DFT Digest

November 30, 2007

Secure Design-for-Test

Filed under: BIST, Scan/ATPG — John @ 1:01 pm

I was perusing the latest version of IEEE Design & Test, which focuses on ICs for Secure Embedded Computing, and it reminded me of a small flap a couple of years back about the security, or lack thereof, of scan chains (Scan design called portal for hackers, EETimes, 10/25/2004). Although I haven’t personally noticed any other discussion on the subject since then, a quick Google found a paper as recent as 2006 (A Low-Cost Solution for Protecting IPs Against Scan-Based Side-Channel Attacks, VTS ’06).

FYI, “side-channel attacks” are attempts to decipher or learn encryption algorithms (or learn the IP inside a chip, maybe) by gaining information about the physical implementation of the device itself, in this case via the scan chains. Methods for side-channel attacks run the gamut from glitch and power analysis to fault injection attacks. It’s amazing what people can learn by causing a chip to work abnormally.

As it turns out, it’s pretty easy to hack an encryption chip using scan chains (Scan Based Side Channel Attack on Dedicated Hardware Implementations of Data Encryption Standard). So what’s the alternative? Mention was made in the EE Times article that a “primary alternative [to scan/ATPG] is built-in self-test (BIST), which is more secure because it doesn’t require visible scan chains”. And so we see another facet to the “Scan vs. BIST” debate.

Interestingly enough, there were no direct references to scan-based attacks in any of the D&T articles. So what is the status of this issue? Did it not pan out to be that much of a problem? The applications for embedded security can only be growing. Are any of you readers close to this issue?

I’d love to hear from you…