Giorgio Di Natale, LIRMM
Manufacturing Test Of Secure Devices Introduction to Manufacturing Testing and Scan Attacks
Giorgio Di Natale, CNRS (LIRMM, Montpellier)
Other contributors: Jean Da Rolt, Marion Doulcier, Marie-Lise Flottes, Bruno Rouzeyre
Giorgio Di Natale, LIRMM
License Information
This work is licensed under the Creative Commons BY-NC License
To view a copy of the license, visit:
http://creativecommons.org/licenses/by-nc/3.0/legalcode
2
Giorgio Di Natale, LIRMM
Disclaimer
• We disclaim any warranties or representations as to the accuracy or completeness of this material
• Materials are provided “as is” without warranty of any kind, either express or implied, including without limitation, warranties of merchantability, fitness for a particular purpose, and non-infringement
• Under no circumstances shall we be liable for any loss, damage, liability or expense incurred or suffered which is claimed to have resulted from use of this material
3
Giorgio Di Natale, LIRMM
Goals
• Presenting some of the major issues related to digital testing
• Presenting the industrial test solutions
• Describing the antithesis between test and security
• Presenting the known attacks exploiting test infrastructures
4
Security Test
Giorgio Di Natale, LIRMM
Outline
• Digital Testing – Why testing – Historical evolution – The basic approach to test – Scan-based design
• Test of Secure Devices – Why testing – Scan-based attacks – Introduction to countermeasures
5
Giorgio Di Natale, LIRMM
DIGITAL TESTING
6
Giorgio Di Natale, LIRMM
Why should I test ?
7
Giorgio Di Natale, LIRMM
“If anything can go wrong … … it will !”
[Murphy]
8
Giorgio Di Natale, LIRMM
“All customers are named Murphy !”
[Any test engineer]
9
Giorgio Di Natale, LIRMM
Manufacturing Process
• Manufacturing process of integrated circuit is not totally controlled: – Dust, physical mechanisms, spot defect (open fault,
short fault, …) – Process variability (oxide thickness, threshold tension,
electrical parameters variability, …) – Assemblage faults (interconnections between chip and
board, chip and substrate, or die and die)
10
Giorgio Di Natale, LIRMM
Short
Short Short
Examples of defects
11
Giorgio Di Natale, LIRMM
Historical Evolution
• From “First design then test”…
• …to “Design & Test” – Design for Testability, i.e., modifying the logic in a way
to make it easily testable
• Examples: – Built-In Self-Test (BIST): modifying the logic in a way to
make it capable of testing itself – Built-In Self-Repair (BISR): modifying the logic in a way
to make it capable of repairing by itself – Scan-based Design: modifying the sequential elements
so that they can be easily controllable and observable
12
Giorgio Di Natale, LIRMM
=?
Reference System
Target Device Under Test
(DUT)
The basic approach to Testing
A proper sequence of
values
Good / Faulty indication
13
Giorgio Di Natale, LIRMM
Some definitions
• Test Vector – Set of values that, at a given instant, are applied to the
DUT
• Test Sequence (or Test Pattern) – Sequences of values to be applied to the DUT
14
Giorgio Di Natale, LIRMM
From Functional Testing…
4-bit Counter TC Output
Enable Clock
4
Reset
15
Giorgio Di Natale, LIRMM
…to bigger circuits
32-bit Counter TC Output
Enable Clock
32
Reset
16
Giorgio Di Natale, LIRMM
Scan-based Design
FF
FF
FF
...
...
... Primary
Inputs Primary Outputs
Observability of all states
... ...
