cycle
play

Cycle Jerry Backer (1) , David Hly (2) and Ramesh Karri (1) - PowerPoint PPT Presentation

Dec 31, 2023 •447 likes •1.07k views

SoC Security Through the Life Cycle Jerry Backer (1) , David Hly (2) and Ramesh Karri (1) Polytechnic School of Engineering, New York University Universit Grenoble Alpes, LCIS, Valence 1 Agenda Introduction SoC lifecycle Test

  1. SoC Security Through the Life Cycle Jerry Backer (1) , David Hély (2) and Ramesh Karri (1) Polytechnic School of Engineering, New York University Université Grenoble Alpes, LCIS, Valence 1

  2. Agenda  Introduction – SoC lifecycle – Test and Debug – Motivations  Focus on Debug Security – Debug and SoC – Debug Threats – A secure Debug mechanism  Leveraging Test and Debug features for System Security – Software threats – Test based countermeasure – Debug based countermeasure Conclusions and Perspectives  2

  3. Syste System On Chip: T m On Chip: The he Stak Stakeholder eholders • System on Chip Architect • Specify the system • Components designers • Design on purpose components • System Integrator • Integrates the components • Fabrication Engineers • Manufacture the IC • Test the IC • Package the IC • Personalization Engineers • Configure the IC to the customers • OS Providers • 3 rd Party SW developers J. Backer, D. Hely and R. Karri 3

  4. System System On Chi On Chip: T p: Test and est and Debug De bug All need dedicated access to the system in order to: • Test the SoC: Check Fabrication has been properly carried out • Debug the system (either hardware or software) Extra Hardware is added to offer to the SoC stakeholders extra observability/controllability of the internal system What about Security ? 4

  5.  SoC Integration SoC Inte SoC Integration tion  SoC Integration Main 8051 DMAC CPU μCont Mem OTP AES Cont. 5

  6.  SoC Integration SoC Inte SoC Integration tion  SoC Integration • Test/Debug Layer: IP cores configured with internal scan chains, wrapped for test, and connected via a test access mechanism (TAM) bus 3PIP Internal Logic 6

  7.  SoC Integration SoC SoC Inte Integration tion  SoC Integration • Test/Debug Layer: IP cores configured with internal scan chains, wrapped for test, and connected via a test access mechanism (TAM) bus internal scan cells 7

  8.  SoC Integration SoC Inte SoC Integration tion  SoC Integration • Test/Debug Layer: IP cores configured with internal scan chains, wrapped for test, and connected via a test access mechanism (TAM) bus WSO WBR WIR WBY WSC WBR WSI 8

  9.  SoC Integration SoC Inte SoC Integration tion  SoC Integration • Test/Debug Layer: IP cores configured with internal scan chains, wrapped for test, and connected via a test access mechanism (TAM) bus WSO WBR • Wrapper Boundary Register (WBR) • Wrapper Serial Control (WSC) • Wrapper Serial Input (WSI) o selectWIR • Wrapper Serial Output (WSO o shiftWR • Wrapper Bypass Register (WBY) o captureWR • Wrapper Instruction Register (WIR) o updateWR WIR WBY WSC WBR WSI 9

  10.  SoC Integration SoC Inte SoC Integration tion  SoC Integration • Test/Debug Layer: IP cores configured with internal scan chains, wrapped for test, and connected via a test access mechanism (TAM) bus Test Interface WSI WBR WSO WBR WSI WBR WSI WSO WSO OTP Main CPU 8051 μCont WSC WSC WSC TAM Bus 10

  11.  SoC Integration  SoC Integration • Functional Layer: IP cores interconnected to meet functional specifications. Connections done via system bus, network-on-chip (NoC), sideband and coherence interfaces Main 8051 DMAC CPU μCont System bus Mem OTP AES Cont. 11

  12.  Scan-based Side Channel Attack Test Lay est Layer er Attac Attack  Scan-based side-channel attack via test layer • Goal: Use internal scan cells to leak assets such as encryption keys • Case study: AES core [1][2] 1. Put SoC in normal mode 2. Use functional input ports to set AES plaintext 3. Run AES for one round 4. Switch SoC to test mode 5. Shift out round output via test output port (e.g. WSO port) 6. Analyze output* 7. Repeat until key is obtain * Differential analysis by tracing bit flips between plaintexts and ciphertexts  12

