Slides

Financial Implications of
Security in VLSI Test
Ozgur Sinanoglu
Computer Engineering Department
y – Abu Dhabi
New York University
Outline
• Manufacturing & test of integrated circuits
• Design-for-Testability (DfT)
• Cost vs benefits of DfT and test
• Test: Threat for security
• Design-for-Secure-Testability
• Hardware trojans
• Test: Tool for checking trustworthiness
• Design-for-Trust
Reliability of Integrated Circuits (ICs)
Main-stream
Main
stream
applications
Mission-critical
applications
• Deliveryy of defect-free p
products is crucial
• Every single manufactured chip must be tested
IC Manufacturing
g Process
Blank wafer
with defects
30-60 cm
30-60 cm
Silicon
crystal
ingot
g
Slicer
15-30
15-30
cm
cm
x x
x x x
x
x
x x
x x
Patterned wafer
Processing:
20-30 steps
(100s of simple or scores
of complex processors)
0 2 cm
0.2
Dicer
Die
~1 cm
Die
tester
Good
die
~1 cm
Microchip
or other part
Mounting
Part
tester
Usable
U
bl
part
to ship
It uses light to transfer a geometric pattern from a photo mask to a
light-sensitive chemical photo resist on the substrate. A series of
chemical
h i l treatments
t t
t then
th engraves the
th exposure pattern
tt
i t the
into
th
material underneath the photo resist. In a modern CMOS, a wafer
will go through the photolithographic cycle up to 50 times
IC Manufacturing
g Process
Blank wafer
with defects
30-60 cm
30-60 cm
Silicon
crystal
ingot
g
Slicer
15-30
15-30
cm
cm
x x
x x x
x
x
x x
x x
Patterned wafer
Processing:
20-30 steps
(100s of simple or scores
of complex processors)
0 2 cm
0.2
Dicer
Die
~1 cm
Die
tester
Good
die
~1 cm
Microchip
or other part
Mounting
Part
tester
Usable
U
bl
part
to ship
Defective ICs
Manufacturing defects:
–
–
–
–
–
Metal bridges
Silicon substrate defects
Photolithographic defects
Process variations
Oxide defects
Impact
p
at electrical level:
– Transistor stuck-on, stuck-open
– Resistive shorts, opens
– Excessive steady-state currents
Types of failures:
•
Catastrophic failures: ICs that don’t
don t work
•
Performance failures: ICs that can operate only at a slower speed
Manufacturing Test Process
Automatic Tester Equipment (ATE)
Every manufactured chip
goes through testing:
• Test patterns applied one at a
time
• Observed response compared
to expected response
 Mismatch  Defect
Test cost is a recurring cost
• ~30% of overall cost is due to
test today
• Getting
g worse
Manufacturing vs Test Cost
C t ((cents)
Cost
t ) per chip
hi
100000
10000
Design + Manufacturing
1000
100
Test
10
1
1980 1985 1990 1995 2000 2005 2010 2015
Source: International Technology Roadmap for Semiconductors (ITRS) 2001
(High-performance microprocessor product segment)
Testing
g as Filter Process
Good
chips
pass
Fabricated
Defective
chips
?
Mostly good
chips
Shipped out
fail
Mostly bad
chips
Higher
g
quality
q
y test
 Fewer test escapes
More test
M
t t patterns
tt
 Higher test cost
Test Pattern Generation
Goal:
• Generate minimum number of patterns
• Detect maximum number of faults
NP-Complete
p
…
…
f

Correctt response
e
Circuit
Faulty response
Testt vector
 Fault: Logic level abstraction for physical defects
Logic tracing for:
•Activating the fault
•Propagating the fault effect
• Commercial software tools available
Design
g for Testability
y ((DFT))
Hardware design styles or added hardware for:
• Reducing test generation time
• Reducing test application time
• Improving test quality
Example:
PI
Logic
L
i
block A
Int.
