Abstract

The IEEE 1687 standard is specifically designed for access and dynamic path management of embedded instruments. The standard uses ICL (Instrument Connectivity Language) to define the hardware architecture and PDL (Procedural Description Language) to describe the access procedures. These languages enable more flexible ways of accessing embedded instruments. IEEE 1687 also defines the SIB (Segment Insertion Bit), a single-bit TDR (Test Data Register). By opening or closing a SIB, an additional TDR can be inserted into, or removed from, the active scan network. The SIB can therefore be regarded as a path selection switch in the scan network.

Unfortunately, for unsecured SIB structures, the logic value of a SIB can be changed easily, granting access to additional TDRs in the scan network. An attacker can directly change the state of the SIB by shifting a malicious logic value into the scan chain, moving it into the SIB's shift cell, and then transferring it to the SIB's update cell, which opens the SIB. The Locking SIB (LSIB) was proposed to solve this problem. This structure pre-defines special key bits in the shift or update cells of the scan chain; the LSIB can only be opened if the key bits hold the correct values during the UpdateDR state of the JTAG state machine. To defeat the LSIB, an attacker can try to modify the logic value inside the LSIB directly with a hardware Trojan instead of discovering and supplying the correct key values. A2 is a malicious analog hardware Trojan with less overhead than some traditional digital Trojans: it replaces the digital counter of a time-bomb Trojan with an analog circuit, making the whole Trojan smaller and harder to detect.

In this thesis, potential locations at which an A2 Trojan could be inserted into the LSIB structure were studied. Then, a circuit intended to detect Trojan behavior was designed. The design is a signal consistency detection circuit based on XOR gates. It detects signal changes caused by malicious modification or malfunction by comparing the values at multiple key points of the original LSIB. Once a signal has been maliciously modified, the XOR gate at the output of the detection circuit produces a non-zero value, indicating a possible irregularity. Because the compared signals may differ temporarily due to mismatched timing delays, the XOR output is also sampled by a DFF to filter out glitches and avoid false positives. This thesis considers several implementations of the detection circuit for a single Trojan insertion and extends it, using the same idea, to detect multiple Trojan insertions.
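The LSIB behaviour and the XOR consistency check described above, as an added cycle-level Python model (not code from the thesis or its LSIB design): the key positions, chain length, the hold-on-wrong-key behaviour of the update cell, the Trojan forcing the update cell's value, and the glitch timing are all assumptions chosen for illustration. The model shows that an attacker shifting a 1 into the SIB position without the key leaves the LSIB closed, that a Trojan forcing the update cell raises the detector flag, and that a transient mismatch between clock edges is not captured by the sampling DFF.

```python
from dataclasses import dataclass


@dataclass
class LSIB:
    """Locking SIB model. On UpdateDR the update cell loads the shift cell only if
    the key bits in the chain hold their required values; otherwise it holds its
    previous value (an assumed behaviour for this example)."""
    key_positions: dict           # chain index -> required key bit value (assumed positions)
    shift_cell: int = 0
    update_cell: int = 0
    trojan_force: object = None   # value an A2-style Trojan forces onto the update cell, or None

    def key_ok(self, chain):
        return all(chain[i] == v for i, v in self.key_positions.items())

    def update_dr(self, chain, shift_index):
        """Apply UpdateDR after a shift. Returns the value the key-gated path should
        have produced, which the detector uses as its reference point."""
        self.shift_cell = chain[shift_index]
        reference = self.shift_cell if self.key_ok(chain) else self.update_cell
        self.update_cell = reference
        if self.trojan_force is not None:       # Trojan overrides the latched value
            self.update_cell = self.trojan_force
        return reference


@dataclass
class XorDetector:
    """XOR consistency check with a sampling DFF: the XOR of the reference and the
    observed update-cell output is captured only at the clock edge."""
    sampled: int = 0

    def raw(self, reference, observed):
        return reference ^ observed

    def clock_edge(self, raw_trace, edge_time):
        """raw_trace: (t_start, t_end, value) segments of the XOR output inside one
        clock period; later segments override earlier ones. The DFF captures the
        segment that covers edge_time, so a glitch that ends before the edge is lost."""
        value = 0
        for t0, t1, v in raw_trace:
            if t0 < edge_time <= t1:
                value = v
        self.sampled = value
        return value


def run_update(lsib, detector, chain, shift_index, period=1.0):
    """One UpdateDR followed by one detector sample; returns (update_cell, flag)."""
    reference = lsib.update_dr(chain, shift_index)
    raw = detector.raw(reference, lsib.update_cell)
    flag = detector.clock_edge([(0.0, period, raw)], period)   # steady XOR output
    return lsib.update_cell, flag


KEY = {0: 1, 1: 0, 3: 1}   # assumed: key bits at chain positions 0, 1 and 3
SIB_POS = 2                # assumed: position of the LSIB shift cell in the chain


def scenario_wrong_key():
    """Attacker shifts a 1 into the SIB position but supplies no key: stays closed, no alarm."""
    chain = [0, 0, 1, 0]   # constructed attacker pattern
    return run_update(LSIB(dict(KEY)), XorDetector(), chain, SIB_POS)


def scenario_correct_key():
    """Legitimate user supplies the key: LSIB opens and the detector stays quiet."""
    chain = [1, 0, 1, 1]   # constructed pattern with key bits set correctly
    return run_update(LSIB(dict(KEY)), XorDetector(), chain, SIB_POS)


def scenario_trojan():
    """Wrong key, but a Trojan forces the update cell to 1: opened, and the XOR flags it."""
    chain = [0, 0, 1, 0]
    return run_update(LSIB(dict(KEY), trojan_force=1), XorDetector(), chain, SIB_POS)


def scenario_glitch(edge_time=1.0):
    """A mismatch lasting from t=0.3 to t=0.5 (timing skew between compared points)
    is filtered out when the DFF samples at t=1.0."""
    trace = [(0.0, 1.0, 0), (0.3, 0.5, 1)]   # constructed XOR waveform for one period
    return XorDetector().clock_edge(trace, edge_time)


if __name__ == "__main__":
    print("wrong key   :", scenario_wrong_key())
    print("correct key :", scenario_correct_key())
    print("trojan      :", scenario_trojan())
    print("glitch      :", scenario_glitch())
```

The detector flags only the case where the update cell's value disagrees with what the key-gated path produced, so a legitimate open with the correct key does not trigger it; the same XOR-and-sample structure can be replicated at several key points and OR-ed together for the multiple-insertion case.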

Degree Date

Fall 2024

Document Type

Thesis

Degree Name

M.S.

Department

Electrical and Computer Engineering

Advisor

Jennifer Dworak

Acknowledgements

I would like to thank my advisor, Professor Jennifer Dworak, who gave me a chance to complete my research and guided my thesis. I would also like to thank Dr. Manikas and Dr. Nepal and everyone in the DFT group. I would also like to thank Dr. Dinesh Rajan, especially those who gave me advice and helped me during my research. Finally, I would like to thank the Department of Electrical and Computer Engineering and the Department of Computer Science at Southern Methodist University.

Format

.pdf

Creative Commons License

This work is licensed under a Creative Commons Attribution-Noncommercial 4.0 License