Combinational Logic
Scan Enable
Scan In
Scan Out
Controllability of all states
17
Giorgio Di Natale, LIRMM
Test procedure with scan design
18
Shift In (Scan-Enable=1) Shift Out (Scan-Enable=1)
Capture (Scan-Enable=0)
#L clock cycles #L clock cycles
Clock frequency is not realistic. Scan operations @ ≈ 50MHz
Giorgio Di Natale, LIRMM
Multiple Scan Chains
19
Giorgio Di Natale, LIRMM
Partial Scan
• Only some FFs are connected to the scan chains
20
Giorgio Di Natale, LIRMM
Test Data Compression
21
Giorgio Di Natale, LIRMM
JTAG
22
Giorgio Di Natale, LIRMM
Manufacturing Testing - Conclusion
• Manufacturing testing necessary to identify defective chips
• Test solutions based on the increasing of controllability and observability of internal nodes
23
Giorgio Di Natale, LIRMM
TEST OF SECURE DEVICES
24
scan-in scan-out
Giorgio Di Natale, LIRMM
Scenario: Test of digital ICs
• Testing is mandatory to guarantee high quality of digital ICs
• A defective secure device may jeopardize the overall security
D QD Q
D QD Q
D QD Q
D QD Q
PI PO
scan-in scan-out
scan-enable
25
Giorgio Di Natale, LIRMM
Scan-chain attack on AES
• AES – Secure after 10 rounds
• Hypothesis: – Round-register belongs
to the scan chain – Attacker controls test mode – Deterministic circuit – Other FFs belong to the scan
chain
• Attack: – Accessing the scan chain
after the first round
SubBytes
ShiftRows
MixColumns
Round
Key Generati
on
PlainText – 128 bits
CipherText – 128 bits
Secret Key 128 bits
b
c
d
e
f
a
ScanIn Register Other FFs
ScanOut
26
Giorgio Di Natale, LIRMM
Differential Scan Attack
• 2 vectors per step
• For each vector: – Reset – Normal mode,
until first round – Test mode, to
shift out the response
ScanOut
SubBytes
ShiftRows
MixColumns
Round
Key Generation
Vector 1
CipherText – 128 bits
Secret Key 128 bits
b1
c1
d1
e1
f1
a1
ScanIn
Register Other FFs
x1
27
Giorgio Di Natale, LIRMM
Differential Scan Attack
ScanOut
SubBytes
ShiftRows
MixColumns
Round
Key Generation
Vector 2
CipherText – 128 bits
Secret Key 128 bits
b2
c2
d2
e2
f2
a2
ScanIn
Register Other FFs
x2
f1 x1
• 2 vectors per step
• For each vector: – Reset – Normal mode,
until first round – Test mode, to
shift out the response
28
Giorgio Di Natale, LIRMM
Avoiding other FFs
Register Other FFs
x2
Register Other FFs
x1 f1
f2
…00000000000… f1 xor f2
• Hypothesis: – Other FFs are independent of the plaintext – Deterministic circuit – After one round, they have always the same value
• Solution: XORing the output response
SubBytes
ShiftRows
MixColumns
Round
Key Generation
PlainText – 128 bits
CipherText – 128 bits
Secret Key 128 bits
b
c
d
e
f
a
Register
= (e1 xor K) xor (e2 xor K)
= e1 xor e2
29
Giorgio Di Natale, LIRMM
Focusing on a smaller key
MixColumns MixColumns MixColumns MixColumns
Add
Roun
dKey
AddInitialKey
S S S S S S S S S S S S S S S S
Shi
ftRo
ws
30
Giorgio Di Natale, LIRMM
Focusing on a smaller key
MixColumns
S S S S
MixColumns MixColumns MixColumns
S S S S S S S S S S S S
Constant for the two computations
31
Giorgio Di Natale, LIRMM
Focusing on a smaller key
32
S S S S
MixColumns
(a1,a2) Constant
k
(o1,o2) è It depends on 8 bits of the secret
(b1,b2)
Giorgio Di Natale, LIRMM
Avoiding the chain
• Position of FFs within the scan chain is not known
• OutScanChain = array [N]
• We need a function such that: • p = f (OutScanChain) • f : array à number
33
Giorgio Di Natale, LIRMM
Hamming Distance
S S S S
MixColumns
(a1,a2) Constant
HD12
k
(o1,o2) è
(b1,b2)
(b1, b1 XOR 1)
b1 = 226 b1 = 242
b1 = 122
b1 = 130
34
Giorgio Di Natale, LIRMM
Signature Attack
S S S S
MixColumns
(a1,a2) Constant
Load input pairs...
Observe the output difference HD
HD12
(a1,a2)
HD12
(a3,a4)
HD34
(a5,a6)
HD56
(a7,a8)
HD78
SIGNATURE
k
(o1,o2) è
35
Giorgio Di Natale, LIRMM
Simulating all keys: Signature Table
• Signature depends on the key guess
• Signature table consists of the signature for each key
• Goal: have unique signatures!
