CN117254929A - Detection device and chip - Google Patents

Detection device and chip Download PDF

Info

Publication number
CN117254929A
CN117254929A CN202310887777.3A CN202310887777A CN117254929A CN 117254929 A CN117254929 A CN 117254929A CN 202310887777 A CN202310887777 A CN 202310887777A CN 117254929 A CN117254929 A CN 117254929A
Authority
CN
China
Prior art keywords
state
circuit
signal
signal state
chip
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310887777.3A
Other languages
Chinese (zh)
Inventor
范长永
王宗岳
黎福晓
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Open Security Research Inc
Original Assignee
Open Security Research Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Open Security Research Inc filed Critical Open Security Research Inc
Priority to CN202310887777.3A priority Critical patent/CN117254929A/en
Publication of CN117254929A publication Critical patent/CN117254929A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1466Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • GPHYSICS
    • G08SIGNALLING
    • G08BSIGNALLING OR CALLING SYSTEMS; ORDER TELEGRAPHS; ALARM SYSTEMS
    • G08B21/00Alarms responsive to a single specified undesired or abnormal condition and not otherwise provided for
    • G08B21/18Status alarms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • Emergency Management (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The embodiment of the application discloses detection device and chip, detection device sets up the area of waiting to detect at the chip, and detection device includes: the device comprises a first state conversion circuit, a first input signal state, a first stage signal state and a second stage signal state, wherein the first state conversion circuit is used for converting a clock signal into a first input signal state; wherein the plurality of signal conditions comprises: the first input signal state is not a preset signal state, the previous stage signal state is not a preset signal state, and the arrangement sequence between the previous stage signal state and the first input signal state does not meet the state transition sequence condition.

Description

Detection device and chip
Technical Field
The present application relates to the field of electronic technologies, and in particular, to a detection device and a chip.
Background
With the rapid development of electronic devices, most devices such as chips use cryptographic protection measures in order to protect the safe and reliable operation of the devices. Fault injection attacks (Fault Injection Attack) are a common option to break cryptographic security measures by forcing some fault behaviour in the attacked device to skip/break security operations, modify registers and perform illegal operations.
The fault injection attack mode does not need to damage the chip, and only needs to change the normal working state of the internal circuit of the chip so as to crack and acquire sensitive information such as a secret key.
In the related art, the detection mode for the fault injection attack is to integrate multiple sensors in a chip to detect various fault injection attacks, but each sensor can only detect one fault injection attack, and if the multiple fault injection attacks need to be prevented, multiple sensors need to be placed in the chip. However, this method has at least a problem of high cost and difficult distribution and deployment.
Content of the application
In order to solve the problems of high cost and difficult distribution and deployment in the detection of fault injection attack in the related art, the embodiment of the application provides a detection device and a chip.
The technical scheme of the application is realized as follows:
in a first aspect, the present application provides a detection device, where the detection device is disposed in a to-be-detected area of a chip, the detection device includes: a variation detection circuit, wherein,
The change detection circuit is connected with the clock port and is used for receiving a clock signal output by the clock port, under the condition that the clock signal is changed, a first input signal state input to the first state conversion circuit and a previous stage signal state of the first input signal state are obtained, and if the first input signal state and the previous stage signal state meet at least one of a plurality of signal conditions, a detection result of the chip being attacked by external injection is obtained;
wherein the plurality of signal conditions comprises: the first input signal state is not a preset signal state, the previous stage signal state is not the preset signal state, and the arrangement sequence between the previous stage signal state and the first input signal state does not meet the state transition sequence condition.
In the above scheme, the mutation detection circuit is further configured to obtain a detection result that the chip is not attacked by external injection if the first input signal state and the previous stage signal state do not satisfy the plurality of signal conditions.
In the above solution, the first input signal state includes: and taking the first preset signal state as an initial input signal state, and circularly arranging one of a plurality of preset signal states according to a preset state conversion sequence, or after the chip is attacked by external injection, converting the current preset signal state in the first state conversion circuit into an external attack signal state in one clock period.
In the above scheme, the device further includes: the first state transition circuit, a first state register in the first state transition circuit stores the previous stage signal state, wherein,
the mutation detection circuit is further configured to obtain the previous stage signal state from the first state register, and output the detection result to the first state conversion circuit when the detection result is obtained;
the first state transition circuit is configured to perform state transition on the first input signal state according to the detection result.
