Fault Injection with JTAG

In order to assess the robustness of software-based fault-tolerance methods, extensive tests have to be performed that inject faults, such as bit flips, into hardware components of a running system. Fault injection commonly uses either system simulations, resulting in execution times orders of magnitude longer than on real systems, or exposes a real system to error sources like radiation. This can take place in real time, but it enables only a very coarse-grained control over the affected system component.

A solution combining the best characteristics from both approaches should achieve precise fault injection in real hardware systems. Our approach uses the JTAG background debug facility of a CPU to inject faults into main memory and registers of a running system. Compared to similar approaches, our solution is able to achieve rapid fault injection using a low-cost microcontroller. Our injection software is very flexible. It allows to restrict error injection to the execution of a set of predefined components, resulting in a more precise control of the injection, and also emulates error reporting, which enables the evaluation of different error detection approaches in addition to robustness evaluation.

Experimental Setup

The system under test is a TK71 Development Board 1). The attached Marvell Kirkwood 88F6281 Processor 2) is clocked at 1.2 GHz. It is an implementation of an ARM926EJ-S processor compliant with the v5TE architecture, as published in the ARM Architecture Manual 3). Our system contains 256 MiB of DDR2 SDRAM and 128 MiB of NAND Flash.

The fault injection is implemented on an NXP mbed LPC1768 rapid prototyping board 4). The microcontroller is clocked at 100 MHz and uses an ARM Cortex M3 Core. 32 kiB RAM and 512 kiB Flash are available for programming. We refer to this board as injection board or JTAG host. As software load we execute an H.264 video decoder on the SUT as described in Estimedia 2010

Both boards are connected to each other via JTAG. To measure the time for fault injection, an oscilloscope is attached to the JTAG clock line.

Injection Procedure

Injection Procedure


The source code of the injection board's software is available here: jtag-inject-kirkwood-1.0.tar.lzma.

The compiler is available as source or binary (compiled under Ubuntu 12.04 64bit, extract in folder /opt/cross-toolchain)