CN109581206B - Integrated circuit fault injection attack simulation method based on partial scanning - Google Patents

Integrated circuit fault injection attack simulation method based on partial scanning Download PDF

Info

Publication number
CN109581206B
CN109581206B CN201811557258.6A CN201811557258A CN109581206B CN 109581206 B CN109581206 B CN 109581206B CN 201811557258 A CN201811557258 A CN 201811557258A CN 109581206 B CN109581206 B CN 109581206B
Authority
CN
China
Prior art keywords
circuit
vector
fault
fault injection
simulation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811557258.6A
Other languages
Chinese (zh)
Other versions
CN109581206A (en
Inventor
李博超
刘强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianjin University
Original Assignee
Tianjin University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tianjin University filed Critical Tianjin University
Priority to CN201811557258.6A priority Critical patent/CN109581206B/en
Publication of CN109581206A publication Critical patent/CN109581206A/en
Application granted granted Critical
Publication of CN109581206B publication Critical patent/CN109581206B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G01MEASURING; TESTING
    • G01RMEASURING ELECTRIC VARIABLES; MEASURING MAGNETIC VARIABLES
    • G01R31/00Arrangements for testing electric properties; Arrangements for locating electric faults; Arrangements for electrical testing characterised by what is being tested not provided for elsewhere
    • G01R31/28Testing of electronic circuits, e.g. by signal tracer
    • G01R31/317Testing of digital circuits
    • G01R31/3181Functional testing
    • G01R31/3185Reconfiguring for testing, e.g. LSSD, partitioning
    • G01R31/318533Reconfiguring for testing, e.g. LSSD, partitioning using scanning techniques, e.g. LSSD, Boundary Scan, JTAG
    • G01R31/318536Scan chain arrangements, e.g. connections, test bus, analog signals
    • GPHYSICS
    • G01MEASURING; TESTING
    • G01RMEASURING ELECTRIC VARIABLES; MEASURING MAGNETIC VARIABLES
    • G01R31/00Arrangements for testing electric properties; Arrangements for locating electric faults; Arrangements for electrical testing characterised by what is being tested not provided for elsewhere
    • G01R31/28Testing of electronic circuits, e.g. by signal tracer
    • G01R31/317Testing of digital circuits
    • G01R31/3181Functional testing
    • G01R31/3185Reconfiguring for testing, e.g. LSSD, partitioning
    • G01R31/318533Reconfiguring for testing, e.g. LSSD, partitioning using scanning techniques, e.g. LSSD, Boundary Scan, JTAG
    • G01R31/318544Scanning methods, algorithms and patterns
    • GPHYSICS
    • G01MEASURING; TESTING
    • G01RMEASURING ELECTRIC VARIABLES; MEASURING MAGNETIC VARIABLES
    • G01R31/00Arrangements for testing electric properties; Arrangements for locating electric faults; Arrangements for electrical testing characterised by what is being tested not provided for elsewhere
    • G01R31/28Testing of electronic circuits, e.g. by signal tracer
    • G01R31/317Testing of digital circuits
    • G01R31/3181Functional testing
    • G01R31/3185Reconfiguring for testing, e.g. LSSD, partitioning
    • G01R31/318533Reconfiguring for testing, e.g. LSSD, partitioning using scanning techniques, e.g. LSSD, Boundary Scan, JTAG
    • G01R31/318583Design for test
    • G01R31/318586Design for test with partial scan or non-scannable parts
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B17/00Systems involving the use of models or simulators of said systems
    • G05B17/02Systems involving the use of models or simulators of said systems electric

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Tests Of Electronic Circuits (AREA)
  • Design And Manufacture Of Integrated Circuits (AREA)

Abstract

The invention discloses a fault injection attack simulation method of an integrated circuit based on partial scanning, which is used for realizing the fault injection attack simulation of a partial scanning circuit using an FPGA. The method mainly comprises the following steps: preprocessing, setting, generating and injecting simulation. The invention realizes the low-overhead fault injection attack simulation based on the partial scanning method; fault injection logic such as a circuit control module is added to simulate fault injection attack by inserting a part of scan chains into the netlist; and transmitting the control signal to the FPGA from the PC through the PCIe port, and realizing fault injection after the control signal is processed by the control module. The method has the advantages of high simulation speed and low logic overhead.

