Security issues in VLSI testing

Abstract

VLSI as a form of testing is a practical requirement that requires a high degree of caution to

ensure that the features enhancing testability execute maximum security. There is a possibility

that breaching can occur in the process of testing security leading to leaking of confidential data

and reduced protection of the intellectual property. This paper provides an overview of security

issues experienced during testing while particularly centering on the scan technique. Issues such

as test hazards, design challenge, and attackers are discussed into details. Along with this, the

paper gives another overview of the countermeasures that have been currently published and

finally a conclusion is given based on the best countermeasure to adopt based on cost parameters.

Introduction

In the recent years, circuit testing from an integrated point of view has emerged as a

security concern. It is worth noting that keen observation and controllability are two critical

components required for testability to prove effective. However, this is not the case when it

comes to security. It has been proven that techniques for standard design and testing can be used

to jeopardize the confidentiality of data and any intellectual property affiliated with it. In a

similar way, the structures used for testing can cause information breach regarding the chip

design. A third party can end up using the controllability from the test structures to obtain to

insert malicious data into the system or generally force the system into a state of being insecure.

It is, therefore, important to question how to achieve a higher quality in testing without

compromising the security of the circuit. Firstly, it would appear that built-in self-test (BIST) is

a magnificent technique for security risk mitigation caused by testability. Nevertheless, there are

some demerits that come along with it from the perspectives of hardware, diagnostic errors, and
security. Thus, another technique referred to as scan path is commonly used by testing

communities Over the recent years; there has been debate regarding how to proficiently secure

the scan technique. Security schemes need to mesh well with the tools used for design for test

(DfT). Furthermore, integrators of System-On-Chip (SoC) interact more with third party

providers of intellectual property (IP) leading to various questioning such as; What are the

assumptions made regarding the degradation of SoC by IP? How can DfT of the IP be

successfully integrated during the integration of SoC? and finally, how sure are we that the

infrastructure test from SoC will not be utilized in the attack of IP particularly from the point of

view of IP provider? This paper focuses on looking at some of the security challenges affiliated

with the testing of VLSI and some of the countermeasures that can be adopted based on the

available literature.

Problems of security testing

Test hazards: Bo Yang, Kaijie Wu, & Ramesh Karri (2005) present a new form of attack

on side channel against Data Encryption Standard (DES) through exploring the observability that

mechanism of scan chain provides. From these attacks, a possible inference is drawn stating that

incorporation of structures for testing which is scan-based in a crypto circuit present a

fundamental susceptibility for the circuit. Such an attack comprises unloading of the scan chain

at various stages of the algorithm among other practices. Features of testing can also be used to

compromised security in less spectacular ways.

Protection of intellectual property (IP) as discussed by Chakraborty & Bhunia (2009)

forms a fundamental concern in the design of SoC. An antagonist can exploit the structures used

for testing to obtain information related to the design. In fact, scan test features from a

magnificent tool that can be used for reversed engineering. In addition, the features could be
used as points of entry to create a chip containing malicious data or obtain particular information

related to design that can enhance repeat attack. From another perception, the possibility of

activating the scan chain can provide means for viability in the random injection. Following the

security hazards noted in the testing of IC, it has become important for any DfT technique to be

used to meet 3 criteria namely protected test mode restricted only to the privileged user,

managing leakage of confidential information, and managing malicious data insertion. These

three are aimed at ensuring no leakage of information occurs via a scan chain, and no data

insertion becomes possible via the scan path. Two distinct modes can be used to achieve security

for SoC namely functional and test mode In the test mode; there is permission to use all the test

particulars leading to permanent alteration of the IC so that they can just work in the functional

mode or require authentication to get back the test mode. Thus, leading to more benefits of

security.

The Attackers: making ICs secure is done based on the profile of an attacker. Various

attacker profiles may be identified based on test-based attacks. These include authorized test

engineer, in the field hacker, and IP provider. The first two categories are not that much

impacting. An attacker particularly based on the second part of the infield hacker would desire to

gain access to both the test mode and the functional mode thereby begging the question how best

would an individual activate the test mechanism? An attacker would basically want to merge the

two modes to enhance access to test qualities while the chip is in user mode. A test architecture

for SoC comprises a controller test and a test access mechanism (TAM). The controller test is

linked up to the tester and provides data from scanning through the TAM. Hackers use the

controller test to penetrate the IP via internal chain scan. However, in a case where the controller

test is highly protected against attackers, the attackers can still use direct attacks using brute
force techniques such as die probing. The success of such an attack is, however, minimum as it

needs a higher level of experience and proficient tools. Attackers particularly the hackers

alternatively introduce stress factors to trigger the internal errors of a design that lead to the

activation of test mechanisms. Various means can be used to induce the errors such as using

voltage, optical or electromagnetic. From such a perspective, two forms of attack can be

considered namely Protocol and Brute Force attack. Although there could also be infiltrated

attack where the attacker sniffs, recreates or introduces data on the test bus using a core in the

chip.

Design challenges: protecting the confidentiality of data from hazards of testing is a

common and almost achievable thing for the test engineers and designers. It is important to

enhance high test coverage since flaws in production could result in system malfunction which

could pose security hazard especially when using the system. Already, there is a high-test

coverage for efforts regarding the development of IC. Similarly, certification of security needs

and evaluation based on quantitative analysis of the test coverage noted in the certification

process. DfT is a very quantitative process and well automated, thus more barriers of security can

fit into the common tools of DfT like scan insertion and generation of automated test pattern.

Furthermore, most contemporary SoC contains several modules of IP which adhere to predefined

regulations so that their interfaces used for testing can easily merge with the SoC. Eventually, it

is important to take note of security and economics in the process of designing. Security would

enhance verification of the design while the economics would utilize less die area and power.

