Detection of IJTAG attacks using LDPC-based feature reduction and machine learning

The IEEE 1687 standard (IJTAG), an extension to IEEE 1149.1, facilitates efficient access to embedded instruments by supporting reconfigurable scan networks. Specifically, IJTAG allows each IP to be wrapped by a test data register (TDR) whose access is controlled by a segment insertion bit (SIB) or a scan-mux control bit (SCB). Because the TDRs and the SIB/SCB network are typically not public, yet are critical for accessing embedded instruments, they might be used for illegitimate purposes, such as dumping credential data and reverse engineering IP designs. Machine learning has been proposed to detect such attacks, but the large number of instruments and the parallel execution enabled by IJTAG produce high-dimensional data, which poses a challenge to on-chip detection. In this paper, we propose to reduce the high-dimensional but sparse data using a low-density parity-check (LDPC) matrix. Experiments using a version of the OpenSPARC T2 modified to include IJTAG functionality demonstrate that feature reduction eliminates 91% of the features, leading to a 43% reduction in circuit size without affecting detection accuracy. The on-chip detector also adds moderate overhead (~8%) to the IJTAG.
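The reduction step described in the abstract, sketched as an added example; it is not the paper's code. Assumptions: a Gallager-style regular LDPC construction, integer arithmetic for y = Hx, features read as per-instrument access counts in one observation window, and every size, seed and name used here.

```python
import random

def gallager_ldpc(n, wc, wr, seed=0):
    """Regular (wc, wr) LDPC matrix, returned as one row-index list per column."""
    if n % wr:
        raise ValueError("n must be a multiple of the row weight wr")
    rng = random.Random(seed)
    rows_per_block = n // wr
    cols = [[] for _ in range(n)]
    for b in range(wc):
        perm = list(range(n))
        if b:                       # block 0 keeps natural order, the rest are permuted
            rng.shuffle(perm)
        for pos, col in enumerate(perm):
            cols[col].append(b * rows_per_block + pos // wr)
    return cols, wc * rows_per_block   # column supports, number of reduced features m

def reduce_features(cols, m, sparse_x):
    """y = H x for x given as {feature_index: count}; wc additions per nonzero entry."""
    y = [0] * m
    for j, v in sparse_x.items():
        for r in cols[j]:
            y[r] += v
    return y

def collisions(cols, m, samples):
    """Count inputs whose reduced vector equals that of an earlier, different input."""
    seen, clashes = {}, 0
    for x in samples:
        key = tuple(reduce_features(cols, m, x))
        canon = tuple(sorted(x.items()))
        if seen.setdefault(key, canon) != canon:
            clashes += 1            # information lost: a detector cannot tell these apart
    return clashes

# Constructed sizes and sample window (assumptions, not values from the paper).
N_FEATURES, WC, WR = 240, 3, 24
COLS, M = gallager_ldpc(N_FEATURES, WC, WR, seed=1687)
WINDOW = {5: 2, 17: 1, 200: 4}      # instrument index -> accesses in this window

if __name__ == "__main__":
    y = reduce_features(COLS, M, WINDOW)
    print(f"{N_FEATURES} features -> {M} ({1 - M / N_FEATURES:.1%} removed)")
    print("reduced vector:", y)
```

Running `collisions` over a recorded set of legitimate windows before training shows whether a chosen matrix merges inputs the detector must keep apart.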