  13. Motivations  Securing Test and Debug Mecanisms: – How to keep high observability and controllability for test and debug while guaranteeing a high level of security for the SoC assets?  Leveraging Test and Debug hardware for mission mode security: – How to reuse the unused test and debug hardware in mission mode to provide new security services? 13

  14. Agenda  Introduction – SoC lifecycle – Test and Debug – Motivations  Focus on Debug Security – Debug and SoC – Debug Threats – A secure Debug mechanism  Leveraging Debug features for System Security – Software threats – Test based countermeasure – Debug based countermeasure Conclusions and Perspectives  14

  15. Debug Instrumentation of Systems-on-Chip Who uses the SoC DfD infrastructure? 15

  16. Debug Instrumentation of Systems-on-Chip System Fabric • SoC DfD infrastructure Signal filter (SF) o SF WiFi LCD Trace bus o DSP Debug bus o μP μP SF JTAG Joint test Access Group (JTAG) o SF SF SF SF Debug Bus Trace Bus 16

  17. Debug Instrumentation of Systems-on-Chip Who uses the SoC DfD infrastructure? Post-silicon validation • SoC integrator/debugger • Original equipment manufacturer (OEM) • Outsourced Semiconductor test and assembly (OSAT) 17

  18. Debug Instrumentation of Systems-on-Chip Who uses the SoC DfD infrastructure? Post-silicon In-field validation • SoC integrator • OEM • O.S. vendor • 3 rd party software developer 18

  19. Debug Instrumentation of Systems-on-Chip Who uses the SoC DfD infrastructure? Post-silicon In-field retirement validation • SoC integrator • OEM 19

  20. Debug Instrumentation of Systems-on-Chip Who uses the SoC DfD infrastructure? Post-silicon retirement In-field validation • SoC • SoC integrator • SoC integrator/debug • OEM integrator ger • OS vendor • OEM • OEM • 3 rd party software • OSAT developer Security implication: rogue debugger can use DfD to illegally leak SoC assets 20

  21. Threat Model SoC Assets and Asset Owners SoC Assets • Cryptographic keys • Unique ID • Configuration/calibration data • Premium content • Proprietary firmware 21

  22. Threat Model SoC Assets and Asset Owners SoC Assets Asset Owners • IP vendors • Cryptographic keys • SoC integrator • Unique ID • OEM • Configuration/calibration data • O.S. vendor • Premium content • 3 rd party software vendors • Proprietary firmware 22

  23. Threat Model SoC Assets and Asset Owners SoC Assets Asset Owners • IP vendors • Cryptographic keys • SoC integrator • Unique ID • OEM • Configuration/calibration data • O.S. vendor • Premium content • 3 rd party software vendors • Proprietary firmware • SoC security requirement: specific assets are confidential to asset owners • DfD traces expose assets to all debuggers • Rogue debuggers leverage traces to leak SoC assets 23

  24. Threat Model trace-based debug compressed traces firmware disassembly Extract asset decompress 010111011001… MOV r0, #10 MOV r0, #10 100100100110… MOV r1, #3 MOV r1, #3 SoC 0110110110110… ADD r0, r0, r1 ADD r0, r0, r1 1110110100100… Objective: Leak confidential SoC assets such as cryptographic keys and proprietary firmware 24

  25. Threat Model trace-based debug compressed traces firmware disassembly Extract asset decompress 010111011001… MOV r0, #10 MOV r0, #10 100100100110… MOV r1, #3 MOV r1, #3 SoC 0110110110110… ADD r0, r0, r1 ADD r0, r0, r1 1110110100100… • Objective: Leak confidential SoC assets such as cryptographic keys and proprietary firmware • Assumptions 1. Only SoC integrator is trusted 2. Rogue debugger has insider knowledge of SoC design 25

  26. Threat Model trace-based debug compressed traces firmware disassembly Extract asset decompress 010111011001… MOV r0, #10 MOV r0, #10 100100100110… MOV r1, #3 MOV r1, #3 SoC 0110110110110… ADD r0, r0, r1 ADD r0, r0, r1 1110110100100… • Objective: Leak confidential SoC assets such as cryptographic keys and proprietary firmware • Assumptions 1. Only SoC integrator is trusted 2. Rogue debugger has insider knowledge of SoC design 3. No collusion among rogue debuggers • Attack: Configure DfD for trace-base debugging o Decompress debug traces to reconstruct firmware/execution o flow Extract asset from decompressed traces o 26

