Abstract
Post-silicon debug requires high observability and controllability of the SoC, which is realized by access to internal registers and memory through external debug interfaces and on-chip instrumentation. However, the presence of hardware debug circuitry increases the risk of exposing vulnerabilities in the SoC: attackers or malicious users can use the debug circuitry to gain illegitimate access to secret information stored on the chip. This chapter introduces SoC debug architectures and their components, and then discusses the security hazards induced by SoC debug circuitry. We review existing solutions proposed by academia and industry to address this problem, most of which rely on authentication mechanisms to prevent unauthorized debug access without compromising the debug capabilities needed for post-silicon validation and field-return evaluation. Emerging research topics related to the trade-off between post-silicon debug and security are also surveyed.
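The abstract refers to authentication mechanisms that keep a debug port locked for unauthorized users while still allowing legitimate field-return analysis. The following is an added illustrative model written for this page, not code from the chapter or from any vendor's debug architecture: it assumes a per-device secret shared with the manufacturer's debug tool, a challenge-response unlock using HMAC-SHA256, and a toy register file standing in for the SoC state that the port exposes once unlocked. The message names and register contents are constructed for the example.

```python
import hashlib
import hmac
import os

# Domain-separation label for the unlock MAC (assumed, not from the chapter).
UNLOCK_LABEL = b"debug-unlock"


class DebugPort:
    """Model of an authenticated debug access port.

    Privileged operations (here: reading internal registers) are refused until
    the host proves knowledge of the device secret by answering a fresh
    challenge. The secret never leaves the device; only a MAC over the nonce
    crosses the debug interface.
    """

    def __init__(self, device_secret: bytes, registers: dict[int, int]):
        self._secret = device_secret
        self._registers = registers  # constructed sample SoC state
        self._nonce: bytes | None = None
        self.unlocked = False

    def challenge(self) -> bytes:
        # A fresh random nonce per attempt: a response captured on the
        # debug pins cannot be replayed against a later challenge.
        self._nonce = os.urandom(16)
        return self._nonce

    def respond(self, tag: bytes) -> bool:
        # No outstanding challenge means nothing to verify against.
        if self._nonce is None:
            return False
        expected = hmac.new(self._secret, UNLOCK_LABEL + self._nonce,
                            hashlib.sha256).digest()
        # Constant-time comparison so the check itself is not a timing oracle.
        ok = hmac.compare_digest(expected, tag)
        self._nonce = None  # each challenge is single-use, pass or fail
        self.unlocked = ok
        return ok

    def read_register(self, addr: int) -> int:
        # Observability is the whole point of debug, so this is what must be gated.
        if not self.unlocked:
            raise PermissionError("debug port locked: authenticate first")
        return self._registers[addr]


def compute_response(secret: bytes, nonce: bytes) -> bytes:
    """Host side: the debug tool's answer to a challenge."""
    return hmac.new(secret, UNLOCK_LABEL + nonce, hashlib.sha256).digest()


def host_unlock(port: DebugPort, secret: bytes) -> bool:
    """Run one full challenge-response exchange from the host's point of view."""
    nonce = port.challenge()
    return port.respond(compute_response(secret, nonce))


def demo() -> dict[str, bool]:
    """Exercise the locked, wrongly-authenticated, replayed and authorized cases."""
    secret = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    port = DebugPort(secret, {0x1000: 0xDEADBEEF})

    results = {}
    try:
        port.read_register(0x1000)
        results["locked_read_refused"] = False
    except PermissionError:
        results["locked_read_refused"] = True

    results["wrong_secret_rejected"] = not host_unlock(port, b"guess" * 4)

    # Replay: reuse a response captured for an earlier challenge.
    old_nonce = port.challenge()
    captured = compute_response(secret, old_nonce)
    port.respond(b"\x00" * 32)          # that challenge is now consumed
    port.challenge()                    # new nonce issued
    results["replay_rejected"] = not port.respond(captured)

    results["authorized_unlock"] = host_unlock(port, secret)
    results["register_readable"] = port.read_register(0x1000) == 0xDEADBEEF
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the gate sits on the privileged operation, not on the interface: the challenge and response still travel over the same pins, so a field-return unit can be unlocked by a tool holding the secret without any physical change, while an attacker with only pin access learns nothing from observing the exchange.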
Notes
1. Freescale and the Freescale logo are trademarks of Freescale Semiconductor, Inc., Reg. U.S. Pat. & Tm. Off. All other product or service names are the property of their respective owners. ARM and Cortex are trademarks or registered trademarks of ARM Ltd or its subsidiaries. 2014 Freescale Semiconductor, Inc.
Copyright information
© 2017 Springer International Publishing AG
Cite this chapter
Chen, W., Bhadra, J., Wang, LC. (2017). SoC Security and Debug. In: Bhunia, S., Ray, S., Sur-Kolay, S. (eds) Fundamentals of IP and SoC Security. Springer, Cham. https://doi.org/10.1007/978-3-319-50057-7_3
DOI: https://doi.org/10.1007/978-3-319-50057-7_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-50055-3
Online ISBN: 978-3-319-50057-7
eBook Packages: Engineering (R0)