Security vulnerability analysis of design-for-test exploits for asset protection in SoCs

SoCs implementing security modules should be both testable and secure. Oversights in a design's test structure could expose internal modules creating security vulnerabilities during test. In this paper, for the first time, we propose a novel automated security vulnerability analysis framework to identify violations of confidentiality, integrity, and availability policies caused by test structures and designer oversights during SoC integration. Results demonstrate existing information leakage vulnerabilities in implementations of various encryption algorithms and secure microprocessors. These can be exploited to obtain secret keys, control finite state machines, or gain unauthorized access to memory read/write functions.

[1]  Shwetak N. Patel,et al.  Experimental Security Analysis of a Modern Automobile , 2010, 2010 IEEE Symposium on Security and Privacy.

[2]  Giorgio Di Natale,et al.  A novel differential scan attack on advanced DFT structures , 2013, ACM Trans. Design Autom. Electr. Syst..

[3]  Ramesh Karri,et al.  Secure design-for-debug for Systems-on-Chip , 2015, 2015 IEEE International Test Conference (ITC).

[4]  M. Renovell,et al.  Scan design and secure chip [secure IC testing] , 2004, Proceedings. 10th IEEE International On-Line Testing Symposium.

[5]  Bruno Rouzeyre,et al.  Test control for secure scan designs , 2005, European Test Symposium (ETS'05).

[6]  Andrey Bogdanov,et al.  PRESENT: An Ultra-Lightweight Block Cipher , 2007, CHES.

[7]  Matti Valovirta,et al.  Experimental Security Analysis of a Modern Automobile , 2011 .

[8]  Nozomu Togawa,et al.  Scan-based attack against elliptic curve cryptosystems , 2010, 2010 15th Asia and South Pacific Design Automation Conference (ASP-DAC).

[9]  Mark Mohammad Tehranipoor,et al.  On design vulnerability analysis and trust benchmarks development , 2013, 2013 IEEE 31st International Conference on Computer Design (ICCD).

[10]  Mark Mohammad Tehranipoor,et al.  Securing Designs against Scan-Based Side-Channel Attacks , 2007, IEEE Transactions on Dependable and Secure Computing.

[11]  Farinaz Koushanfar,et al.  A Survey of Hardware Trojan Taxonomy and Detection , 2010, IEEE Design & Test of Computers.

[12]  Chien-Mo James Li,et al.  A Secure Test Wrapper Design Against Internal and Boundary Scan Attacks for Embedded Cores , 2012, IEEE Transactions on Very Large Scale Integration (VLSI) Systems.

[13]  Eric DeBusschere,et al.  Modern Game Console Exploitation , 2012 .

[14]  Michael S. Hsiao,et al.  Hardware Trojan Attacks: Threat Analysis and Countermeasures , 2014, Proceedings of the IEEE.

[15]  尚弘 島影 National Institute of Standards and Technologyにおける超伝導研究及び生活 , 2001 .

[16]  Ing. M. F. Breeuwsma Forensic imaging of embedded systems using JTAG (boundary-scan) , 2006, Digit. Investig..

[17]  Ramesh Karri,et al.  Secure scan: a design-for-test architecture for crypto chips , 2005, Proceedings. 42nd Design Automation Conference, 2005..

[18]  Giorgio Di Natale,et al.  Test Versus Security: Past and Present , 2014, IEEE Transactions on Emerging Topics in Computing.

[19]  Ramesh Karri,et al.  Novel Test-Mode-Only Scan Attack and Countermeasure for Compression-Based Scan Architectures , 2015, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[20]  Frederic T. Chong,et al.  Complete information flow tracking from the gates up , 2009, ASPLOS.

[21]  Hideo Fujiwara,et al.  Secure and testable scan design using extended de Bruijn graphs , 2010, 2010 15th Asia and South Pacific Design Automation Conference (ASP-DAC).

[22]  J. Meseguer,et al.  Security Policies and Security Models , 1982, 1982 IEEE Symposium on Security and Privacy.

[23]  Giorgio Di Natale,et al.  Secure JTAG Implementation Using Schnorr Protocol , 2013, J. Electron. Test..

[24]  Adam Waksman,et al.  Producing Trustworthy Hardware Using Untrusted Components, Personnel and Resources , 2014 .