Description

Integrated circuit fault injection attack simulation method based on partial scanning
Technical Field
The invention relates to the field of integrated circuit safety, in particular to an integrated circuit fault injection attack simulation method based on partial scanning.
Background
The fault injection attack has become an effective method for attacking the chip[1]. The existing evaluation method for the fault injection attack resistance of the integrated circuit mainly comprises chip test[2-3]Hardware simulation[4-5]And software emulation[6-7]. The chip test carries out actual fault injection attack on the finished chip, the test efficiency is low, the cost is high, and after a problem is found, the design modification period and the cost are extremely high. In the design stage, it is necessary to evaluate the capability of the integrated circuit to resist fault injection attacks. The software simulation operation speed is slow, the fault model space is large, the fault data volume is large, and the simulation time is too long. The hardware simulation utilizes an FPGA development platform to realize the simulation of fault injection attack in the design stage, and has high simulation speed and accurate fault injection.
The integrated circuit fault injection attack simulation method based on full scanning can bring great logic overhead[4]. The invention uses the circuit to be tested of the partial scanning method to reduce the resource expenditure of the circuit, and is used for reducing the development cost or carrying out fault injection attack on a larger circuit.
Reference documents:
[1]GHALATY N F,YUCE B,TAHA M,et al.Differential Fault Intensity Analysis[C]//The Workshop on Fault Diagnosis&Tolerance in Cryptography.IEEE Computer Society,2014:49-58.
[2]HAYASHI Y,HOMMA N,MIZUKI T,et al.Transient IEMI threats for cryptographic devices[J].IEEE Transactions on Electromagnetic Compatibility,2013,55(1):140.
[3]Sondon S,Mandolesi P,Julián P,et al.Heavy-ion micro-beam use for transient fault injection in VLSI circuits[C]//IEEE,International Conference on Plasma Sciences.IEEE,2014:1.
[4] xusong, Liu Qiang, simulation method of fault injection attack of integrated circuit [ J ]. computer aided design and graphics declaration, 2017,29(8):1563.
[5]EBRAHIMI M,MOHAMMADI A,EJLALI A,et al.A fast,flexible,and easy-to-develop FPGA-based fault injection technique[J].Microelectronics Reliability,2014,54(5):1000.
[6]HE Renya,TANG Longli,WANG Shihai,et al.Software dynamic fault model and injection method[C]//International Conference on Reliability,Maintainability and Safety.2016:1.
[7]LUO Yin,YAO Rihuang,BIN Jianwei,et al.Research on a Software Fault Injection Model Based on Program Mutation[C]//International Conference on Information Science and Control Engineering.IEEE,2015:419.
Disclosure of Invention
The invention aims to overcome the defects in the prior art and provide a fault injection attack simulation method for an integrated circuit based on partial scanning. By selecting part of D triggers from the netlist after circuit synthesis and inserting the D triggers into the scan chain, the simulation of the fault injection attack of the integrated circuit is realized, the resource expenditure is reduced, and the automation of the simulation of the hardware fault injection attack is realized.
The purpose of the invention is realized by the following technical scheme: the integrated circuit fault injection attack simulation method based on partial scanning specifically comprises the following steps:
step 1): synthesizing a circuit to be tested to generate a circuit netlist;
step 2): inserting a scan chain into a circuit network table;
step 3): configuring a hardware framework formed by the netlist and the control module to an FPGA after comprehensive layout and wiring;
and 4) according to the netlist information, comprising: scanning the length of a chain, grouping the D triggers and generating a circuit control vector according to the basic input length of the circuit;
and 5) performing function simulation on the circuit to be tested due to limited observability of partial scanning, and acquiring the value of the normal operating state of the trigger D of the circuit.
Step 6), specifying the fault type, and modifying the normal state value of the D trigger in the circuit;
step 7) utilizing an SAT tool to generate fault vectors for the state values in the modified circuit;
step 8), using PCIe port to transmit the generated vector data to FPGA through host PC end;
step 9), completely controlling all D triggers in the circuit through the circuit control vector and the fault vector;
step 10) collecting fault data for subsequent evaluation.
In the step 2), the state control of the low-cost circuit based on partial scan chains is realized by using a balance structure and a method for adding the enabling ends in groups of the triggers, namely, the complete controllability of the D triggers in the circuit after the scan chains are inserted is realized.
The PCIe tool wupper is utilized to realize the data transmission in the step 8).
The process of processing the vector by the control module in the step 9) is as follows:
(1) starting a simulation vector, and storing the length of the scanning amount and the grouping number information of the D triggers;
(2) injecting scan chain vectors into the scan chains;
(3) the circuit basic input is set as a circuit basic input vector;
(4) and the fault period vector controls the operation period of the circuit to be tested after fault injection.
Compared with the prior art, the invention has the advantages that:
