Security Issues in IC

Joon-Sung Yang

DATES(Design and Test for Systems) Lab

Sungkyunkwan University

DATES Lab

Page 2

Security

<source : http://www.goophone.net>

DATES Lab

Copycat

Ex) Goophone

Page 3

Security

<source : http://www.gizchina.com/2013/10/13/goophone-open-international-webstore/>

DATES Lab

Smartphone

Penetration by Country

Page 4

IC Market

DATES Lab

Smartphone

Increasing Market

Page 5

IC Market

DATES Lab

What is this?

Page 6

Smartphone

<source : http://www.donga.com>

DATES Lab

Copycat

Page 7

Smartphone

<source : http://www.donga.com>

DATES Lab

Specification

Page 8

Smartphone

<source : http://www.donga.com>

DATES Lab

Past..

Counterfeit

Examples

Deliberately Misrepresented Part Its Identity (e.g. manufacturer, part number, date code, lot code)

Copied (reverse engineered) Part

Used Parts Sold as New

Defective Parts Sold as New or Working Used Parts

Fake Parts

Page 9

Security

<source : http://www.kozio.com>

DATES Lab

Mission Critical Applications

Military Defense Systems

Fighter Jet Case : Jet Failure at High Altitude (Temperature Issue)

Medical Systems

Health & Safety Issues

Page 10

Security

<source : http://www.kozio.com/blog/scripting-a-counterfeit-ic-detection-strategy>

DATES Lab

Economic Impact

Expecting

Semiconductor Industry Revenue Loss (2011)

– 7.5 Billion Dollars

– 11,000 US Job Positions

Page 11

Security

DATES Lab

General Counterfeit Detection Process

Page 12

Security

DATES Lab

How to Avoid Unauthentic ICs Use?

Can We Monitor them?

H/W Metering

Need for IP Owner to Track Manufacture Chips

Ways to Enable IP Owners Accessing ICs at Post-Si

Methods to Uniquely Tag Each Chip for Tracing Them

Page 13

Hardware Metering

DATES Lab

Authentication Flow

Page 14

Authentication

DATES Lab

Traditional Method

Embed Unique Secret Key in NVM

Challenge -> Response

Limitation

Side Channel Attacks on NVM

Resource Intensive Cryptography

Page 15

Authentication

DATES Lab

Physically Unclonable Function (PUF)

Find Something Unique per Chip

Process Variation

– Arbiter PUF

Page 16

ID Generation

DATES Lab

Physically Unclonable Function (PUF)

Find Something Unique per Chip

Process Variation

– Ring Oscillator PUF

Page 17

ID Generation

DATES Lab

Physically Unclonable Function (PUF)

Find Something Unique per Chip

Process Variation

– SRAM PUF

Page 18

ID Generation

DATES Lab

Physically Unclonable Function (PUF)

Find Something Unique per Chip

Process Variation

– SCAN PUF

Page 19

ID Generation

DATES Lab

Authentication Flow

Page 20

PUF

DATES Lab

Authentication Flow

Page 21

PUF

DATES Lab

Authentication Flow

Page 22

PUF

DATES Lab

Pros & Cons

Pros

No Need to Store NVM based Key (ID)

Random and Vast Number or Challenge-Response Pairs

Cons

Non-Deterministic

– Multiple Iteration Required

Process Variation Affected by Aging

Need to Enhance Determinism

Page 23

PUF

DATES Lab

Trojan Virus – S/W

Illegal S/W Download

Computers, Smart Phones

Erase Memory, Send Password & Credit Card Information

Page 24

Another Security Issue

DATES Lab

H/W Trojan? (HTH : Hardware Trojan Horse)

Business Model Shift

Fabless Company

Threat Holes

Page 25

Another Security Issue

IP Vendor

System

Integrator Manufacturer

Trusty?

Trusty? Trusty?

DATES Lab

Threat Holes

HTH Inserted IC to Customer

Possible Damage

H/W Performance Degradation

Authentication Flow Incapacitation

Secret Data Leak.. Backdoor.

IC Destruction

Page 26

HTH : Hardware Trojan Horse

DATES Lab

How It Works..

