262 research outputs found

    A Hardware Security Solution against Scan-Based Attacks

    Scan based Design for Test (DfT) schemes have been widely used to achieve high fault coverage for integrated circuits. The scan technique provides full access to the internal nodes of the device-under-test to control them or observe their response to input test vectors. While such comprehensive access is highly desirable for testing, it is not acceptable for secure chips as it is subject to exploitation by various attacks. In this work, new methods are presented to protect the security of critical information against scan-based attacks. In the proposed methods, access to the circuit containing secret information via the scan chain has been severely limited in order to reduce the risk of a security breach. To ensure the testability of the circuit, a built-in self-test which utilizes an LFSR as the test pattern generator (TPG) is proposed. The proposed schemes can be used as a countermeasure against side channel attacks with a low area overhead as compared to the existing solutions in literature

    Design for Test and Hardware Security Utilizing Tester Authentication Techniques

    Design-for-Test (DFT) techniques have been developed to improve testability of integrated circuits. Among the known DFT techniques, scan-based testing is considered an efficient solution for digital circuits. However, scan architecture can be exploited to launch a side channel attack. Scan chains can be used to access a cryptographic core inside a system-on-chip to extract critical information such as a private encryption key. For a scan enabled chip, if an attacker is given unlimited access to apply all sorts of inputs to the Circuit-Under-Test (CUT) and observe the outputs, the probability of gaining access to critical information increases. In this thesis, solutions are presented to improve hardware security and protect them against attacks using scan architecture. A solution based on tester authentication is presented in which, the CUT requests the tester to provide a secret code for authentication. The tester authentication circuit limits the access to the scan architecture to known testers. Moreover, in the proposed solution the number of attempts to apply test vectors and observe the results through the scan architecture is limited to make brute-force attacks practically impossible. A tester authentication utilizing a Phase Locked Loop (PLL) to encrypt the operating frequency of both DUT/Tester has also been presented. In this method, the access to the critical security circuits such as crypto-cores are not granted in the test mode. Instead, a built-in self-test method is used in the test mode to protect the circuit against scan-based attacks. Security for new generation of three-dimensional (3D) integrated circuits has been investigated through 3D simulations COMSOL Multiphysics environment. It is shown that the process of wafer thinning for 3D stacked IC integration reduces the leakage current which increases the chip security against side-channel attacks

    Test Planning and Test Access Mechanism Design for 3D SICs

    In this paper we propose a scheme for test planning and test access mechanism (TAM) design for stacked integrated circuits (SICs) that are designed in a core-based manner. Our scheme minimizes the test cost, which is given as the weighted sum of the test time and the TAM width. The test cost is evaluated for a test flow that consists of a wafer sort test of each individual chip and a package test of the complete stack of chips. We use an Integer Linear Programming (ILP) model to find the optimal test cost. The ILP model is implemented on several designs constructed from ITC’02 benchmarks. The experimental results show significant reduction in test cost compared to when using schemes, which are optimized for non-stacked chips

    Design of a Scan Chain for Side Channel Attacks on AES Cryptosystem for Improved Security

    Scan chain-based attacks are side-channel attacks focusing on one of the most significant features of hardware test circuitry. A technique called Design for Testability (DfT) involves integrating certain testability components into a hardware design. However, this creates a side channel for cryptanalysis, providing crypto devices vulnerable to scan-based attacks. Advanced Encryption Standard (AES) has been proven as the most powerful and secure symmetric encryption algorithm announced by USA Government and it outperforms all other existing cryptographic algorithms. Furthermore, the on-chip implementation of private key algorithms like AES has faced scan-based side-channel attacks. With the aim of protecting the data for secure communication, a new hybrid pipelined AES algorithm with enhanced security features is implemented. This paper proposes testing an AES core with unpredictable response compaction and bit level-masking throughout the scan chain process. A bit-level scan flipflop focused on masking as a scan protection solution for secure testing. The experimental results show that the best security is provided by the randomized addition of masked scan flipflop through the scan chain and also provides minimal design difficulty and power expansion overhead with some negligible delay measures. Thus, the proposed technique outperforms the state-of-the-art LUT-based S-box and the composite sub-byte transformation model regarding throughput rate 2 times and 15 times respectively. And security measured in the avalanche effect for the sub-pipelined model has been increased up to 95 per cent with reduced computational complexity. Also, the proposed sub-pipelined S-box utilizing a composite field arithmetic scheme achieves 7 per cent area effectiveness and 2.5 times the hardware complexity compared to the LUT-based model

