Security Design for IEEE P 1687 Hejia Liu
- Slides: 26
Security Design for IEEE P 1687 Hejia Liu Major Professor: Vishwani D. Agrawal
Introduction �Part 1: Introduction of IEEE P 1687 (IJTAG) security risks in P 1687 �Part 2: Security design and expected unlocking time �Part 3: Discussion of a proposal and improvement in security Apr 8, 2014 Liu: MEE Project 2
IEEE 1149. 1 (JTAG) Interface Apr 8, 2014 Liu: MEE Project 3
What is P 1687/ IJTAG? �IEEE P 1687 is a valuable tool for accessing on-chip instruments during test, diagnosis, debug and board configurations. �P 1687 is a proposed IEEE Standard that has 3 components ◦ A flexible set of serial scan chain techniques for the instrument access architecture (called the network) ◦ A network description language (called instrument connectivity language, ICL) ◦ An instrument vector language (called procedure description language, PDL) Apr 8, 2014 Liu: MEE Project 4
Communication between Chips An example of communication P 1687 network between 3 chips Apr 8, 2014 Liu: MEE Project 5
Instruments, IPs �An IP (Intellectual property core) with a P 1687 compliant interface is named instrument. �IPs: Analog, digital or mixed signal circuitry performing particular functions, such as a clock a generator, an interface to an external measurement probe, a radio tuner, an analog signal converter, a digital signal processor, etc. Apr 8, 2014 Liu: MEE Project 6
P 1687 Network Rst Optional Apr 8, 2014 Liu: MEE Project 7
FSM of TAP Controller Apr 8, 2014 Liu: MEE Project 8
Security Risks �Depending on the application, data may be stored on-chip, including chip ID, codes, and encryption keys. � An attacker can access a targeted instrument and obtain the secret data easily. Apr 8, 2014 Liu: MEE Project 9
A Possible Break-in Procedure �Step 1: Load Instruction code in TAP �Step 2: Shift in an attempt vector �Step 3: Clock the TAP controller �Step 4: If attempt successful, access instrument �Step 5: Else, repeat from step 2 Apr 8, 2014 Liu: MEE Project 10
Security Levels �Insecurity: Break-in time at the level of days �Weak security: Break-in time at the level of years �Strong security: Break-in time at the level of ten years �Full Security: Break-in time in the level of thousand years Apr 8, 2014 Liu: MEE Project 11
Structure of SIB (Segment Insertion Bit) Select=1 Shift. En=1 To_TDO 1 To_TDI 2 TDI From_TDO 2 0 0 1 1 0 1 Shift cell Update cell Select 1 Shift. En Select TCK Update. En Apr 8, 2014 Liu: MEE Project 12
Structure of SIB (Segment Insertion Bit) Select=0 Shift. En=1 To_TDO 1 To_TDI 2 TDI From_TDO 2 0 0 1 1 0 1 Shift cell Update cell Select 0 Shift. En Select TCK update. E n Apr 8, 2014 Liu: MEE Project 13
The Structure of SIB (Segment Insertion Bit) Shift. En=0 Update. En=1 To_TDI 2 To_TDO 1 0 TDI From_TDO 2 0 0 1 Shift cell 1 Update cell 1 1 1 Shift. En Select TCK Update. En Apr 8, 2014 Liu: MEE Project 14
Dworak, et al. . , ”Don’t forget to lock your SIB: Hiding instrument using P 1687, ” ITC 2013 Locking-SIB With Trap To_TDO 1 To_TDI 2 0 TDI From_TDO 1 1 0 1 Shift cell RST Update cell Shift. En Select TCK Update. En Key[0] Key[n ] Whether the key and trap feedback value is 1 or 0 is decided by structure Select Trap feedback select signal Apr 8, 2014 Liu: MEE Project 15
Unsecure and Secure P 1687 Networks Apr 8, 2014 Liu: MEE Project 16
Dworak, et al. , “Don’t forget to lock your SIB: Hiding instrument using P 1687, ” ITC 2013 Break-in Procedure Cost(LSIB unlock attempt w/Trap) Prob(opening SIB with key of k bits) Apr 8, 2014 Liu: MEE Project 17
Expected Results (f = 100 MHz) Expected time to unlock LSIB with Trap Days Years Key length K Chain Length N 8 16 32 48 640 1280 2560 5120 7. 79 E-07 3. 94 E-04 5. 13 E+01 6. 69 E+06 2. 13 E-09 1. 08 E-06 1. 41 E-01 1. 83 E+04 64 10240 8. 76 E+11 2. 40 E+09 80 20480 1. 15 E+17 3. 15 E+14 96 40960 1. 50 E+22 4. 11 E+19 Apr 8, 2014 Liu: MEE Project 19
Features of Secure Structure � Apr 8, 2014 Liu: MEE Project 20
An Original Proposal: Use SLFSR (Secure LFSR) to Hide Scan Path Length Apr 8, 2014 Liu: MEE Project 21
SLFSR Example Apr 8, 2014 Liu: MEE Project 22
Break-in Procedure Apr 8, 2014 Liu: MEE Project 23
Attacker’s Strategies � Apr 8, 2014 Liu: MEE Project 24
Expected Results (f = 100 MHz) Condition 3: � Key Chain length K N Expected time to unlock LSIB with SLFSR(days) Days Years cycles %Increase Compared to Trap without SLFSR 8 32 2. 32 E-07 6. 36 E-10 2. 01 e+05 395. 9596 16 64 9. 34 E-05 2. 56 E-07 8. 07 e+07 377. 9141 32 128 1. 06 E+01 2. 90 E-02 9. 14 E+12 365. 6357 40 160 3. 28 e+03 8. 98 2. 83 E+15 362. 8169 48 192 9. 85 E+05 2. 70 E+03 8. 51 E+17 360. 8592 56 224 2. 90 E+08 7. 93 e+05 2. 50 E+20 359. 4203 64 256 8. 37 E+10 2. 29 e+08 7. 23 E+22 358. 3181 80 320 6. 74 E+15 1. 85 E+13 5. 82 E+27 356. 7407 96 384 5. 24 E+20 1. 44 E+18 4. 53 E+32 355. 6663 Apr 8, 2014 Liu: MEE Project 25
Disadvantage Compared to Structure without SLFSR � Apr 8, 2014 Liu: MEE Project 26
Conclusion �It is useful we replace the non- functional segments with SLFSR �Security SLFSR increases attacker’s effort as breaking not only depends on the structure we build up, but also the strategies that attacker chooses. �We should be concerned about the “lucky” attacker Apr 8, 2014 Liu: MEE Project 27
- Ieee 1687
- P 1687
- 1687
- Alex liu cecilia liu
- Líu líu lo lo ta ca hát say sưa
- Private securty
- Fspos
- Novell typiska drag
- Nationell inriktning för artificiell intelligens
- Returpilarna
- Varför kallas perioden 1918-1939 för mellankrigstiden?
- En lathund för arbete med kontinuitetshantering
- Personalliggare bygg undantag
- Vilotidsbok
- Anatomi organ reproduksi
- Vad är densitet
- Datorkunskap för nybörjare
- Stig kerman
- Mall för debattartikel
- Magnetsjukhus
- Nyckelkompetenser för livslångt lärande
- Påbyggnader för flakfordon
- Kraft per area
- Offentlig förvaltning
- Lyckans minut erik lindorm analys
- Presentera för publik crossboss
- Argument för teckenspråk som minoritetsspråk