Samah Mohamed Saeed
New York University
Publication
Featured research published by Samah Mohamed Saeed.
IFIP/IEEE International Conference on Very Large Scale Integration | 2013
Sk Subidh Ali; Ozgur Sinanoglu; Samah Mohamed Saeed; Ramesh Karri
Scan attack is a threat to crypto-chips. An attacker can leverage the test mode of the chip and control the scan chains in order to reveal the secret key. One solution for this kind of attack is to hamper the ability to switch the device from normal mode to test mode and corrupt the data in the scan cells. If the device is reset each time it switches the mode from normal to test, all existing attacks can be thwarted. We propose a new scan-based attack by controlling only the scan chains and demonstrate it on the AES hardware. The attack uses only the test mode of the hardware and it does not require switching between normal and test mode. The attack will work even in the presence of mode blocking countermeasure. The attack requires only 375 test vectors with an attack time complexity around $2^{12.58}$.
IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems | 2015
Sk Subidh Ali; Samah Mohamed Saeed; Ozgur Sinanoglu; Ramesh Karri
Scan design is a de facto design-for-testability (DfT) technique that enhances access during manufacturing test process. However, it can also be used as a back door to leak secret information from a secure chip. In existing scan attacks, the secret key of a secure chip is retrieved by using both the functional mode and the test mode of the chip. These attacks can be thwarted by applying a reset operation when there is a switch of mode. However, the mode-reset countermeasure can be thwarted by using only the test mode of a secure chip. In this paper, we perform a detailed analysis on the test-mode-only scan attack. We propose attacks on an advanced encryption standard (AES) design with a basic scan architecture as well as on an AES design with an advanced DfT infrastructure that comprises decompressors and compactors. The attack results show that indeed the secure chips are vulnerable to test-mode-only attacks. The secret key can be recovered within 1 s even in the presence of decompressors and compactors. We then propose new countermeasures to thwart these attacks. The proposed countermeasures incur minimal cost while providing high success rate.
Design, Automation, and Test in Europe | 2016
Muhammad Yasin; Samah Mohamed Saeed; Jeyavijayan Rajendran; Ozgur Sinanoglu
Logic encryption has been a popular defense against Intellectual Property (IP) piracy, hardware Trojans, reverse engineering, and IC overproduction. It protects a design from these threats by inserting key-gates that break the functionality when controlled by wrong keys. Researchers have made multiple attempts at breaking logic encryption and leaking its secret key, while they also proposed difficult-to-break logic encryption techniques. Mainly, state-of-the-art logic encryption techniques pursue two different models that differ in when the manufactured chips are activated by loading the secret key on the chip's memory: activation prior to manufacturing test (pre-test) versus subsequent to manufacturing test (post-test). In this paper, we shed light on the interaction between manufacturing test and logic encryption. We assess and compare the pre-test and post-test activation models not only in terms of the impact of logic encryption on test parameters such as fault coverage, test pattern count and test power consumption, but also in terms of the impact of manufacturing test on the security of logic encryption. We outline a test data mining attack that can successfully determine the logic encryption key of a pre-test activated chip by utilizing the test data.
IEEE Transactions on Very Large Scale Integration Systems | 2014
Samah Mohamed Saeed; Ozgur Sinanoglu
At-speed or even faster-than-at-speed testing of VLSI circuits aims for high-quality screening of the circuits by targeting performance-related faults. On one hand, a compact test set with highly effective patterns, each detecting multiple delay faults, is desirable for lower test costs. On the other hand, such patterns increase switching activity during launch and capture operations. Patterns optimized for quality and cost may thus end up violating peak-power constraints, resulting in yield loss, while pattern generation under low switching activity constraints may lead to loss in test quality and/or pattern count inflation. In this paper, we propose design for testability (DfT) support for enabling the use of a set of patterns optimized for cost and quality as is, yet in a low power manner; we develop three different DfT mechanisms, one for launch-off shift, one for launch-off capture, and one for mixed at-speed testing. The proposed DfT support enables a design partitioning approach, where any given set of patterns, generated in a power-unaware manner, can be utilized to test the design regions one at a time, reducing both launch and capture power in a design-flow-compatible manner. This way, the test pattern count and quality of the optimized test set can be preserved, while lowering the launch/capture power.
International On-Line Testing Symposium | 2013
Sk Subidh Ali; Samah Mohamed Saeed; Ozgur Sinanoglu; Ramesh Karri
Design for testability (DFT) is the most common testing technique used in the modern VLSI industries. However, when this technique is incorporated in a cryptographic circuit, it may open a back door to an attacker. The attacker can get access to the internal scan chains by switching the device from the normal mode to the test mode and then observe the chip content. The scan cells, which were originally used to enhance the testability, can thus be misused to access the intermediate results of the cryptographic algorithm running inside the chip. One countermeasure against such attacks is to reset the device whenever there is a switch from the normal mode to the test mode. In this work we are going to analyse this countermeasure and show that it is not completely secure against scan attack. We show that an attack is possible using only the test mode which will bypass the countermeasure.
