Security Against Data-Sniffing and Alteration Attacks in IJTAG

The IEEE Std. 1687 (IJTAG) facilitates access to on-chip instruments in complex system-on-chip designs. However, a major security vulnerability in IJTAG has yet to be addressed. IJTAG supports the integration of tapped and wrapped instruments at the IP provider with hidden test-data registers (TDRs). The instruments with hidden TDRs can alter and steal the data that is shifted through them. These attacks are called “data-alteration” and “data-sniffing” attacks, respectively. We propose the addition of shadow TDRs (STDRs) and information-flow tracking logic to protect the shifted in test data from illegitimate alteration and leakage by malicious third-party IPs. We present two security architectures for IJTAG. The first architecture secures the IJTAG against data alteration and incurs no timing overhead. However, it does not secure IJTAG against data-sniffing attacks (DS). The second architecture is an upgrade to the first architecture where we repurpose the use of the STDRs and information-tracking logic to secure the IJTAG against both data-alteration and DS. However, it incurs timing overhead. We present security proofs, simulation results, and the overheads associated with these countermeasures for various benchmarks. We also discuss the tradeoffs in security and overhead between the two proposed architectures.

[1]  Ozgur Sinanoglu,et al.  ScanSAT: Unlocking Static and Dynamic Scan Obfuscation , 2019, IEEE Transactions on Emerging Topics in Computing.

[2]  Pascal Raiola,et al.  On Integrating Lightweight Encryption in Reconfigurable Scan Networks , 2019, 2019 IEEE European Test Symposium (ETS).

[3]  Nur A. Touba,et al.  A Graph Theory Approach towards IJTAG Security via Controlled Scan Chain Isolation , 2019, 2019 IEEE 37th VLSI Test Symposium (VTS).

[4]  Jennifer Dworak,et al.  IJTAG Integrity Checking with Chained Hashing , 2018, 2018 IEEE International Test Conference (ITC).

[5]  R. D. Blanton,et al.  Detection of IJTAG attacks using LDPC-based feature reduction and machine learning , 2018, 2018 IEEE 23rd European Test Symposium (ETS).

[6]  Ramesh Karri,et al.  Securing IJTAG against data-integrity attacks , 2018, 2018 IEEE 36th VLSI Test Symposium (VTS).

[7]  Hans-Joachim Wunderlich,et al.  Trustworthy reconfigurable access to on-chip infrastructure , 2017, 2017 International Test Conference in Asia (ITC-Asia).

[8]  Alfred L. Crouch,et al.  Mitigating simple power analysis attacks on LSIB key logic , 2017, 2017 IEEE North Atlantic Test Workshop (NATW).

[9]  Jennifer Dworak,et al.  Echeloned IJTAG data protection , 2016, 2016 IEEE Asian Hardware-Oriented Security and Trust (AsianHOST).

[10]  K SudeendraKumar,et al.  Securing IEEE 1687 Standard On-chip Instrumentation Access Using PUF , 2016, 2016 IEEE International Symposium on Nanoelectronic and Information Systems (iNIS).

[11]  Matteo Sonza Reorda,et al.  A suite of IEEE 1687 benchmark networks , 2016, 2016 IEEE International Test Conference (ITC).

[12]  Wei Hu,et al.  Detecting Hardware Trojans with Gate-Level Information-Flow Tracking , 2016, Computer.

[13]  Vishwani D. Agrawal,et al.  Securing IEEE 1687-2014 Standard Instrumentation Access by LFSR Key , 2015, 2015 IEEE 24th Asian Test Symposium (ATS).

[14]  Alfred L. Crouch,et al.  A call to action: Securing IEEE 1687 and the need for an IEEE test Security Standard , 2015, 2015 IEEE 33rd VLSI Test Symposium (VTS).

[15]  Hans-Joachim Wunderlich,et al.  Reconfigurable Scan Networks: Modeling, Verification, and Optimal Pattern Generation , 2015, TODE.

[16]  Hans-Joachim Wunderlich,et al.  Fine-Grained Access Management in Reconfigurable Scan Networks , 2015, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[17]  Hans-Joachim Wunderlich,et al.  Access Port Protection for Reconfigurable Scan Networks , 2014, Journal of Electronic Testing.

[18]  Ryan Kastner,et al.  Leveraging Gate-Level Properties to Identify Hardware Timing Channels , 2014, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[19]  Alfred L. Crouch,et al.  Making it harder to unlock an LSIB: Honeytraps and misdirection in a P1687 network , 2014, 2014 Design, Automation & Test in Europe Conference & Exhibition (DATE).

[20]  Hans-Joachim Wunderlich,et al.  Securing Access to Reconfigurable Scan Networks , 2013, 2013 22nd Asian Test Symposium.

[21]  Jennifer Dworak,et al.  Don't forget to lock your SIB: hiding instruments using P1687 , 2013, 2013 IEEE International Test Conference (ITC).

[22]  Farrokh Ghani Zadegan,et al.  Reusing and Retargeting On-Chip Instrument Access Procedures in IEEE P1687 , 2012, IEEE Design & Test of Computers.

[23]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[24]  Heng Yin,et al.  Panorama: capturing system-wide information flow for malware detection and analysis , 2007, CCS '07.

[25]  Cheng Wang,et al.  LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks , 2006, 2006 39th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO'06).

[26]  David Zhang,et al.  Secure program execution via dynamic information flow tracking , 2004, ASPLOS XI.