Dynamically obfuscated scan for protecting IPs against scan-based attacks throughout supply chain

Scan-based test is commonly used to increase testability and fault coverage, however, it is also known to be a liability for chip security. Research has shown that intellectual property (IP) or secret keys can be leaked through scan-based attacks. In this paper, we propose a dynamically-obfuscated scan design for protecting IPs against scan-based attacks. By perturbing all test patterns/responses and protecting the obfuscation key, the proposed architecture is proven to be robust against existing non-invasive scan attacks, and can protect all scan data from attackers in foundry, assembly, and system developers (i.e., OEMs) without compromising the testability. Furthermore, the proposed architecture can be easily plugged into EDA generated scan chains without having a noticeable impact on conventional integrated circuit (IC) design, manufacturing, and test flow. Finally, detailed security and experimental analyses have been performed on several benchmarks. The results demonstrate that the proposed method can protect chips from existing brute force, differential, and other scan-based attacks that target the obfuscation key. The proposed design is of low overhead on area, power consumption, and pattern generation time, and there is no impact on test time.

[1]  Ingrid Verbauwhede,et al.  Security Analysis of Industrial Test Compression Schemes , 2013, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[2]  Giorgio Di Natale,et al.  Are advanced DfT structures sufficient for preventing scan-attacks? , 2012, 2012 IEEE 30th VLSI Test Symposium (VTS).

[3]  Ramesh Karri,et al.  New scan-based attack using only the test mode , 2013, 2013 IFIP/IEEE 21st International Conference on Very Large Scale Integration (VLSI-SoC).

[4]  Hideo Tamamoto,et al.  Secure scan design using shift register equivalents against differential behavior attack , 2011, 16th Asia and South Pacific Design Automation Conference (ASP-DAC 2011).

[5]  Ramesh Karri,et al.  Secure scan: a design-for-test architecture for crypto chips , 2005, Proceedings. 42nd Design Automation Conference, 2005..

[6]  Mark Mohammad Tehranipoor,et al.  Counterfeit Integrated Circuits: Detection, Avoidance, and the Challenges Ahead , 2014, J. Electron. Test..

[7]  Eli Biham,et al.  Differential Fault Analysis of Secret Key Cryptosystems , 1997, CRYPTO.

[8]  Avi Mendelson,et al.  Exploiting the Scan Side Channel for Reverse Engineering of a VLSI Device , 2016 .

[9]  Mark Mohammad Tehranipoor,et al.  Securing Designs against Scan-Based Side-Channel Attacks , 2007, IEEE Transactions on Dependable and Secure Computing.

[10]  Giorgio Di Natale,et al.  Scan Attacks and Countermeasures in Presence of Scan Response Compactors , 2011, 2011 Sixteenth IEEE European Test Symposium.

[11]  M. Kuhn,et al.  The Advanced Computing Systems Association Design Principles for Tamper-resistant Smartcard Processors Design Principles for Tamper-resistant Smartcard Processors , 2022 .

[12]  Adit D. Singh,et al.  SSTKR: Secure and Testable Scan Design through Test Key Randomization , 2011, 2011 Asian Test Symposium.

[13]  Mark Mohammad Tehranipoor,et al.  Security vulnerability analysis of design-for-test exploits for asset protection in SoCs , 2017, 2017 22nd Asia and South Pacific Design Automation Conference (ASP-DAC).

[14]  Giorgio Di Natale,et al.  A smart test controller for scan chains in secure circuits , 2013, 2013 IEEE 19th International On-Line Testing Symposium (IOLTS).

[15]  Hideo Fujiwara,et al.  Partial Scan Approach for Secret Information Protection , 2009, 2009 14th IEEE European Test Symposium.

[16]  Youhua Shi,et al.  Dynamically changeable secure scan architecture against scan-based side channel attack , 2012, 2012 International SoC Design Conference (ISOCC).

