
Anti-tamper JTAG FPGA

Secure Hardware: What are the BIG challenges?

CJ Clark is the president and CEO of Intellitech Corp. He was the elected chairperson of the IEEE 1149.1 JTAG working group from 1996 to 2002. He has been active in other IEEE 1149.x working groups and has presented at International Test Conference, TECS (Testing Embedded Cores-Based Systems) Workshop, the Board Test Workshop, Ottawa Test Workshop and VLSI Test Symposium.

CJ serves on the University of New Hampshire College of Engineering and Physical Science (CEPS) Advisory Board. He also serves on the UNH Department of Electrical Engineering Advisory Board. He is co-inventor on three US patents related to scan-based test, two Canadian, one Taiwanese patent with others pending world-wide. His first job in test was in 1978 with Plantronics/Wilcom.

cclarkATintellitechdotcom

HOST 2009 1

JTAG Security

JTAG Hack – 169,000 results


Hacking Encouraged by Legit Biz


PCB Design Exposed

Andrew Huang – Hacking the Xbox



FPGAs and tools make it easier

Andrew Huang – Hacking the Xbox

Small PCB with FPGA is designed to match traces on XBOX. Once in place, it is used to snoop HyperTransport Bus


JTAG friend or foe?

Sophisticated company with no security experience?
Or intentionally making it easier?


DFT Standards – also give access


•IEEE 1149.1 – Test Access Port & Boundary Scan Standard

Layered on top of the 4 pin IC access of 1149.1:
•IEEE 1149.6 - Boundary Scan for AC coupled nets
•IEEE 1149.4 – Boundary Scan for Mixed Signal
•IEEE 1532 - FPGA configuration over 1149.1
•IEEE P1687 - Internal Instrument access w/ 1149.1
•IEEE ????? - A-Toggle Study Group
•IEEE ????? - SERDES BIST Study Group
•IEEE P1149.7 – 2 Wire low-cost 1149.1
•IEEE 1500 - SoC & Core test standard
•IEEE P1581 - Static Interconnect for memories

Is it practical to shut JTAG off? (such as IMX32)


Cloning – doesn’t need JTAG


Future?


Trojan Bitstreams
Non-authenticated bitstream loaded through JTAG into flash

Need protection: Military, Telecomm, Gaming, Voting, Consumer

FPGA accepts unencrypted design despite presence of AES key

[Diagram: JTAG, FLASH and FPGA; labels: Trojan design inserted with backdoor, backdoor comm., plain text, cipher text, key]


AES Security to the rescue?


Xilinx Virtex 4/5
- RAM based key – battery backed
- Use JTAG to program key
- 256 bit key
- Accepts bitstreams unencrypted
- Keys exposed to CM

Altera Stratix III
- RAM or ROM Battery
- II – ROM based
- Need network blaster to program key
- 256 bit key
- Accepts bitstreams unencrypted
- Keys exposed to CM

Good for protection of IP
No pre-programming IC
Assumes attacker is not loading a trojan bitstream
Not available in Spartans and Cyclones
Battery/Key programmed PER FPGA


Alternate Security
Common key security initiated by FPGA

- Program both FPGA key and pre-program Maxim device with 64 bit SHA1 key
- Some logistics for manufacturing required for OBP over 1-wire
  - keys exposed to CM
- Trojan in PROM
  - PROM/FLASH open to non-authenticated bitstream

[Diagram: Maxim DS28E01 1-wire device with SHA1 and key; FPGA with user design, design enable, SHA1 and key; PROM; JTAG]


Trojan/Hack proof FPGA Config


-Random data generated by FPGA
-SystemBIST Reads via JTAG
-Generates Hash
-Hash Written via JTAG
-Good matching Hash enables user logic
-2nd ‘OK’ Hash Read via JTAG
-SystemBIST clears FPGA on bad hash

[Diagram: Altera and Xilinx FPGAs, each containing Hash IP with JTAG access; common key]

Key not exposed to CM
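
The handshake listed on this slide, modelled in Python as an added example (not code from the slides or from Intellitech). The keyed hash is assumed to be HMAC-SHA-256, and the `config`/`ok` labels, the class and function names and the sample keys are hypothetical; the slide only says "Hash" and "common key".

```python
import hashlib
import hmac
import secrets


def keyed_hash(key: bytes, label: bytes, nonce: bytes) -> bytes:
    # HMAC-SHA-256 is an assumption; the slide only says "Hash".
    return hmac.new(key, label + nonce, hashlib.sha256).digest()


class FpgaModel:
    """Hypothetical model of the hash IP reachable over JTAG."""

    def __init__(self, key: bytes):
        self._key = key
        self.configured = True
        self.user_logic_enabled = False
        self._nonce = secrets.token_bytes(16)   # random data generated by FPGA

    def read_nonce(self) -> bytes:
        return self._nonce

    def write_hash(self, response: bytes) -> None:
        expected = keyed_hash(self._key, b"config", self._nonce)
        # Constant-time compare; a good matching hash enables user logic.
        self.user_logic_enabled = hmac.compare_digest(response, expected)

    def read_ok_hash(self) -> bytes:
        if not self.user_logic_enabled:
            return bytes(32)                    # no valid second hash available
        return keyed_hash(self._key, b"ok", self._nonce)

    def clear(self) -> None:
        self.configured = False
        self.user_logic_enabled = False


def controller_handshake(fpga: FpgaModel, key: bytes) -> bool:
    """Stand-in for the SystemBIST side; True if the FPGA stays configured."""
    nonce = fpga.read_nonce()                            # read via JTAG
    fpga.write_hash(keyed_hash(key, b"config", nonce))   # hash written via JTAG
    ok = fpga.read_ok_hash()                             # 2nd 'OK' hash read
    if not hmac.compare_digest(ok, keyed_hash(key, b"ok", nonce)):
        fpga.clear()                                     # clear FPGA on bad hash
        return False
    return True

COMMON_KEY = bytes(range(32))   # constructed sample key
TROJAN_KEY = b"\x00" * 32       # constructed: bitstream without the common key
```

Because the FPGA generates fresh random data for each configuration, a response recorded on the JTAG chain is not accepted in a later session.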

Biggest Challenge?

1) Convincing Hardware Designers that despite size/expertise of company and engineer, Security issues should be left to security experts!

2) PCB/System Level security
- Enabling JTAG w/o compromise
- Reducing snoop of system

Anti-Tamper Basics

-Ground planes on both sides of PCB

-Use blind vias under BGA packages to hide trace, prevent probing except with BGA removal

-Blacktop/Remark parts (0.50-$1.00 ea from Intellitech)

-Conformal coat

-Consider lockable JTAG gateway devices such as Intellitech Scan Ring Linker

-Anti-tamper FPGA Config via SystemBIST

-JTAG – shut off or run continuously, integrated with System mission?


Further Reading
Using the Design Security Feature in Stratix II and Stratix II GX Devices, Altera Corporation, July 2008.
http://www.altera.com/literature/an/an341.pdf

Trusted Design in FPGAs, Steve Trimberger, Xilinx, Design Automation Conference, 2007
http://videos.dac.com/44th/papers/1_2.pdf

Authentication of FPGA Bitstreams: Why and How, Saar Drimer, ARC 2007
http://www.springerlink.com/content/t71pqn4g7565w806/

A Code-less BIST Processor for Embedded Test and in-system configuration of Boards and Systems, CJ Clark, Intellitech Corp, Mike Ricchetti, ATI Research, ITC 2004,
http://www.intellitech.com/pdf/itc04sb.pdf

Design Security in Stratix III FPGAs, Altera Corporation
http://www.altera.com/products/devices/stratix-fpgas/stratix-iii/overview/architecture/st3-design-security.html

Secure Update Mechanism for Remote Update of FPGA-Based System, Benoît Badrignans, Reouven Elbaz and Lionel Torres. SEIS 2008,
http://ieeexplore.ieee.org/Xplore/login.jsp?url=/iel5/4569831/4577669/04577703.pdf?temp=x

Physical Unclonable Functions for Device Authentication and Secret Key Generation, G. Edward Suh, Srinivas Devadas
http://videos.dac.com/44th/papers/1_3.pdf

Xilinx® FPGA IFF Copy Protection with 1-Wire SHA-1 Secure Memories, Maxim,
http://www.maxim-ic.com/appnotes.cfm/an_pk/3826

An FPGA Design Security Solution Using a Secure Memory Device, Altera,
http://www.altera.com/literature/wp/wp-01033.pdf

Altera Configuration Handbook
http://www.altera.com/literature/lit-config.jsp

Xilinx Virtex-5 FPGA User Guide
http://www.xilinx.com/support/documentation/user_guides/ug190.pdf