New Scan-Based Attack Using Only the Test Mode and an Input Corruption Countermeasure

Scan-based design-for-testability, which improves access and thus test quality, is highly vulnerable to scan attacks. While the scan design enables in-field test to provide debug capabilities, an attacker can leverage the test mode to leak the secret key of the chip. The scan attack can be thwarted by a simple defense that resets the data upon a switch from the normal mode to the test mode. We proposed a new class of scan attack in [15] that uses only the test mode of a chip, circumventing this defense. In this book chapter we extend our earlier work by introducing case studies to explain this new attack in greater detail. Furthermore, we study the effectiveness of existing countermeasures in thwarting the attack and propose a new input corruption countermeasure that requires a smaller area overhead than the existing countermeasures.

[1] Ramesh Karri, et al. New scan-based attack using only the test mode, 2013, 2013 IFIP/IEEE 21st International Conference on Very Large Scale Integration (VLSI-SoC).

[2] Giorgio Di Natale, et al. A scan-based attack on Elliptic Curve Cryptosystems in presence of industrial Design-for-Testability structures, 2012, 2012 IEEE International Symposium on Defect and Fault Tolerance in VLSI and Nanotechnology Systems (DFT).

[3] Rodham E. Tulloss, et al. The Test Access Port and Boundary Scan Architecture, 1990.

[4] Kaisa Nyberg. Generalized Feistel Networks, 1996, ASIACRYPT.

[5] Ingrid Verbauwhede, et al. Differential Scan Attack on AES with X-tolerant and X-masked Test Response Compactor, 2012, 2012 15th Euromicro Conference on Digital System Design.

[6] Rohit Kapur. Security vs. test quality: are they mutually exclusive?, 2004.

[7] Giorgio Di Natale, et al. Scan Attacks and Countermeasures in Presence of Scan Response Compactors, 2011, 2011 Sixteenth IEEE European Test Symposium.

[8] Roy Paily, et al. RFID Circuit Design with Optimized CMOS Inductor for Monitoring Biomedical Signals, 2007, 15th International Conference on Advanced Computing and Communications (ADCOM 2007).

[9] Giorgio Di Natale, et al. On-chip test comparison for protecting confidential data in secure ICs, 2012, 2012 17th IEEE European Test Symposium (ETS).

[10] Nozomu Togawa, et al. Scan-Based Side-Channel Attack against RSA Cryptosystems Using Scan Signatures, 2010, IEICE Trans. Fundam. Electron. Commun. Comput. Sci.

[11] G. Sengar, et al. An Efficient Approach to Develop Secure Scan Tree for Crypto-Hardware, 2007, 15th International Conference on Advanced Computing and Communications (ADCOM 2007).

[12] Ramesh Karri, et al. Secure Scan: A Design-for-Test Architecture for Crypto Chips, 2006, IEEE Trans. Comput. Aided Des. Integr. Circuits Syst.

[13] Ramesh Karri, et al. New scan attacks against state-of-the-art countermeasures and DFT, 2014, 2014 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST).

[14] Ramesh Karri, et al. Scan based side channel attack on dedicated hardware implementations of Data Encryption Standard, 2004.

[15] Giorgio Di Natale, et al. A New Scan Attack on RSA in Presence of Industrial Countermeasures, 2012, COSADE.

[16] Nozomu Togawa, et al. Scan-based attack against elliptic curve cryptosystems, 2010, 2010 15th Asia and South Pacific Design Automation Conference (ASP-DAC).

[17] Ingrid Verbauwhede, et al. Security Analysis of Industrial Test Compression Schemes, 2013, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[18] Ramesh Karri, et al. Test-mode-only scan attack using the boundary scan chain, 2014, 2014 19th IEEE European Test Symposium (ETS).

[19] Yu Liu, et al. Scan-based attacks on linear feedback shift register based stream ciphers, 2011, TODE.

[20] Giorgio Di Natale, et al. Are advanced DfT structures sufficient for preventing scan-attacks?, 2012, 2012 IEEE 30th VLSI Test Symposium (VTS).

[21] Michel Renovell, et al. Scan Design and Secure Chip, 2004, IOLTS.

[22] Bruno Rouzeyre, et al. Test control for secure scan designs, 2005, European Test Symposium (ETS'05).