Jim Plusquellic

A low-cost solution for protecting IPs against scan-based side-channel attacks

Scan designs used for testing also provide an easily accessible port for hacking. In this paper, we present a new low-cost secure scan design that is effective against scan-based side-channel attacks. By integrating a test key into test vectors that are scanned into the chip, testing and accessing scan chains are guaranteed to be allowed only by an authorized user. Any attempt to use the scan chain without a verified test vector will result in a randomized output preventing potential side-channel attacks. The proposed technique has a negligible area overhead, has no negative impact on chip performance, and places several levels of security over the scan chain protecting it from potential attacks

Securing Designs against Scan-Based Side-Channel Attacks

Traditionally, the only standard method of testing that has consistently provided high fault coverage has been scan test due to the high controllability and high observability this technique provides. The scan chains used in scan test not only allow test engineers to control and observe a chip, but these properties also allow the scan architecture to be used as a means to breach chip security. In this paper, we propose a technique, called Lock & Key, to neutralize the potential for scan-based side-channel attacks. It is very difficult to implement an all inclusive security strategy, but by knowing the attacker, a suitable strategy can be devised. The Lock & Key technique provides a flexible security strategy to modern designs without significant changes to scan test practices. Using this technique, the scan chains are divided into smaller subchains. With the inclusion of a test security controller, access to subchains are randomized when being accessed by an unauthorized user. Random access reduces repeatability and predictability making reverse engineering more difficult. Without proper authorization, an attacker would need to unveil several layers of security before gaining proper access to the scan chain in order to exploit it. The proposed Lock & Key technique is design independent while maintaining a relatively low area overhead.

Securing Scan Design Using Lock and Key Technique

Scan test has been a common and useful method for testing VLSI designs due to the high controllability and observability it provides. These same properties have recently been shown to also be a security threat to the intellectual property on a chip (Yang et al., 2004). In order to defend from scan based attacks, we present the lock & key technique. Our proposed technique provides security while not negatively impacting the designs fault coverage. This technique requires only that a small area overhead penalty is incurred for a significant return in security. Lock & key divides the already present scan chain into smaller subchains of equal length that are controlled by an internal test security controller. When a malicious user attempts to manipulate the scan chain, the test security controller goes into insecure mode and enables each subchain in an unpredictable sequence making controllability and observability of the circuit under test very difficult. We present and analyze the design of the lock & key techniques to show that this is a flexible option to secure scan designs for various levels of security

Defect detection using power supply transient signal analysis

Transient Signal Analysis is a digital device testing method that is based on the analysis of voltage transients at multiple test points. The power supply transient signals of an 8-bit multiplier are analyzed using both hardware and simulation experiments. The small signal variations generated at these test points are analyzed in both the time and frequency domain. A simple statistical procedure is presented that captures the variation introduced by defects while attenuating those variations introduced by process variations. The results of the analysis show that it is possible to distinguish between defect-free and defective devices in both simulation and hardware.

Digital integrated circuit testing using transient signal analysis

A novel approach to testing CMOS digital circuits is presented that is based on an analysis of I/sub DD/ switching transients on the supply rails and voltage transients at selected test points. We present simulation and hardware experiments which show distinguishable characteristics between the transient waveforms of defective and non-defective devices. These variations are shown to exist for CMOS open drain and bridging defects, located both on and off of a sensitized path.

Identification of defective CMOS devices using correlation and regression analysis of frequency domain transient signal data

Transient signal analysis is a digital device testing method that is based on the analysis of voltage transients at multiple test points and on I/sub DD/ switching transients on the supply rails. We show that it is possible to identify defective devices by analyzing the transient signals produced at test points on paths not sensitized from the defect site. The small signal variations produced at these test points are analyzed in the frequency domain. Correlation analysis shows a high degree of correlation in these signals across the outputs of defect-free devices. We use regression analysis to show the absence of correlation across the outputs of bridging and open drain defective devices.

