🤖 AI Summary
This work addresses two key bottlenecks in software security analysis under fault attacks: inaccurate fault modeling and low efficiency of symbolic execution. We propose a novel symbolic execution method that achieves both high precision and strong scalability. Our core contributions are: (1) the first program-transformation-based symbolic fault modeling technique, which precisely captures hardware-level fault behaviors; and (2) an integrated redundancy-aware path pruning mechanism combining weakest precondition reasoning with fault saturation analysis to effectively mitigate path explosion. Evaluated on multiple benchmark programs, our approach achieves an average 2.0× speedup over state-of-the-art methods, significantly improves vulnerability detection rates, and uncovers numerous previously missed security violations—demonstrating comprehensive superiority over existing best practices.
📝 Abstract
We propose a symbolic method for analyzing the safety of software under fault attacks both accurately and efficiently. Fault attacks leverage physically injected hardware faults to break the safety of a software program. While there are existing methods for analyzing the impact of faults on software, they suffer from inaccurate fault modeling and inefficient analysis algorithms. We propose two new techniques to overcome these problems. First, we propose a fault modeling technique that leverages program transformation to add symbolic variables to the program, to accurately model the fault-induced program behavior. Second, we propose a redundancy pruning technique that leverages the weakest precondition and fault saturation to mitigate path explosion, which is a performance bottleneck of symbolic execution that is exacerbated by the fault-induced program behavior. We have implemented the method and evaluated it on a variety of benchmark programs. The experimental results show that our method significantly outperforms the state-of-the-art method. Specifically, it not only reveals many previously-missed safety violations but also reduces the running time drastically. Compared to the baseline, our optimized method is 2.0$\times$ faster on average.
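The following is an added illustration of the transformation-based fault modeling idea, not code from the paper or its authors: each statement of a tiny IR is guarded by a fault variable (instruction-skip model), and the guards are enumerated concretely under a fault budget rather than solved symbolically; the IR, the PIN-check programs, the `WRONG_PIN` state and the superset-pruning rule are all constructed here for the example.

```python
from itertools import combinations

# Tiny IR: ("set", dest, fn) assigns fn(env) to dest; ("br_if_not", fn, target)
# jumps to target when fn(env) is false. Fault model: instruction skip, i.e.
# statement i is rewritten as `if not fault_i: stmt`; fault_i is enumerated
# concretely under a fault budget here instead of being solved symbolically.
def run(program, env, faults):
    """Execute program; statement indices in `faults` (fault_i true) are skipped."""
    env, pc = dict(env), 0
    while pc < len(program):
        if pc in faults:            # the transformed guard fires: skip
            pc += 1
            continue
        kind, a, b = program[pc]
        if kind == "set":
            env[a] = b(env)
            pc += 1
        else:                       # "br_if_not"
            pc = b if not a(env) else pc + 1
    return env

def find_fault_sets(program, env, unsafe, budget):
    """Minimal skip sets (size <= budget) for which unsafe(final_env) holds;
    supersets of an already-found violating set are pruned (constructed rule)."""
    found = []
    for n in range(1, budget + 1):
        for combo in combinations(range(len(program)), n):
            if any(set(v) <= set(combo) for v in found):
                continue
            if unsafe(run(program, env, set(combo))):
                found.append(combo)
    return found

# Constructed PIN check. Safety: unlocked must stay 0 when pin != secret.
SINGLE_CHECK = [
    ("set", "ok", lambda e: e["pin"] == e["secret"]),
    ("br_if_not", lambda e: e["ok"], 3),
    ("set", "unlocked", lambda e: 1),
]
DOUBLE_CHECK = [                    # hardened: redundant second check
    ("set", "ok", lambda e: e["pin"] == e["secret"]),
    ("br_if_not", lambda e: e["ok"], 5),
    ("set", "ok2", lambda e: e["pin"] == e["secret"]),
    ("br_if_not", lambda e: e["ok2"], 5),
    ("set", "unlocked", lambda e: 1),
]
WRONG_PIN = {"pin": 1111, "secret": 4242, "ok": False, "ok2": False, "unlocked": 0}

def unsafe(env):
    return env["unlocked"] == 1
```

With a budget of one skipped statement the single check is bypassed by skipping its branch, while the double check needs both branches skipped, which only shows up once the budget is raised to two.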