Test-mode-only scan attack using the boundary scan chain

Boundary-scan is a very popular technology with wide applications in product life cycle that ranges from product design, prototype debugging, production to field service. However, when it comes to securing a product such as smart card, RFID tag, set-top-box, etc., the technology can be targeted by an attacker to reveal the secret information of the chip. In this paper, for the first time, we will show that the boundary scan chain can be used to bypass the mode-reset countermeasure, which is used to thwart all the scan attacks that rely on switching between the normal mode and the test mode of the chip. We propose two attacks on the AES core. The first attack uses the boundary scan chain to apply input plaintexts to the first round of AES, whereas the second attack targets the final round by applying the inputs through the internal scan chain(s) and the round output is captured in the boundary scan chain. The attacks not only bypass the mode-reset countermeasure but also circumvent the affect of stimulus decompressor (first attack) or the response compactor (second attack). Both attacks retrieve the 128-bit secret key within one minute of execution.

[1]  Ramesh Karri,et al.  Secure Scan: A Design-for-Test Architecture for Crypto Chips , 2005, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[2]  Giorgio Di Natale,et al.  Scan Attacks and Countermeasures in Presence of Scan Response Compactors , 2011, 2011 Sixteenth IEEE European Test Symposium.

[3]  Ramesh Karri,et al.  Scan attack in presence of mode-reset countermeasure , 2013, 2013 IEEE 19th International On-Line Testing Symposium (IOLTS).

[4]  Ramesh Karri,et al.  Scan based side channel attack on dedicated hardware implementations of Data Encryption Standard , 2004 .

[5]  Ramesh Karri,et al.  Attacks and Defenses for JTAG , 2010, IEEE Design & Test of Computers.

[6]  Ramesh Karri,et al.  New scan-based attack using only the test mode , 2013, 2013 IFIP/IEEE 21st International Conference on Very Large Scale Integration (VLSI-SoC).

[7]  Bruno Rouzeyre,et al.  Test control for secure scan designs , 2005, European Test Symposium (ETS'05).

[8]  Giorgio Di Natale,et al.  A scan-based attack on Elliptic Curve Cryptosystems in presence of industrial Design-for-Testability structures , 2012, 2012 IEEE International Symposium on Defect and Fault Tolerance in VLSI and Nanotechnology Systems (DFT).

[9]  Nozomu Togawa,et al.  Scan-Based Side-Channel Attack against RSA Cryptosystems Using Scan Signatures , 2010, IEICE Trans. Fundam. Electron. Commun. Comput. Sci..

[10]  Vincent Rijmen,et al.  The Design of Rijndael: AES - The Advanced Encryption Standard , 2002 .