In the above scheme, the skew detecting circuit is further configured to obtain the first input signal state under the clock signal, and the second input signal state input to the second state converting circuit; the previous stage signal state of the first input signal state includes the second input signal state;
wherein the second input signal state comprises: and taking a second preset signal state as an initial input signal state, and circularly arranging a plurality of preset signal states according to the preset state transition sequence, or after the chip is attacked by external injection, converting the current preset signal state in the second state transition circuit into an external attack signal state in one clock period, wherein the second preset signal state is the previous stage signal state of the first preset signal state in the state transition sequence.
In the above scheme, the device further includes: the second state transition circuit, wherein,
the mutation detection circuit is further used for sending the detection result to the second state conversion circuit;
and the second state conversion circuit is used for carrying out state conversion on the second input signal state according to the detection result.
In the above scheme, the detection device further includes: a first control circuit and/or a second control circuit, wherein,
the first control circuit is connected with the first state conversion circuit and is used for performing input driving control on the input signals of the first state conversion circuit by taking a first preset signal state as an initial input signal after the first state conversion circuit is reset, so that the first state conversion circuit circularly converts the plurality of preset signal states according to the state conversion sequence;
the second control circuit is connected with the second state conversion circuit and is used for performing input driving control on the input signals of the second state conversion circuit by taking a second preset signal state as an initial input signal after the second state conversion circuit is reset, so that the second state conversion circuit performs cyclic conversion on the preset signal states according to the state conversion sequence.
In the above scheme, the detection device further includes: the alarm circuit is used for receiving the detection result and generating an alarm when the detection result represents that the chip is attacked by external injection; the reset circuit is used for carrying out reset operation on the reset objects after receiving the reset request signal, wherein all the reset objects comprise the chip and the state conversion circuit.
In a second aspect, the present application provides a chip comprising one or more of the detection devices described above.
In the above scheme, the chip comprises a security protection circuit, and the security protection circuit is used for executing security protection operation on the chip or a part of modules in the chip under the condition that an alarm signal is received, wherein the security protection operation comprises one of the following steps: a power-on/power-off reset, a non-power-on reset register reset, and a pause current work enters an interrupt state to wait for the central processing unit to process.
The detection device and the chip that this application embodiment provided, detection device set up the area of waiting to detect at the chip, detection device includes: the device comprises a first state conversion circuit, a first input signal state and a first stage signal state, wherein the first state conversion circuit is used for converting a clock signal into a first input signal state; wherein the plurality of signal conditions comprises: the first input signal state is not a preset signal state; the signal state of the previous stage is not a preset signal state; the arrangement order between the previous stage signal state and the first input signal state does not satisfy the state transition order condition. Therefore, the detection device determines whether the chip is subjected to external attack or not by judging the first input signal state input to the first state conversion circuit and whether the signal state of the previous stage of the first input signal state meets a plurality of signal conditions, overcomes the defect that the traditional sensor can only detect the limited area of the chip, can be deployed at any position of the chip, and greatly improves the fault attack resistance of the chip; meanwhile, the detection device is realized by a pure digital circuit, is not limited by a chip manufacturing process, does not change a chip design realization flow, and is low in cost and convenient to deploy; furthermore, the detection device can be used together with a traditional sensor, can be independently deployed and used, enhances the safety of the chip, and improves the accuracy of the detection result of the chip injected attack.
Drawings
Fig. 1 is a schematic structural diagram of a detection device according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of a detection device according to a second embodiment of the present application;
fig. 3 is a schematic diagram of a state transition process of a first state transition circuit according to an embodiment of the present application;
fig. 4 is a schematic diagram illustrating an operation example of a detection device according to an embodiment of the present application;
fig. 5 is a schematic structural diagram III of a detection device according to an embodiment of the present application;
fig. 6 is a schematic diagram of a state transition process of a second state transition circuit according to an embodiment of the present application;
fig. 7 is a schematic diagram two of an operation example of a detection device according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of a detection device according to an embodiment of the present application;
fig. 9 is a schematic structural diagram of a chip according to an embodiment of the present application;
fig. 10 is a schematic diagram of a second chip according to an embodiment of the present disclosure;
FIG. 11 is a block diagram of a detection device according to an embodiment of the present disclosure;
fig. 12 is a schematic diagram of an operation example of a detection device according to an embodiment of the present application.