  27. Existing Security Mechanisms JTAG • Permanent JTAG Lock JTAG • JTAG authentication Encrypt(Trace, Key) • Trace encryption 0x00000000 – 0x000FFF : restricted • Restricted memory segments 0xFFFFE100 – 0xFFFFE4FF : restricted 27

  28. Proposed Secure DfD Infrastructure • Requirements 1. Enforce confidentiality policy of SoC assets 2. Maintain debug observability 3. Limit area, power costs 1. Have no impact on debugging time 2. Have no impact on SoC horizontal design flow and supply chain 28

  29. Proposed Secure DfD Infrastructure 0001 0001 0x0000 … 0100 JTAG = debugger 1000 ID DfD funnel debugger ID Asset filtering Secure asset tagging Debugger authentication • Secure asset tagging Tag size = # debuggers o • Debugger authentication Debugger ID = tag size o No confidentiality requirement for debugger ID o • Asset filtering 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

New hysteresis cycle for low energy operation C. Liu Mar. 16, 2018 New cycle vs. old cycle

New hysteresis cycle for low energy operation C. Liu Mar. 16, 2018 New cycle vs. old cycle

New hysteresis cycle for low energy operation C. Liu Mar. 16, 2018 New cycle vs. old cycle Current (181.593A) at which we inject and collide beams. old new History P. Thieberger proposed a new hysteresis in 2012 APEX workshop to reduce

374 views • 5 slides
200711473 Software life cycle SDD within the life cycle SDD

200711473 Software life cycle SDD within the life cycle SDD

200711473 Software life cycle SDD within the life cycle SDD within the life cycle Purpose of an SDD - Period of time that starts when a software product is conceived and ends. -The life cycle approach is an

1.12k views • 28 slides
EMA Concerns With Draft Off-Cycle GTR Effective Off-Cycle Control Should Include: a. A set of

EMA Concerns With Draft Off-Cycle GTR Effective Off-Cycle Control Should Include: a. A set of

OCE Informal Document No. 18 Ninth Plenary Meeting of the Working Group On Off-Cycle Emissions 11&12 January 2005 Palais des Nations, Geneva EMA Concerns With Draft Off-Cycle GTR Effective Off-Cycle Control Should Include: a. A set of

594 views • 18 slides
Multi-Cycle CPU: Datapath and Control CSE 141, S2'06 Jeff Brown Why a Multiple Clock Cycle CPU?

Multi-Cycle CPU: Datapath and Control CSE 141, S2'06 Jeff Brown Why a Multiple Clock Cycle CPU?

Multi-Cycle CPU: Datapath and Control CSE 141, S2'06 Jeff Brown Why a Multiple Clock Cycle CPU? the problem => single-cycle cpu has a cycle time long enough to complete the longest instruction in the machine the solution => break

559 views • 38 slides
Cycle 4c: R-type result write (add, and) Inf2C Computer Systems - 2013-2014 19 What happens in

Cycle 4c: R-type result write (add, and) Inf2C Computer Systems - 2013-2014 19 What happens in

Lecture 9: Processor design multi cycle Aren t single cycle processors good enough? No! Speed: cycle time must be long enough for the most complex instruction to complete But the average instruction needs less time Cost:

458 views • 22 slides
Multi Cycle CPU Jason Mars Monday, February 4, 13 Why a Multiple Cycle CPU? Monday, February 4,

Multi Cycle CPU Jason Mars Monday, February 4, 13 Why a Multiple Cycle CPU? Monday, February 4,

Multi Cycle CPU Jason Mars Monday, February 4, 13 Why a Multiple Cycle CPU? Monday, February 4, 13 Why a Multiple Cycle CPU? The problem => single-cycle cpu has a cycle time long enough to complete the longest instruction in the machine

1.07k views • 93 slides
The Great Depression The Business Cycle Business Cycle: model representing the nations 1.

The Great Depression The Business Cycle Business Cycle: model representing the nations 1.

The Great Depression The Business Cycle Business Cycle: model representing the nations 1. economic activity and strength The Business Cycle 2. Phases within a Business Cycle: Recession (Rc): a slow - down in the economy for two consecutive a.

