Pith. sign in

REVIEW 3 major objections 5 minor 73 references

Physical faults can plant invisible triggers inside a neural network's feature maps so the model only misbehaves when faulted.

Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →

T0 review · grok-4.5

2026-07-13 02:45 UTC pith:HADW4AWL

load-bearing objection Solid cross-layer demo: reproducible physical single-byte faults become latent feature-map backdoors that stay silent under normal inference and dodge input-space detectors. the 3 major comments →

arxiv 2607.09473 v1 pith:HADW4AWL submitted 2026-07-10 cs.CR

Triggering Stealthy Feature Map Backdoors via Physical Fault Injection in Embedded Neural Networks

classification cs.CR
keywords fault injectionelectromagnetic fault injectionbackdoor attackfeature-map triggerembedded neural networksARM Cortex-M4cross-level attackCMSIS-NN
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved

The pith

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper shows that a carefully characterized physical fault, such as an electromagnetic pulse or voltage glitch on an ARM Cortex-M4, can force a single byte inside a neural-network intermediate feature map into a known value. That value can be learned as a backdoor trigger during training or by weight editing. Under normal operation the model stays accurate; only when the same fault is re-applied at inference does the network flip to an attacker-chosen class. Because the trigger never appears in the input image, standard input-space backdoor detectors miss it. The authors demonstrate the attack end-to-end on quantized CNNs for MNIST and CIFAR-10, using both memcpy and SMLAD convolution instructions, and report near-100 percent success once the intended fault lands.

Core claim

Precisely characterized physical faults that produce tractable single-byte changes in registers or intermediate feature maps can be turned into latent backdoor triggers. The resulting model is benign until the physical fault is re-injected, at which point it reliably misclassifies to a chosen target class while remaining invisible to defenses that assume input-space triggers.

What carries the argument

LATCH (Latent Activation Trigger via Cross-level Faults in Hardware): a characterize-then-exploit pipeline that first maps EMFI or voltage-glitch parameters to reproducible data modifications (e.g., forcing a feature-map byte to 0x7F), then implants a matching backdoor that fires only on that modification.

Load-bearing premise

An attacker must obtain a clone of the target board and fully map the exact spatial and temporal glitch settings that produce a reliable single-byte change at a known offset before the attack can be used in the field.

What would settle it

On the same Cortex-M4 CMSIS-NN setup, measure whether a single, previously characterized EMFI pulse that forces the chosen feature-map byte to 0x7F actually drives attack success rate to near 100 percent while clean accuracy stays within a few points of the un-backdoored baseline, and whether Neural Cleanse, STRIP, Activation Clustering and ABS still fail to flag the deeper feature-map variants.

Watch this falsifier — get emailed when new claim-graph text bears on it.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit.

Referee Report

3 major / 5 minor

Summary. The paper introduces LATCH, a cross-level attack that first characterizes precise, reproducible data-level effects of physical fault injection (EMFI or voltage glitching) on ARM Cortex-M4 CMSIS-NN/NNoM quantized CNN inference (targeting memcpy LDRB/STRB and SMLAD in convolutional layers), then implants poison-based or data-free feature-map backdoors whose triggers are exactly those fault-induced single-byte perturbations (e.g., to 0x7F or 0xBF). Under normal operation the model retains near-baseline clean accuracy; under a successful fault the backdoor activates with ~100% ASR, and deeper feature-map triggers evade representative input-space detectors (Neural Cleanse, STRIP, Activation Clustering, ABS). Experiments on MNIST and CIFAR-10 demonstrate the end-to-end pipeline on a common embedded platform.

Significance. If the results hold, the work establishes a previously underexplored attack surface that joins implementation-level physical FI with algorithmic backdoor learning, showing that intermediate activations can be turned into stealthy, physically activated triggers that leave no input-space artifact. This is practically relevant for resource-constrained edge AI (Cortex-M4 + CMSIS-NN) and correctly stresses the need for defenses spanning hardware, software, and model layers. Concrete strengths include dual FI modalities with reported parameters, both poison and data-free implantation paths, explicit FSR/ASR separation, and a defense evaluation that systematically moves the trigger deeper into the network.