Detailed Description
In order to make the present application solution better understood by those skilled in the art, the following description will clearly and completely describe the technical solution in the embodiments of the present application with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
The terms first, second and the like in the description and in the claims of the present application and in the above-described figures, are used for distinguishing between different objects and not for describing a particular sequential order. Furthermore, the terms "comprise" and "have," as well as any variations thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those listed steps or elements but may include other steps or elements not listed or inherent to such process, method, article, or apparatus.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the present application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments.
In order to better understand the detection apparatus provided in the embodiments of the present application, first, description will be given of the background technology of the fault injection attack, and the detection method for the fault injection attack in the related art,
The fault injection attack (Fault Injection Attack) is an active attack means aiming at the chip, makes the chip run in error through a specific attack means or equipment, and analyzes the error phenomenon by utilizing a fault analysis technology to obtain key sensitive information in the chip, thereby causing information leakage. In general, a cryptographic operation module in a device may run a cryptographic algorithm to perform various correct cryptographic operations, but when the device is disturbed, the cryptographic operation module may malfunction and operate in error, and a method in which an attacker recovers a device key by using the malfunction and operation error of the cryptographic operation module is called malfunction analysis. Analysis of an attack object using a manufacturing clock fault is one method of fault attack. Taking a cryptographic chip in a security chip as an example, an attacker extracts secret parameters such as a secret key in the cryptographic chip by injecting electromagnetic signals such as external laser pulses or electromagnetic pulses into the cryptographic chip, thereby losing the security function of the cryptographic chip.
In view of the above problems, in the related art, various fault injection attacks are detected by integrating a plurality of sensors in a chip, but each sensor can only detect one fault injection attack, for example, in order to detect a voltage attack, a voltage sensor is usually designed in the chip, and when the voltage is within an allowable range, the sensor does not alarm, and the chip works normally; when an attacker carries out voltage attack on the chip, an external power supply pin inputs voltage exceeding a normal range, the chip is in an attempt to make operation mistakes, sensitive information such as a secret key is obtained by analyzing the error phenomenon, and if the voltage sensor detects that the voltage exceeds the normal range at the moment, an alarm signal is input to enable the chip to be in a safe state such as reset and interruption, so that leakage of the sensitive information is prevented. Similarly, the temperature sensor is used for detecting whether the temperature is abnormal or not, and the light sensor is used for detecting whether the temperature is attacked by laser and visible light or not.
It should be noted that the above sensors have a common feature that only one type of attack can be detected. If multiple fault injection attacks need to be prevented, multiple sensors need to be placed in the chip, and at least two problems exist in this way: firstly, the cost is high. The sensor is realized by an analog circuit, the circuit area is large, and a plurality of different types of sensors are needed to cope with various attack means; secondly, the distribution and deployment are difficult. The analog circuit is provided with a power supply system independent of the digital circuit, so that the chip design is convenient to realize, the chip area is saved, meanwhile, the interference of the digital circuit to the analog circuit is avoided, the sensor is generally concentrated in a certain fixed area on the chip, and under the condition that the implementation position of some fault injection attacks such as light attacks, electromagnetic attacks and the like is far away from the sensor, the sensor cannot effectively detect the fault injection attacks, so that the whole chip area cannot be effectively protected, and the chip safety is further threatened.
Based on this, in various embodiments of the present application, the detection device is implemented by using a digital circuit, and is formed into a module independently, and by detecting the change of the digital signal, it is determined whether the chip is attacked, where the circuit implementation structure of the detection device is simple, the occupied area is small, and the detection device can be flexibly deployed in the area to be detected with high security requirement of the chip, such as a memory for storing sensitive information, so as to reduce the production cost, enhance the protection of the circuit, and improve the security of the chip.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a detection device, where a detection device 100 is installed in a to-be-detected area of a chip (not shown in the drawing), and the detection device 100 is disposed in the to-be-detected area of the chip, and the detection device 100 includes: a variation detecting circuit 11, wherein,
the mutation detection circuit 11 is connected to the clock port and is configured to receive a clock signal output from the clock port, obtain a first input signal state input to the first state conversion circuit and a previous stage signal state of the first input signal state when the clock signal changes, and obtain a detection result of the chip being attacked by external injection if the first input signal state and the previous stage signal state satisfy at least one of a plurality of signal conditions.