Int
bus
Logic
L
i
block B
Test
input
PO
Test
output
Test generation on the entire design
individual blocks
IC Development Stages Involving Test
…
…
f
Design for
Testability
Test
Generation
Pre-fabrication

Correcct responsse
Ci it
Circuit
Faultyy response
e
Tesst vector
PIs
Chip Under
Test
POs
Tester
Test
vectors
Expected
responses
Test
Application
Post-fabrication
Costs of Testing
g
• Design for testability (DFT)
– Chip area overhead and yield reduction
– Performance overhead
• Software processes of test
– Test g
generation and fault simulation
– Test programming and debugging
• Test Application
– Automatic test equipment (ATE) capital cost
– Test center operational cost
Uses of DfT Hardware & Testing
• Detection: Is the device under test (DUT) is defective?
• Diagnosis: What/where is the physical defect that
caused the IC to fail?
– On devices that failed the test
– On devices returned by customers
• Failure
mode
analysis:
What kind of errors/practices in the
design and manufacturing process
caused defects?
Rules and guidelines to improve
design and manufacturing
Outline
• Manufacturing & test of integrated circuits
• Design-for-Testability (DfT)
• Cost vs benefits of DfT and test
• Test: Threat for security
• Design-for-Secure-Testability
• Hardware trojans
• Test: Tool for checking trustworthiness
• Design-for-Trust
Test: Security Threat
• Testability and security may be conflicting goals
o Testability requires access, which is restricted by security
Functional pins
• (IEEE) standard
t d d 1149.1:
1149 1
Standard Test Access Port and
Boundaryy Scan Architecture byy
Joint Test Access Group (JTAG)
o 5-pin serial interface
o Provide access for testing
 Internal chip logic
JTAG
Test access
pins
 External interconnects (PCB)
• Security threat!
Microsoft Xbox 360 - Hacked
• The Xbox is a gaming console that attempts to enforce a policy of only running
code that has been signed by Microsoft or parties authorized by Microsoft.
• The JTAG port on the Xbox was exploited to circumvent the security policy and
run arbitrary code on the platform.
platform
• Step-by-step instructions on http://www.tiaowiki.com/w/How_to_JTAG_XBOX_360
Satellite TV Receiver- Hacked
• Satellite TV signals are encrypted and satellite TV receivers decrypt the stream
using
i
an embedded
b dd d key.
k
Th receiver
The
i
i trusted
is
t t d to
t enforce
f
th policy
the
li
off only
l
showing content that the user subscribed for.
• JTAG has been exploited to enable widespread piracy of the video content,
reducing
d i
th revenue off the
the
th satellite
t llit TV company and
d content
t t providers.
id
• Step-by-step instructions on http://dishnewbies.com/jtag.shtml
Secure Test Interface
Functional pins
•
Failure to ensure secure test
interface  Revenue
•
loss
Blowing test access pins upon
manufacturing test
o Security ensured
JTAG
•
Test access o Debug, failure analysis
pins
i
capabilities
biliti llostt
To retain debug capabilities: Design-for-Secure-Testability
o Security features built into JTAG
 JTAG lock instruction, unlock with key Novak and Biasizzo, JETTA
`06
 Authenticity
A th ti it off devices,
d i
communication
i ti secrecy, etc.