major comments (3)
  1. [Section 3, Tables 6-7, Figure 11] Section 3 (threat model) together with Tables 6–7 and Figure 11: the central claim is conditioned on an adversary who can fully characterize a reproducible single-byte fault on a clone board and later induce it in the field. Reported EMFI FSRs are modest (5.8–34 %, median ~6 attempts for SMLAD). While the paper states that repeated attempts within a short window are acceptable and that unsuccessful glitches are unlikely to raise alarms, no empirical evidence is given that failed attempts (or the accompanying resets) remain stealthy under realistic monitoring. This is load-bearing for practicality; a short additional experiment or quantitative argument on detectability of the attempt distribution would strengthen the claim.
  2. [Section 5.6] Section 5.6 and the adaptive-STRIP case analysis: the paper correctly shows that standard input-space detectors largely fail against deeper feature-map triggers, yet also demonstrates that an adaptive defender who injects the same fault during probing can detect the backdoor at the cost of near-100 % false rejection of clean inputs. The manuscript leaves a balanced adaptive defense to future work. Because the abstract and introduction claim that the attack “remain[s] effective against existing backdoor defenses,” a clearer statement of the defender’s knowledge assumptions (unaware of FI vs. aware of the fault model) is needed so that the evasion result is not overstated.
  3. [Sections 5.3, 5.5.2, Table 2] Sections 5.3 and 5.5.2 (data-free injection): the weight-surgery construction (zeroing kernels, setting center taps to γ=127, rewiring dense/output layers) produces a clean accuracy drop of ~2 % on MNIST (Table 2) and is demonstrated only for a single hand-crafted pathway to target class 7. While ASR remains high, the generality of the data-free path—especially to other architectures or multiple target classes—is not established. A brief ablation on the number of rewired channels (N_BD) or a second target class would confirm that the method is not brittle to the particular surgery chosen.
minor comments (5)
  1. [Figure 1] Figure 1 caption and surrounding text: the three attack points are labeled but the mapping from C-source vs. ASM is only partially explained; a short legend or additional call-outs would improve readability.
  2. [Table 1] Table 1: several entries list “unknown” for targeted SW/HW implementation; filling these from the cited papers (or marking “not reported”) would make the comparison more useful.
  3. [Section 4.3] Section 4.3: FSR and ASR definitions are clear, yet the text sometimes uses “ASR” for both backdoor success given a successful fault and overall end-to-end success; consistent terminology would avoid confusion.
  4. Typos and minor wording: “ot the (LATCH)” (Fig. 2 caption), “V oltage” (inconsistent spacing), “LFRB” for LDRB (Section 5.4.1), and a few missing articles. A careful proof-read will catch them.
  5. [Figures 5, 10] Figure 5 and 10: the color scales and red-box highlights are helpful, but the absolute byte values (or a color bar) would let readers verify the claimed single-byte change without referring back to the text.

Circularity Check

0 steps flagged

No significant circularity: experimental attack construction and measured FSR/ASR/defense results stand independently of any fitted or self-defined quantity.

full rationale

This is an empirical systems/security paper whose central claims are constructed attacks (characterize a reproducible single-byte FI effect such as 0x7F on memcpy or SMLAD, implant a matching feature-map backdoor via poisoning or data-free weight surgery, then trigger it at inference) evaluated by direct hardware measurement. FSR is the fraction of physical trials that produce the intended byte change; ASR is the fraction of those successful faults that flip the label to the target class; detection rates are obtained by running standard detectors (Neural Cleanse, STRIP, Activation Clustering, ABS) on the resulting models. None of these quantities is obtained by fitting a free parameter to a subset of the same data and then “predicting” a closely related quantity, nor is any uniqueness or first-principles derivation imported via self-citation. The threat-model assumption that an adversary can characterize a clone board is stated explicitly and scoped; it does not make the subsequent measured success rates tautological. Consequently the derivation chain contains no self-definitional step, no fitted-input-called-prediction, and no load-bearing self-citation, yielding a circularity score of 0.

Axiom & Free-Parameter Ledger

4 free parameters · 4 axioms · 1 invented entities

The central claim rests on experimental characterization of commercial FI equipment plus standard supply-chain and physical-access assumptions common to hardware security. Free parameters are the concrete glitch settings and backdoor hyperparameters chosen to make the attack succeed; axioms are the usual threat-model premises; the only invented entity is the named attack method itself, which is the contribution rather than an ungrounded postulate.

free parameters (4)
  • glitch source power (GSP) and temporal offset = e.g. 60% GSP, 68–70 ns for memcpy
    Chosen by scanning (e.g., 50–62% GSP, 10–70 ns offsets) until a reproducible single-byte change appears; values are equipment- and board-specific.
  • poison ratio ρ and target class t = ρ=10%, t=7
    Set to 10% and class 7 for all reported models; directly controls backdoor strength vs. clean accuracy.
  • backdoor threshold / trigger value = 0x7F
    Chosen to match the characterized fault (commonly 0x7F=127) so that the physical change activates the planted pathway.
  • N_BD and γ for data-free surgery = N_BD=16, γ=127
    Number of rewired channels and weight magnitude (16 and 127) selected so the integer pathway forces the target logit after right-shift.
axioms (4)
  • domain assumption Adversary has physical proximity sufficient for EMFI or voltage glitching and can obtain a clone board for offline characterization.
    Stated in Section 3 threat model; standard for physical FI papers but load-bearing for the claimed practicality.
  • domain assumption Adversary can tamper with the model supply chain (training data or quantized weights) to implant the backdoor before deployment.
    Section 3 and 4.1; without this the physical fault alone only causes untargeted corruption.
  • ad hoc to paper A single successful fault of the characterized pattern is sufficient to activate the backdoor; unsuccessful attempts do not raise alarms that would defeat stealth.
    Explicitly assumed in Section 3; low FSR is acknowledged but treated as acceptable because only one success is needed.
  • domain assumption CMSIS-NN kernels and NNoM quantized CNNs are representative of real constrained embedded deployments.
    Used throughout experimental sections; reasonable but not proven for all commercial edge devices.
invented entities (1)
  • LATCH (Latent Activation Trigger via Cross-level Faults in Hardware) independent evidence
    purpose: Names the end-to-end attack that turns characterized physical data modifications into feature-map backdoor triggers.
    The method is the paper’s contribution; it is not postulated as a new physical particle or force but as an attack construction whose existence is demonstrated experimentally.

