Jennifer Dworak

Don't forget to lock your SIB: Hiding instruments using P16871

IEEE P1687 is a valuable tool for accessing on-chip instruments during test, diagnosis, debug, and board configuration. However, most of these instruments should not be available to an end user in the field. We propose a method for hiding instruments in a P1687 network that utilizes a “locking” segment insertion bit (LSIB) that can only be opened when pre-defined values, corresponding to a key, are present in particular bits in the chain. We also introduce “trap” bits, which can further reduce the effectiveness of brute force attacks by permanently locking an LSIB when an incorrect value is written to the traps update register. Only a global reset will allow the LSIB to become operable again. In this paper, we investigate the cost and effectiveness of LSIBs and traps in several different configurations and show that these relatively small modifications to the P1687 network can make undocumented instrument access exceedingly difficult.

A call to action: Securing IEEE 1687 and the need for an IEEE test Security Standard

Todays chips often contain a wealth of embedded instruments, including sensors, hardware monitors, built-in self-test (BIST) engines, etc. They may process sensitive data that requires encryption or obfuscation and may contain encryption keys and ChipIDs. Unfortunately, unauthorized access to internal registers or instruments through test and debug circuitry can turn design for testability (DFT) logic into a backdoor for data theft, reverse engineering, counterfeiting, and denial-of-service attacks. A compromised chip also poses a security threat to any board or system that includes that chip, and boards have their own security issues. We will provide an overview of some chip and board security concerns as they relate to DFT hardware and will briefly review several ways in which the new IEEE 1687 standard can be made more secure. We will then discuss the need for an IEEE Security Standard that can provide solutions and metrics for providing appropriate security matched to the needs of a real world environment.

Board security enhancement using new locking SIB-based architectures

Circuit boards are especially vulnerable to security attacks. Many routes and pins can be probed directly. Other pins may be controlled and observed through the JTAG boundary scan port. The JTAG port may also provide access to each chips internal scan chains. Furthermore, modern chips may include embedded instruments that can be accessed through the chips JTAG port and an internal IEEE P1687 scan network. If accessed by an attacker, these instruments may allow data to be leaked from the chips themselves or allow the attacker to drive other chips on the board. Finally, FPGA firmware is often stored in on-board memories and must be protected to prevent IP theft. In this paper, we describe some of the security issues facing boards. We then describe new chip access protocols that harness the use of licensed software and locking segment insertion bits (LSIBs) for secure Chip ID extraction. These methods enable authorized access while helping to prevent unauthorized access and counterfeiting of chips and IP on the board.

Enhancing online error detection through area-efficient multi-site implications

We present a new method to identify multi-site implications that can significantly increase the fault coverage of error-detecting hardware without increasing the area overhead. This method intelligently divides the input space about the functions of internal circuit sites and finds new valuable implications that can share gates in checker logic.

Making it harder to unlock an LSIB: Honeytraps and misdirection in a P1687 network

Todays chips often contain a wealth of embedded instruments and data, including sensors, hardware monitors, built-in self test (BIST) engines, and chip IDs, among others. IEEE P1687 was specifically designed to provide access to such instruments in an efficient manner, and some companies are already implementing the proposed standard on their chips. However, while instruments provide valuable information and features to authorized users who need to harness them for test, debug, diagnosis, and possibly counterfeit detection, it may be desirable to restrict unauthorized access to certain instruments through the P1687 network. Previous work proposed replacing some of the segment insertion bits (SIBs), which add scan path segments in a P1687 network, with locking SIBs (LSIBs). LSIBs use the data that is naturally scanned through the network as keys to hide instruments from attackers. However, that previous work did not investigate many of the techniques and structures that can be used to significantly increase the time an attacker is likely to need to unlock LSIBs and gain access to hidden instruments. In this work, we explore some of these techniques and show how simple modifications to a P1687 network protected with LSIBs can significantly increase the difficulty an attacker faces in attempting to access protected instruments.

Using implications to choose tests through suspect fault identification

As circuits continue to scale to smaller feature sizes, wearout and latent defects are expected to cause an increasing number of errors in the field. Online error detection techniques, including logic implication-based checker hardware, are capable of detecting at least some of these errors as they occur. However, recovery may be expensive, and the underlying problem may lead to multiple failures of a core over time. In this article, we will investigate the diagnostic capability of logic implications to identify possible failure locations when an error is detected online. We will then utilize this information to select a highly efficient test set that can be used to effectively test the identified suspect locations in both the failing core and in other identical cores in the system.

Dynamic Test Set Selection Using Implication-Based On-Chip Diagnosis

We propose using logic implications as a source of online diagnostic data for on-chip test set selection by taking advantage of their ability to automatically identify a restricted set of faults as the potential cause of an observed error. This information will be used to dynamically choose a test set to detect systematic latent defects or wear out in a multi core system.

A case study: Leverage IEEE 1687 based method to automate modeling, verification, and test access for embedded instruments in a server processor

IEEE 1149.1-based top-level access to IEEE 1500-compliant IP cores is commonly used in industrial designs as the underlying infrastructure to provide test access, control, instrumentation, and ease of use. Validating the test infrastructure and its usage in the early design stages is critical to the success of the project. The new Internal Joint Test Action Group (IJTAG or IEEE 1687-2014) standard is a valuable component of this test infrastructure and is designed to promote efficient embedded instrument access. This paper describes one of first comprehensive applications of an IJTAG-based method to a state-of-the-art server microprocessor design from specification to production. We leveraged IJTAG to automate design modeling, enable faster and more advanced verification, and optimize manufacturing test access. In this work, we demonstrate a very high degree of optimization and automation, which is cost-efficiently enabled by IJTAG, and goes beyond the capabilities of typical in-house IJTAG-like system, currently in use in industry.

Repairing a 3-D Die-Stack Using Available Programmable Logic

3-D die-stacks hold great promise for increasing system performance, but difficulties in testing dies and assembling a 3-D stack are leading to yield issues and slowing the large scale manufacturing of these devices. In many cases, a single defective die will kill the entire stack. To help mitigate this issue, we explore the possibility of repairing a stack that contains a defective die by utilizing an field programmable gate array (FPGA) that has already been included in the stack for other purposes, such as performance enhancement. Specifically, we propose bypassing the defective portion of a nonprogrammable die by replacing the defective functionality with functionality on the FPGA. In this paper, we discuss what additional logic must be added to an Application-Specific Integrated Circuit (ASIC) die to allow such a bypass to occur. We then show through detailed simulation of a 2.5-D Xilinx FPGA how bypassing of logic can be achieved and throughput maintained even when the two different dies involved operate at different frequencies. Finally, we explore the performance of this technique in a superscalar, out-of-order processor, where different functional units are marked for replacement. Our simulation results show that not only can we salvage a device that would otherwise have to be discarded, but creating multiple copies of the defective partition in the FPGA can allow us to regain performance even when the latency of the units in the FPGA is longer than that of the original defective copy.

Ternary Logic Network Justification Using Transfer Matrices

A linear algebraic method is developed that allows for logic network justification problems to be solved. The method differs from previous techniques that require learning or solution space search techniques in that all possible justification solutions are determined through a single vector-matrix product calculation. The logic network is represented by a matrix that is defined as the justification matrix. It is shown that the justification matrix is simply the transpose of the network transfer matrix and is thus easily obtained through a traversal of the network netlist. Example justification calculations are provided.