Test-mode-only scan attack and countermeasure for contemporary scan architectures

Samah Mohamed Saeed, Sk Subidh Ali, Ozgur Sinanoglu, Ramesh Karri

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Scan design is a de facto design-for-testability technique that enhances access during the manufacturing test process. However, it can also be exploited to leak secret information off a secure chip. A mode-reset countermeasure has been used to thwart all the existing scan attacks, as they all rely on switching between the test and normal modes. Recently, the countermeasure was circumvented by a new scan attack that utilizes only the test mode to identify the secret key of an AES chip. However, this test-mode-only attack has overlooked the other test structures, such as a decompressor and a compactor, on the scan path, which act as fortuitous countermeasures against test-mode-only scan attacks. In this work, we present a scan attack analysis for contemporary scan architectures with a stimulus decompressor unit. A stimulus decompressor poses a challenge for the test-mode-only attack, as the bit-flips required to launch the attack may not be created through the decompressor. The problem bears similarities to the test pattern encodability problem, where certain test cubes cannot be delivered due to the correlation induced by the stimulus decompressor. This paper sheds light on the intrinsic connections between the scan attack and the test pattern encodability problem, and presents a new test-mode-only scan attack in the presence of a decompressor of any type. Our analysis of an AES design shows that the proposed attack is successful for contemporary scan architectures. We also propose countermeasures that diminish the success of the proposed attack.

Original language: English (US)
Title of host publication: Proceedings - 2014 IEEE International Test Conference, ITC 2014
Publisher: Institute of Electrical and Electronics Engineers Inc.
Volume: 2015-February
ISBN (Print): 9781479947225
DOI: https://doi.org/10.1109/TEST.2014.7035357
State: Published - Feb 6 2015
Event: 45th IEEE International Test Conference, ITC 2014 - Seattle, United States
Duration: Oct 21 2014 → Oct 23 2014

Other

Other: 45th IEEE International Test Conference, ITC 2014
Country: United States
City: Seattle
Period: 10/21/14 → 10/23/14

Keywords

  • AES
  • Decompressor
  • Scan Attack
  • Scan Chain
  • Scan-based DFT
  • Security
  • Testability

ASJC Scopus subject areas

  • Electrical and Electronic Engineering
  • Applied Mathematics

Cite this

Saeed, S. M., Ali, S. S., Sinanoglu, O., & Karri, R. (2015). Test-mode-only scan attack and countermeasure for contemporary scan architectures. In Proceedings - 2014 IEEE International Test Conference, ITC 2014 (Vol. 2015-February). [7035357] Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/TEST.2014.7035357