pith-pipeline@v1.1.0-grok45 · 27411 in / 3219 out tokens · 39835 ms · 2026-07-13T02:45:48.110664+00:00 · methodology

0 comments
read the original abstract

Fault injection (FI) attacks on embedded neural network (NN) implementations primarily focus on inducing misclassification by corrupting weights or intermediate computations, overlooking their interaction with algorithmic adversarial threats. In this work, we present a cross-level attack that bridges implementation-level physical faults to algorithm-level adversarial attacks. By characterizing fault-induced data perturbations during NN inference, we connect FI with backdoor learning, enabling system-level attacks that jointly exploit implementation- and algorithm-level vulnerabilities. Specifically, we propose a precise fault-injection method that reliably manipulates targeted register values to tractable states during execution. Leveraging this level of FI precision, we propose a novel end-to-end feature map-level backdoor attack, where physically induced intermediate perturbations serve as stealthy triggers. Unlike conventional input-based backdoors, our trigger is activated only under physical faults, causing the NN to exhibit adversarial behavior that compromises system integrity while remaining benign during normal operation. We demonstrate that such physically triggered backdoors can be mounted on embedded NN platforms and remain effective against existing backdoor defenses that typically assume input-space triggers. We showcase the attack practicality using electromagnetic FI on convolutional neural networks implemented on ARM Cortex-M4 microcontroller, which is a common platform for constrained embedded applications. Our results highlight a novel attack vector at the intersection of hardware and algorithmic levels, stressing the need for defenses across abstraction levels.

Figures

Figures reproduced from arXiv: 2607.09473 by Durba Chatterjee, Lejla Batina, Lisanne Weidmann, Senna van Hoek, Steyn Hommes, Tanguy Stekke, Vincent Dankbaar, Xiaomeng Wang, Zhuoran Liu.

Figure 1
Figure 1. Figure 1: Illustrative visualization of our cross-level attack LATCH (Latent Activation Trigger via Cross-level Faults in Hardware). The overview showcases the bridge between hardware-level FI attacks (using EMFI or voltage glitching) and different software-level target points we attack, and how this maps to the NN inference flow. Point 1 (red target circle) targets the memcpy operation to trigger an FI-induced pixe… view at source ↗
Figure 2
Figure 2. Figure 2: illustrates the overall workflow. The core idea is that a backdoor can be triggered at runtime, not through a crafted input, but by inducing a data modification inside the model via physical fault injection. 4.1. Methodology Step 1: FI Characterization. The attacker could access a software implementation of the target NN model on clone hardware, e.g., a development board with the same model of micro-contro… view at source ↗
Figure 3
Figure 3. Figure 3: EMFI Setup comprising of: (1) EMFI Unidirec [PITH_FULL_IMAGE:figures/full_fig_p007_3.png] view at source ↗
Figure 5
Figure 5. Figure 5: Scan of the MCU chip. The target MCU is STM32L4R5ZI, using decapping we verified the position of the actual die. We conduct several scans in different areas, first covering a wider area, both over the die itself and neighboring areas. We then proceeded to scan with a smaller step size when faults are observed (right). Green positions indicate no faults, grey positions indicate chip-resets and red positions… view at source ↗
Figure 6
Figure 6. Figure 6: Example results of performing the different EMFI [PITH_FULL_IMAGE:figures/full_fig_p009_6.png] view at source ↗
Figure 7
Figure 7. Figure 7: Different Attack Points in memcpy operation. (1), (3) targets the load or store instruction to set register R3 to zero, respectively; (2) targets between the load and store instruction to set R3 to hold the value in R1 or R0; Case I introduces NOP instructions before the target operation, whereas Case II includes an add with 0 operation in addition to NOP instructions. For target (1) and (3), we work with … view at source ↗
Figure 8
Figure 8. Figure 8: Power trace when targeting the SMLAD operation in convolutional layer 2. The blue line is the main trigger; the red line is the pre-trigger used to locate the SMLAD execution. The pre-trigger pulses twice, corresponding to the two SMLAD code blocks (marked 1 and 2) in arm_nn_mat_mult_kernel_q7_q15_reordered (see [PITH_FULL_IMAGE:figures/full_fig_p010_8.png] view at source ↗
Figure 9
Figure 9. Figure 9: Mapping from the CMSIS-NN SMLAD C opera￾tions to its Cortex-M4 disassembly version, optimized with GCC O3. The two SMLAD groups correspond to blocks 1 and 2 in the power trace ( [PITH_FULL_IMAGE:figures/full_fig_p010_9.png] view at source ↗
Figure 10
Figure 10. Figure 10: Output feature maps of the second convolution [PITH_FULL_IMAGE:figures/full_fig_p011_10.png] view at source ↗
Figure 11
Figure 11. Figure 11: Histogram of first-successful-fault attempt counts [PITH_FULL_IMAGE:figures/full_fig_p011_11.png] view at source ↗
Figure 12
Figure 12. Figure 12: Feature map view of the conv2 output of the CIFAR-10 5-conv model under the feature map fault injection backdoor (target class 7). Left: the channels of conv2 for a clean input (trigger inactive). Middle: the same channels when the backdoor is activated. Only a single channel (red box) is altered while every other channel is bit-identical to the clean case. Right: magnified channel 1, clean (top) vs. acti… view at source ↗
Figure 13
Figure 13. Figure 13: Neural Cleanse anomaly index per candidate [PITH_FULL_IMAGE:figures/full_fig_p013_13.png] view at source ↗
Figure 14
Figure 14. Figure 14: Neural Cleanse recovered trigger (class 7) for [PITH_FULL_IMAGE:figures/full_fig_p013_14.png] view at source ↗