Wherein the plurality of signal conditions comprises: the first input signal state is not a preset signal state, the previous stage signal state is not a preset signal state, and the arrangement sequence between the previous stage signal state and the first input signal state does not meet the state transition sequence condition.
In this embodiment of the present application, the mutation detection circuit is further configured to obtain a detection result that the chip is not attacked by external injection if the first input signal state and the previous stage signal state do not satisfy the plurality of signal conditions.
In this embodiment of the present application, the area to be detected may be a surrounding blank area of a module with security requirements in a chip, where the module with security requirements includes, but is not limited to, a cryptographic operation module, a module storing private data, and the like. When an attacker attacks a module with a security requirement on a chip, the attacker cannot judge the specific position of the module, and cannot accurately control the attack on one or a plurality of transistors, so that the attacker can only continuously try the attack in each area of the chip. Therefore, by disposing the detection means in a blank area around the module, when an external attack signal injected into the chip is injected into the detection means, the detection means can detect the external attack signal.
In the embodiment of the present application, the Clock signal (Clock) is the basis of sequential logic for determining when the state in the logic cell is updated, and is a signal quantity which has a fixed period and is irrelevant to the operation. The clock signal has a fixed clock frequency, which is the inverse of the clock period. In synchronous digital circuits of signals, the clock signal is the high and low states between oscillations of a particular signal of the signal, the use of the signal acts in concert like a metronome, the digital clock signal being essentially a square wave voltage.
In this embodiment of the present application, the first input signal state may be a plurality of preset signal states, where the plurality of preset signal states are legal states of at least two preset bits, and each bit may be represented by binary or octal, and of course, may also be represented by hexadecimal, which is not specifically limited in this application. Here, the at least two bits may be 4-bit (bit) status bits or 8-bit status bits, and of course, the at least two bits may be other multiple-bit status bits, which is not particularly limited in this application. For example, taking a 4-bit binary state bit to represent a preset signal state as an example, the state value of each bit may be represented by 0 and 1, then the 4-bit state bit may include 16 signal states, and the 16 signal states are stored by the 4-bit state register, where the plurality of preset signal states may be S0 (0001), S1 (0011), S2 (0111), and S3 (1111), respectively, and all states except the preset signal state in the 16 signal states are illegal states.
In this embodiment of the present application, a previous stage signal state of the first input signal state may be stored in a state register in the first state conversion circuit, and is used to monitor whether an abnormality occurs in state conversion of the first state conversion circuit.
In this embodiment, the skew detecting circuit 11 obtains the first input signal state input to the first state converting circuit and the previous stage signal state of the first input signal state under the condition that the clock signal output from the clock port changes, and determines whether the first input signal state and the previous stage signal state satisfy a plurality of signal conditions. If the first input signal state and the previous stage signal state meet at least one of a plurality of signal conditions, namely the first input signal state is not a preset signal state, and/or the previous stage signal state is not a preset signal state, and/or the arrangement sequence between the previous stage signal state and the first input signal state does not meet the state transition sequence condition, determining the detection result of the chip being attacked by external injection. If the first input signal state and the previous stage signal state do not meet a plurality of signal conditions, namely the first input signal state and the previous stage signal state are both preset signal states, and the arrangement sequence between the previous stage signal state and the first input signal state meets a state transition sequence condition, determining that the chip is not attacked by external injection.
Here, the state sequence transition condition is that in each first input signal state, it is judged whether or not the arrangement sequence between the signal state of the preceding stage of the state and the first input signal state is a preset state transition sequence.
In other embodiments of the present application, the first input signal state includes: and taking the first preset signal state as an initial input signal state, and converting the current preset signal state in the first state conversion circuit into an external attack signal state after one of a plurality of preset signal states which are circularly arranged according to a preset state conversion sequence or the chip is attacked by external injection.
In this embodiment, the first input signal state may be one of a plurality of preset signal states, and the plurality of preset signal states are circularly arranged according to a preset state transition sequence by taking the first preset signal state as an initial input signal state. Of course, the first input signal state may also be that the chip converts the current preset signal state in the first state conversion circuit into other signal states, namely, the external attack signal state, after being attacked by external injection in one clock cycle.