t
Rosenfeld & Karri, IEEE D&T `10
o Financial Impact: Area
increase, yield loss, and test costs
Outline
• Manufacturing & test of integrated circuits
• Design-for-Testability (DfT)
• Cost vs benefits of DfT and test
• Test: Threat for security
• Design-for-Secure-Testability
• Hardware trojans
• Test: Tool for checking trustworthiness
• Design-for-Trust
System-On-a-Chip Development
Core
Core Vendor Core Vendor Core Vendor
SOC
P
P
ASIC
ASIC
P
P
Core 2
Core 1
Core 3
Core 4
SOC integrator
SOC
Si Fab
• D
Design
i complexity
l it and
d titime-to-market
t
k t
pressures
• Design
g and fabrication cost
SOCs today:
Broadcom’s wireless LAN
transceiver SOC
•Cable modem chips
•Satellite set-top box chips
•HDTV chips
Typical cores:
•Memory
Memory (DRAM,
(DRAM Flash)
•Processor (ARM, MIPS)
•Silicon-proven cores
Hardware Trojans
j
• Rogue hardware injected into
the design/chip
o Untrusted cores (design phase)
o Untrusted fab (fabrication phase)
• Triggered at mission mode by
o Special date and time
o Receipt
R
i t off a special
i l SMS/email
SMS/
il
• Attacks (p
(payload
y
= malicious action)):
o Kill switch: Breaking the system
(overt)
o Backdoor: Gaining access to the
system. E.g., sending confidential
data off-chip (covert)
The Hacker in Your Hardware, Villasenor, Sci. American 2010
Hardware Trojans
j
• Their detection is crucial
o Hardware is the root of trust;
software builds on hardware
o Near-impossible to erase trojans
from hardware (as opposed to
software virus)
• Their detection is more
challenging compared to
design bugs / manufacturing
defects
o They are intentional
o They
Th are hidden
hidd
The Hacker in Your Hardware, Villasenor, Sci. American 2010
Hardware Trojans
j
• Trojans injected during design:
o High-level design verification
techniques needed
o Different than those for design
bugs
o Identification of low activity
regions in the design
• Trojans injected during fabrication:
o In all or some chips
o Test techniques needed
o Different
than
those
for
manufacturing defects
o Design-for-Trust
The Hacker in Your Hardware, Villasenor, Sci. American 2010
The Hunt for the Kill Switch
• IEEE Spectrum, S. Adee, May `08
• Speculations on a “European
chip maker” embedding a kill
switch into its microprocessors
o Defense contractors using these
chips in military equipment
• DARPA’s “Trust in Integrated Circuits” program
o Initiated in January 2008, ongoing
o Involves contests:
• Trojan’ed chips sent to contractors
• Contractors asked to detect and locate Trojans
• Pakistan refusing help from U.S.
U S to secure its nuclear
arsenal with American technology
Test: Tool for Checking Trustworthiness
• Failure to screen out chips with trojans
 Consequences depend on application
and attack
• Multiple phases of test application
1
Wang et al, IEEE DFTS `08
2
Jin and Makris, IEEE WHOST `08
Agrawal et al, IEEE SSP `07
o Test for manufacturing defects
o Test for trojans (check current1, delay2, power3, etc.)
3
• Design-for-Trust techniques
o Improve
p
trojan
j detection and reduce time for trojan
j test
o An ID built into the design so as to expose alterations
E.g.: Ring oscillators, Rajendran et al, ongoing work
• Financial implications:
Area increase, yield loss, and test costs
Summary
• Design-for-Testability
D i f T t bilit is
i a de
d facto
f t solution
l ti to
t leash
l
h
manufacturing test costs via moderate investments
in area
• Failure to ensure a secure test interface or to
screen out chips with trojan can have costly or
catastrophic consequences
• Design-for-Secure-testability and Design-for-Trust
techniques may offer cost-effective solutions to
ensure security and re-gain trust in hardware
Serial Connection of JTAGs on PCB
•
Devices on a printed circuit board connected together through
their JTAG interface
o Device interconnects tested this way
• Possible attacks on a device
by another device:
o Sniffing secret data
o Returning false response
to tester
o Modifying chip’s state
Attacks and defenses for JTAG, Rosenfeld & Karri, IEEE D&T 2010
Uses of DfT Hardware & Testing
• Detection: Is the device under test (DUT) is defective?
• Diagnosis: What/where is the physical defect that
caused the IC to fail?
– On devices that failed the test
– On devices returned by customers
• Failure
mode
analysis:
What kind of errors/practices in the
design and manufacturing process
caused defects?
• In-field system
y
debug:
g
Does the system conform to its
specifications
Rules and guidelines to
improve design and
manufacturing