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

73 extracted references · 5 linked inside Pith

  1. [1]

    Empowering edge intelligence: A comprehensive survey on on- device AI models,

    X. Wang, Z. Tang, J. Guo, T. Meng, C. Wang, T. Wang, and W. Jia, “Empowering edge intelligence: A comprehensive survey on on- device AI models,”ACM Computing Surveys, vol. 57, no. 9, pp. 1–39, 2025

  2. [2]

    Fault injection attack on deep neural network,

    Y . Liu, L. Wei, B. Luo, and Q. Xu, “Fault injection attack on deep neural network,” inProceedings of the 36th International Conference on Computer-Aided Design, 2017, pp. 131–138

  3. [3]

    On the importance of checking cryptographic protocols for faults,

    D. Boneh, R. A. DeMillo, and R. J. Lipton, “On the importance of checking cryptographic protocols for faults,” inProceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, 1997, pp. 37–51

  4. [4]

    Differential fault analysis of secret key cryptosystems,

    E. Biham and A. Shamir, “Differential fault analysis of secret key cryptosystems,” inProceedings of the Annual International Cryptol- ogy Conference, 1997, pp. 513–525

  5. [5]

    DFA on AES,

    C. Giraud, “DFA on AES,” inProceedings of the International Conference on Advanced Encryption Standard, 2004, pp. 27–41

  6. [6]

    CLKSCREW: exposing the perils of security-oblivious energy management,

    A. Tang, S. Sethumadhavan, and S. J. Stolfo, “CLKSCREW: exposing the perils of security-oblivious energy management,” inProceedings of the 26th USENIX Security Symposium, 2017, pp. 1057–1074

  7. [7]

    Escalating privileges in linux using voltage fault injection,

    N. Timmers and C. Mune, “Escalating privileges in linux using voltage fault injection,” inProceedings of the Workshop on Fault Diagnosis and Tolerance in Cryptography, 2017, pp. 1–8

  8. [8]

    V oltPillager: Hardware-based fault injection attacks against intel SGX enclaves using the SVID voltage scaling interface,

    Z. Chen, G. Vasilakis, K. Murdock, E. Dean, D. Oswald, and F. D. Garcia, “V oltPillager: Hardware-based fault injection attacks against intel SGX enclaves using the SVID voltage scaling interface,” in Proceedings of the 30th USENIX Security Symposium, 2021, pp. 699– 716

  9. [9]

    Plundervolt: How a little bit of undervolting can create a lot of trouble,

    K. Murdock, D. Oswald, F. D. Garcia, J. Van Bulck, F. Piessens, and D. Gruss, “Plundervolt: How a little bit of undervolting can create a lot of trouble,”IEEE Security & Privacy, vol. 18, no. 5, pp. 28–37, 2020

  10. [10]

    Faulty point unit: Abi poisoning attacks on intel sgx,

    F. Alder, J. Van Bulck, D. Oswald, and F. Piessens, “Faulty point unit: Abi poisoning attacks on intel sgx,” inProceedings of the 36th Annual Computer Security Applications Conference, 2020, pp. 415– 427

  11. [11]

    Oops..! I glitched it again! how to Multi-Glitch the Glitching-Protections on ARM TrustZone- M,

    X. M. Saß, R. Mitev, and A.-R. Sadeghi, “Oops..! I glitched it again! how to Multi-Glitch the Glitching-Protections on ARM TrustZone- M,” inProceedings of the 32nd USENIX Security Symposium, 2023, pp. 6239–6256

  12. [12]

    Deeplaser: Practical fault attack on deep neural networks,

    J. Breier, X. Hou, D. Jap, L. Ma, S. Bhasin, and Y . Liu, “Deeplaser: Practical fault attack on deep neural networks,”arXiv preprint arXiv:1806.05859, 2018

  13. [13]

    Fault injection on embedded neural networks: Impact of a single instruction skip,

    C. Gaine, P.-A. Moellic, O. Potin, and J.-M. Dutertre, “Fault injection on embedded neural networks: Impact of a single instruction skip,” inProceedings of the 26th Euromicro Conference on Digital System Design, 2023, pp. 317–324

  14. [14]

    Fault injection attacks utilizing waveform pattern matching against neural networks processing on mi- crocontroller,

    Y . Fukuda, K. Yoshida, and T. Fujino, “Fault injection attacks utilizing waveform pattern matching against neural networks processing on mi- crocontroller,”IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. 105, no. 3, pp. 300– 310, 2022

  15. [15]

    TFL: Targeted bit-flip attack on large language model,

    J. Guo, C. Chakrabarti, and D. Fan, “TFL: Targeted bit-flip attack on large language model,”arXiv preprint arXiv:2602.17837, 2026

  16. [16]

    How vulnerable are large language models (LLMs) against adversarial bit- flip attacks?