the invention is based on partial scanning, and the new netlist is generated by selecting partial registers from the original netlist as scanning registers and performing scan chain insertion, fault injection control module and top data transmission module on the original netlist. The full control of the D trigger in the circuit is realized by controlling part of the scanning register and the basic input of the circuit. The resource consumption is reduced, and the automatic simulation of the fault injection attack of the integrated circuit with low resource consumption and high efficiency is realized; the whole simulation process is transparent to users, and the users only need to provide the design source codes and the input vectors of the circuit to be tested, so that the device of the invention provides the fault injection attack simulation output of the circuit to be tested.
Drawings
FIG. 1 is a block flow diagram of the present invention.
Fig. 2 is an overall architecture of fault injection hardware simulation based on partial scan.
Fig. 3 is a test vector generated for the S1238 circuit in the ISCAS reference circuit.
Detailed Description
The invention is further illustrated by the following specific examples and the accompanying drawings. The examples are intended to better enable those skilled in the art to better understand the present invention and are not intended to limit the present invention in any way.
The technical scheme of the invention is an integrated circuit fault injection attack simulation method based on partial scanning, as shown in figure 1, the specific steps are as follows:
step 1, synthesizing a circuit to be tested to generate a circuit netlist;
step 2, inserting a scan chain into the circuit network table;
step 3, configuring a hardware framework formed by the netlist and the control module to an FPGA after comprehensive layout and wiring;
and 4, according to the netlist information, comprising the following steps: scanning the length of a chain, grouping the D triggers and generating a circuit control vector according to the basic input length of the circuit;
and 5, performing function simulation on the circuit to be tested to obtain the value of the normal running state of the trigger D of the circuit.
Step 6, specifying a fault type, and modifying a normal state value of a D trigger in the circuit;
step 7, generating a fault vector for the state value in the modified circuit by using an SAT tool;
step 8, transmitting the generated vector data to the FPGA through the host PC terminal by using the PCIe port, as shown in fig. 2, transmitting the vector data to the FPGA through the PCIe port, and temporarily storing the vector data in the data receiving module;
and 9, extracting vector data by the control module and controlling the fault injection attack simulation process. At S1238 in the ISCAS reference circuit, the scan chain length is 7, and the number of D flip-flop groups is 3. Vector data vector 1 is the fault injection simulation initiation vector, as shown in figure 3, and provides the scan chain length and the number of D flip-flop groups. vector [2] is the scan chain vector of the first D flip-flop group, and vector [3] is the circuit base input vector of the first D flip-flop group. vector [3] -vector [6] is the vector of the last two D flip-flop groups. vector [7] represents the operation cycle after the circuit injects the trouble;
step 10, collecting fault data for subsequent evaluation.
The method mainly comprises the following steps: firstly, preprocessing a circuit to be tested: synthesizing the design source codes of the circuit to be tested into a netlist, processing the circuit into a balanced structure, and selecting part of D triggers to become scanning triggers. And grouping the rest D triggers in the circuit, and adding an enabling terminal to each group. The control of the D flip-flop in the circuit is realized by using the basic input of the circuit and the scan chain.
Secondly, setting a fault model: and performing function simulation on the circuit to be tested, acquiring original simulation data of the circuit, designating a fault injection period and a fault injection position, and setting a designated value of a D trigger.
Then, a test vector is generated: according to the assigned value of the set D trigger, the SAT tool is used to solve the corresponding control vector, including the scan chain vector and the circuit basic input vector. Generating a simulated process control vector comprising: starting a simulation vector (containing the length of a scanning chain and the information of the number of D trigger groups) and a fault period vector (a running period after fault injection).
Finally, fault injection simulation: and comprehensively laying and wiring the circuit to be tested, the control circuit and the top layer interface circuit which are inserted into the scan chain into a bit stream file, and downloading the bit stream file into the FPGA through a JTAG line. And configuring the FPGA on a mainboard of the PC through a PCIe interface. And all the simulation vectors are transmitted to the control module through the PCIe port, and the operation of the simulation process is controlled. Wherein, the PCIe tool wupper is utilized to realize the data transmission. The sequence of the simulation vectors received by the control module is as follows: 1) and starting a simulation vector, and storing the length of the scanning amount and the grouping number information of the D triggers. 2) The scan chains sweep into scan chain vectors. 3) The circuit basis inputs are set as circuit basis input vectors. 4) And the fault period vector controls the operation period of the circuit to be tested after fault injection. And after the operation of the specified period, obtaining the result of the circuit to be tested after fault injection.