Here, the external attack signal state may be one of a plurality of preset signal states, and the external attack signal state may be other signal states than the plurality of preset signal states, which is not particularly limited in this application.
In one implementation scenario, the first input signal state may be one of a plurality of preset signal states S0 (0001), S1 (0011), S2 (0111), and S3 (1111), and the plurality of preset signal states are circularly arranged according to a preset state transition sequence, such as S0 (0001) - > S1 (0011) - > S2 (0111) - > S3 (1111) - > S0 (0001), with the first preset signal state, such as S0 (0001), as a starting input signal state. Of course, the first input signal state may also be that after the chip is attacked by external injection, the current preset signal state in the first state conversion circuit, such as S1 (0011), is converted into an external attack signal state, and the external attack signal state may be another preset signal state S3 (1111) or another signal state, such as (1011), which is not specifically limited in this application.
The detection device that this application embodiment provided, detection device set up the area of waiting to detect at the chip, detection device includes: the device comprises a first state conversion circuit, a first input signal state and a first stage signal state, wherein the first state conversion circuit is used for converting a clock signal into a first input signal state; wherein the plurality of signal conditions comprises: the first input signal state is not a preset signal state; the signal state of the previous stage is not a preset signal state; the arrangement order between the previous stage signal state and the first input signal state does not satisfy the state transition order condition. Therefore, the detection device determines whether the chip is subjected to external attack or not by judging the first input signal state input to the first state conversion circuit and whether the signal state of the previous stage of the first input signal state meets a plurality of signal conditions, overcomes the defect that the traditional sensor can only detect the limited area of the chip, can be deployed at any position of the chip, and greatly improves the fault attack resistance of the chip; meanwhile, the detection device is realized by a pure digital circuit, is not limited by a chip manufacturing process, does not change a chip design realization flow, and is low in cost and convenient to deploy; furthermore, the detection device can be used together with a traditional sensor, can be independently deployed and used, enhances the safety of the chip, and improves the accuracy of the detection result of the chip injected attack.
In some embodiments, referring to fig. 2, fig. 2 shows a schematic structural diagram of another detection device, where the detection device 100 further includes: a first state transition circuit 12, a first state register in the first state transition circuit 12 storing a previous stage signal state, wherein,
the mutation detection circuit 11 is further configured to obtain a previous stage signal state from the first state register, and output a detection result to the first state conversion circuit 12 when the detection result is obtained;
the first state transition circuit 12 is configured to perform state transition on the first input signal state according to the detection result.
In the embodiment of the application, when an attacker attacks a chip, the state conversion circuit in the detection device installed on the chip can detect an external attack signal, and the state conversion circuit immediately converts the current preset signal state of the state conversion circuit into an external attack signal state corresponding to the external attack signal according to the external attack signal. Further, the first state register of the first state transition circuit stores therein the previous stage signal state of the first input signal state, the mutation detection circuit 11 obtains the first input signal state input to the first state transition circuit 12, and obtains the previous stage signal state of the first input signal from the first state register; then, judging whether the first input signal state and the previous stage signal state meet a plurality of signal conditions; if the first input signal state and the previous stage signal state do not meet all signal conditions, the first state conversion circuit is characterized by carrying out normal conversion according to a preset state conversion sequence, and the first state conversion circuit does not detect an external attack signal, so that a detection result that the chip is not attacked by external injection is obtained; if the first input signal state and the previous stage signal state meet at least one of a plurality of signal conditions, the first state conversion circuit is characterized as not normally converting according to a preset state conversion sequence, and the first state conversion circuit detects an external attack signal, so that a detection result of the chip being attacked by injection is obtained. Finally, the strain detection circuit 11 outputs the detection result to the first state transition circuit 12.
In the embodiment of the present application, if the detection result indicates that the chip is not attacked by external injection, the first state conversion circuit 12 performs state conversion on the first input signal state according to the detection result and a preset state conversion sequence, so as to obtain a next signal state; further, storing the first input signal state into a first state register as a previous stage signal state of a next signal state; the next signal state is updated to the first input signal state. If the detection result indicates that the chip is attacked by external injection, the first state conversion circuit 12 performs state conversion on the first input signal state according to the detection result, so as to obtain and output a first Error state, i.e. the first state conversion circuit enters the Error state. After that, even when the clock signal changes, the skew detecting circuit 11 outputs the detection result to the first state transition circuit 12, and the first state transition circuit 12 is still in the Error state, that is, the first state transition circuit performs dead cycles in the Error state and cannot perform transition operation.