    A. M. A. Almalky, R. Zhou, S. Angizi, and A. S. Rakin, “How vulnerable are large language models (LLMs) against adversarial bit- flip attacks?” inProceedings of the Great Lakes Symposium on VLSI, 2025, pp. 534–539

  17. [17]

    TBT: Targeted neural network attack with bit trojan,

    A. S. Rakin, Z. He, and D. Fan, “TBT: Targeted neural network attack with bit trojan,” inProceedings of the conference on Computer Vision and Pattern Recognition, 2020, pp. 13 198–13 207

  18. [18]

    Physical security of deep learning on edge devices: Comprehensive evaluation of fault injection attack vectors,

    X. Hou, J. Breier, D. Jap, L. Ma, S. Bhasin, and Y . Liu, “Physical security of deep learning on edge devices: Comprehensive evaluation of fault injection attack vectors,”Microelectronics Reliability, vol. 120, p. 114116, 2021

  19. [19]

    Investigation of em fault injection on emerging lightweight neural network hardware,

    B. Goswami, R. Chetry, C. Moorthii J, and M. Suri, “Investigation of em fault injection on emerging lightweight neural network hardware,” inProceedings of the Applied Cryptography and Network Security Workshops, 2026, pp. 113–123

  20. [20]

    Rowhammer-based trojan injection: One bit flip is sufficient for backdooring DNNs,

    X. Li, Y . Meng, J. Chen, L. Luo, and Q. Zeng, “Rowhammer-based trojan injection: One bit flip is sufficient for backdooring DNNs,” inProceedings of the 34th USENIX Security Symposium, 2025, pp. 6319–6337

  21. [21]

    Backdoor attacks on neural networks via one-bit flip,

    X. Li, L. Luo, and Q. Zeng, “Backdoor attacks on neural networks via one-bit flip,” inProceedings of the IEEE International Conference on Computer Vision, 2025, pp. 4328–4338

  22. [22]

    Security evaluation of deep neural network resistance against laser fault in- jection,

    X. Hou, J. Breier, D. Jap, L. Ma, S. Bhasin, and Y . Liu, “Security evaluation of deep neural network resistance against laser fault in- jection,” inProceedings of the IEEE International Symposium on the Physical and Failure Analysis of Integrated Circuits, 2020, pp. 1–6

  23. [23]

    An overview of laser injection against embedded neural network models,

    M. Dumont, P.-A. Mo ¨ellic, R. Viera, J.-M. Dutertre, and R. Bernhard, “An overview of laser injection against embedded neural network models,” inProceedings of the 7th IEEE World Forum on Internet of Things, 2021, pp. 616–621

  24. [24]

    Fault injection and safe-error attack for extraction of embedded neural network models,

    K. Hector, P.-A. Mo ¨ellic, J.-M. Dutertre, and M. Dumont, “Fault injection and safe-error attack for extraction of embedded neural network models,” inProceedings of the European Symposium on Research in Computer Security, 2023, pp. 644–664

  25. [25]

    Evaluation of parameter-based attacks against embedded neural net- works with laser injection,

    M. Dumont, K. Hector, P.-A. Mo ¨ellic, J.-M. Dutertre, and S. Ponti ´e, “Evaluation of parameter-based attacks against embedded neural net- works with laser injection,” inProceedings of the Computer Safety, Reliability, and Security, 2023, pp. 259–272

  26. [26]

    Imperceptible misclas- sification attack on deep learning accelerator by glitch injection,

    W. Liu, C.-H. Chang, F. Zhang, and X. Lou, “Imperceptible misclas- sification attack on deep learning accelerator by glitch injection,” in Proceedings of the 57th IEEE Design Automation Conference, 2020, pp. 1–6

  27. [27]

    Stealthy and robust glitch injection attack on deep learning accelerator for target with varia- tional viewpoint,

    W. Liu, C.-H. Chang, and F. Zhang, “Stealthy and robust glitch injection attack on deep learning accelerator for target with varia- tional viewpoint,”IEEE Transactions on Information Forensics and Security, vol. 16, pp. 1928–1942, 2020

  28. [28]

    Derailed: Arbitrarily controlling dnn out- puts with targeted fault injection attacks,

    J. Ordonez and C. Yang, “Derailed: Arbitrarily controlling dnn out- puts with targeted fault injection attacks,” inProceedings of the Design, Automation & Test in Europe Conference & Exhibition, 2024, pp. 1–6

  29. [29]

    Precision strike: Targeted misclassification of accelerated cnns with a single clock glitch,