VLSI Test Symposium | 2011
Samah Mohamed Saeed; Ozgur Sinanoglu
Transitions embedded in between consecutive stimulus/response bits toggle scan cells during shift operations. The consequent switching activity in the scan chains further propagates into the combinational logic, resulting in elevated power dissipation levels, and thus, endangering the reliability of the chip being tested. Based on the observation that the content of scan chains during shift operations is irrelevant and unimportant, we propose an expedited response compaction technique in order to reduce power dissipation during scan operations. Parallelized (and expedited) compaction operations help compress the entire capture response onto a single reference chain during the first portion of shift cycles, enabling a simultaneous constant-0 feed to all the remaining chains, in which no scan-out power is dissipated during the subsequent shift cycles. This DfT-based approach is nonintrusive for design flow, requires a very minor investment in area, and in turn delivers significant savings in test power. The proposed solution reduces test power without resorting to x-filling, enabling orthogonal x-filling techniques to be applied in conjunction, while retaining the observed responses intact. Experimental results justify the efficacy of the proposed technique in attaining test power reductions.
International Test Conference | 2014
Samah Mohamed Saeed; Sk Subidh Ali; Ozgur Sinanoglu; Ramesh Karri
Scan design is a de facto design-for-testability technique that enhances access during the manufacturing test process. However, it can also be exploited to leak secret information off a secure chip. A mode-reset countermeasure has been used to thwart all the existing scan attacks, as they all rely on switching between the test and normal modes. Recently, the countermeasure was circumvented by a new scan attack that utilizes only the test mode to identify the secret key of an AES chip. However, this test-mode-only attack has overlooked the other test structures, such as a decompressor and a compactor, on the scan path, which act as fortuitous countermeasures against test-mode-only scan attacks. In this work, we present a scan attack analysis for contemporary scan architectures with a stimulus decompressor unit. A stimulus decompressor poses a challenge for the test-mode-only attack, as the bit-flips required to launch the attack may not be created through the decompressor. The problem bears similarities to the test pattern encodability problem, where certain test cubes cannot be delivered due to the correlation induced by the stimulus decompressor. This paper sheds light on the intrinsic connections between the scan attack and the test pattern encodability problem, and presents a new test-mode-only scan attack in the presence of a decompressor of any type. Our analysis on an AES design shows that the proposed attack is successful for contemporary scan architectures. We also propose countermeasures that diminish the success of the proposed attack.
European Test Symposium | 2012
Samah Mohamed Saeed; Ozgur Sinanoglu
At-speed or even faster-than-at-speed testing of VLSI circuits aims at a high quality screening of VLSI circuits by targeting performance-related faults. On one hand, a compact test set with highly effective patterns, each detecting multiple delay faults, is desirable to lower test costs. On the other hand, such patterns increase switching activity during launch and capture operations. Patterns optimized for quality and cost may thus end up violating peak power constraints, resulting in yield loss, while pattern generation under low switching activity constraints may lead to loss in test quality and/or pattern count inflation. In this paper, we propose DfT support for enabling the use of a set of patterns optimized for cost and quality as is, yet in a low power manner. The DfT support we outline in this paper enables a design partitioning approach, where any given set of patterns, generated in a power-unaware manner, can be utilized to test the design regions one at a time, reducing both launch and capture power in a design flow compatible manner. This way, the test pattern count and quality of the optimized test set can be preserved, while lowering launch/capture power.
Hardware-Oriented Security and Trust | 2014
Sk Subidh Ali; Ozgur Sinanoglu; Samah Mohamed Saeed; Ramesh Karri
Scan attack has been known as a threat to Design for Testability (DFT). All the existing attacks require both the normal mode and the test mode of the device. In normal mode the intermediate results of a crypto-hardware are captured in scan chains and in the test mode the results are shifted out. One simple countermeasure for this kind of attack is to reset the device whenever there is a switch of the mode. A recent test-mode-only attack shows that the mode-reset countermeasure is insecure against scan attack. An attack is still possible using only the test mode of the device. However, the attack was presented without the presence of an on-chip test compactor. In this paper we propose a new test-mode-only attack on AES hardware which works in the presence of an on-chip response compactor. The proposed attack retrieves the secret key with negligible time complexity. The attack results show that DFT infrastructures with response compactor are vulnerable to scan attack even in the presence of mode-reset countermeasure.
IEEE Transactions on Very Large Scale Integration Systems | 2013
Samah Mohamed Saeed; Ozgur Sinanoglu; Sobeeh Almukhaizim
Test data compression is widely employed in scan design to tackle high test data volume (TDV) and test time problems. Given the number of scan-in pins available in automated test equipment, architectural decisions regarding the number of internal scan chains directly impact the compression level attained. While targeting an aggressive compression level by increasing the number of internal scan chains would reduce the TDV per encodable pattern, the cost of serially applying more patterns to restore the coverage loss offsets the compression benefits. Following up from our earlier work, we propose here a wide spectrum of predictive techniques for projecting the test cost of a given scan configuration for combinational xor-based decompression. The appropriate technique is selected by designers based on which stage the design is in, the design abstraction and the amount of information available, the permissible computational complexity of the techniques, and the accuracy of the projected optimal compression ratio.