Scan Chain Based Attacks and Countermeasures: A Survey

Li, Xiaowei; Li, Wenjie; Ye, Jing; Li, Huawei; Hu, Yu

doi:10.1109/access.2019.2925237

Cited by 19 publications

(10 citation statements)

References 49 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A recent survey paper [29] lists various scan obfuscation/masking defenses. In this section, we categorize these defenses into three classes as shown in Table 7: (i) REvulnerable: those that are vulnerable to any basic reverse engineering (RE) attack; e.g., the position of added gates identified via RE can be used to compromise the defense; ScanSAT does not need to be applied.…”

Section: Discussionmentioning

confidence: 99%

See 1 more Smart Citation

ScanSAT: Unlocking Static and Dynamic Scan Obfuscation

Alrahis

Yasin

Limaye

et al. 2021

IEEE Trans. Emerg. Topics Comput.

View full text Add to dashboard Cite

While financially advantageous, outsourcing key steps, such as testing, to potentially untrusted Outsourced Assembly and Test (OSAT) companies may pose a risk of compromising on-chip assets. Obfuscation of scan chains is a technique that hides the actual scan data from the untrusted testers; logic inserted between the scan cells, driven by a secret key, hides the transformation functions that map the scan-in stimulus (scan-out response) and the delivered scan pattern (captured response). While static scan obfuscation utilizes the same secret key, and thus, the same secret transformation functions throughout the lifetime of the chip, dynamic scan obfuscation updates the key periodically. In this paper, we propose ScanSAT: an attack that transforms a scan obfuscated circuit to its logic-locked version and applies the Boolean satisfiability (SAT) based attack, thereby extracting the secret key. We implement our attack, apply on representative scan obfuscation techniques, and show that ScanSAT can break both static and dynamic scan obfuscation schemes with 100% success rate. Moreover, ScanSAT is effective even for large key sizes and in the presence of scan compression.

show abstract

Section: Discussionmentioning

confidence: 99%

“…(iii) ScanSAT-resilient: those that are resilient to our attack ScanSAT but at the expense of other implications such as hindered debug, etc. Details about these defenses can be found in [29].…”

Section: Discussionmentioning

confidence: 99%

ScanSAT: Unlocking Static and Dynamic Scan Obfuscation

Alrahis

Yasin

Limaye

et al. 2021

IEEE Trans. Emerg. Topics Comput.

View full text Add to dashboard Cite

show abstract

“…In this survey paper, we will provide a holistic overview of this breed of countermeasures in terms of security, test time/complexity, and overhead. Since securing the scan chain was first originated in the presence of cryptographic engines, there exist some survey papers that review and evaluate such techniques [52].…”

Section: E the Survey Overviewmentioning

confidence: 99%

From Cryptography to Logic Locking: A Survey on the Architecture Evolution of Secure Scan Chains

et al. 2021

View full text Add to dashboard Cite

The availability of access to Integrated Circuits' scan chain is an inevitable requirement of modern ICs for testability/debugging purposes. However, leaving access to the scan chain OPEN resulted in numerous security threats on ICs. It raises challenging concerns particularly when the secret asset, like secret information, is placed within the chip, such as the keys of cryptographic algorithms, or similarly logic obfuscation key. So, to combat these threats, numerous secure scan chain architectures have been proposed in the literature to prevent any unauthorized access to the scan chain. They also keep the availability of the scan chain for testability/debugging. In this paper, we first show why a secure scan chain architecture is required when security primitives, like logic obfuscation, are in place. Then, we provide a holistic overview of all secure scan chain architectures starting from preliminary methods introduced when cryptography is in place and the adversary threat model is very limited. It is then followed by newer and more advanced methods introduced when logic obfuscation is in place and the adversary threat model is much stronger. Hence, we have more concentration on the architecture proposed more recently on logic obfuscation. We evaluate all secure scan chain architectures in terms of security and resiliency, testability/debugging time and complexity, and area/power/delay overhead.

show abstract

“…Existing scan-based side-channel attacks can be categorized into mode-switching attacks [15]- [21] and testmode-only attacks [22]- [27].…”

Section: A Scan-based Side-channel Attacksmentioning

confidence: 99%

“…A full-scan design simplifies automatic test-pattern generation (ATPG). However, scan chain can also be exploited as a side-channel to gain access to the intermediate computation results of selected functional unit of a cryptographic core for secret key extraction [15]- [27]. When the FSM state registers are included in the scan chain, the outputs of the FSM state registers are reachable, and their inputs are controllable.…”

Section: Introductionmentioning

confidence: 99%

Identification of FSM State Registers by Analytics of Scan-Dump Data

Cui

Chang

et al. 2021

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

Big data analytics have gained tremendous successes in mining valuable information in various fields. However, its potential to solve complex problems in hardware security has not been adequately tapped. This paper presents a non-invasive approach to identify the state registers of a finite state machine (FSM) in an integrated chip. The state registers of the FSM are mined from the scan-dump data by exploiting the strongly connected property and chronologically correlated state codes of the FSM. The sequence of data scanned out of each scan register is partitioned into non-overlapping strings of high weighted frequencies by a string-matching algorithm. A coherency between a pair of registers is defined and computed based on the partitioned strings. The dimension of the coherency matrix is first reduced by pruning some registers of low influence by a regression analysis. The registers are then clustered to minimize the within-cluster variances based on their coherency values. The proposed scheme is applied to some IP cores from OpenCores. The experimental results show that our scheme can correctly identify the FSM state registers in most designs with high hit rate.

show abstract

Scan Chain Based Attacks and Countermeasures: A Survey

Cited by 19 publications

References 49 publications

ScanSAT: Unlocking Static and Dynamic Scan Obfuscation

ScanSAT: Unlocking Static and Dynamic Scan Obfuscation

From Cryptography to Logic Locking: A Survey on the Architecture Evolution of Secure Scan Chains

Identification of FSM State Registers by Analytics of Scan-Dump Data

Contact Info

Product

Resources

About