    A. A. Malik, F. Aydin, and A. Aysu, “Precision strike: Targeted misclassification of accelerated cnns with a single clock glitch,” inProceedings of the IEEE Physical Assurance and Inspection of Electronics, 2025, pp. 1–7

  30. [30]

    Clock glitch fault attacks on deep neural networks and their countermeasures,

    S. Lee, S. Kim, S. Hong, and J. Ha, “Clock glitch fault attacks on deep neural networks and their countermeasures,”Sensors, vol. 25, no. 9, 2025

  31. [31]

    Fault injection attacks on machine learning- based quantum computer readout error correction,

    A. Etim and J. Szefer, “Fault injection attacks on machine learning- based quantum computer readout error correction,”arXiv preprint arXiv:2512.20077, 2025

  32. [32]

    Practical electro- magnetic fault injection on intel neural compute stick 2,

    S. Bhasin, D. Jap, M. Kr ˇcek, S. Picek, and P. Ravi, “Practical electro- magnetic fault injection on intel neural compute stick 2,”Cryptology ePrint Archive, 2025

  33. [33]

    Investigation on the impact of practical fault model for commercial edge machine learn- ing devices,

    S. Bhasin, D. Jap, M. Kr ˇcek, and S. Picek, “Investigation on the impact of practical fault model for commercial edge machine learn- ing devices,” inProceedings of the Security, Privacy, and Applied Cryptography Engineering, 2026, pp. 41–57

  34. [34]

    Fault injection attack against deep neural network-parameter exposure in random bits-flip model,

    H. Mun, J.-W. Huh, and D.-G. Han, “Fault injection attack against deep neural network-parameter exposure in random bits-flip model,” Connection Science, vol. 38, no. 1, p. 2622884, 2026

  35. [35]

    The weight of a bit: EMFI sen- sitivity analysis of embedded deep learning models,

    J. Breier, ˇS. Ku ˇcer´ak, and X. Hou, “The weight of a bit: EMFI sen- sitivity analysis of embedded deep learning models,”arXiv preprint arXiv:2602.16309, 2026

  36. [36]

    Prometheusfree: Concurrent detection of laser fault in- jection attacks in optical neural networks,

    K. Nishida, Y . Midoh, N. Miura, S. Kawakami, A. Orailoglu, and J. Shiomi, “Prometheusfree: Concurrent detection of laser fault in- jection attacks in optical neural networks,” inProceedings of the 31st Asia and South Pacific Design Automation Conference, 2026, pp. 1152–1159

  37. [37]

    How practical are fault injection attacks, really?

    J. Breier and X. Hou, “How practical are fault injection attacks, really?”IEEE Access, vol. 10, pp. 113 122–113 130, 2022

  38. [38]

    Sok: A beginner- friendly introduction to fault injection attacks,

    C. S. Liu, F. Wang, P. Gould, and C. Yagemann, “Sok: A beginner- friendly introduction to fault injection attacks,”arXiv preprint arXiv:2509.18341, 2025

  39. [39]

    Yes, One-Bit-Flip matters! universal DNN model inference depletion with runtime code fault injection,

    S. Li, X. Wang, M. Xue, H. Zhu, Z. Zhang, Y . Gao, W. Wu, and X. S. Shen, “Yes, One-Bit-Flip matters! universal DNN model inference depletion with runtime code fault injection,” inProceedings of the 33rd USENIX Security Symposium, 2024, pp. 1315–1330

  40. [40]

    Terminal brain damage: Exposing the graceless degradation in deep neural networks under hardware fault attacks,

    S. Hong, P. Frigo, Y . Kaya, C. Giuffrida, and T. Dumitras, “Terminal brain damage: Exposing the graceless degradation in deep neural networks under hardware fault attacks,” inProceedings of the 28th USENIX Security Symposium, 2019, pp. 497–514

  41. [41]

    Don’t knock! rowhammer at the backdoor of DNN models,

    M. C. Tol, S. Islam, A. J. Adiletta, B. Sunar, and Z. Zhang, “Don’t knock! rowhammer at the backdoor of DNN models,” inProceedings of the 53rd Annual IEEE International Conference on Dependable Systems and Networks, 2023, pp. 109–122

  42. [42]

    Tossing in the dark: Practical Bit-Flipping on gray-box deep neural networks for runtime trojan injection,

    Z. Wang, D. Tang, X. Wang, W. He, Z. Geng, and W. Wang, “Tossing in the dark: Practical Bit-Flipping on gray-box deep neural networks for runtime trojan injection,” inProceedings of the 33rd USENIX Security Symposium, 2024, pp. 1331–1348

  43. [43]

    DeepHammer: Depleting the intelligence of deep neural networks through targeted chain of bit flips,

    F. Yao, A. S. Rakin, and D. Fan, “DeepHammer: Depleting the intelligence of deep neural networks through targeted chain of bit flips,” inProceedings of the 29th USENIX Security Symposium, 2020, pp. 1463–1480

  44. [44]

    Hammering the diagnosis: Rowhammer-induced stealthy trojan attacks on vit-based medical imaging,