560 views • 8 slides
Introductions Panelists: Angela L. Confoey, Director of Revenue Cycle and Patient Financial

Introductions Panelists: Angela L. Confoey, Director of Revenue Cycle and Patient Financial

Championship Revenue Cycle: Passion & Purpose Back End Revenue Cycle Current Issues Thursday, January 18 th , 2018 Gillette Stadium Clubhouse Tim Bavosi, VP Consulting at RevSpring Inc. Championship Revenue Cycle: Passion &

299 views • 12 slides
Conflict, Crisis and Disaster Affected Populations Thanks to AED/ USAI D Cycle I V Kenya C

Conflict, Crisis and Disaster Affected Populations Thanks to AED/ USAI D Cycle I V Kenya C

Conflict, Crisis and Disaster Affected Populations Thanks to AED/ USAI D Cycle I V Kenya C Cycle I V Thailand l I V Th il d Cycle V Thailand Cycle VI Thailand & Ethiopia p CYCLE VI Evaluating Refraction Accuracy Pilot Testing

496 views • 32 slides
Simple Cycle (SC) Operation at Combined Cycle (CC) Plants Disadvantages of SC over CC: Less MW

Simple Cycle (SC) Operation at Combined Cycle (CC) Plants Disadvantages of SC over CC: Less MW

Simple Cycle (SC) Operation at Combined Cycle (CC) Plants Disadvantages of SC over CC: Less MW output Worse Heat Rate May require Hot SCR to meet air permit requirements, adding significantly to installed cost and auxiliary load.

269 views • 7 slides
Intro to Life Cycle Analysis Intro to Life Cycle Analysis Intro to Life Cycle Analysis

Intro to Life Cycle Analysis Intro to Life Cycle Analysis Intro to Life Cycle Analysis

Intro to Life Cycle Analysis Intro to Life Cycle Analysis Intro to Life Cycle Analysis 2.83/2.813 2.83/2.813 2.83/2.813 Manufacturing End of Life Mining Use Phase References 1. Allen and Shonnard, Ch 13 1. Life Cycle Concepts Life

680 views • 54 slides
1 If it's not merely programming Life Cycle What is it? Software life cycle Life Cycle

1 If it's not merely programming Life Cycle What is it? Software life cycle Life Cycle

Announcements CSE 403, Software Engineering Quiz section will be held in CSE 305 Lecture 2 Software Life Cycle Project Schedule Writing assignment Preliminary Design, April 15 Due Monday, 1:30 pm, April 4 Preliminary Release,

162 views • 4 slides
Fatigue - Keywords Cyclic Process High Cycle Low Cycle Example Aeroplane

Fatigue - Keywords Cyclic Process High Cycle Low Cycle Example Aeroplane

Fatigue - Keywords Cyclic Process High Cycle Low Cycle Example Aeroplane turbines Power Plants Bridges, Flyovers Cranes Basquin Equation : N a p = C Mechanism Appearance of Fracture Surface A smooth

606 views • 14 slides
LORETO COLLEGE FOXROCK SUBJECT CHOICES FOR JUNIOR CYCLE INTRODUCTION TO NEW JUNIOR CYCLE The

LORETO COLLEGE FOXROCK SUBJECT CHOICES FOR JUNIOR CYCLE INTRODUCTION TO NEW JUNIOR CYCLE The

LORETO COLLEGE FOXROCK SUBJECT CHOICES FOR JUNIOR CYCLE INTRODUCTION TO NEW JUNIOR CYCLE The Framework for Junior Cycle (2015) outlines the key educational changes that the Department of Education and Skills (DES) has put in place for the first

1.07k views • 18 slides
The CNO Cycle - The main nuclear reaction sequence in the sun is the p-p cycle which we discussed

The CNO Cycle - The main nuclear reaction sequence in the sun is the p-p cycle which we discussed

The CNO Cycle - The main nuclear reaction sequence in the sun is the p-p cycle which we discussed last week. - Other nuclear reactions do occur and produce neutrinos that are detectable on Earth. - In stars more massive than the sun, H is

305 views • 5 slides
Intro to Life Cycle Analysis 2.83/2.813 Manufacturing End of Life Mining Use Phase Life Cycle

Intro to Life Cycle Analysis 2.83/2.813 Manufacturing End of Life Mining Use Phase Life Cycle

