Professional Documents
Culture Documents
HOST 2009 1
JTAG Security
Anti-tamper JTAG FPGA
HOST 2009 2
JTAG Security
Anti-tamper JTAG FPGA
HOST 2009 3
JTAG Security
Anti-tamper JTAG FPGA
JTAG Security
Anti-tamper JTAG FPGA
Andrew Huang –
Hacking the Xbox
HOST 2009 5
JTAG Security
Anti-tamper JTAG FPGA
Sophisticated
Company
With
No security
Experience?
Or
Intentionally
making
It easier?
HOST 2009 6
JTAG Security
Anti-tamper JTAG FPGA
Layered
y on top
p of the 4 pin
p IC access of 1149.1:
•IEEE 1149.6 - Boundary Scan for AC coupled nets
•IEEE 1149.4 – Boundary Scan for Mixed Signal
•IEEE 1532 - FPGA configuration over 1149
1149.1
1
•IEEE P1687 - Internal Instrument access w/ 1149.1
•IEEE ????? - A-Toggle Study Group
•IEEE ????? - SERDES BIST Study
St d G Group
IEEE P1149.7 – 2 Wire low-
low-cost 1149.1
IEEE 1500 - SoC & Core test standard
IEEE P1581 - Static Interconnect for memories
HOST 2009 7
JTAG Security
Anti-tamper JTAG FPGA
HOST 2009 8
JTAG Security
Anti-tamper JTAG FPGA
Future?
HOST 2009 9
JTAG Security
Anti-tamper JTAG FPGA
Trojan Bitstreams
Non-authenticated
Non- Need protection:
bitstream loaded Military
through JTAG into flash
Telecomm
Gaming
FLASH
Voting
J Consumer
T
A Backdoor
G Trojan Plain Text
Comm Design
Comm.
Plain Inserted with Cipher
Text backdoor Text
FPGA accepts Key
Unencrypted
Design despite FPGA
P
Presence off AES k
key
HOST 2009 10
JTAG Security
Anti-tamper JTAG FPGA
JTAG Security
Anti-tamper JTAG FPGA
Alternate Security
Common key Security initiated by FPGA
FPGA JTAG
Trojan in PROM
- PROM/FLASH open to
JTAG
non-
non-authenticated
bitstream
HOST 2009 12
JTAG Security
Anti-tamper JTAG FPGA
Altera Xilinx
Hash IP Hash IP
With With
JTAG JTAG
JTAG
Access Access
Common
key Key not exposed to CM
HOST 2009 13
JTAG Security
Anti-tamper JTAG FPGA
Biggest Challenge?
HOST 2009 14
JTAG Security
Anti-tamper JTAG FPGA
Anti--Tamper Basics
Anti
-Ground planes on
Both sides of PCB
-Blacktop/Remark
p parts ((0.50-
p (0.50-$1.00 ea from Intellitech))
-Conformal coat
-A
Anti
Anti-
ti-tamper
t FPGA C
Config
fi via
i SystemBIST
S t BIST
HOST 2009 15
JTAG Security
Anti-tamper JTAG FPGA
Further Reading
Using the Design Security Feature in Stratix II and Stratix II GX
Devices, Altera Corporation, July 2008.
http://www.altera.com/literature/an/an341.pdf
Trusted Design in FPGAs, Steve Trimberger, Xilinx, Design
Automation Conference, 2007
http://videos.dac.com/44th/papers/1_2.pdf
Authentication of FPGA Bitstreams:
Why and How, Saar Drimer, ARC 2007
http://www.springerlink.com/content/t71pqn4g7565w806/
A Code-
Code-less BIST Processor for Embedded Test and inin--system
configuration of Boards and Systems, CJ Clark, Intellitech Corp,
Mike Ricchetti, ATI Research, ITC 2004,
http://www.intellitech.com/pdf/itc04sb.pdf
Design Security in Stratix III FPGAs, Altera Corporation
http://www.altera.com/products/devices/stratix-fpgas/stratix
http://www.altera.com/products/devices/stratix- fpgas/stratix--
iii/overview/architecture/st3--design
iii/overview/architecture/st3 design--security.html
Secure Update Mechanism for Remote Update of
FPGA--Based System, Benoît Badrignans1,2, Reouven Elbaz3 and
FPGA
Lionel Torres. SEIS 2008,
http://ieeexplore.ieee.org/Xplore/login.jsp?url=/iel5/4569831/4577
669/04577703.pdf?temp=x
HOST 2009 16
JTAG Security
Anti-tamper JTAG FPGA
Further Reading
Physical
Ph i l Unclonable
U l bl Functions
F ti ffor D
Device
i
Authentication and Secret Key Generation
G. Edward Suh, Srinivas Devadas
http://videos.dac.com/44th/papers/1_3.pdf
http://videos dac com/44th/papers/1 3 pdf
Altera
Alt C
Configuration
fi ti H
Handbook
db k
http://www.altera.com/literature/lit--config.jsp
http://www.altera.com/literature/lit
Xilinx Virtex-
Virtex-5 FPGA User Guide
http://www xilinx com/support/documentation/user gui
http://www.xilinx.com/support/documentation/user_gui
des/ug190.pdf
HOST 2009 17
JTAG Security