ChipWhisperer Husky Voltage Glitch Platform

• ChipWhisperer Husky is a specialized hardware platform designed for precise voltage glitch attacks on embedded MCUs, assessing ML pipeline vulnerabilities in quantum readout systems.
• It integrates oscillator-driven timing, programmable glitch control, and synchronized data capture, with a Python API for fine-grained parameterization of fault injections.
• Automated, Optuna-driven experiments reveal significant layer-specific fault susceptibilities in ML error-correction models, underscoring the need for robust fault detection.

ChipWhisperer Husky is a purpose-built hardware platform for orchestrating precise, cycle-accurate voltage glitch attacks against embedded microcontroller (MCU) targets, with a primary focus on evaluating the vulnerability of ML-based pipelines such as those found in quantum computer readout and correction stacks. In recent research, ChipWhisperer Husky facilitated detailed, automated exploration of fault-injection effects on a real-world, embedded realization of a quantum-readout ML error-correction model (HERQULES), enabling systematic characterization of layer-wise model susceptibility and fault-induced failure modes (Etim et al., 23 Dec 2025).

1. System Architecture and Hardware Integration

The ChipWhisperer Husky integrates oscillator-driven timing, programmable glitch injection, and synchronized data capture into a single platform. The device's on-board 12 MHz crystal oscillator supplies the reference clock for both its internal capture-scope and the attached target MCU, enforcing fully-synchronous operation between fault injector, trigger detection, and MCU execution. A dedicated digital input pin connects to a target MCU GPIO, which is toggled at the entry of each ML model layer and serves as the "layer trigger" for synchronizing glitch events.

The Husky’s glitch amplifier modulates the supply voltage of the target system's 3.3 V power rail, delivering a controlled voltage droop (nominal amplitude: −1.5 V) during fault-injection events. The MCU, continuing to execute from its internal regulator, experiences transient VCC aberrations precisely aligned with desired computation windows. UART at 115200 baud establishes a bidirectional data channel between the MCU and the host PC, transmitting both input vectors (IR sample vectors) and output results (5-bit class predictions, status flags).

2. Fault Generation and Parameterization

Fault-injection events are rigorously parameterized along four axes:

• Width ($w$): the interval (in target clock cycles) for which VCC is held low
• Intra-cycle offset ($\delta$): sub-cycle timing shift from the clock's rising edge, in clock ticks
• External offset ($E$): absolute offset in clock cycles from the layer trigger event
• Repeats ($r$): repetition count of back-to-back voltage droop pulses per injection (range: 1–5)

Programming these parameters occurs through the ChipWhisperer Python API (e.g., chipwhisperer.capture.glitch.set_parameters), which updates the Husky’s glitch controller registers. This infrastructure includes a digital counter (driven by the master clock) for $E$, a precision sub-cycle delay for $\delta$, and a pulse-width-modulation circuit for $w$. Multiple repeat pulses are used to probe susceptibility for longer computational primitives, such as MAC chains.

3. Automated Parameter-Space Exploration

Manual exploration of $(w, \delta, E, r)$ space is infeasible due to dimensionality. The experimental methodology embeds trials within an Optuna-driven optimization loop that systematically samples candidate glitch configurations, reboots and re-arms the MCU, and evaluates the impact over 96 inference queries per trial (32 classes × 3 repetitions, each with a targeted glitch). The objective function is defined as:

$$S(w, \delta, E, r) = \frac{1}{96} \sum_{i=1}^{96} HD(\hat{y}_i, y_i) - \lambda \cdot (\#\text{resets} + \#\text{hangs})$$

where $HD$ denotes bitwise Hamming distance, $\lambda$ is a reset/hang penalty, $\hat{y}_i$ are predicted classes, and $y_i$ are ground-truth classes. Objective scores, as well as all execution artifacts (reset, hang counts), are reported to guide Optuna's search and empirically map out "hot" regions of glitch susceptibility in parameter space.

4. Timing Calibration and Per-Layer Targeting

Prior to extensive glitch scanning, a one-time calibration sweep is performed on the target HERQULES inference implementation. GPIO toggling at entry of each of the five neural-network layers allows the Husky to measure per-layer execution windows with cycle-level resolution:

Layer	Cycle Range
Dense₁	[687, 140047]
ReLU₁	[14048, 15602]
Dense₂, ...	...
Output	[40260, 118602]

This enables precise constraint of $E$ (external offset) so that glitches align to computations within a single layer boundary, ensuring that observed effects reflect true per-layer susceptibility rather than uncontrolled side effects.

5. Integration into Quantum Computer Readout Workflows

The experimental stack maps closely to actual quantum hardware readout pipelines. The HERQULES ML code (C-ported) operates on a Husky-connected STM32F4-class MCU, mirroring deployment on quantum-readout controllers for superconducting qubits. Input vectors, derived from the Maurya et al. dataset, are streamed by the host PC, which also configures the Husky and collects all result data (trigger times, glitch parameters, predictions, serial logs) over USB for offline statistical analysis. This alignment allows for direct assessment of security-critical behavior in ML-based multi-qubit readout error correction under real-world, physically-plausible adversarial conditions.

6. Empirical Findings and Fault Model Characterization

Empirical results reveal strong layer dependence in fault susceptibility. Early layers (Dense₁, ReLU₁) show substantial sensitivity, with the exemplar configuration in ReLU₁ yielding 27 faulty outputs out of 96 queries (≈28%). In contrast, deeper layers (Dense₂, ReLU₂, Output) present much lower success rates (3–7/96, or 3–7%). Nearly all successful faults occur for $w\approx2400$–$2800$ cycles and $\delta\approx2400$–$2600$ cycles, with optimal $r$ varying between 2 and 5 pulses by layer. The external offset $E$ is always constrained within the layer’s calibrated cycle window.

Bitstring failures, as measured by Hamming distance, often display structured corruption rather than random bit-flips after single-shot glitches. The waveform for an injected glitch is analytically described as:

$$V_{\text{glitch}}(t) = \begin{cases} V_{\text{CC}} - \Delta V, & \text{for } t_0 \leq t < t_0 + w \, T_{\text{CLK}} + \delta \, T_{\text{sub}} \ V_{\text{CC}}, & \text{otherwise} \end{cases}$$

where $T_{\text{CLK}} = 1/12 \,\text{MHz}$ and $T_{\text{sub}} = T_{\text{CLK}}/100$. Alignment $t_0$ derives from the layer trigger plus $E \cdot T_{\text{CLK}}$.

7. Implications for Quantum Readout Security

The ChipWhisperer Husky enables reproducible, fine-grained, and automatable fault-injection studies at the intersection of embedded ML and quantum system security. The findings indicate that multilayer neural architectures (such as those in ML-driven readout error correction) have pronounced, layer-specific vulnerabilities towards voltage glitch attacks, motivating the need for robust, lightweight fault detection and redundancy mechanisms in quantum computing pipelines. A plausible implication is that ML-based quantum computer readout and correction modules must be treated as security-critical, and their deployment contexts must include both fault-tolerance and real-time fault detection capabilities (Etim et al., 23 Dec 2025). The Husky platform’s methodology—precise timing, per-layer glitch targeting, and Optuna-automated parameter search—establishes a standard for future research into embedded ML robustness and hardware-in-the-loop adversarial testing.