Time Bomb

Page 27

HTH Insertion

<source : Y. Alkabani and F. Koushanfar, “Extended Abstract : Designer’s Hardware Trojan Horse”, Proc. IEEE Int’l Workshop Hardware-Oriented Security and Trust>

DATES Lab

Action

UK, US, Canada, New Zealand and Australia

Use & Import Ban due to Backdoor Vulnerability

Page 28

HTH : Hardware Trojan Horse

<source : http://www.theregister.co.uk/2013/07/29/lenovo_accused_backdoors_intel_ban>

DATES Lab

Classification

Page 29

HTH

<source : X. Wang, M. Tehranipoor, and J. Plusquellic, “Detecting Malicious Inclusions in Secure Hardware: Challenges and Solutions”, IEEE HOST, 2008>

DATES Lab

How Hard is it to Find HTHs?

A Number of IPs Integrated in SoC

Soft, Firm and Hard IP, Hidden Small HTH

Almost Impossible Physical Detection in Nanometer Technology

Too Much Effort for Reverse Engineering

Conditional Activation

Activated in Special Case (Test Will Not Cover)

Page 30

HTH

DATES Lab

HTH Detection Approaches

Side-Channel Analysis

Using Power, Delay, Electromagnetic Wave, Thermal Emission, etc.

Analysis Flow

– 1) Selecting Chips

– 2) Iterative I/O Test -> Capturing Side-Channel Characteristics

– 3) Building Finger Print

– 4) Perform 2) and 3) for Golden Chip (Reference Chip)

– 5) Compare Finger Prints

Page 31

HTH

DATES Lab

HTH Detection Approaches

Side-Channel Analysis

Power Analysis Example

– Green Lines : Golden Chip

– Blue Lines : HTH Inserted Chip

Page 32

HTH

<source : X. Wang, M. Tehranipoor, and J. Plusquellic, “Detecting Malicious Inclusions in Secure Hardware: Challenges and Solutions”, IEEE HOST, 2008>

DATES Lab

HTH Detection Approaches

Side-Channel Analysis

Advantage

– Can Check Different Characteristics (Power, Delay, Thermal Diagram, etc.)

– No Need to Intentionally Activate HTH (Iterative Stress Test and HTHs Activated Always)

Disadvantage

– Very Susceptible to Noise

– Hard to Distinguish between HTH and Process Variation

– Cannot Detect Conditionally Activating HTHs

Page 33

HTH

DATES Lab

HTH Detection Approaches

Test Vector based Analysis

Trying to Activate HTHs

– Region Free Method

– Region Aware Method

Page 34

HTH

DATES Lab

HTH Detection Approaches

Test Vector based Analysis

Region Free Method

– Try to Active HTH Without Knowing CKT Information

– Applying Test Patterns

– Not Effective

Page 35

HTH

DATES Lab

HTH Detection Approaches

Test Vector based Analysis

Region Aware Method

– Try to Active HTH With Knowing CKT Information

– Flow

o 1) Partition CKT to Sub-CKTs (Clustering)

o 2) Generate Patterns for Sub-CKTs : Try to Increase Switching Activity, Power ONLY IN SELECTED Sub-CKT and Reduce Activity in Other Sub-CKTs

o 3) Perform 2) for Each Sub-CKT

Page 36

HTH

DATES Lab

HTH Detection Approaches

Test Vector based Analysis

Region Aware Method Example

– ISCAS Benchmark s3271 Switching Activity

– Blue Line : Golden Chip

– Red Line : HTH Inserted Chip

Page 37

HTH

DATES Lab

IoT (Internet of Things)

Page 38

Security

Data Acquisition

Data Aggregation

Data Analysis

DATES Lab

IoT (Internet of Things)

Page 39

Security

Data Acquisition

Data Aggregation

Data Analysis

DATES Lab

IoT (Internet of Things)

Page 40

Security

<source : http://www.digikey.com/en/articles/techzone/2014/jan/short-range-low-power-wireless-devices-and-internet-of-things-iot>

DATES Lab

Security Concerns

Need for Design for Security (DFS)

Secure Authentication

Supporting Side-Channel Analysis by CAD Tools

CKT Obfuscation : IP Protection

Test vs. Security

Page 41

Security