Manufacturing Test Of Secure Devicesdinatale/Tutorial_Test_Security.pdfApple TV – Access to JTAG...

Giorgio Di Natale, LIRMM

Manufacturing Test Of Secure Devices Introduction to Manufacturing Testing and Scan Attacks

Giorgio Di Natale, CNRS (LIRMM, Montpellier)

Other contributors: Jean Da Rolt, Marion Doulcier, Marie-Lise Flottes, Bruno Rouzeyre


License Information

This work is licensed under the Creative Commons BY-NC License

To view a copy of the license, visit:

http://creativecommons.org/licenses/by-nc/3.0/legalcode

2


Disclaimer

•  We disclaim any warranties or representations as to the accuracy or completeness of this material

•  Materials are provided “as is” without warranty of any kind, either express or implied, including without limitation, warranties of merchantability, fitness for a particular purpose, and non-infringement

•  Under no circumstances shall we be liable for any loss, damage, liability or expense incurred or suffered which is claimed to have resulted from use of this material

3


Goals

•  Presenting some of the major issues related to digital testing

•  Presenting the industrial test solutions

•  Describing the antithesis between test and security

•  Presenting the known attacks exploiting test infrastructures

4

Security Test


Outline

•  Digital Testing –  Why testing –  Historical evolution –  The basic approach to test –  Scan-based design

•  Test of Secure Devices –  Why testing –  Scan-based attacks –  Introduction to countermeasures

5


DIGITAL TESTING

6


Why should I test ?

7


“If anything can go wrong … … it will !”

[Murphy]

8


“All customers are named Murphy !”

[Any test engineer]

9


Manufacturing Process

•  Manufacturing process of integrated circuit is not totally controlled: –  Dust, physical mechanisms, spot defect (open fault,

short fault, …) –  Process variability (oxide thickness, threshold tension,

electrical parameters variability, …) –  Assemblage faults (interconnections between chip and

board, chip and substrate, or die and die)

10


Short

Short Short

Examples of defects

11


Historical Evolution

•  From “First design then test”…

•  …to “Design & Test” –  Design for Testability, i.e., modifying the logic in a way

to make it easily testable

•  Examples: –  Built-In Self-Test (BIST): modifying the logic in a way to

make it capable of testing itself –  Built-In Self-Repair (BISR): modifying the logic in a way

to make it capable of repairing by itself –  Scan-based Design: modifying the sequential elements

so that they can be easily controllable and observable

12


=?

Reference System

Target Device Under Test

(DUT)

The basic approach to Testing

A proper sequence of

values

Good / Faulty indication

13


Some definitions

•  Test Vector –  Set of values that, at a given instant, are applied to the

DUT

•  Test Sequence (or Test Pattern) –  Sequences of values to be applied to the DUT

14


From Functional Testing…

4-bit Counter TC Output

Enable Clock

4

Reset

15


…to bigger circuits

32-bit Counter TC Output

Enable Clock

32

Reset

16


Scan-based Design

FF

FF

FF

...

...

... Primary

Inputs Primary Outputs

Observability of all states

... ...

Combinational Logic

Scan Enable

Scan In

Scan Out

Controllability of all states

17


Test procedure with scan design

18

Shift In (Scan-Enable=1) Shift Out (Scan-Enable=1)

Capture (Scan-Enable=0)

#L clock cycles #L clock cycles

Clock frequency is not realistic. Scan operations @ ≈ 50MHz


Multiple Scan Chains

19


Partial Scan

•  Only some FFs are connected to the scan chains

20


Test Data Compression

21


JTAG

22


Manufacturing Testing - Conclusion

•  Manufacturing testing necessary to identify defective chips

•  Test solutions based on the increasing of controllability and observability of internal nodes

23


TEST OF SECURE DEVICES

24

scan-in scan-out


Scenario: Test of digital ICs

•  Testing is mandatory to guarantee high quality of digital ICs

•  A defective secure device may jeopardize the overall security

D QD Q

D QD Q

D QD Q

D QD Q

PI PO

scan-in scan-out

scan-enable

25


Scan-chain attack on AES

•  AES –  Secure after 10 rounds

•  Hypothesis: –  Round-register belongs

to the scan chain –  Attacker controls test mode –  Deterministic circuit –  Other FFs belong to the scan

chain

•  Attack: –  Accessing the scan chain

after the first round

SubBytes

ShiftRows

MixColumns

Round

Key Generati

on

PlainText – 128 bits

CipherText – 128 bits

Secret Key 128 bits

b

c

d

e

f

a

ScanIn Register Other FFs

ScanOut

26


Differential Scan Attack

•  2 vectors per step

•  For each vector: –  Reset –  Normal mode,

until first round –  Test mode, to

shift out the response

ScanOut

SubBytes

ShiftRows

MixColumns

Round

Key Generation

Vector 1


Secret Key 128 bits

b1

c1

d1

e1

f1

a1

ScanIn

Register Other FFs

x1

27


Differential Scan Attack

ScanOut

SubBytes

ShiftRows

MixColumns

Round

Key Generation

Vector 2


Secret Key 128 bits

b2

c2

d2

e2

f2

a2

ScanIn

Register Other FFs

x2

f1 x1

•  2 vectors per step

•  For each vector: –  Reset –  Normal mode,

until first round –  Test mode, to

shift out the response

28


Avoiding other FFs

Register Other FFs

x2

Register Other FFs

x1 f1

f2

…00000000000… f1 xor f2

•  Hypothesis: –  Other FFs are independent of the plaintext –  Deterministic circuit –  After one round, they have always the same value

