
Identifying Candidate Variables to Target

Does a set of candidate variables exist within the set of potential injection locations that is suitable for injecting multiple faults? How can such variables be identified? To what extent is dependability validation improved, i.e., what is the probability of uncovering vulnerabilities?

4.2. IDENTIFYING CANDIDATE VARIABLES TO TARGET 40

To address this problem, the nature of the interactions between variables needs to be understood, which raises the associated problem of error propagation when multiple faults are considered for injection.

4.2.1 Error Propagation Masking

Does an activated fault nullify the effect of a previously activated fault? Does an activated fault prevent another fault from being activated? Can faults that may potentially mask another be identified?

If multiple faults are injected, an activated fault f1 can potentially mask another fault (or error) f2 if, for instance, either f1 prevented f2 from being activated or f1 cancelled the effect of f2. The following illustrations elaborate on error masking:

Prevention of Fault Activation: Considering the following program code, the following is a typical problem that can occur during multiple fault injections:

 2   Z = X + Y;
 4   if Z ≤ v2 then
 6       Y = v2 − X;
 8   else
10       Y = v1 − X;
12   c = Y;

Assume that at a given point during the program's execution at Line 2, v2 = 7, X = 1 and Y = 0. In this instance, in the absence of any fault, the value of Z will be 1, the branching condition at Line 4 will evaluate to true, the value of Y will be updated at Line 6, and in turn C will assume the value of Y at Line 12. Assume also that each variable is 4 bits long and that Y is targeted at Line 2. Any fault injection that causes the state of Z to assume a value between 0 and 7 will be masked: the injected fault will not change the execution flow, and the states of Y and C will be updated with the correct values at Line 6 and Line 12, respectively. Further, any injected fault that changes the state of Z to a value in the range 8 to 15 will cause the execution flow to change, and consequently the states of Y and C will be incorrectly updated at Line 10 and Line 12, respectively, which is likely to lead to some sort of system failure. This means that some injections are wasteful, i.e., certain injections exercise the system in the same way, and faults targeted at locations whose state is used to determine branching conditions may not get activated.

However, if Y is instead targeted after the program execution has exited the conditional block, at Line 12, the state of C will be updated with the corrupted Y value. Thus, targeting Y at that location ensures the fault will be activated, which in turn increases the probability of causing a system failure.
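The masking effect described above can be made concrete by running the listing with the text's values (v2 = 7, X = 1, Y = 0) and classifying every 4-bit flip pattern injected into Y. This is an added example, not code from the thesis; v1 is not given in the text and is assumed to be 10, and, as in the thesis, arithmetic is not truncated to 4 bits (the width only bounds the flip patterns).

```python
# Added example (not from the thesis): classify every 4-bit flip pattern in Y
# as masked or activated when injected at Line 2, and show that the same
# patterns are always activated when injected just before Line 12.
BITS = 4
X, Y, V1, V2 = 1, 0, 10, 7              # V1 is an assumed value, not given in the text


def program(x, y, v1, v2, fault_line2=0, fault_line12=0):
    """Run the listing; faults are XOR masks applied to Y at the named lines.
    Returns (branch taken at Line 4, final value of c)."""
    y ^= fault_line2                     # fault injected into Y at Line 2
    z = x + y                            # Line 2: Z = X + Y (not truncated, as in the text)
    took_true_branch = z <= v2           # Line 4: if Z <= v2
    if took_true_branch:
        y = v2 - x                       # Line 6
    else:
        y = v1 - x                       # Line 10
    y ^= fault_line12                    # fault injected into Y after the conditional
    c = y                                # Line 12: c = Y
    return took_true_branch, c


def classify_faults(x=X, y=Y, v1=V1, v2=V2):
    """For every non-zero flip pattern of Y, record whether injecting it at
    Line 2 changes the control flow (activated) or leaves it unchanged
    (masked), and whether injecting it just before Line 12 corrupts c."""
    golden_branch, golden_c = program(x, y, v1, v2)
    masked_at_line2, activated_at_line2, activated_at_line12 = [], [], []
    for pattern in range(1, 1 << BITS):
        branch, _ = program(x, y, v1, v2, fault_line2=pattern)
        if branch == golden_branch:
            masked_at_line2.append(pattern)
        else:
            activated_at_line2.append(pattern)
        _, c = program(x, y, v1, v2, fault_line12=pattern)
        if c != golden_c:
            activated_at_line12.append(pattern)
    return masked_at_line2, activated_at_line2, activated_at_line12


if __name__ == "__main__":
    masked, act2, act12 = classify_faults()
    print(f"Line 2 target: {len(masked)} of 15 patterns masked, "
          f"{len(act2)} activated (patterns {act2})")
    print(f"Line 12 target: {len(act12)} of 15 patterns activated")
```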

Nullification of the Effect of an Activated Fault: Considering another dummy program, another typical problem associated with multiple fault injections could occur as follows:

2   a1 = a2;
4   b1 = getB();
5   ...
7   E = a1 − b1;
8   ...

Suppose that during a given program execution a2 = 2 at Line 2 and b1 = 0 at Line 7; this means that during a fault-free execution a1 and E will both assume the value 2, at Line 2 and Line 7 respectively. Assume also that two single faults are injected: location a2 is targeted at Line 2 and location b1 is targeted at Line 7. Suppose each location is 4 bits long, and at Line 2 the fault corrupts the first bit position in a2, thus changing its state from 2 to 3. Consequently, at Line 7, E will be computed as 3. Assuming the second fault is activated at this location and the first bit position of b1 is corrupted, the state of E changes from 3 to 2. Thus, the second activated fault in E will mask the first corruption in a2, i.e., the effect of the second fault cancels the effect of the first fault.

4.2.2 Error Propagation Amplification

Does an activated fault increase the effect of a previously activated fault? Would flipping a single bit be more impactful than flipping multiple bits in a given location? Can faults that may potentially amplify the effect of each other or another be identified?

Another ambiguity that can occur during multiple fault injections is the reduction of the impact of an error when another fault gets activated. Conversely, when the effect of an activated fault is increased by another fault being activated, amplification has occurred. If multiple faults are injected, an activated fault f2 can potentially reduce the impact of another error f1 if, for instance, f1 leads to a corrupted value in location l that deviates by a large difference from the correct value of l at that point, and f2 updates the state of l with a corrupt value that deviates by only a small difference from the correct value of l. The following sample code illustrates the concept of amplification:

1   ...
3   a := getA();
5   c := getC();
7   b := c + a;
8   ...

Assume all the variables are 4-bit integers and that, at a given execution cycle of the program, getA() returns the value 4 at Line 3. In the absence of a fault, the value of a at that point will be 4; let c = 5 at Line 5. In a fault-free execution of the program, b = 9 at Line 7. If a fault is activated at Line 3 and corrupts the state of a by making a = 0, without the activation of any other fault the corruption will propagate to b at Line 7 (b = 5, deviating from its fault-free value by −4). Suppose a second fault is activated at Line 7 that leads c to have a corrupted value of 8; with both faults activated, at Line 7 b = 8, just 1 less than its fault-free value. In this scenario, the activation of the second fault has reduced the deviation introduced by the first activated fault; the second fault did not amplify the effect of the first fault, thereby reducing the likelihood of system failure. However, suppose that at Line 5 the state of c is corrupted with the value 13 rather than 8; this will result in b assuming a corrupted value of 13 (4 more than its fault-free value) instead of 8. In this second scenario, the second error has increased the effect of the first error, i.e., amplification has occurred, and the likelihood of a system failure is increased.

Another type of amplification effect that may occur is when multiple bit-flips are considered within a single location. Still considering the preceding source code, maintaining the assumptions that each variable is a 4-bit integer and that, at a given point of a fault-free execution of the program, getA() returns the value 4 at Line 3 and getC() returns the value 5 at Line 5, then b = 9 at Line 7. Consider a at Line 3 to be the only target location, where any number of faults can be injected, i.e., any number of bits can be flipped. In a fault-free execution, a will be represented as 0100. If the first bit from the left is flipped, a will become 1100 (12), and when the error propagates to b at Line 7, b will be 17 (8 more than its fault-free value). Suppose instead that three faults are introduced into a in the first, second and third bit positions from the right; a then becomes 0011 (3), and when the error propagates to b at Line 7, b will be 8 (just 1 less than its fault-free value). In this scenario, injecting multiple faults is less likely to induce a system failure than injecting a single fault. On the other hand, if a single fault is introduced in the first bit position from the right (a = 0101 (5)), and multiple faults are injected in the first, second and third bit positions from the
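The amplification scenarios above (the two-fault case on a and c, and single- versus multi-bit flips in a) can be quantified by computing how far b := c + a moves from its fault-free value of 9. This is an added example, not code from the thesis; it goes slightly beyond the text by ranking every flip pattern of a, and, as in the thesis, the sum is not truncated to 4 bits (so b = 17 is kept).

```python
# Added example (not from the thesis): measure the signed deviation of b from
# its fault-free value under the text's fault scenarios, then rank all 4-bit
# flip patterns of a to show that flipping more bits need not move b further.
BITS = 4
GOLDEN_A, GOLDEN_C = 4, 5                  # getA() and getC() values from the text


def flip_from_right(value, *positions):
    """Flip bit positions counted from the right, starting at 1 (4-bit value)."""
    for pos in positions:
        value ^= 1 << (pos - 1)
    return value & ((1 << BITS) - 1)


def flip_from_left(value, *positions):
    """Flip bit positions counted from the left, starting at 1 (4-bit value)."""
    return flip_from_right(value, *(BITS - pos + 1 for pos in positions))


def deviation(a=GOLDEN_A, c=GOLDEN_C):
    """Line 7: b := c + a. Signed distance of b from its fault-free value (9).
    The sum is not truncated to 4 bits, matching the thesis's b = 17 case."""
    return (c + a) - (GOLDEN_C + GOLDEN_A)


def rank_patterns(value=GOLDEN_A):
    """Every non-zero flip pattern of `value`, sorted by |deviation of b|
    (largest first), as (|deviation|, bits flipped, corrupted value)."""
    rows = []
    for pattern in range(1, 1 << BITS):
        corrupted = value ^ pattern
        rows.append((abs(deviation(a=corrupted)), bin(pattern).count("1"), corrupted))
    return sorted(rows, reverse=True)


if __name__ == "__main__":
    print("a = 0 only:             ", deviation(a=0))            # -4
    print("a = 0, c = 8:           ", deviation(a=0, c=8))       # -1, deviation reduced
    print("a = 0, c = 13:          ", deviation(a=0, c=13))      # +4, amplified
    print("a, first bit from left: ", deviation(a=flip_from_left(GOLDEN_A, 1)))        # +8
    print("a, bits 1-3 from right: ", deviation(a=flip_from_right(GOLDEN_A, 1, 2, 3)))  # -1
    for row in rank_patterns():                                  # (|dev|, bits flipped, a')
        print(row)
```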