Design-for-Security vs. Design-for-Testability: A Case Study on DFT Chain in Cryptographic Circuits

Abstract-Relying on a recently developed gate-level information assurance scheme, we formally analyze the security of design-for-test (DFT) scan chains, the industrial standard testing methods for fabricated chips and, for the first time, formally prove that a circuit with scan chain inserted can violate security properties. The same security assessment method is then applied to a built-in-self-test (BIST) structure where it is shown that even BIST structures can cause security vulnerabilities. To balance trustworthiness and testability, a new design-for-security (DFS) methodology is proposed which, through the modification of scan chain structure, can achieve high security without compromising the testability of the inserted scan structure. To support the task of secure scan chain insertion, a method of scan chain reshuffling is introduced. Using an AES encryption core as the testing platform, we elaborated the security assessment procedure as well as the DFS technique in balancing security and testability of cryptographic circuits

A Survey on Security Threats and Countermeasures in IEEE Test Standards

International audienceEditor's note: Test infrastructure has been shown to be a portal for hackers. This article reviews the threats and countermeasures for IEEE test infrastructure standards

Are Advanced DfT Structures Sufficient for Preventing Scan-Attacks?

International audienceStandard Design for Testability (DfT) structures are well known as potential sources of confidential information leakage. Scan-based attacks have been reported in publications since the early 2000s. It has been shown for instance that the secret key for symmetric encryption standards (DES, AES) could be retrieved from information gathered on scan-out pins when scan-chains are fully observed through these pins. However DfT practices have progressed to adapt to large and complex designs such as test response compaction, associated Xmasking structure, partial scan, etc. As a side effect, these techniques mask part of the information collected on scan outputs. Thus, at first glance, they may appear as countermeasures against scan-based attacks. Nevertheless, in this paper we show that DfT structures, regardless of their nature, do not inherently enhance security and that specific additional countermeasures are still needed. We propose a newscan attack able to deal with designs where only part of the internal circuit's state is observed for test purpose