•  Solution: XORing the output response

SubBytes

ShiftRows

MixColumns

Round

Key Generation

PlainText – 128 bits


Secret Key 128 bits

b

c

d

e

f

a

Register

= (e1 xor K) xor (e2 xor K)

= e1 xor e2

29


Focusing on a smaller key

MixColumns MixColumns MixColumns MixColumns

Add

Roun

dKey

AddInitialKey

S S S S S S S S S S S S S S S S

Shi

ftRo

ws

30



MixColumns

S S S S

MixColumns MixColumns MixColumns

S S S S S S S S S S S S

Constant for the two computations

31



32

S S S S

MixColumns

(a1,a2) Constant

k

(o1,o2) è It depends on 8 bits of the secret

(b1,b2)


Avoiding the chain

•  Position of FFs within the scan chain is not known

•  OutScanChain = array [N]

•  We need a function such that: •  p = f (OutScanChain) •  f : array à number

33


Hamming Distance

S S S S

MixColumns

(a1,a2) Constant

HD12

k

(o1,o2) è

(b1,b2)

(b1, b1 XOR 1)

b1 = 226 b1 = 242

b1 = 122

b1 = 130

34


Signature Attack

S S S S

MixColumns

(a1,a2) Constant

Load input pairs...

Observe the output difference HD

HD12

(a1,a2)

HD12

(a3,a4)

HD34

(a5,a6)

HD56

(a7,a8)

HD78

SIGNATURE

k

(o1,o2) è

35


Simulating all keys: Signature Table

•  Signature depends on the key guess

•  Signature table consists of the signature for each key

•  Goal: have unique signatures!

Observed difference

Input Pairs

Guessed Key K1

K2

K3

KN

P1 P2 P3 PM

Signature

HD11 HD12 HD13 HD1M HD21 HD22 HD23 HD2M HD31 HD32 HD33 HD3M HDN1 HDN2 HDN3 HDNM

S S S S

MixColumns

(a1, a2)

HD

k

36


Unique Signatures

•  Measured signature: –  must correspond to only one key

•  Input pairs: –  are chosen so the signatures are different –  E.g., randomly: between 12 and 20 pairs

37


Attack Summary

•  Signature table is created (possibly input pairs are optimized)

•  Input pairs are applied to the circuit

•  XOR of the 2 scan chains is calculated

•  Signature is generated

•  Look for the same signature in the table

The secret key is found!

38


APPLICATIONS

39


Single & Multiple Chains without Compression

•  The whole round-register is scanned-out

•  3 input pairs per key byte are enough

S S S S

MixColumns

(a1, a2) Constant

HD12

k

Signature is composed by Hamming Distances from 0 to 32

40


Compression

•  Used for reducing test time, I/O requirements –  No reduction of test coverage and diagnosis capability!

•  Round-register bits are not directly observable!

Chain 1

Chain 2

Chain 3

Chain N-1

Chain N

Slice

X O R

Output Bitstream

Scan In Scan Out

41


Attacking parity

•  Compress the output bitstream –  To just one bit (i.e., the parity of the whole scan chain)

Chain 1

Chain 2

Chain 3

Chain N-1

Chain N

X O R

Slice

Output Bitstream

FF

42


Signature Attack against Compression

•  Only the parity is observable


S S S S

MixColumns

(a1, a2) Constant

PD12

k

Signature is composed by a sequence of parity distances (0 or 1)

XOR

43


Observing a Subset

•  Only one bit is observable


S S S S

(a1, a2) Constant

O12

k

Signature is composed by a sequence of “bit” distances (0 or 1)

MixColumns

44


Advantage of observing a subset

•  Hypothesis: –  Other FFs are independent of the plaintext –  After one round they have always the same value

•  When this hypothesis is false –  Search for signature of bit 0 –  Between the bits that are changing

•  Useful for single and multiple chains without compression, and partial scan

observe 128 bits!

