An event of GDR Sécurité Informatique, Region Centre Val de Loire,
organized by Le Laboratoire d'Informatique Fondamentale d'Orleans, INSA Val de Loire

Adversarial Reachability for Program-level Security Analysis
Soline Ducousso 1
1 : Univ. Paris-Saclay, CEA, List, Saclay, France
CEA/DRT/LIST

Many program analysis tools and techniques have been developed to assess program vulnerability. Yet they are based on
the standard concept of reachability, with an attacker who is able to craft smart legitimate input. In practice, attackers can be much
more powerful, using for instance micro-architectural exploits or fault injection methods. We introduce adversarial reachability,
a framework for reasoning about such advanced attackers and assessing a program's vulnerability to a particular attacker. As
equipping the attacker with new capacities significantly increases the state space of the program under analysis, we present a
new symbolic exploration algorithm, namely adversarial symbolic execution, which injects faults in a forkless manner to prevent path
explosion, together with optimizations that reduce the number of injections to consider while keeping the same attacker
power. Experiments on representative benchmarks from fault injection show that our method significantly reduces the number of
adversarial paths to explore, allowing it to scale up to 10 faults where prior work times out for 3 faults. In addition, we analyze the
well-tested WooKey bootloader and demonstrate our analysis's ability to find known attacks and evaluate countermeasures in
real-life security scenarios. In particular, we were able to find a new attack on an incomplete patch.