IP-in-IP tunneling to enable the simultaneous use of multiple IP interfaces for network level connection striping

With ubiquitous computing and network access now a reality, multiple network conduits are become widely available to mobile as well as static hosts: for instance wired connections, 802.11 style wireless LANs, Bluetooth, and cellular phone modems. Selection of the preferred mode of data transfer is a dynamic optimization problem which depends on the type of application, its bandwidth/latency/jitter requirements, current network conditions (such as congestion or traffic patterns), cost, power consumption, battery life, and so on. Furthermore, since wireless bandwidth is likely to remain a scarce resource, we foresee scenarios wherein mobile hosts will require simultaneous data transfer across multiple IP interfaces to obtain higher overall bandwidth.We present a brief overview of existing work which enables the simultaneous use of multiple network interfaces and identify the applicability as well as strengths and weaknesses of these related approaches. We then propose a new mechanism to aggregate the bandwidth of multiple IP paths by splitting a data flow across multiple network interfaces at the IP level. We have analyzed the performance characteristics of our aggregation scheme and demonstrate significant gains when the network paths being aggregated have similar bandwidth and latency characteristics. In addition, our method is transparent to transport (TCP/UDP) and higher layers, and allows the use of multiple network interfaces to enhance reliability. Our analysis identifies the conditions under which the proposed scheme, or any other scheme that stripes a single TCP connection across multiple IP paths, can be used to increase throughput.

Impedance profile of a commercial power grid and test system

An impedance profile of a commercial power grid and a tester power distribution system is developed in this paper. The profile is used to identify the measurable frequency range of the power supply transient signals generated by a chip. Several resistance-capacitance (RC) models of the power grid are analyzed to determine the impact of each capacitance type. The impedance profile of a C4-based production testing environment is then developed. The impedance profile of the combined probe card and the power grid RC models illustrates the range of frequencies that are measurable at the supply ports of the chip-under-test (CUT). The results suggest that it is possible to measure the important frequency components of a chips power supply transients in a production test environment for use in fault detection and localization procedures. Conventional testing methods are challenged by changing circuit sensitivities and emerging defect mechanisms resulting from the use of new fabrication materials in very deep submicron processes [1]. For example, the change from a subtractive aluminum process to damascene Cu may lead to more particle-related blocked-etch resistive opens. Technology scaling also increases the probability of resis-tive vias caused by incomplete etch. The additional delays introduced by these types of resistive defects in combination with increased circuit sensitivity due to shorter clock cycles, reduced timing slack, crosstalk and PWR/GND bounce increase the likelihood of random defects causing delay fails. Similarly, hardware-based fault localization is challenged by increases in chip complexity as well as additional interconnection levels and the limitations on the spatial resolution of imaging technology. The increase in difficulty and cost of performing hardware physical failure analysis is likely to move it into a sampling/verification role. These trends continue to increase the importance of developing alternative software-based fault localization procedures. We believe that power supply testing methods are well aligned with these needs and others as described in the International Technology Roadmap for Semiconductors. In our previous work, a testing method is presented for fault detection that uses correlation analysis of multiple simultaneously measured power supply transient signals [2]. The transients at each of the supply ports of a chip-under-test (CUT) are cross-correlated to reduce the adverse effects of process variations on fault detection resolution. The multiple supply port measurements are analyzed for the regional signal anomalies introduced by defects. The regression analysis technique that we propose in [3] is able to detect anomalies in the ratios of the waveform …

Detecting delay faults using power supply transient signal analysis

A delay-fault testing strategy based on the analysis of power supply transient signals is presented. The method is an extension to a Go/No-Go device testing method called Transient Signal Analysis (TSA). TSA detects defects through the analysis of a set of power supply transient waveforms in the time or frequency domain, e.g., Fourier phase components. A recent extension to TSA demonstrated a correlation between the V/sub DDT/ Fourier phase components and path delays in defect-free devices. The method proposed here is able to detect increases in delay due to resistive shorting and open defects using a similar technique. In particular simulation results show that a delay defective device can be distinguished from a defect-free device through an anomaly in the Fourier phase correlation profile of the device.

Power supply transient signal analysis under real process and test hardware models

A device testing method called Transient Signal Analysis (TSA) is subjected to elements of a real process and testing environment in this paper. Simulation experiments are designed to determine the effects of process skew (obtained from measured parameters of a real process) on the accuracy of TSA in estimating path delays from power supply I/sub DDT/ and V/sub DDT/ waveforms. The circuit model is designed to test TSA under deep submicron process models that incorporate advanced parameters such as transistor V/sub t/ width dependencies. Modeling elements of a testing environment including the probe card are subsequently introduced as a means of evaluating the effects of tester measurement noise in an actual implementation.