Slides
Transcription
Slides
Financial Implications of Security in VLSI Test Ozgur Sinanoglu Computer Engineering Department y – Abu Dhabi New York University Outline • Manufacturing & test of integrated circuits • Design-for-Testability (DfT) • Cost vs benefits of DfT and test • Test: Threat for security • Design-for-Secure-Testability • Hardware trojans • Test: Tool for checking trustworthiness • Design-for-Trust Reliability of Integrated Circuits (ICs) Main-stream Main stream applications Mission-critical applications • Deliveryy of defect-free p products is crucial • Every single manufactured chip must be tested IC Manufacturing g Process Blank wafer with defects 30-60 cm 30-60 cm Silicon crystal ingot g Slicer 15-30 15-30 cm cm x x x x x x x x x x x Patterned wafer Processing: 20-30 steps (100s of simple or scores of complex processors) 0 2 cm 0.2 Dicer Die ~1 cm Die tester Good die ~1 cm Microchip or other part Mounting Part tester Usable U bl part to ship It uses light to transfer a geometric pattern from a photo mask to a light-sensitive chemical photo resist on the substrate. A series of chemical h i l treatments t t t then th engraves the th exposure pattern tt i t the into th material underneath the photo resist. In a modern CMOS, a wafer will go through the photolithographic cycle up to 50 times IC Manufacturing g Process Blank wafer with defects 30-60 cm 30-60 cm Silicon crystal ingot g Slicer 15-30 15-30 cm cm x x x x x x x x x x x Patterned wafer Processing: 20-30 steps (100s of simple or scores of complex processors) 0 2 cm 0.2 Dicer Die ~1 cm Die tester Good die ~1 cm Microchip or other part Mounting Part tester Usable U bl part to ship Defective ICs Manufacturing defects: – – – – – Metal bridges Silicon substrate defects Photolithographic defects Process variations Oxide defects Impact p at electrical level: – Transistor stuck-on, stuck-open – Resistive shorts, opens – Excessive steady-state currents Types of failures: • Catastrophic failures: ICs that don’t don t work • Performance failures: ICs that can operate only at a slower speed Manufacturing Test Process Automatic Tester Equipment (ATE) Every manufactured chip goes through testing: • Test patterns applied one at a time • Observed response compared to expected response Mismatch Defect Test cost is a recurring cost • ~30% of overall cost is due to test today • Getting g worse Manufacturing vs Test Cost C t ((cents) Cost t ) per chip hi 100000 10000 Design + Manufacturing 1000 100 Test 10 1 1980 1985 1990 1995 2000 2005 2010 2015 Source: International Technology Roadmap for Semiconductors (ITRS) 2001 (High-performance microprocessor product segment) Testing g as Filter Process Good chips pass Fabricated Defective chips ? Mostly good chips Shipped out fail Mostly bad chips Higher g quality q y test Fewer test escapes More test M t t patterns tt Higher test cost Test Pattern Generation Goal: • Generate minimum number of patterns • Detect maximum number of faults NP-Complete p … … f Correctt response e Circuit Faulty response Testt vector Fault: Logic level abstraction for physical defects Logic tracing for: •Activating the fault •Propagating the fault effect • Commercial software tools available Design g for Testability y ((DFT)) Hardware design styles or added hardware for: • Reducing test generation time • Reducing test application time • Improving test quality Example: PI Logic L i block A Int. Int bus Logic L i block B Test input PO Test output Test generation on the entire design individual blocks IC Development Stages Involving Test … … f Design for Testability Test Generation Pre-fabrication Correcct responsse Ci it Circuit Faultyy response e Tesst vector PIs Chip Under Test POs Tester Test vectors Expected responses Test Application Post-fabrication Costs of Testing g • Design for testability (DFT) – Chip area overhead and yield reduction – Performance overhead • Software processes of test – Test g generation and fault simulation – Test programming and debugging • Test Application – Automatic test equipment (ATE) capital cost – Test center operational cost Uses of DfT Hardware & Testing • Detection: Is the device under test (DUT) is defective? • Diagnosis: What/where is the physical defect that caused the IC to fail? – On devices that failed the test – On devices returned by customers • Failure mode analysis: What kind of errors/practices in the design and manufacturing process caused defects? Rules and guidelines to improve design and manufacturing Outline • Manufacturing & test of integrated circuits • Design-for-Testability (DfT) • Cost vs benefits of DfT and test • Test: Threat for security • Design-for-Secure-Testability • Hardware trojans • Test: Tool for checking trustworthiness • Design-for-Trust Test: Security Threat • Testability and security may be conflicting goals o Testability requires access, which is restricted by security Functional pins • (IEEE) standard t d d 1149.1: 1149 1 Standard Test Access Port and Boundaryy Scan Architecture byy Joint Test Access Group (JTAG) o 5-pin serial interface o Provide access for testing Internal chip logic JTAG Test access pins External interconnects (PCB) • Security threat! Microsoft Xbox 360 - Hacked • The Xbox is a gaming console that attempts to enforce a policy of only running code that has been signed by Microsoft or parties authorized by Microsoft. • The JTAG port on the Xbox was exploited to circumvent the security policy and run arbitrary code on the platform. platform • Step-by-step