TY - GEN
T1 - Test-mode-only scan attack and countermeasure for contemporary scan architectures
AU - Saeed, Samah Mohamed
AU - Ali, Sk Subidh
AU - Sinanoglu, Ozgur
AU - Karri, Ramesh
N1 - Publisher Copyright: © 2014 IEEE.
PY - 2015/2/6
Y1 - 2015/2/6
N2 - Scan design is a de facto design-for-testability technique that enhances access during the manufacturing test process. However, it can also be exploited to leak secret information off a secure chip. A mode-reset countermeasure has been used to thwart all the existing scan attacks, as they all rely on switching between the test and normal modes. Recently, the countermeasure was circumvented by a new scan attack that utilizes only the test mode to identify the secret key of an AES chip. However, this test-mode-only attack has overlooked the other test structures, such as a decompressor and a compactor, on the scan path, which act as fortuitous countermeasures against test-mode-only scan attacks. In this work, we present a scan attack analysis for contemporary scan architectures with a stimulus decompressor unit. A stimulus decompressor poses a challenge for the test-mode-only attack, as the bit-flips required to launch the attack may not be created through the decompressor. The problem bears similarities to the test pattern encodability problem, where certain test cubes cannot be delivered due to the correlation induced by the stimulus decompressor. This paper sheds light on the intrinsic connections between the scan attack and the test pattern encodability problem, and presents a new test-mode-only scan attack in the presence of a decompressor of any type. Our analysis of an AES design shows that the proposed attack is successful for contemporary scan architectures. We also propose countermeasures that diminish the success of the proposed attack.
KW - AES
KW - Decompressor
KW - Scan Attack
KW - Scan Chain
KW - Scan-based DFT
KW - Security
KW - Testability
UR - http://www.scopus.com/inward/record.url?scp=84954288400&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84954288400&partnerID=8YFLogxK
U2 - 10.1109/TEST.2014.7035357
DO - 10.1109/TEST.2014.7035357
M3 - Conference contribution
AN - SCOPUS:84954288400
T3 - Proceedings - International Test Conference
BT - Proceedings - 2014 IEEE International Test Conference, ITC 2014
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 45th IEEE International Test Conference, ITC 2014
Y2 - 21 October 2014 through 23 October 2014
ER -