    B. S. Latibari, N. Nazari, H. Sayadi, H. Homayoun, and A. Ma- halanobis, “Hammering the diagnosis: Rowhammer-induced stealthy trojan attacks on vit-based medical imaging,” inProceedings of the 43rd IEEE International Conference on Computer Design, 2025, pp. 1–8

  45. [45]

    A survey on fault attacks on symmetric key cryptosystems,

    A. Baksi, S. Bhasin, J. Breier, D. Jap, and D. Saha, “A survey on fault attacks on symmetric key cryptosystems,”ACM Computing Surveys, vol. 55, no. 4, 2022

  46. [46]

    Attacking deterministic signature schemes using fault attacks,

    D. Poddebniak, J. Somorovsky, S. Schinzel, M. Lochter, and P. R¨osler, “Attacking deterministic signature schemes using fault attacks,” in Proceedings of the IEEE European Symposium on Security and Privacy, 2018, pp. 338–352

  47. [47]

    Fault- injection attacks against nist’s post-quantum cryptography round 3 kem candidates,

    K. Xagawa, A. Ito, R. Ueno, J. Takahashi, and N. Homma, “Fault- injection attacks against nist’s post-quantum cryptography round 3 kem candidates,” inProceedings of the International Conference on the Theory and Application of Cryptology and Information Security, 2021, pp. 33–61

  48. [48]

    Sok: On the physical security of uov-based signature schemes,

    T. Aulbach, F. Campos, and J. Kr ¨amer, “Sok: On the physical security of uov-based signature schemes,” inProceedings of the International Conference on Post-Quantum Cryptography, 2025, pp. 199–231

  49. [49]

    Proflip: Targeted trojan attack with progressive bit flips,

    H. Chen, C. Fu, J. Zhao, and F. Koushanfar, “Proflip: Targeted trojan attack with progressive bit flips,” inProceedings of the International Conference on Computer Vision, 2021, pp. 7698–7707

  50. [50]

    Hardly perceptible trojan attack against neural networks with bit flips,

    J. Bai, K. Gao, D. Gong, S.-T. Xia, Z. Li, and W. Liu, “Hardly perceptible trojan attack against neural networks with bit flips,” in Proceedings of the European Conference on Computer Vision, 2022, pp. 104–121

  51. [51]

    TrojViT: Trojan insertion in vision transformers,

    M. Zheng, Q. Lou, and L. Jiang, “TrojViT: Trojan insertion in vision transformers,” inProceedings of the Conference on Computer Vision and Pattern Recognition, 2023, pp. 4025–4034

  52. [52]

    Deep-TROJ: An inference stage trojan insertion algorithm through efficient weight replacement attack,

    S. Ahmed, R. Zhou, S. Angizi, and A. S. Rakin, “Deep-TROJ: An inference stage trojan insertion algorithm through efficient weight replacement attack,” inProceedings of the Conference on Computer Vision and Pattern Recognition, 2024, pp. 24 810–24 819

  53. [53]

    Neural cleanse: Identifying and mitigating backdoor attacks in neural networks,

    B. Wang, Y . Yao, S. Shan, H. Li, B. Viswanath, H. Zheng, and B. Y . Zhao, “Neural cleanse: Identifying and mitigating backdoor attacks in neural networks,” inProceedings of the IEEE Symposium on Security and Privacy, 2019, pp. 707–723

  54. [54]

    ABS: Scanning neural networks for back-doors by artificial brain stimula- tion,

    Y . Liu, W.-C. Lee, G. Tao, S. Ma, Y . Aafer, and X. Zhang, “ABS: Scanning neural networks for back-doors by artificial brain stimula- tion,” inProceedings of the ACM SIGSAC Conference on Computer and Communications Security, 2019, pp. 1265–1282

  55. [55]

    TABOR: A highly accurate approach to inspecting and restoring trojan backdoors in AI systems,

    W. Guo, L. Wang, X. Xing, M. Du, and D. Song, “TABOR: A highly accurate approach to inspecting and restoring trojan backdoors in AI systems,”arXiv preprint arXiv:1908.01763, 2019

  56. [56]

    Towards reliable and efficient backdoor trigger inversion via decoupling benign features,

    X. Xu, K. Huang, Y . Li, Z. Qin, and K. Ren, “Towards reliable and efficient backdoor trigger inversion via decoupling benign features,” inProceedings of the International Conference on Learning Repre- sentations, 2024

  57. [57]

    STRIP: A defence against trojan attacks on deep neural networks,

    Y . Gao, C. Xu, D. Wang, S. Chen, D. C. Ranasinghe, and S. Nepal, “STRIP: A defence against trojan attacks on deep neural networks,” inProceedings of the Annual Computer Security Applications Con- ference, 2019, pp. 113–125

  58. [58]

    Detecting backdoor attacks on deep neural networks by activation clustering,

    B. Chen, W. Carvalho, N. Baracaldo, H. Ludwig, B. Edwards, T. Lee, I. Molloy, and B. Srivastava, “Detecting backdoor attacks on deep neural networks by activation clustering,” inProceedings of the Workshop on Artificial Intelligence Safety, 2019

  59. [59]

