SoC Security and Debug

Chapter in: Fundamentals of IP and SoC Security

Abstract

Post-silicon debug requires high observability and controllability of the SoC, which is realized through access to the internal registers and memory via external debug interfaces and on-chip instrumentation. However, the existence of hardware debug circuitry increases the risk of exposing vulnerabilities of the SoC: attackers or malicious users might take advantage of the debug circuitry to gain illegitimate access to secret information stored on the SoC. This chapter gives an introduction to SoC debug architectures and their components, and then discusses the security hazards induced by the SoC debug circuitry. We review existing solutions proposed by academia and industry to address this problem, most of which focus on authentication mechanisms that prevent unauthorized debug access without compromising the debug capabilities needed for post-silicon validation and field-return evaluation. Emerging research subjects related to the trade-off between post-silicon debug and security are also surveyed.

Notes

  1. Freescale and the Freescale logo are trademarks of Freescale Semiconductor, Inc., Reg. U.S. Pat. & Tm. Off. All other product or service names are the property of their respective owners. ARM and Cortex are trademark(s) or registered trademarks of ARM Ltd or its subsidiaries. 2014 Freescale Semiconductor, Inc.

Author information

Correspondence to Wen Chen.

Copyright information

© 2017 Springer International Publishing AG

About this chapter

Cite this chapter

Chen, W., Bhadra, J., Wang, LC. (2017). SoC Security and Debug. In: Bhunia, S., Ray, S., Sur-Kolay, S. (eds) Fundamentals of IP and SoC Security. Springer, Cham. https://doi.org/10.1007/978-3-319-50057-7_3

  • DOI: https://doi.org/10.1007/978-3-319-50057-7_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-50055-3

  • Online ISBN: 978-3-319-50057-7