Intro to Life Cycle Analysis 2.83/2.813 Manufacturing End of Life Mining Use Phase Life Cycle Assessment LCA is a methodology to account for and assess the environmental impacts from all phases / stages of a product life cycle Mining

993 views • 72 slides
GLOBE. WE ARE THE U.S. ARMY SERVICE COMPONENT COMMAND OF THE U.S. TRANSPORTATION COMMAND A N D A

GLOBE. WE ARE THE U.S. ARMY SERVICE COMPONENT COMMAND OF THE U.S. TRANSPORTATION COMMAND A N D A

UNCLASSIFIED M I L I TA RY S U R FAC E D E P L OY M E N T & D I S T R I BU T I O N C O M M A N D MILITA RY S U R FAC E DE P LOYME NT & D I S TR I BU TION CO MMA N D SDDC Systems S D D C M O V E S Mr. Christopher Heiby A N D S U S T A

291 views • 15 slides
Galindo-Garcia Identity-Based Signature Revisited. Sanjit Chatterjee, Chethan Kamath and Vikas

Galindo-Garcia Identity-Based Signature Revisited. Sanjit Chatterjee, Chethan Kamath and Vikas

Galindo-Garcia Identity-Based Signature Revisited. Galindo-Garcia Identity-Based Signature Revisited. Sanjit Chatterjee, Chethan Kamath and Vikas Kumar Indian Institute of Science, Bangalore November 2, 2013 Galindo-Garcia Identity-Based

584 views • 57 slides
Bunched Beam Cooling for Hadron Colliders Valeri Lebedev & Sergei Nagaitsev Fermilab

Bunched Beam Cooling for Hadron Colliders Valeri Lebedev & Sergei Nagaitsev Fermilab

Bunched Beam Cooling for Hadron Colliders Valeri Lebedev & Sergei Nagaitsev Fermilab APS-DPF meeting July 31 - August 4, 2017 Fermilab, Batavia, IL Talk Objectives Beam cooling at collision energies is required for future hadron

671 views • 22 slides
From Selective-ID to Full-ID IBS without Random Oracles Sanjit Chatterjee and Chethan Kamath

From Selective-ID to Full-ID IBS without Random Oracles Sanjit Chatterjee and Chethan Kamath

Overview Background The Transformation Conclusion and Future Work From Selective-ID to Full-ID IBS without Random Oracles Sanjit Chatterjee and Chethan Kamath Indian Institute of Science, Bangalore November 3, 2013 Overview Background The

1.34k views • 44 slides
Recent Performance Analysis with Memphis Collin McCurdy Future Technologies Group Motivation

Recent Performance Analysis with Memphis Collin McCurdy Future Technologies Group Motivation

Recent Performance Analysis with Memphis Collin McCurdy Future Technologies Group Motivation Current projections call for each chip in an Exascale system to contain 100s to 1000s of processing cores Already (~10 cores/chip) memory

884 views • 22 slides
Market Microstructure Invariants Albert S. Kyle and Anna A. Obizhaeva University of Maryland

Market Microstructure Invariants Albert S. Kyle and Anna A. Obizhaeva University of Maryland

Market Microstructure Invariants Albert S. Kyle and Anna A. Obizhaeva University of Maryland Fields Institute Toronto, Canada March 27, 2013 Kyle and Obizhaeva Market Microstructure Invariance 1/64 Overview Our goal is to explain how order

1.07k views • 64 slides
A Closer Look at Multiple Forking: Leveraging (In)dependence for a Tighter Bound Sanjit

A Closer Look at Multiple Forking: Leveraging (In)dependence for a Tighter Bound Sanjit

Background Multiple Forking Improving on Multiple Forking Conclusion and Future Work A Closer Look at Multiple Forking: Leveraging (In)dependence for a Tighter Bound Sanjit Chatterjee and Chethan Kamath Indian Institute of Science, Bangalore

571 views • 56 slides
On Content Indexing for Off-Path Caching in Information-Centric Networks Suzan Bayhan, Liang

On Content Indexing for Off-Path Caching in Information-Centric Networks Suzan Bayhan, Liang

On Content Indexing for Off-Path Caching in Information-Centric Networks Suzan Bayhan, Liang Wang, Jrg Ott, Jussi Kangasharju, Arjuna Sathiaseelan, Jon Crowcroft University of Helsinki (Finland), TU Munich (Germany), University of Cambridge

900 views • 36 slides

More recommend