Observed difference
Input Pairs
Guessed Key K1
K2
K3
KN
P1 P2 P3 PM
Signature
HD11 HD12 HD13 HD1M HD21 HD22 HD23 HD2M HD31 HD32 HD33 HD3M HDN1 HDN2 HDN3 HDNM
S S S S
MixColumns
(a1, a2)
HD
k
36
Giorgio Di Natale, LIRMM
Unique Signatures
• Measured signature: – must correspond to only one key
• Input pairs: – are chosen so the signatures are different – E.g., randomly: between 12 and 20 pairs
37
Giorgio Di Natale, LIRMM
Attack Summary
• Signature table is created (possibly input pairs are optimized)
• Input pairs are applied to the circuit
• XOR of the 2 scan chains is calculated
• Signature is generated
• Look for the same signature in the table
The secret key is found!
38
Giorgio Di Natale, LIRMM
APPLICATIONS
39
Giorgio Di Natale, LIRMM
Single & Multiple Chains without Compression
• The whole round-register is scanned-out
• 3 input pairs per key byte are enough
S S S S
MixColumns
(a1, a2) Constant
HD12
k
Signature is composed by Hamming Distances from 0 to 32
40
Giorgio Di Natale, LIRMM
Compression
• Used for reducing test time, I/O requirements – No reduction of test coverage and diagnosis capability!
• Round-register bits are not directly observable!
Chain 1
Chain 2
Chain 3
Chain N-1
Chain N
Slice
X O R
Output Bitstream
Scan In Scan Out
41
Giorgio Di Natale, LIRMM
Attacking parity
• Compress the output bitstream – To just one bit (i.e., the parity of the whole scan chain)
Chain 1
Chain 2
Chain 3
Chain N-1
Chain N
X O R
Slice
Output Bitstream
FF
42
Giorgio Di Natale, LIRMM
Signature Attack against Compression
• Only the parity is observable
• 12 input pairs per key byte are enough
S S S S
MixColumns
(a1, a2) Constant
PD12
k
Signature is composed by a sequence of parity distances (0 or 1)
XOR
43
Giorgio Di Natale, LIRMM
Observing a Subset
• Only one bit is observable
• 12 input pairs per key byte are enough
S S S S
(a1, a2) Constant
O12
k
Signature is composed by a sequence of “bit” distances (0 or 1)
MixColumns
44
Giorgio Di Natale, LIRMM
Advantage of observing a subset
• Hypothesis: – Other FFs are independent of the plaintext – After one round they have always the same value
• When this hypothesis is false – Search for signature of bit 0 – Between the bits that are changing
• Useful for single and multiple chains without compression, and partial scan
observe 128 bits!
Register Other FFs
x2
Register Other FFs
x1 f1
f2
f1 xor f2 variable
45
Giorgio Di Natale, LIRMM
A Real Threat???
iPhone 4 Pinout
Apple TV – Access to JTAG
XBOX 360 46
Giorgio Di Natale, LIRMM
Countermeasures
• Leave the scan chain unbound (fuses)
• Built-In Self-Test
• On-chip test comparison
• Secure Test Access Mechanism
47
Giorgio Di Natale, LIRMM
Countermeasures
• Leave the scan chain unbound (fuses)
• Built-In Self-Test
• On-chip test comparison
• Secure Test Access Mechanism
48
Giorgio Di Natale, LIRMM
Properties of Crypto-Algorithms
• Confusion – Making the relationship between the key and the
ciphertext as complex and involved as possible
• Diffusion – A change in a single bit of the plaintext should result in
changing the value of many ciphertext bits
49
Giorgio Di Natale, LIRMM
Testability
• Diffusion vs testability: – every input bit influences many output bits (i.e. every
input bit is in the logic cone of many output bits) à the circuit is very observable
– the input logic cone of every output contains many inputs
à each fault is highly controllable
• Therefore these circuits are highly testable by nature no matter the implementations
50
Giorgio Di Natale, LIRMM
Randomness
• Diffusion and confusion de-correlate the output values from the input ones (both at encryption and round levels)
• It has been demonstrated that by feeding back the output to the input, the generated output sequence has random properties. [ B. Schneier, Applied Cryptography, Second Ed., John Wiley and Sons, 1996 ]
