifting
force is 50kg when operated at its threshold
voltage according to its documentation. The
electromagnet was operated at each voltage
between 0 and 12 volts for a total of 24
trials. Some work was done operating the
electromagnet beyond its rated voltage, but
the magnet became dangerously hot. It was
found that with the magnet used along with
the experimental setup that transient faults
could not be injected. One major issue is the
distance between the electromagnet and the
Raspberry Pi’s processor. This distance was
maintained in order to keep the
electromagnet from contacting pins and
shorting them out. Magnetic field strength is
dependent on the distance from the
electromagnet itself, therefore by having this
gap distance between the electromagnet and
the processor the magnetic field strength
reaching processor was reduced [3].
Additionally, a cylindrical
neodymium magnet with a 13,500 Gauss
internal magnetic field strength was tested in
a similar fashion. However, due to the
permanent magnet’s size, the magnet could
be placed against the Raspberry Pi’s
processor rather than at a fixed distance.
This proximity along with the noticeably
more powerful magnetic field generated by
the permanent magnet created what was
thought to be better conditions for
performing fault injection. After performing
trials with the SRAM full of 1’s and then
0’s, it was found that just as with the
electromagnet no bits were flipped in the
caches of the Raspberry Pi.
Next, the use of electromagnetic
radiation from a microwave and a wireless
router were tested. Trials were done with the
microwave and wireless router individually.
Below in Figure 2, the table shows the
various setups that were used in the hopes of
isolating the change that caused enough
electromagnetic radiation exposure to flip
bits within the Raspberry Pi. Each of the
tests in the following figure were performed
with the Raspberry Pi’s cache being filled
with 1’s and then with 0’s.
Microwave Router Parabolic
Reflectors
Duration
(Minutes)
X 10
X 60
X X 60
X X 10
X X X 10
Figure 2: Experimental setup combinations
for electromagnetic fault injection
The duration in Figure 2 is the
duration for which the Raspberry Pi was
exposed to the sources of electromagnetic
radiation before the resulting data was
collected. It was found that regardless of the
experimental setup used, the Raspberry Pi
functioned normally and the data read out of
the caches showed no flipped bits. An
important aside is that the duration the
microwave was run was limited by the time
it took for ice to become boiling water. It is
unsafe to run a microwave oven empty as it
can damage it, therefore ice was used as a
simple solution for running the microwave
for extended periods of time without harm.
One possible reason for the results
attained through both methods of fault
injection is that the induced current due to
the magnet/electromagnet and the
electromagnetic fields were not great
enough to change the system’s state.
Therefore, the use of more powerful sources
of induction such as a more powerful
6. 6
electromagnet and power supply or
microwave emission device that is without
shielding that limits the amount of
electromagnetic radiation reaching the target
device. Also, longer durations of exposure to
the sources of electromagnetic radiation may
increase the chance of transient faults being
injection.
In terms of the Raspberry Pi’s
resistance to fault injection techniques, the
results show that it would take a greater
magnetic field strength than 13,500 Gauss to
produce a transient fault, and that wireless
routers and microwaves do not produce
enough electromagnetic radiation to readily
impact the processor’s state. Both of these
pieces of information are helpful in
developing future experiments for injecting
faults into the Raspberry Pi and they
demonstrate the device’s ability to withstand
various forms of fault injection.
5. Conclusion
There were two major objectives in
this paper, the first of which being to
develop a method of fault injection using
magnets, wireless routers, and microwaves
instead of costly specialized equipment that
is typically used when performing hardware
based fault injection. The second objective
was to study the Raspberry Pi’s ability to
tolerate these sources of fault injection.
Raspberry Pi computers are becoming more
popular for many projects, therefore the
ability of the device to withstand common
sources of faults is beneficial. It was found
that with the experimental setup used it is
not likely that a Raspberry Pi under similar
conditions would experience a transient
fault. However, even though there were no
detected faults in the data readout from the
device’s SRAM, this does not mean that
transient faults did not exist in the device’s
DRAM or combinational logic as a result of
the testing. Transient faults in combinational
logic could be logically masked, and any
transient error in DRAM may not be a value
that is used by the system again.
This paper demonstrates a repeatable
experimental setup for testing multiple
forms of fault injection that could be built
upon. By making use of commonly found
items, the provided setup attempts to reduce
the need for specialized equipment, thereby
making non-contact, hardware based fault
injection a more appealing choice when
testing a system’s ability to handle faults.
Future work could demonstrate this low-cost
approach to fault injection as an effective
alternative that provides realistic faults on
par with the use of radioactive particles.
6. Future Work
Moving forward, one major
improvement that could be made is building
an electromagnet specifically for the
purpose of injecting faults. Some work was
done to gather the materials such as
magnetic wire and a ferromagnetic core,
however finding a suitable power source
hindered the efforts to take experimental
data using this more powerful magnet.
Additionally, using a voltage pulse with the
electromagnet could be beneficial as well.
An issue discovered with the electromagnet
used is the heat that is generated, therefore
reducing the time over which the current is
running through the magnetic wire would
aid in the reduction of temperature of the
electromagnet.
Another avenue would be the use of
more powerful permanent magnets, but one
of the determining factors in how powerful a
permanent magnet is its size. Larger
magnets would be more cumbersome to pass
over the Raspberry Pi’s processor and the
larger dimensions might require a larger gap
between the magnet and the Raspberry Pi to
avoid contacting the GPIO pins. This could
defeat the purpose of having a more
7. 7
powerful magnet because the magnetic field
strength decreases proportionally to the
distance from the magnetic core [3]. With
that in mind, the motivations behind using a
small electromagnetic magnetic probe
controlled with short voltage pulses over a
traditional electromagnet or permanent
magnet become apparent as it is better suited
for use with sensitive electronic devices.
References
[1] Hsueh, M., Tsai, T. K., & Iyer, R. K.
(1997, April). Fault Injection Techniques
and ... - ece.cmu.edu. Retrieved November
1, 2016, from
https://www.ece.cmu.edu/~ece749/docs/faul
tInjectionSurvey.pdf
[2] Shivakumar, P., Kistler, M., Keckler, S.,
Burger, D., & Alvisi, L. (n.d.). Modeling the
effect of technology trends on the soft error
rate of combinational logic. Proceedings
International Conference on Dependable
Systems and Networks. 2002
[3] Griffiths, D. J. (2003). Introduction to
electrodynamics (4th ed.). Pearson.
[4] Raspberry Pi Hardware. (n.d.). Retrieved
November 7, 2016, from
https://www.raspberrypi.org/documentation/
hardware/raspberrypi/README.md
[5] Dehbaoui, A., Dutertre, J., Robinson, B.,
Orsatelli, P., Maurine, P., & Tria, A. (n.d.).
Injection of transient faults using
electromagnetic pulses Practical results on a
cryptographic system. Retrieved from
https://www.researchgate.net/profile/Bruno_
Robisson/publication/267407641_Injection_
of_transient_faults_using_electromagnetic_
pulses_Practical_results_on_a_cryptographi
c_system/links/546278520cf2cb7e9da64fe1.
pdf
[6] Ziegler, J. F., Curtis, H. W., Muhlfeld,
H. P., Montrose, C. J., Chin, B., Nicewicz,
M., . . . Wahaus, C. W. (1996). IBM
experiments in soft fails in computer
electronics (1978–1994). IBM Journal of
Research and Development, 40(1), 3-18.
doi:10.1147/rd.401.0003