    Memory built-in self-repair and correction for improving yield: a review

    Nanometer memories are highly prone to defects due to dense structure, necessitating memory built-in self-repair as a must-have feature to improve yield. Today’s system-on-chips contain memories occupying an area as high as 90% of the chip area. Shrinking technology uses stricter design rules for memories, making them more prone to manufacturing defects. Further, using 3D-stacked memories makes the system vulnerable to newer defects such as those coming from through-silicon-vias (TSV) and micro bumps. The increased memory size is also resulting in an increase in soft errors during system operation. Multiple memory repair techniques based on redundancy and correction codes have been presented to recover from such defects and prevent system failures. This paper reviews recently published memory repair methodologies, including various built-in self-repair (BISR) architectures, repair analysis algorithms, in-system repair, and soft repair handling using error correcting codes (ECC). It provides a classification of these techniques based on method and usage. Finally, it reviews evaluation methods used to determine the effectiveness of the repair algorithms. The paper aims to present a survey of these methodologies and prepare a platform for developing repair methods for upcoming-generation memories

    Quiescent current testing of CMOS data converters

    Power supply quiescent current (IDDQ) testing has been very effective in VLSI circuits designed in CMOS processes detecting physical defects such as open and shorts and bridging defects. However, in sub-micron VLSI circuits, IDDQ is masked by the increased subthreshold (leakage) current of MOSFETs affecting the efficiency of IDDQ testing. In this work, an attempt has been made to perform robust IDDQ testing in presence of increased leakage current by suitably modifying some of the test methods normally used in industry. Digital CMOS integrated circuits have been tested successfully using IDDQ and IDDQ methods for physical defects. However, testing of analog circuits is still a problem due to variation in design from one specific application to other. The increased leakage current further complicates not only the design but also testing. Mixed-signal integrated circuits such as the data converters are even more difficult to test because both analog and digital functions are built on the same substrate. We have re-examined both IDDQ and IDDQ methods of testing digital CMOS VLSI circuits and added features to minimize the influence of leakage current. We have designed built-in current sensors (BICS) for on-chip testing of analog and mixed-signal integrated circuits. We have also combined quiescent current testing with oscillation and transient current test techniques to map large number of manufacturing defects on a chip. In testing, we have used a simple method of injecting faults simulating manufacturing defects invented in our VLSI research group. We present design and testing of analog and mixed-signal integrated circuits with on-chip BICS such as an operational amplifier, 12-bit charge scaling architecture based digital-to-analog converter (DAC), 12-bit recycling architecture based analog-to-digital converter (ADC) and operational amplifier with floating gate inputs. The designed circuits are fabricated in 0.5 μm and 1.5 μm n-well CMOS processes and tested. Experimentally observed results of the fabricated devices are compared with simulations from SPICE using MOS level 3 and BSIM3.1 model parameters for 1.5 μm and 0.5 μm n-well CMOS technologies, respectively. We have also explored the possibility of using noise in VLSI circuits for testing defects and present the method we have developed.

    Power Droop Reduction In Logic BIST By Scan Chain Reordering

    Significant peak power (PP), thus power droop (PD), during test is a serious concern for modern, complex ICs. In fact, the PD originated during the application of test vectors may produce a delay effect on the circuit under test signal transitions. This event may be erroneously recognized as presence of a delay fault, with consequent generation of an erroneous test fail, thus increasing yield loss. Several solutions have been proposed in the literature to reduce the PD during test of combinational ICs, while fewer approaches exist for sequential ICs. In this paper, we propose a novel approach to reduce peak power/power droop during test of sequential circuits with scan-based Logic BIST. In particular, our approach reduces the switching activity of the scan chains between following capture cycles. This is achieved by an original generation and arrangement of test vectors. The proposed approach presents a very low impact on fault coverage and test time

    REDUCING POWER DURING MANUFACTURING TEST USING DIFFERENT ARCHITECTURES

    Power during manufacturing test can be several times higher than power consumption in functional mode. Excessive power during test can cause IR drop, over-heating, and early aging of the chips. In this dissertation, three different architectures have been introduced to reduce test power in general cases as well as in certain scenarios, including field test. In the first architecture, scan chains are divided into several segments. Every segment needs a control bit to enable capture in a segment when new faults are detectable on that segment for that pattern. Otherwise, the segment should be disabled to reduce capture power. We group the control bits together into one or more control chains. To address the extra pin(s) required to shift data into the control chain(s) and significant post processing in the first architecture, we explored a second architecture. The second architecture stitches the control bits into the chains they control as EECBs (embedded enable capture bits) in between the segments. This allows an ATPG software tool to automatically generate the appropriate EECB values for each pattern to maintain the fault coverage. This also works in the presence of an on-chip decompressor. The last architecture focuses primarily on the self-test of a device in a 3D stacked IC when an existing FPGA in the stack can be programmed as a tester. We show that the energy expended during test is significantly less than would be required using low power patterns fed by an on-chip decompressor for the same very short scan chains