• AES/DES better than LFSR (proved by NIST tests)
• Randomness also at round level
51
Giorgio Di Natale, LIRMM
BIST Architecture
Round
Plain Text
Controller
Internal Register
First Opera+on
Last Opera+on
Output Register
Cipher Text
Round Key Generator
K1
f()
K2
f()
K3
Kn
K1
f()
K2
f()
K3
Kn
f()
52
Giorgio Di Natale, LIRMM
Countermeasures
• Leave the scan chain unbound (fuses)
• Built-In Self-Test
• On-chip test comparison
• Secure Test Access Mechanism
53
Giorgio Di Natale, LIRMM
On-Chip Test Comparison
ATE
SCAN OUTs
SCAN INs
FUNCTIONAL I/O
SCAN ENABLE
Input Pa:erns
Expected Responses =
Fault/Diagnosis Information
ATE
SCAN OUT
SCAN IN
FUNCTIONAL I/O
SCAN ENABLE
Input Pa:erns
Expected Responses
Fault/Diagnosis Information
1 0 1
Sticky Mismatch
Comparator
EXPECTED RESPONSE
Results
pass/fail
54
Giorgio Di Natale, LIRMM
Countermeasures
• Leave the scan chain unbound (fuses)
• Built-In Self-Test
• On-chip test comparison
• Secure Test Access Mechanism – …next class
55
Giorgio Di Natale, LIRMM
CONCLUSIONS
56
Giorgio Di Natale, LIRMM
Conclusions
• Digital Test – Necessary for secure devices
• Scan based testing – Efficient and de-facto standard, but not compatible with
security
• Countermeasures – Avoiding scan chains reduces the test quality
• Diagnostic • In-field testing
– Secure Test Access Mechanism required
57
Giorgio Di Natale, LIRMM
Further readings
Amitabh Das, Jean Da Rolt, Giorgio Di Natale, Marie-Lise Flottes, Bruno Rouzeyre, Ingrid Verbauwhede Test versus Security: Past and Present, IEEE Transactions on Emerging Topics in Computing Jean Da Rolt, Giorgio Di Natale, Marie-Lise Flottes, Bruno Rouzeyre Thwarting Scan-Based Attacks on Secure-ICs with On-Chip Comparison, IEEE Transaction on VLSI, DOI: 10.1109/TVLSI.2013.2257903 Amitabh Das, Jean Da Rolt, Santosh Ghosh, Stefaan Seys, Sophie Dupuis, Giorgio Di Natale, Marie-Lise Flottes, Bruno Rouzeyre, Ingrid Verbauwhede Secure JTAG Implementation Using Schnorr Protocol, Journal of Electronic Testing (JETTA), Springer, DOI: 10.1007/s10836-013-5369-9 Jean Da Rolt, Giorgio Di Natale, Marie-Lise Flottes, Bruno Rouzeyre A Novel Differential Scan Attack on Advanced DFT Structures, ACM Transactions on Design Automation of Electronic Systems, Volume 18, Issue 4, October 2013, Article No. 58, DOI: 10.1145/2505014 Jean Da Rolt, Amitabh Das, Santosh Ghosh, Giorgio Di Natale, Marie-Lise Flottes, Bruno Rouzeyre and Ingrid Verbauwhede Scan Attacks on Side-channel and Fault Attack Resistant Public-key Implementations, Journal of Cryptographic Engineering, November 2012, Volume 2, Issue 4, pp 207-219, DOI: 10.1007/s13389-012-0045-z G. Di Natale, M. Doulcier, M. L. Flottes, B. Rouzeyre Self-Test Techniques for Crypto-Devices, IEEE Transaction on VLSI Systems, pp. 1-5, February 2010, Volume:18, Issue: 2, DOI: 10.1109/TVLSI.2008.2010045
58
Giorgio Di Natale, LIRMM
Further readings
Yang, B. and Wu, K. and Karri, R. Scan based side channel attack on dedicated hardware implementations of Data Encryption Standard 2004 International Conferece on Test Nara, R. and Togawa, N. and Yanagisawa, M. and Ohtsuki, T. Scan-based attack against elliptic curve cryptosystems 2010 Asia and South Pacific Design Automation Conference Nara, R. and Satoh, K. and Yanagisawa, M. and Ohtsuki, T. and Togawa, N. Scan-Based Side-Channel Attack against RSA Cryptosystems Using Scan Signatures IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, number = 12, pages = 2481–2489 Liu, Yu and Wu, Kaijie and Karri, Ramesh Scan-based attacks on linear feedback shift register based stream ciphers, ACM Transactions on Design Automation of Electronic Systems, volume = 16, year = 2011 Sk Subidh Ali, Ozgur Sinanoglu, Ramesh Karri Test-Mode-Only Scan Attack Using the Boundary Scan Chain 2014 19th IEEE European Test Symposium (ETS)
59