    Spectral signatures in backdoor at- tacks,

    B. Tran, J. Li, and A. Madry, “Spectral signatures in backdoor at- tacks,” inProceedings of the Neural Information Processing Systems, 2018, pp. 8000–8010

  60. [60]

    Fine-pruning: Defending against backdooring attacks on deep neural networks,

    K. Liu, B. Dolan-Gavitt, and S. Garg, “Fine-pruning: Defending against backdooring attacks on deep neural networks,” inProceedings of the International Symposium on Research in Attacks, Intrusions, and Defenses, 2018, pp. 273–294

  61. [61]

    Adversarial neuron pruning purifies backdoored deep models,

    D. Wu and Y . Wang, “Adversarial neuron pruning purifies backdoored deep models,” inProceedings of the Neural Information Processing Systems, 2021, pp. 16 913–16 925

  62. [62]

    Detecting AI trojans using meta neural analysis,

    X. Xu, Q. Wang, H. Li, N. Borisov, C. A. Gunter, and B. Li, “Detecting AI trojans using meta neural analysis,” inProceedings of the IEEE Symposium on Security and Privacy, 2021, pp. 103–120

  63. [63]

    Anti-backdoor learning: Training clean models on poisoned data,

    Y . Li, X. Lyu, N. Koren, L. Lyu, B. Li, and X. Ma, “Anti-backdoor learning: Training clean models on poisoned data,” inProceedings of the Neural Information Processing Systems, 2021, pp. 14 900–14 912

  64. [64]

    Data poisoning in deep learning: A survey,

    P. Zhao, W. Zhu, P. Jiao, D. Gao, and O. Wu, “Data poisoning in deep learning: A survey,”arXiv preprint arXiv:2503.22759, 2025

  65. [65]

    Badedit: Backdooring large language models by model editing,

    Y . Li, T. Li, K. Chen, J. Zhang, S. Liu, W. Wang, T. Zhang, and Y . Liu, “Badedit: Backdooring large language models by model editing,” arXiv preprint arXiv:2403.13355, 2024

  66. [66]

    Precise Spatio-Temporal Electromagnetic Fault Injections on Data Transfers,

    A. Menu, S. Bhasin, J.-M. Dutertre, J.-B. Rigaud, and J.-L. Danger, “Precise Spatio-Temporal Electromagnetic Fault Injections on Data Transfers,” inProceedings of the Workshop on Fault Diagnosis and Tolerance in Cryptography, 2019, pp. 1–8

  67. [67]

    Electromagnetic fault injection: Towards a fault model on a 32-bit microcontroller,

    N. Moro, A. Dehbaoui, K. Heydemann, B. Robisson, and E. Encrenaz, “Electromagnetic fault injection: Towards a fault model on a 32-bit microcontroller,” inProceedings of the Workshop on Fault Diagnosis and Tolerance in Cryptography, 2013, p. 77–88

  68. [68]

    Fault injection attacks on cryptographic devices: Theory, practice, and countermeasures,

    A. Barenghi, L. Breveglieri, I. Koren, and D. Naccache, “Fault injection attacks on cryptographic devices: Theory, practice, and countermeasures,”Proceedings of the IEEE, vol. 100, no. 11, pp. 3056–3076, 2012

  69. [69]

    Physical fault injection and side-channel attacks on mobile devices: A comprehensive anal- ysis,

    C. Shepherd, K. Markantonakis, N. Van Heijningen, D. Aboulkassimi, C. Gaine, T. Heckmann, and D. Naccache, “Physical fault injection and side-channel attacks on mobile devices: A comprehensive anal- ysis,”Computers & Security, vol. 111, p. 102471, 2021

  70. [70]

    The sorcerer’s apprentice guide to fault attacks,

    H. Bar-El, H. Choukri, D. Naccache, M. Tunstall, and C. Whelan, “The sorcerer’s apprentice guide to fault attacks,”Proceedings of the IEEE, vol. 94, no. 2, pp. 370–382, 2006

  71. [71]

    Self-testing/correcting with applications to numerical problems,

    M. Blum, M. Luby, and R. Rubinfeld, “Self-testing/correcting with applications to numerical problems,”Journal of Computer and System Sciences, vol. 47, no. 3, pp. 549–595, 1993

  72. [72]

    Systematic use of random self-reducibility in cryptographic code against physical attacks,

    F. Erata, T. Chiu, A. Etim, S. Nampally, T. Raju, R. Ramu, R. Piskac, T. Antonopoulos, W. Xiong, and J. Szefer, “Systematic use of random self-reducibility in cryptographic code against physical attacks,” in Proceedings of the 43rd IEEE International Conference on Computer- Aided Design, 2024, pp. 1–9

  73. [73]

    Fault injection attacks and countermeasures on TinyML algorithms,

    A. Etim, S. Nampally, A. Rasouli, D. Mazza, K. Chilakapati, T. Chiu, F. Erata, L. Nazhandali, W. Xiong, and J. Szefer, “Fault injection attacks and countermeasures on TinyML algorithms,” inProceedings of the IEEE International Symposium on Hardware Oriented Security and Trust, 2026