Test affiliated with production is expensive for the VLSI production process. From the

perspectives of security enhancements, there should be no complication during the process of

testing such as heightening time or increasing the equipment complexity used for the automated

test. The following parameters, therefore, characterize the techniques used in DfT:

Coverage of the test and its penalty.

Tool compatibility and penalty of the design.
Resisting attack against the protocol.
Resisting the attack categorized as Brute.

Control measures

From the available literature, several techniques have been proposed to mitigate the

hazards arising due to insecurity in testing. These measures deal with the test protocol, design of

the scan chain, and the generation of the test pattern.

Protocol Level: protection reinforcement through following the differentiation of the test

mode has been one of the approaches used by the SoC industry. The protocol for test solution

comprises the disabling of the test feature in user mode particularly during the addressing of

confidential data. In the pursuit of protecting data that a circuit processes Hly, Bancel, Flottes,

& Rouzeyre (2007) proposes that it is important for the test protocol to be modified prior to

entering the test mode in order to reset the circuit completely. If this is done correctly then scan-

in, scan-out, and capture processes can be done. Then before getting back to the functional mode,

the circuit should be reset to see to it that no data is entering through the scan path. Also, there is

need to isolate confidential data from the chain performing the scan. This requires switching

between user and test mode (Yang, Wu, & Karri, 2006). Another counter measure is through

using a crypto-based scheme for protecting the interfaces of JTAG against attacks of protocol

level such as sniffing confidential data this has added benefit related to the authentication of

chips in the system (Rosenfeld & Karri, 2011).

Scan Chain-level protection: attackers can strive to activate the scan chain through

bypassing the logic controlling the switch existing between the user and functional mode for
instance in probing attack. Such forms of attack can be controlled by using scan data scrambling

technique. However, during a brute-force attack on a scan chain, there is a possibility that the

scrambling can end up being ineffective, thus the protection can be determined by the length of

the scrambled part. Therefore, it is important to add more protection aimed at ensuring that there

is no activation of scan path in user mode

Communication Security for test channel: it is important to test all the cores in an SoC

and communicate the responses of these tests to the tester irrespective of which testing is used. In

a case where the cores of the SoC are untrustworthy, the shared wiring can end up becoming a

security problem. Relying on the details of the shared wiring implementation it is easy to

experience infiltration by a malicious core which can cause interference with the communication

channel between the test controller and the beginning victim core. It is possible to mitigate such

a threat using crypto techniques on the test bus. Rosenfeld & Karri (2011) suggest an architecture

that can be used to create a secured test communication between a test controller and the cores in

SoC with the main idea of taking advantage of the little knowledge of the circuitry in the core of

third party IP.

Pattern Watermarking: this is an efficient way of implementing protection in the scan

chain. It is worth noting that during scanning the scan chain is always enabled, but with each

scanning, it is important to take note of the data in order to determine whether to authorize or

reject the incoming scan operations. From another perspective, adding some flip-flops in the scan

path and then switching the circuit to test mode can be a way of performing a countermeasure,

but only through the utilization of appropriate sequence (Paul, Chakraborty, & Bhunia, 2007).

Conclusively, the security issues surrounding the scan-based test in the contemporary

VLSI have been discussed at length. The various techniques that can be used for mitigation have
been looked at based on the literature available supporting them. It is important to take note of

the strengths and weaknesses affiliated with this mitigation techniques so as to come up with the

best technique for use. All in all, there is no universal solution that can be used to provide

protection against that security threats for arbitrary protection as far as cos is concerned.

Designers have to take note of the security concerns they wish to mitigate and the price they

wish to pay before choosing an appropriate countermeasure.

 References

Bo Yang, Kaijie Wu, & Ramesh Karri, (2005). Scan based side channel attack on dedicated

hardware implementations of Data Encryption Standard. 2004 International Conference

On Test. http://dx.doi.org/10.1109/test.2004.1386969

Chakraborty, R. & Bhunia, S. (2009). HARPOON: An Obfuscation-Based SoC Design

Methodology for Hardware Protection. IEEE Transactions On Computer-Aided Design

Of Integrated Circuits And Systems, 28(10), 1493-1502.

http://dx.doi.org/10.1109/tcad.2009.2028166

Hly, D., Bancel, F., Flottes, M., & Rouzeyre, B. (2007). Securing Scan Control in Crypto

Chips. Journal Of Electronic Testing, 23(5), 457-464. http://dx.doi.org/10.1007/s10836-

007-5000-z

Lee, J., Tehranipoor, M., Patel, C., & Plusquellic, J. (2007). Securing Designs against Scan-

Based Side-Channel Attacks. IEEE Transactions On Dependable And Secure

Computing, 4(4), 325-336. http://dx.doi.org/10.1109/tdsc.2007.70215

Paul, S., Chakraborty, R., & Bhunia, S. (2007). VIm-Scan: A Low Overhead Scan Design

Approach for Protection of Secret Key in Scan-Based Secure Chips. 25Th IEEE VLSI

Test Symposium (VTS'07). http://dx.doi.org/10.1109/vts.2007.89

Rosenfeld, K. & Karri, R. (2011). Security-aware SoC tests access mechanisms. 29Th VLSI Test

Symposium. http://dx.doi.org/10.1109/vts.2011.5783765

Yang, B., Wu, K., & Karri, R. (2006). Secure Scan: A Design-for-Test Architecture for Crypto

Chips. IEEE Transactions On Computer-Aided Design Of Integrated Circuits And

Systems, 25(10), 2287-2293. http://dx.doi.org/10.1109/tcad.2005.862745