It should be noted that, in the case that the chip is not attacked by the external, the transition sequence between the preset signal states in the first state transition circuit is fixed for the detection device disposed on the chip, and the state change is determined by the clock signal, the detection result and the input preset signal state. Here, since the state transition is only changed at the edge of the input clock signal, and the state transition circuit internally uses the input signal state, the transition is performed in accordance with the input signal state.
In one possible scenario, referring to fig. 3 and fig. 4, the first input signal state is taken as a current signal state current_state, a previous stage signal state pre_state of the current signal state current_state is stored in a first state register in the first state conversion circuit, the current signal state is one of a plurality of preset signal states S0 (0001), S1 (0011), S2 (0111), S3 (1111), and the plurality of preset signal states are circularly arranged according to a preset state conversion sequence such as S0- > S1- > S2- > S3- > S0 by taking the first preset signal state such as S0 as a starting input signal state. Here, upon arrival of the rising edge of the clock signal, the transition detection circuit 11 obtains the current signal state current_state from the first state transition circuit 12, and obtains the previous-stage signal state pre_state of the current signal state current_state from the first state register. Under the current signal state current_state, judging whether the current signal state current_state and the previous signal state pre_state are preset signal states or not, and judging whether the arrangement sequence between the previous signal state pre_state and the current signal state current_state is a preset state transition sequence or not, so that a detection result of whether the chip is attacked by external injection or not is obtained.
Here, if the current signal state current_state and the previous signal state pre_state are both preset signal states, and the arrangement sequence between the previous signal state pre_state and the current signal state current_state is the preset state transition sequence, a detection result that the chip is not attacked by external injection is obtained; if the current signal state is not the preset signal state, and/or the previous signal state pre_state is not the preset signal state, and/or the arrangement sequence between the previous signal state pre_state and the current signal state is not the preset state transition sequence, the detection result of the chip being attacked by external injection is obtained.
If the mutation detection circuit 11 determines that the chip is not attacked by external injection, the detection result is sent to the first state conversion circuit 12, and the first state conversion circuit 12 performs normal state conversion on the first input signal state according to a preset state conversion sequence according to the detection result, so as to obtain a next signal state, and maintains the next signal state in the current clock cycle. Further, when the rising edge of the next clock signal arrives, the state register in the first state conversion circuit stores the next signal state, determines that the next signal state is the current state of the current signal state, and further the detection device repeats the steps to obtain a detection result, and continuously converts the current state of the current signal state again according to a preset state conversion sequence according to the detection result. Illustratively, referring to fig. 4, when the Reset circuit changes from low level to high level after receiving the Reset signal Reset, and when the rising edge of the clock signal of 3 to 6 clock cycles arrives, the skew detection circuit 11 determines a detection result that the chip is not attacked by external injection, and the first state transition circuit 12 performs normal state transition according to the detection result in a preset state transition order S0- > S1- > S2- > S3- > S0.
If the mutation detection circuit 11 determines the detection result of the chip being attacked by external injection, that is, the first state conversion circuit does not perform state conversion on the first input signal state according to the preset state conversion sequence S0- > S1- > S2- > S3- > S0 or enters other states except S0-S3, the mutation detection circuit 11 determines the detection result of the chip being attacked by external injection and sends the detection result to the first state conversion circuit 12, and the first state conversion circuit 12 converts the first input signal state according to the detection result and outputs a first Error state such as an Error state, that is, the first state conversion circuit enters the Error state.
For example, referring to fig. 3, when the current signal state current_state is S0, the previous stage signal state pre_state stored in the state register is not S3, or when the current signal state current_state is S1, the previous stage signal state pre_state is not S0, or when the current signal state current_state is S2, the previous stage signal state pre_state is not S1, or when the current signal state current_state is S3, the previous stage signal state pre_state is not S2, and the abnormality detection circuit outputs a detection result of the chip being attacked by external injection, at this time, the first state transition circuit enters an Error state according to the detection result.