Register Other FFs

x2

Register Other FFs

x1 f1

f2

f1 xor f2 variable

45


A Real Threat???

iPhone 4 Pinout

Apple TV – Access to JTAG

XBOX 360 46


Countermeasures

•  Leave the scan chain unbound (fuses)

•  Built-In Self-Test

•  On-chip test comparison

•  Secure Test Access Mechanism

47


Countermeasures





48


Properties of Crypto-Algorithms

•  Confusion –  Making the relationship between the key and the

ciphertext as complex and involved as possible

•  Diffusion –  A change in a single bit of the plaintext should result in

changing the value of many ciphertext bits

49


Testability

•  Diffusion vs testability: –  every input bit influences many output bits (i.e. every

input bit is in the logic cone of many output bits) à the circuit is very observable

–  the input logic cone of every output contains many inputs

à each fault is highly controllable

•  Therefore these circuits are highly testable by nature no matter the implementations

50


Randomness

•  Diffusion and confusion de-correlate the output values from the input ones (both at encryption and round levels)

•  It has been demonstrated that by feeding back the output to the input, the generated output sequence has random properties. [ B. Schneier, Applied Cryptography, Second Ed., John Wiley and Sons, 1996 ]

•  AES/DES better than LFSR (proved by NIST tests)

•  Randomness also at round level

51


BIST Architecture

Round

Plain Text

Controller

Internal Register

First Opera+on

Last Opera+on

Output Register

Cipher Text

Round Key Generator

K1

f()

K2

f()

K3

Kn

K1

f()

K2

f()

K3

Kn

f()

52


Countermeasures





53


On-Chip Test Comparison

ATE

SCAN OUTs

SCAN INs

FUNCTIONAL I/O

SCAN ENABLE

Input Pa:erns

Expected Responses =

Fault/Diagnosis Information

ATE

SCAN OUT

SCAN IN

FUNCTIONAL I/O

SCAN ENABLE

Input Pa:erns

Expected Responses

Fault/Diagnosis Information

1 0 1

Sticky Mismatch

Comparator

EXPECTED RESPONSE

Results

pass/fail

54


Countermeasures




•  Secure Test Access Mechanism –  …next class

55


CONCLUSIONS

56


Conclusions

•  Digital Test –  Necessary for secure devices

•  Scan based testing –  Efficient and de-facto standard, but not compatible with

security

•  Countermeasures –  Avoiding scan chains reduces the test quality

• Diagnostic •  In-field testing

–  Secure Test Access Mechanism required

57


Further readings

Amitabh Das, Jean Da Rolt, Giorgio Di Natale, Marie-Lise Flottes, Bruno Rouzeyre, Ingrid Verbauwhede Test versus Security: Past and Present, IEEE Transactions on Emerging Topics in Computing Jean Da Rolt, Giorgio Di Natale, Marie-Lise Flottes, Bruno Rouzeyre Thwarting Scan-Based Attacks on Secure-ICs with On-Chip Comparison, IEEE Transaction on VLSI, DOI: 10.1109/TVLSI.2013.2257903 Amitabh Das, Jean Da Rolt, Santosh Ghosh, Stefaan Seys, Sophie Dupuis, Giorgio Di Natale, Marie-Lise Flottes, Bruno Rouzeyre, Ingrid Verbauwhede Secure JTAG Implementation Using Schnorr Protocol, Journal of Electronic Testing (JETTA), Springer, DOI: 10.1007/s10836-013-5369-9 Jean Da Rolt, Giorgio Di Natale, Marie-Lise Flottes, Bruno Rouzeyre A Novel Differential Scan Attack on Advanced DFT Structures, ACM Transactions on Design Automation of Electronic Systems, Volume 18, Issue 4, October 2013, Article No. 58, DOI: 10.1145/2505014 Jean Da Rolt, Amitabh Das, Santosh Ghosh, Giorgio Di Natale, Marie-Lise Flottes, Bruno Rouzeyre and Ingrid Verbauwhede Scan Attacks on Side-channel and Fault Attack Resistant Public-key Implementations, Journal of Cryptographic Engineering, November 2012, Volume 2, Issue 4, pp 207-219, DOI: 10.1007/s13389-012-0045-z G. Di Natale, M. Doulcier, M. L. Flottes, B. Rouzeyre Self-Test Techniques for Crypto-Devices, IEEE Transaction on VLSI Systems, pp. 1-5, February 2010, Volume:18, Issue: 2, DOI: 10.1109/TVLSI.2008.2010045

58


Further readings

Yang, B. and Wu, K. and Karri, R. Scan based side channel attack on dedicated hardware implementations of Data Encryption Standard 2004 International Conferece on Test Nara, R. and Togawa, N. and Yanagisawa, M. and Ohtsuki, T. Scan-based attack against elliptic curve cryptosystems 2010 Asia and South Pacific Design Automation Conference Nara, R. and Satoh, K. and Yanagisawa, M. and Ohtsuki, T. and Togawa, N. Scan-Based Side-Channel Attack against RSA Cryptosystems Using Scan Signatures IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, number = 12, pages = 2481–2489 Liu, Yu and Wu, Kaijie and Karri, Ramesh Scan-based attacks on linear feedback shift register based stream ciphers, ACM Transactions on Design Automation of Electronic Systems, volume = 16, year = 2011 Sk Subidh Ali, Ozgur Sinanoglu, Ramesh Karri Test-Mode-Only Scan Attack Using the Boundary Scan Chain 2014 19th IEEE European Test Symposium (ETS)

59

Date post:	27-Jul-2020
Category:	Documents
Upload:	others
View:	1 times
Download:	0 times

Manufacturing Test Of Secure Devicesdinatale/Tutorial_Test_Security.pdfApple TV – Access to JTAG...

Documents