Security Analysis of Scan Obfuscation Techniques

Abstract

Scan is the de-facto standard for testing, which provides high observability and test coverage by enabling direct access to chip memory elements. The scan-based Design-for-Testability (DfT) technique has also become the prime target of attackers whose aim is to extract the secret information embedded inside a chip by misusing its scan infrastructure. Several countermeasures have been proposed to protect the chip against scan-based attacks. Recently, obfuscation-based defense mechanisms have gained significant popularity, which protect scan data by corrupting some of the scan cell’s content. In this paper, we perform a detailed security analysis of three best-known obfuscation techniques, namely, static, dynamic, and advanced dynamic obfuscation techniques, designed to protect the AES crypto-chip. We exploit their vulnerabilities and propose a generic scan-based signature attack, leading to the leakage of the secret cipher key that too, using only one observable scan cell. We also propose upgrades to the two dynamic scan obfuscation techniques to patch the discovered vulnerabilities with negligible changes to the original design. In order to show the generality of the attack, we also applied our attack to the similar cipher PRESENT and seven other scan obfuscation techniques. The result shows that in addition to the above three best-known obfuscation techniques, five out of the seven other scan obfuscation techniques were also successfully broken by our generic attack.