Novel Approaches for Microelectronics Security and Test

Abstract

Due to the globalization in semiconductor industry, the cost of maintaining a foundry is enormous. Hence, most integrated circuit (IC) design houses have become fabless. Typically, a design house acquires multiple third party intellectual property (IP) cores for a system on a chip (SoC) and sends a contract to a foundry/fab for manufacturing and test. The global supply chain of semiconductor design, manufacture, and test opens up a Pandora’s box of harmful threats. These can be overproduction or counterfeiting of ICs, piracy of intellectual property (IP), or insertion of hardware Trojans. To prevent these threats, researchers have proposed solutions that include hardware metering, logic locking, IP watermarking, and split manufacturing to address threats.

Logic locking is a widely studied design-for-security (DFS) measure. It protects the IP by inserting logic gates in the design to allow it to become completely functional only when a secret key is programmed in. The inserted logic commonly consists of XOR/XNOR gates, multiplexers (MUXs) or look-up tables (LUTs). The existing logic locking can be disabled using the existing state-of-art methods that include Boolean satisfiability (SAT) based attacks, probing, and tampering attacks. One can obtain the secret key from a functional chip and then unlock any number of locked ones as the secret key is same for every chip.

In this dissertation, we are the first to propose a new secure logic locking method by implementing a design-for-security (DFS) architecture. We modify the scan cell such that it can be set to hold its previous state. To accomplish this the output of the flip-flop (FF) is fed back to its input through a multiplexer (MUX). The proposed infrastructure can prevent the adversary from obtaining the key by accessing the scan chains. Our modification does not affect the testability of the chip during the normal manufacturing flow, which may include the test before activation, post-silicon validation, and debug. Moreover, the proposed secure cell can disable scan dump after functional activation. The proposed design is resistant to various known attacks at a cost lower than 1% area overhead.

Besides the design-for-security (DFS) architecture, we also propose a novel attack that can break any logic locking techniques that rely on stored secret key. This proposed Tampering Attack on Any Key-based Logic Locked Circuit TAAL inserts a malicious hardware Trojan in the netlist, which, when activated, leaks the secret key to an adversary. The attack approach is to tamper with the locked netlist in order to extract the secret key information. The untrusted foundry can extract the netlist of a design from the layout/mask information, which makes it feasible to implement such a hardware Trojan with the adversary’s knowledge. Three types of TAAL attacks are proposed for extracting the secret key through hardware Trojans placed at various locations in the netlist. Models for both combinational and sequential hardware Trojans are introduced such that they would evade manufacturing tests. An adversary only needs to choose one hardware Trojan out of a large set of possible Trojans to launch the proposed attack.

Given the above-mentioned Trojan attacks, a method to detect this tampering is necessary. In this dissertation, we devise tests that would detect a Trojan in a manufactured chip. Based on the two parts of a Trojan, namely, a trigger derived as a Boolean function of any set of signals and a payload (typically, an XOR gate) inserted on a signal line, we develop a test generation model. A single-line trigger combined with a single payload line gives a set of 2K × (K–1) Trojans in this model for a circuit with K signal lines. Tests for these are shown to be the vectors that detect “conditional stuck-at” faults, for which we give a test generation algorithm using standard Automatic Test Pattern Generation (ATPG) tools. This procedure allows us to define and measure a Trojan coverage metric for tests. Results show scalability of these tests, besides being more effective in detecting real Trojans than N-detect stuck-at test vectors or random vectors.

Considering the previous hardware Trojan detection methods, we realize that the fault modeling can both benefit manufacturing tests and hardware Trojan detection. We develop a fault modeling methodology to generate test patterns to detect defects in Skyrmion circuit, which is an emerging technology. We examine breaks, extra material, etching blemishes, bridges in nanotrack interconnects, etc., forming a set of 19 technology-specific defects in the skyrmion gate structures. We believe we are the first to characterize such defects using magnetic simulation. Simulator MuMax3 is used to exhaustively simulate all gates, and each defect is mapped onto an analyzable fault model using the principle of fault equivalence. Experiments on benchmark circuits demonstrate that tests for all nanotrack breaks can be found using the available ATPG and simulation tools. Some defects are classified as technology-specific defects. For example, a bridge between two nanotracks results in simultaneous AND and OR functions on respective nanotracks. This dissertation presents the test generation results for the Skyrmion versions of benchmark circuits for defects that can be expressed as a single stuck-at fault.

This dissertation provides a comprehensive overview of attackers and their attack choices. The proposed DFS structure can provide sufficient security to resist SAT-based attacks, and the proposed hardware Trojan detection method can effectively detect potential risks in the circuit. For emerging technologies, a technology-specific defect to logic-fault modeling approach of testing is proposed. The proposed future work provides definitive paths into new directions for the research community.