Claims (1)

1. The integrated circuit fault injection attack simulation method based on partial scanning is characterized by comprising the following steps:
step 1): synthesizing a circuit to be tested to generate a circuit netlist;
step 2): inserting a scan chain into a circuit network table;
step 3): configuring a hardware framework formed by the netlist and the control module to an FPGA after comprehensive layout and wiring;
and 4) according to the netlist information, comprising: scanning the length of a chain, grouping the D triggers and generating a circuit control vector according to the basic input length of the circuit;
step 5) because the observability of partial scanning is limited, the circuit to be tested is subjected to function simulation to obtain the value of the normal running state of the trigger D of the circuit;
step 6), specifying the fault type, and modifying the normal state value of the D trigger in the circuit;
step 7) utilizing an SAT tool to generate fault vectors for the state values in the modified circuit;
step 8), using PCIe port to transmit the generated vector data to FPGA through host PC end;
step 9), completely controlling all D triggers in the circuit through the circuit control vector and the fault vector;
step 10) collecting fault data for subsequent evaluation;
in the step 2), the state control of the low-cost circuit based on partial scan chains is realized by using a balance structure and a method for adding the enabling ends in groups of the triggers, namely the complete controllability of the D triggers in the circuit after the scan chains are inserted;
in the step 8), the PCIe tool wupper is used for realizing the data transmission;
the process of processing the vector by the control module in the step 9) is as follows:
(1) starting a simulation vector, and storing the length of the scanning amount and the grouping number information of the D triggers;
(2) injecting scan chain vectors into the scan chains;
(3) the circuit basic input is set as a circuit basic input vector;
(4) and the fault period vector controls the operation period of the circuit to be tested after fault injection.
CN201811557258.6A 2018-12-19 2018-12-19 Integrated circuit fault injection attack simulation method based on partial scanning Active CN109581206B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811557258.6A CN109581206B (en) 2018-12-19 2018-12-19 Integrated circuit fault injection attack simulation method based on partial scanning

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811557258.6A CN109581206B (en) 2018-12-19 2018-12-19 Integrated circuit fault injection attack simulation method based on partial scanning

Publications (2)

Publication Number Publication Date
CN109581206A CN109581206A (en) 2019-04-05
CN109581206B true CN109581206B (en) 2020-12-11

Family

ID=65930088

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811557258.6A Active CN109581206B (en) 2018-12-19 2018-12-19 Integrated circuit fault injection attack simulation method based on partial scanning

Country Status (1)

Country Link
CN (1) CN109581206B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112858889B (en) * 2021-01-20 2022-03-25 南京航空航天大学 Fault injection circuit for super large scale integrated circuit
CN113254288B (en) * 2021-06-02 2021-09-21 中国人民解放军国防科技大学 FPGA single event upset fault injection method in satellite-borne equipment

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH11125662A (en) * 1997-10-23 1999-05-11 Oki Electric Ind Co Ltd Semiconductor integrated circuit and method for execution full scan
CN1228539A (en) * 1998-03-10 1999-09-15 日本电气株式会社 Method of generating test pattern for integrated circuit
US6732310B1 (en) * 1997-12-19 2004-05-04 Nec Corporation Peripheral partitioning and tree decomposition for partial scan
CN1512560A (en) * 2002-12-30 2004-07-14 清华大学 Scanning design with nano-scanning design test cost and test vector input method
CN101216532A (en) * 2008-01-16 2008-07-09 闫永志 Method for reducing scanning power consumption in sequence circuit
CN102305912A (en) * 2011-07-29 2012-01-04 清华大学 Low power consumption integrated circuit testing device with compressible data and method using same
CN102323538A (en) * 2011-07-08 2012-01-18 哈尔滨工业大学 Design method of scanning unit based on partial scanning of improved test vector set
CN104660466A (en) * 2015-02-06 2015-05-27 深圳先进技术研究院 Security testing method and system
CN106771962A (en) * 2016-11-29 2017-05-31 天津大学 A kind of Fault of Integrated Circuits injection attacks analogy method based on partial scan

