Scientific Programming

Research Article

Characterization of Program Behavior under Faulty Instruction Encoding

Statistics on bit flips in opcode field.


Inst group	Original inst ⟶ changed inst	Injected	Average rate (%)			Sites may be affected
Inst group	Original inst ⟶ changed inst	Injected	SDC	Benign	Crash (%)	EIP	Return address	EFLAGS	Dest operand	Source operand

Call-related instruction	CALL ⟶ JMP	177	2.3%	0%	96.0		√
	CALL ⟶ PUSH	177	31.6%	16.9%	50.8	√	√
	MOV reg1, reg2 (MOV EBP, ESP) ⟶ OR reg1, reg2	112	8.9%	27.7%	63.4		√	√	√
	SUB reg, imm (SUB ESP, offset) ⟶ CMP reg, imm	108	4.6%	26.9%	67.6		√	√	√
	SUB reg, imm (SUB ESP, offset) ⟶ AND reg, imm	108	6.5%	14.8%	77.8		√	√	√
	SUB reg, imm (SUB ESP, offset) ⟶ OR reg, imm	108	6.4%	26.9%	64.9		√	√	√
	PUSH ⟶ POP	151	3.3%	4.0%	92.7		√
	PUSH ⟶ INC	151	3.3%	6.6%	90.1		√	√
	LEAVE ⟶ DEC	62	0	0	100		√	√
	LEAVE ⟶ RET	63	0	0	100	√	√
	RET no argument ⟶ RET intersegment	90	0	0	100	√	√

Control transfer instruction	JMP ⟶ JCXZ	66	27.3%	56.1%	16.7	√
	Jcc ⟶ Jcc (ttt-bit)	636	21.1%	58.0%	18.9	√
	Jcc ⟶ Jcc (n-bit)	212	46.7%	13.7%	37.7	√

Arithmetic instruction	CMP mem, imm ⟶ SUB mem, imm	91	12.1%	76.9%	11.0			√	√
	CMP mem, imm ⟶ XOR mem, imm	91	13.2%	75.8%	9.9			√	√
	CMP mem, imm ⟶ SBB mem, imm	91	12.1%	75.8%	12.1			√	√

Data transfer instruction	MOV mem, reg ⟶ OR mem, reg	382	24.1%	33.8%	40.3			√	√
	MOV mem, reg ⟶ LEA reg, mem	350	22.3%	21.7%	52.9				√	√
	MOV mem, reg ⟶ MOV reg, mem	382	23.6%	23.0%	50.8				√	√
	MOV reg, mem ⟶ OR reg, mem	478	15.7%	43.3%	40.8			√	√
	MOV reg, mem ⟶ POP	401	12.7%	13.7%	73.3		√		√
	MOV reg, mem ⟶ MOV mem, reg	478	15.9%	25.7%	56.0				√	√