CN109581206B - Integrated circuit fault injection attack simulation method based on partial scanning - Google Patents
- Publication number: CN109581206B
- Application number: CN201811557258.6A
- Authority: CN (China)
- Prior art keywords: circuit, vector, fault, fault injection, simulation
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- G—PHYSICS
- G01—MEASURING; TESTING
- G01R—MEASURING ELECTRIC VARIABLES; MEASURING MAGNETIC VARIABLES
- G01R31/00—Arrangements for testing electric properties; Arrangements for locating electric faults; Arrangements for electrical testing characterised by what is being tested not provided for elsewhere
- G01R31/28—Testing of electronic circuits, e.g. by signal tracer
- G01R31/317—Testing of digital circuits
- G01R31/3181—Functional testing
- G01R31/3185—Reconfiguring for testing, e.g. LSSD, partitioning
- G01R31/318533—Reconfiguring for testing, e.g. LSSD, partitioning using scanning techniques, e.g. LSSD, Boundary Scan, JTAG
- G01R31/318536—Scan chain arrangements, e.g. connections, test bus, analog signals
- G01R31/318544—Scanning methods, algorithms and patterns
- G01R31/318583—Design for test
- G01R31/318586—Design for test with partial scan or non-scannable parts
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B17/00—Systems involving the use of models or simulators of said systems
- G05B17/02—Systems involving the use of models or simulators of said systems electric
Landscapes
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Engineering & Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Automation & Control Theory (AREA)
- Tests Of Electronic Circuits (AREA)
- Design And Manufacture Of Integrated Circuits (AREA)
Abstract
The invention discloses a partial-scan-based fault injection attack simulation method for integrated circuits, which uses an FPGA to simulate fault injection attacks on a partially scanned circuit. The method comprises four main steps: preprocessing, fault model setting, test vector generation, and fault injection simulation. The invention achieves low-overhead fault injection attack simulation based on partial scan: partial scan chains are inserted into the netlist and fault injection logic, such as a circuit control module, is added to simulate the attack; control signals are sent from the PC to the FPGA through the PCIe port and, after processing by the control module, carry out the fault injection. The method offers high simulation speed and low logic overhead.
Description
Technical Field
The invention relates to the field of integrated circuit security, and in particular to a partial-scan-based method for simulating fault injection attacks on integrated circuits.
Background
Fault injection attacks have become an effective method for attacking chips [1]. Existing methods for evaluating an integrated circuit's resistance to fault injection attacks are mainly chip testing [2-3], hardware simulation [4-5], and software simulation [6-7]. Chip testing performs actual fault injection attacks on the finished chip; test efficiency is low, cost is high, and once a problem is found the design modification cycle and cost are extremely high. It is necessary to evaluate the integrated circuit's resistance to fault injection attacks at the design stage. Software simulation runs slowly, and because the fault model space and the volume of fault data are large, simulation takes too long. Hardware simulation uses an FPGA development platform to simulate fault injection attacks at the design stage, with high simulation speed and accurate fault injection.
Fault injection attack simulation based on full scan incurs a large logic overhead [4]. The invention applies partial scan to the circuit under test to reduce the circuit's resource overhead, which lowers development cost or allows fault injection attacks to be carried out on larger circuits.
References:
[1] GHALATY N F, YUCE B, TAHA M, et al. Differential Fault Intensity Analysis[C]//The Workshop on Fault Diagnosis & Tolerance in Cryptography. IEEE Computer Society, 2014: 49-58.
[2] HAYASHI Y, HOMMA N, MIZUKI T, et al. Transient IEMI threats for cryptographic devices[J]. IEEE Transactions on Electromagnetic Compatibility, 2013, 55(1): 140.
[3] SONDON S, MANDOLESI P, JULIÁN P, et al. Heavy-ion micro-beam use for transient fault injection in VLSI circuits[C]//IEEE International Conference on Plasma Sciences. IEEE, 2014: 1.
[4] XU Song, LIU Qiang. Simulation method of fault injection attack of integrated circuit[J]. Journal of Computer-Aided Design & Computer Graphics, 2017, 29(8): 1563.
[5] EBRAHIMI M, MOHAMMADI A, EJLALI A, et al. A fast, flexible, and easy-to-develop FPGA-based fault injection technique[J]. Microelectronics Reliability, 2014, 54(5): 1000.
[6] HE Renya, TANG Longli, WANG Shihai, et al. Software dynamic fault model and injection method[C]//International Conference on Reliability, Maintainability and Safety. 2016: 1.
[7] LUO Yin, YAO Rihuang, BIN Jianwei, et al. Research on a Software Fault Injection Model Based on Program Mutation[C]//International Conference on Information Science and Control Engineering. IEEE, 2015: 419.
Disclosure of Invention
The invention aims to overcome the shortcomings of the prior art by providing a partial-scan-based fault injection attack simulation method for integrated circuits. By selecting a subset of the D flip-flops from the synthesized netlist and inserting them into a scan chain, the method simulates fault injection attacks on the integrated circuit, reduces resource overhead, and automates hardware fault injection attack simulation.
The purpose of the invention is achieved by the following technical scheme. The partial-scan-based integrated circuit fault injection attack simulation method comprises the following steps:
step 1): synthesizing the circuit under test to generate a circuit netlist;
step 2): inserting a scan chain into the circuit netlist;
step 3): synthesizing, placing and routing the hardware framework formed by the netlist and the control module, and configuring it onto an FPGA;
step 4): generating circuit control vectors according to the netlist information, which comprises the scan chain length, the grouping of the D flip-flops, and the primary input length of the circuit;
step 5): because partial scan offers limited observability, performing functional simulation of the circuit under test to obtain the normal operating state values of the circuit's D flip-flops;
step 6): specifying the fault type and modifying the normal state values of the D flip-flops in the circuit;
step 7): using a SAT tool to generate fault vectors for the modified state values in the circuit;
step 8): transmitting the generated vector data from the host PC to the FPGA through the PCIe port;
step 9): completely controlling all D flip-flops in the circuit through the circuit control vectors and the fault vectors;
step 10): collecting fault data for subsequent evaluation.
In step 2), low-cost circuit state control based on partial scan chains is achieved by using a balanced structure and by adding enable terminals to the flip-flops in groups, so that the D flip-flops in the circuit are completely controllable after scan chain insertion.
The data transmission in step 8) is implemented with the PCIe tool wupper.
In step 9), the control module processes the vectors as follows:
(1) the start-simulation vector, which stores the scan chain length and the number of D flip-flop groups;
(2) the scan chain vector is shifted into the scan chain;
(3) the circuit primary inputs are set to the circuit primary input vector;
(4) the fault period vector controls the number of cycles the circuit under test runs after fault injection.
Compared with the prior art, the invention has the following advantages:
The invention is based on partial scan: a subset of the registers in the original netlist is selected as scan registers, and a new netlist is generated by adding scan chain insertion, a fault injection control module, and a top-level data transmission module to the original netlist. Full control of the D flip-flops in the circuit is achieved by controlling the scan registers and the circuit's primary inputs. Resource consumption is reduced, giving an automated, efficient, low-resource simulation of fault injection attacks on integrated circuits. The whole simulation process is transparent to users: they only need to provide the design source code and the input vectors of the circuit under test, and the apparatus of the invention provides the fault injection attack simulation output of the circuit under test.
Drawings
Fig. 1 is a block flow diagram of the invention.
Fig. 2 shows the overall architecture of the partial-scan-based fault injection hardware simulation.
Fig. 3 shows the test vectors generated for the S1238 circuit of the ISCAS benchmark circuits.
Detailed Description
The invention is further illustrated by the following specific examples and the accompanying drawings. The examples are intended to help those skilled in the art better understand the invention and do not limit it in any way.
The technical scheme of the invention is a partial-scan-based integrated circuit fault injection attack simulation method. As shown in Fig. 1, the specific steps are as follows:
step 4: generating circuit control vectors according to the netlist information, which comprises the scan chain length, the grouping of the D flip-flops, and the primary input length of the circuit;
step 5: performing functional simulation of the circuit under test to obtain the normal operating state values of the circuit's D flip-flops;
step 8: transmitting the generated vector data from the host PC to the FPGA through the PCIe port; as shown in Fig. 2, the vector data reaches the FPGA over PCIe and is temporarily stored in the data receiving module;
step 9: the control module extracts the vector data and controls the fault injection attack simulation process. For S1238 of the ISCAS benchmark circuits, the scan chain length is 7 and the number of D flip-flop groups is 3. As shown in Fig. 3, vector[1] is the start-simulation vector for fault injection and provides the scan chain length and the number of D flip-flop groups. vector[2] is the scan chain vector of the first D flip-flop group, and vector[3] is the circuit primary input vector of the first D flip-flop group. vector[3]-vector[6] are the vectors of the last two D flip-flop groups. vector[7] gives the number of cycles the circuit runs after fault injection;
step 10: collecting fault data for subsequent evaluation.
The method mainly comprises the following stages. First, preprocessing the circuit under test: the design source code of the circuit under test is synthesized into a netlist, the circuit is processed into a balanced structure, and a subset of the D flip-flops is selected to become scan flip-flops. The remaining D flip-flops in the circuit are grouped, and an enable terminal is added to each group. Control of the D flip-flops in the circuit is achieved using the circuit's primary inputs and the scan chain.
Second, setting the fault model: functional simulation of the circuit under test is performed to obtain the circuit's original simulation data, the fault injection cycle and the fault injection location are specified, and the specified values of the D flip-flops are set.
Then, generating the test vectors: according to the specified D flip-flop values, a SAT tool is used to solve for the corresponding control vectors, namely the scan chain vector and the circuit primary input vector. The simulation process control vectors are also generated: the start-simulation vector (containing the scan chain length and the number of D flip-flop groups) and the fault period vector (the number of cycles to run after fault injection).
Finally, fault injection simulation: the circuit under test with the scan chain inserted, the control circuit, and the top-level interface circuit are synthesized, placed and routed into a bitstream file, which is downloaded to the FPGA over a JTAG cable. The FPGA is connected to the PC's motherboard through a PCIe interface. All simulation vectors are transmitted to the control module through the PCIe port and control the running of the simulation process; the data transmission is implemented with the PCIe tool wupper. The control module receives the simulation vectors in the following order: 1) the start-simulation vector, which stores the scan chain length and the number of D flip-flop groups; 2) the scan chain vector, which is shifted into the scan chain; 3) the circuit primary input vector, to which the circuit's primary inputs are set; 4) the fault period vector, which controls the number of cycles the circuit under test runs after fault injection. After running for the specified number of cycles, the result of the circuit under test after fault injection is obtained.
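The flow from fault model setting to result collection (steps 5 to 10), as an added Python example that is not code from the patent: a constructed toy circuit (two scan flip-flops, two primary inputs, three non-scan flip-flops in two enable groups) replaces the netlist, and exhaustive search stands in for the SAT tool. The tuple encoding of the vectors and the final scan shift that sets the scan flip-flops themselves are assumptions of this model.

```python
from itertools import product

# Constructed toy circuit (not from the patent): scan flip-flops s0, s1;
# primary inputs a, b; non-scan flip-flops in two enable groups.
SCAN = ("s0", "s1")
GROUPS = (("n0", "n1"), ("n2",))
ALL_FFS = SCAN + GROUPS[0] + GROUPS[1]

def logic(st, pi):
    """Functional next-state logic of every D flip-flop."""
    a, b = pi
    return {"n0": st["s0"] ^ a, "n1": st["s1"] & b,
            "n2": (st["s0"] | a) ^ st["s1"],
            "s0": st["n0"] ^ st["n2"], "s1": st["n1"] | b}

def golden_run(pis):
    """Step 5: fault-free functional simulation; trace[t] is the state at cycle t."""
    trace = [dict.fromkeys(ALL_FFS, 0)]
    for pi in pis:
        trace.append(logic(trace[-1], pi))
    return trace

def solve_group(group, target):
    """Step 7 stand-in: exhaustive search in place of a SAT tool for a scan
    vector and primary-input vector that drive one group to its target."""
    blank = dict.fromkeys(ALL_FFS, 0)
    for scan in product((0, 1), repeat=len(SCAN)):
        for pi in product((0, 1), repeat=2):
            out = logic({**blank, **dict(zip(SCAN, scan))}, pi)
            if all(out[ff] == target[ff] for ff in group):
                return scan, pi
    raise ValueError(f"no control vector reaches the target for {group}")

def build_vectors(target, cycles_after):
    """Start vector, one (scan, primary-input) pair per group, fault period."""
    vecs = [("start", len(SCAN), len(GROUPS))]
    for group in GROUPS:
        scan, pi = solve_group(group, target)
        vecs += [("scan", scan), ("pi", pi)]
    # Toy-model assumption: a last shift sets the scan flip-flops themselves.
    vecs.append(("scan", tuple(target[ff] for ff in SCAN)))
    vecs.append(("cycles", cycles_after))
    return vecs

def control_module(vecs, pis_after):
    """Step 9: replay the vectors group by group, then run the faulty circuit."""
    state = dict.fromkeys(ALL_FFS, 0)
    for g, group in enumerate(GROUPS):
        state.update(zip(SCAN, vecs[1 + 2 * g][1]))        # shift the scan chain
        captured = logic(state, vecs[2 + 2 * g][1])        # drive primary inputs
        state.update({ff: captured[ff] for ff in group})   # pulse group enable
    state.update(zip(SCAN, vecs[-2][1]))                   # final scan load
    for pi in pis_after[:vecs[-1][1]]:
        state = logic(state, pi)
    return state

def run_experiment(fault_ff, fault_cycle=2, cycles_after=2):
    """Steps 5-10 for a single bit-flip fault; returns the vectors and the
    flip-flops that differ from the golden run after the fault period."""
    pis = [(1, 0), (0, 1), (1, 1), (0, 0), (1, 0)]         # constructed stimulus
    trace = golden_run(pis)
    target = {**trace[fault_cycle], fault_ff: trace[fault_cycle][fault_ff] ^ 1}
    vecs = build_vectors(target, cycles_after)
    faulty = control_module(vecs, pis[fault_cycle:])
    golden = trace[fault_cycle + cycles_after]
    return vecs, sorted(ff for ff in ALL_FFS if faulty[ff] != golden[ff])

if __name__ == "__main__":
    for ff in ("n0", "n1"):
        vecs, diff = run_experiment(ff)
        print(ff, vecs, "corrupted:", diff or "none (fault masked)")
```

In this toy circuit a flip of n1 is masked after one cycle because s1 = n1 | b with b = 1, while a flip of n0 still corrupts n0 and n2 at the end of the two-cycle fault period.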
Claims (1)
1. A partial-scan-based integrated circuit fault injection attack simulation method, characterized by comprising the following steps:
step 1): synthesizing the circuit under test to generate a circuit netlist;
step 2): inserting a scan chain into the circuit netlist;
step 3): synthesizing, placing and routing the hardware framework formed by the netlist and the control module, and configuring it onto an FPGA;
step 4): generating circuit control vectors according to the netlist information, which comprises the scan chain length, the grouping of the D flip-flops, and the primary input length of the circuit;
step 5): because partial scan offers limited observability, performing functional simulation of the circuit under test to obtain the normal operating state values of the circuit's D flip-flops;
step 6): specifying the fault type and modifying the normal state values of the D flip-flops in the circuit;
step 7): using a SAT tool to generate fault vectors for the modified state values in the circuit;
step 8): transmitting the generated vector data from the host PC to the FPGA through the PCIe port;
step 9): completely controlling all D flip-flops in the circuit through the circuit control vectors and the fault vectors;
step 10): collecting fault data for subsequent evaluation;
in step 2), low-cost circuit state control based on partial scan chains is achieved by using a balanced structure and by adding enable terminals to the flip-flops in groups, so that the D flip-flops in the circuit are completely controllable after scan chain insertion;
in step 8), the data transmission is implemented with the PCIe tool wupper;
in step 9), the control module processes the vectors as follows:
(1) the start-simulation vector, which stores the scan chain length and the number of D flip-flop groups;
(2) the scan chain vector is shifted into the scan chain;
(3) the circuit primary inputs are set to the circuit primary input vector;
(4) the fault period vector controls the number of cycles the circuit under test runs after fault injection.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811557258.6A CN109581206B (en) | 2018-12-19 | 2018-12-19 | Integrated circuit fault injection attack simulation method based on partial scanning |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109581206A CN109581206A (en) | 2019-04-05 |
CN109581206B true CN109581206B (en) | 2020-12-11 |
Family
ID=65930088
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811557258.6A Active CN109581206B (en) | 2018-12-19 | 2018-12-19 | Integrated circuit fault injection attack simulation method based on partial scanning |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109581206B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112858889B (en) * | 2021-01-20 | 2022-03-25 | 南京航空航天大学 | Fault injection circuit for super large scale integrated circuit |
CN113254288B (en) * | 2021-06-02 | 2021-09-21 | 中国人民解放军国防科技大学 | FPGA single event upset fault injection method in satellite-borne equipment |
Patent Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH11125662A (en) * | 1997-10-23 | 1999-05-11 | Oki Electric Ind Co Ltd | Semiconductor integrated circuit and method for execution full scan |
US6732310B1 (en) * | 1997-12-19 | 2004-05-04 | Nec Corporation | Peripheral partitioning and tree decomposition for partial scan |
CN1228539A (en) * | 1998-03-10 | 1999-09-15 | 日本电气株式会社 | Method of generating test pattern for integrated circuit |
CN1512560A (en) * | 2002-12-30 | 2004-07-14 | 清华大学 | Scanning design with nano-scanning design test cost and test vector input method |
CN101216532A (en) * | 2008-01-16 | 2008-07-09 | 闫永志 | Method for reducing scanning power consumption in sequence circuit |
CN102323538A (en) * | 2011-07-08 | 2012-01-18 | 哈尔滨工业大学 | Design method of scanning unit based on partial scanning of improved test vector set |
CN102305912A (en) * | 2011-07-29 | 2012-01-04 | 清华大学 | Low power consumption integrated circuit testing device with compressible data and method using same |
CN104660466A (en) * | 2015-02-06 | 2015-05-27 | 深圳先进技术研究院 | Security testing method and system |
CN106771962A (en) * | 2016-11-29 | 2017-05-31 | 天津大学 | A kind of Fault of Integrated Circuits injection attacks analogy method based on partial scan |
Non-Patent Citations (2)
Title |
---|
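Low-cost circuit state control method in hardware simulation of fault attacks; LIU Qiang et al.; Journal of Hohai University (Natural Sciences); 20191130; Vol. 47, No. 6; pp. 555-559 * |
Simulation method of fault injection attack of integrated circuit; XU Song et al.; Journal of Computer-Aided Design & Computer Graphics; 20170831; Vol. 29, No. 8; pp. 1563-1569 * |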
Also Published As
Publication number | Publication date |
---|---|
CN109581206A (en) | 2019-04-05 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110618929B (en) | Verification platform and verification method of symmetric encryption algorithm based on UVM | |
US9064068B1 (en) | Debuggable opaque IP | |
CN102466776B (en) | Batch testing method for complex programmable logic device | |
US6061283A (en) | Semiconductor integrated circuit evaluation system | |
CN104865518B (en) | A kind of CLB dynamic collocation methods of SRAM type FPGA | |
US7120571B2 (en) | Resource board for emulation system | |
US7003746B2 (en) | Method and apparatus for accelerating the verification of application specific integrated circuit designs | |
CN101499937A (en) | Software and hardware collaborative simulation verification system and method based on FPGA | |
CN109581206B (en) | Integrated circuit fault injection attack simulation method based on partial scanning | |
CN104461812A (en) | Method for constructing UVM verification component by utilizing existing Verilog BFM | |
US9183329B2 (en) | Debugging simulation with partial design replay | |
CN106771962A (en) | A kind of Fault of Integrated Circuits injection attacks analogy method based on partial scan | |
CN106294144A (en) | Generation method, system and the server of the test vector of serial communication protocol | |
CN110263459B (en) | UVM verification acceleration method based on test sequence analysis | |
CN110765715A (en) | GPU chip-oriented rendering output unit performance simulation method and platform | |
CN111062173A (en) | GPU chip-oriented rendering output unit function simulation method and platform | |
KR20020069468A (en) | Debugging Apparatus Using Both Very Large Scaled Digital System Realized in Hardware and Simulation, and Debugging Method For Verifying Ultra Large Design | |
AbdElSalam et al. | SoC verification platforms using HW emulation and co-modeling Testbench technologies | |
CN102662812B (en) | Performance testing system for PCI (peripheral Component Interconnect) bus-based single-way reception demodulator | |
CN107526585B (en) | Scala-based FPGA development platform and debugging and testing method thereof | |
Liao et al. | A HW/SW co-verification technique for field programmable gate array (FPGA) test | |
CN113032203B (en) | Programmable logic device accelerated testing device and method | |
Siripokarpirom et al. | Hardware-assisted simulation and evaluation of IP cores using FPGA-based rapid prototyping boards | |
CA1212770A (en) | Method for propagating unknown digital values in a hardware based complex circuit simulation system | |
SAHU et al. | BOOSTING CHIP VERIFICATION EFFICIENCY: UVM-BASED ADDER VERIFICATION WITH QUESTASIM. |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
CP02 | Change in the address of a patent holder | Address after: 300452 Binhai Industrial Research Institute Campus of Tianjin University, No. 48 Jialingjiang Road, Binhai New Area, Tianjin; Patentee after: Tianjin University; Address before: 300072 Tianjin City, Nankai District Wei Jin Road No. 92; Patentee before: Tianjin University |