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH11125662A (en) * 1997-10-23 1999-05-11 Oki Electric Ind Co Ltd Semiconductor integrated circuit and method for execution full scan
US6732310B1 (en) * 1997-12-19 2004-05-04 Nec Corporation Peripheral partitioning and tree decomposition for partial scan
CN1228539A (en) * 1998-03-10 1999-09-15 日本电气株式会社 Method of generating test pattern for integrated circuit
CN1512560A (en) * 2002-12-30 2004-07-14 清华大学 Scanning design with nano-scanning design test cost and test vector input method
CN101216532A (en) * 2008-01-16 2008-07-09 闫永志 Method for reducing scanning power consumption in sequence circuit
CN102323538A (en) * 2011-07-08 2012-01-18 哈尔滨工业大学 Design method of scanning unit based on partial scanning of improved test vector set
CN102305912A (en) * 2011-07-29 2012-01-04 清华大学 Low power consumption integrated circuit testing device with compressible data and method using same
CN104660466A (en) * 2015-02-06 2015-05-27 深圳先进技术研究院 Security testing method and system
CN106771962A (en) * 2016-11-29 2017-05-31 天津大学 A kind of Fault of Integrated Circuits injection attacks analogy method based on partial scan

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
故障攻击硬件仿真中低成本电路状态控制方法;刘强 等;《河海大学学报( 自然科学版)》;20191130;第47卷(第6期);第555-559页 *
集成电路故障注入攻击仿真方法;徐松 等;《计算机辅助设计与图形学学报》;20170831;第29卷(第8期);第1563-1569页 *

Also Published As

Publication number Publication date
CN109581206A (en) 2019-04-05

Similar Documents

Publication Publication Date Title
CN110618929B (en) Verification platform and verification method of symmetric encryption algorithm based on UVM
US9064068B1 (en) Debuggable opaque IP
CN102466776B (en) Batch testing method for complex programmable logic device
US6061283A (en) Semiconductor integrated circuit evaluation system
CN104865518B (en) A kind of CLB dynamic collocation methods of SRAM type FPGA
US7120571B2 (en) Resource board for emulation system
US7003746B2 (en) Method and apparatus for accelerating the verification of application specific integrated circuit designs
CN101499937A (en) Software and hardware collaborative simulation verification system and method based on FPGA
CN109581206B (en) Integrated circuit fault injection attack simulation method based on partial scanning
CN104461812A (en) Method for constructing UVM verification component by utilizing existing Verilog BFM
US9183329B2 (en) Debugging simulation with partial design replay
CN106771962A (en) A kind of Fault of Integrated Circuits injection attacks analogy method based on partial scan
CN106294144A (en) Generation method, system and the server of the test vector of serial communication protocol
CN110263459B (en) UVM verification acceleration method based on test sequence analysis
CN110765715A (en) GPU chip-oriented rendering output unit performance simulation method and platform
CN111062173A (en) GPU chip-oriented rendering output unit function simulation method and platform
KR20020069468A (en) Debugging Apparatus Using Both Very Large Scaled Digital System Realized in Hardware and Simulation, and Debugging Method For Verifying Ultra Large Design
AbdElSalam et al. SoC verification platforms using HW emulation and co-modeling Testbench technologies
CN102662812B (en) Performance testing system for PCI (peripheral Component Interconnect) bus-based single-way reception demodulator
CN107526585B (en) Scala-based FPGA development platform and debugging and testing method thereof
Liao et al. A HW/SW co-verification technique for field programmable gate array (FPGA) test
CN113032203B (en) Programmable logic device accelerated testing device and method
Siripokarpirom et al. Hardware-assisted simulation and evaluation of IP cores using FPGA-based rapid prototyping boards
CA1212770A (en) Method for propagating unknown digital values in a hardware based complex circuit simulation system
SAHU et al. BOOSTING CHIP VERIFICATION EFFICIENCY: UVM-BASED ADDER VERIFICATION WITH QUESTASIM.

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP02 Change in the address of a patent holder

Address after: 300452 Binhai Industrial Research Institute Campus of Tianjin University, No. 48 Jialingjiang Road, Binhai New Area, Tianjin

Patentee after: Tianjin University

Address before: 300072 Tianjin City, Nankai District Wei Jin Road No. 92

Patentee before: Tianjin University

CP02 Change in the address of a patent holder