instructions on http://www.tiaowiki.com/w/How_to_JTAG_XBOX_360 Satellite TV Receiver- Hacked • Satellite TV signals are encrypted and satellite TV receivers decrypt the stream using i an embedded b dd d key. k Th receiver The i i trusted is t t d to t enforce f th policy the li off only l showing content that the user subscribed for. • JTAG has been exploited to enable widespread piracy of the video content, reducing d i th revenue off the the th satellite t llit TV company and d content t t providers. id • Step-by-step instructions on http://dishnewbies.com/jtag.shtml Secure Test Interface Functional pins • Failure to ensure secure test interface Revenue • loss Blowing test access pins upon manufacturing test o Security ensured JTAG • Test access o Debug, failure analysis pins i capabilities biliti llostt To retain debug capabilities: Design-for-Secure-Testability o Security features built into JTAG JTAG lock instruction, unlock with key Novak and Biasizzo, JETTA `06 Authenticity A th ti it off devices, d i communication i ti secrecy, etc. t Rosenfeld & Karri, IEEE D&T `10 o Financial Impact: Area increase, yield loss, and test costs Outline • Manufacturing & test of integrated circuits • Design-for-Testability (DfT) • Cost vs benefits of DfT and test • Test: Threat for security • Design-for-Secure-Testability • Hardware trojans • Test: Tool for checking trustworthiness • Design-for-Trust System-On-a-Chip Development Core Core Vendor Core Vendor Core Vendor SOC P P ASIC ASIC P P Core 2 Core 1 Core 3 Core 4 SOC integrator SOC Si Fab • D Design i complexity l it and d titime-to-market t k t pressures • Design g and fabrication cost SOCs today: Broadcom’s wireless LAN transceiver SOC •Cable modem chips •Satellite set-top box chips •HDTV chips Typical cores: •Memory Memory (DRAM, (DRAM Flash) •Processor (ARM, MIPS) •Silicon-proven cores Hardware Trojans j • Rogue hardware injected into the design/chip o Untrusted cores (design phase) o Untrusted fab (fabrication phase) • Triggered at mission mode by o Special date and time o Receipt R i t off a special i l SMS/email SMS/ il • Attacks (p (payload y = malicious action)): o Kill switch: Breaking the system (overt) o Backdoor: Gaining access to the system. E.g., sending confidential data off-chip (covert) The Hacker in Your Hardware, Villasenor, Sci. American 2010 Hardware Trojans j • Their detection is crucial o Hardware is the root of trust; software builds on hardware o Near-impossible to erase trojans from hardware (as opposed to software virus) • Their detection is more challenging compared to design bugs / manufacturing defects o They are intentional o They Th are hidden hidd The Hacker in Your Hardware, Villasenor, Sci. American 2010 Hardware Trojans j • Trojans injected during design: o High-level design verification techniques needed o Different than those for design bugs o Identification of low activity regions in the design • Trojans injected during fabrication: o In all or some chips o Test techniques needed o Different than those for manufacturing defects o Design-for-Trust The Hacker in Your Hardware, Villasenor, Sci. American 2010 The Hunt for the Kill Switch • IEEE Spectrum, S. Adee, May `08 • Speculations on a “European chip maker” embedding a kill switch into its microprocessors o Defense contractors using these chips in military equipment • DARPA’s “Trust in Integrated Circuits” program o Initiated in January 2008, ongoing o Involves contests: • Trojan’ed chips sent to contractors • Contractors asked to detect and locate Trojans • Pakistan refusing help from U.S. U S to secure its nuclear arsenal with American technology Test: Tool for Checking Trustworthiness • Failure to screen out chips with trojans Consequences depend on application and attack • Multiple phases of test application 1 Wang et al, IEEE DFTS `08 2 Jin and Makris, IEEE WHOST `08 Agrawal et al, IEEE SSP `07 o Test for manufacturing defects o Test for trojans (check current1, delay2, power3, etc.) 3 • Design-for-Trust techniques o Improve p trojan j detection and reduce time for trojan j test o An ID built into the design so as to expose alterations E.g.: Ring oscillators, Rajendran et al, ongoing work • Financial implications: Area increase, yield loss, and test costs Summary • Design-for-Testability D i f T t bilit is i a de d facto f t solution l ti to t leash l h manufacturing test costs via moderate investments in area • Failure to ensure a secure test interface or to screen out chips with trojan can have costly or catastrophic consequences • Design-for-Secure-testability and Design-for-Trust techniques may offer cost-effective solutions to ensure security and re-gain trust in hardware Serial Connection of JTAGs on PCB • Devices on a printed circuit board connected together through their JTAG interface o Device interconnects tested this way • Possible attacks on a device by another device: o Sniffing secret data o Returning false response to tester o Modifying chip’s state Attacks and defenses for JTAG, Rosenfeld & Karri, IEEE D&T 2010 Uses of DfT Hardware & Testing • Detection: Is the device under test (DUT) is defective? • Diagnosis: What/where is the physical defect that caused the IC to fail? – On devices that failed the test – On devices returned by customers • Failure mode analysis: What kind of errors/practices in the design and manufacturing process caused defects? • In-field system y debug: g Does the system conform to its specifications Rules and guidelines to improve design and manufacturing