[17]  Yu Huang,et al.  Effects of Embedded Decompression and Compaction Architectures on Side-Channel Attack Resistance , 2007, 25th IEEE VLSI Test Symposium (VTS'07).

[18]  Michel Renovell,et al.  Scan Design and Secure Chip , 2004, IOLTS.

[19]  Ramesh Karri,et al.  Attacks and Defenses for JTAG , 2010, IEEE Design & Test of Computers.

[20]  Dan Zhao,et al.  SS-KTC: A High-Testability Low-Overhead Scan Architecture with Multi-level Security Integration , 2009, 2009 27th IEEE VLSI Test Symposium.

[21]  Ramesh Karri,et al.  Scan based side channel attack on dedicated hardware implementations of Data Encryption Standard , 2004 .

[22]  Chien-Mo James Li,et al.  IEEE 1500 Compatible Secure Test Wrapper For Embedded IP Cores , 2008, 2008 IEEE International Test Conference.

[23]  Giorgio Di Natale,et al.  A novel differential scan attack on advanced DFT structures , 2013, ACM Trans. Design Autom. Electr. Syst..

[24]  Bruno Rouzeyre,et al.  Secure scan techniques: a comparison , 2006, 12th IEEE International On-Line Testing Symposium (IOLTS'06).

[25]  Alfred L. Crouch,et al.  A call to action: Securing IEEE 1687 and the need for an IEEE test Security Standard , 2015, 2015 IEEE 33rd VLSI Test Symposium (VTS).

[26]  Gang Qu,et al.  A new countermeasure against scan-based side-channel attacks , 2016, 2016 IEEE International Symposium on Circuits and Systems (ISCAS).

[27]  Roy Paily,et al.  RFID Circuit Design with Optimized CMOS Inductor for Monitoring Biomedical Signals , 2007, 15th International Conference on Advanced Computing and Communications (ADCOM 2007).

[28]  G. Sengar,et al.  An Efficient Approach to Develop Secure Scan Tree for Crypto-Hardware , 2007, 15th International Conference on Advanced Computing and Communications (ADCOM 2007).

[29]  Nozomu Togawa,et al.  Scan-Based Side-Channel Attack against RSA Cryptosystems Using Scan Signatures , 2010, IEICE Trans. Fundam. Electron. Commun. Comput. Sci..

[30]  Chip-Hong Chang,et al.  Static and Dynamic Obfuscations of Scan Data Against Scan-Based Side-Channel Attacks , 2017, IEEE Transactions on Information Forensics and Security.

[31]  Mark Mohammad Tehranipoor,et al.  A low-cost solution for protecting IPs against scan-based side-channel attacks , 2006, 24th IEEE VLSI Test Symposium.

[32]  Ramesh Karri,et al.  Test-mode-only scan attack using the boundary scan chain , 2014, 2014 19th IEEE European Test Symposium (ETS).

[33]  Debdeep Mukhopadhyay,et al.  CryptoScan: A Secured Scan Chain Architecture , 2005, 14th Asian Test Symposium (ATS'05).

[34]  Nozomu Togawa,et al.  Scan-based attack against elliptic curve cryptosystems , 2010, 2010 15th Asia and South Pacific Design Automation Conference (ASP-DAC).

[35]  Ramesh Karri,et al.  Test-mode-only scan attack and countermeasure for contemporary scan architectures , 2014, 2014 International Test Conference.

[36]  Spyros Tragoudas,et al.  Enhanced Secure Architecture for Joint Action Test Group Systems , 2013, IEEE Transactions on Very Large Scale Integration (VLSI) Systems.

[37]  Swarup Bhunia,et al.  VIm-Scan: A Low Overhead Scan Design Approach for Protection of Secret Key in Scan-Based Secure Chips , 2007, 25th IEEE VLSI Test Symposium (VTS'07).

[38]  Debdeep Mukhopadhyay,et al.  Secured Flipped Scan-Chain Model for Crypto-Architecture , 2007, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[39]  Ross J. Anderson,et al.  Optical Fault Induction Attacks , 2002, CHES.