As another example, referring to fig. 4, in the 7 th clock cycle, the first state transition circuit is attacked by external injection, the first input signal state current_state in the first state transition circuit is changed from S1 to S3, and the first state register stores the previous stage signal state pre_state, in which the first input signal state current_state is S1, as pre_s0. When the rising edge of the clock signal of the 8 th clock cycle arrives, the first input signal state current_state obtained by the mutation detection circuit 11 is S3, and the previous stage signal state pre_state of the first input signal state current_state stored in the state register is pre_s0; since the previous stage signal state corresponding to the first input signal state S3 should be pre_s2 and the previous stage signal state actually stored in the first state register is pre_s0 in the 8 th clock period according to the preset state transition sequence, the detection result of the chip being attacked by external injection can be determined at this time, and the detection result is sent to the first state transition circuit 12, so as to trigger the first state transition circuit 12 to enter the Error state. Thereafter, even if the rising edge of the clock signal arrives, the first state transition circuit is still in the Error state, i.e., the first state transition circuit performs a dead cycle in the Error state.
As can be seen from the above, the detecting device obtains the first input signal state input to the first state conversion circuit, and obtains the previous stage signal state of the first input signal state from the state register of the first state conversion circuit, and determines whether the first input signal state and the previous stage signal state satisfy a plurality of signal conditions, thereby determining whether the chip is subject to an external attack; therefore, the defect that the traditional sensor can only detect the limited area of the chip is overcome, the sensor can be deployed at any position of the chip, and the fault attack resistance of the chip is greatly improved; meanwhile, the detection device is realized by a pure digital circuit, is not limited by a chip manufacturing process, does not change a chip design realization flow, and is low in cost and convenient to deploy; furthermore, the detection device can be used together with a traditional sensor, can be independently deployed and used, enhances the safety of the chip, and improves the accuracy of the detection result of the chip injected attack.
In some embodiments, with continued reference to fig. 1 or 2, the skew detection circuit is further configured to obtain a first input signal state under the clock signal and a second input signal state input to the second state transition circuit; the previous stage signal state of the first input signal state includes the second input signal state.
Wherein the second input signal state comprises: and taking the second preset signal state as an initial input signal state, and circularly arranging a plurality of preset signal states according to a preset state conversion sequence, or after the chip is attacked by external injection, converting the current preset signal state in the second state conversion circuit into an external attack signal state in one clock period, wherein the second preset signal state is the previous stage signal state of the first preset signal state in the state conversion sequence.
In this embodiment of the present application, the second input signal state is similar to the first input signal state, and the second input signal state may be a plurality of preset signal states, where the plurality of preset signal states are legal states of at least two preset bits, and each bit may be represented by binary or octal, and of course, may also be represented by hexadecimal, which is not specifically limited in this application. Here, the at least two bits may be 4-bit (bit) status bits or 8-bit status bits, and of course, the at least two bits may be other multiple-bit status bits, which is not particularly limited in this application. For example, taking a 4-bit binary state bit to represent a preset signal state as an example, the state value of each bit may be represented by 0 and 1, then the 4-bit state bit may include 16 signal states, and the 16 signal states are stored by the 4-bit state register, where the plurality of preset signal states may be S0 (0001), S1 (0011), S2 (0111), and S3 (1111), respectively, and all states except the preset signal state in the 16 signal states are illegal states.
In this embodiment, the second input signal state may be one of a plurality of preset signal states, and the plurality of preset signal states are circularly arranged according to a preset state transition sequence by taking the second preset signal state as an initial input signal state. Of course, the second input signal state may also be that the chip converts the current preset signal state in the second state conversion circuit into other signal states, namely, the external attack signal state, after being attacked by external injection in one clock cycle.
It should be noted that, the state transition of the first state transition circuit to the first input signal state and the state transition of the second state transition circuit to the second input signal state are independent from each other, and do not interfere with each other, i.e. if the first state transition circuit is attacked by external injection to change the current preset signal state, the normal transition of the second state transition circuit to the second input signal state is not affected. Similarly, if the second state transition circuit is attacked by external injection, the current preset signal state is changed, and normal transition of the first state transition circuit to the first input signal state is not affected.
In one implementation scenario, with the first preset signal state being S0 (0001), the preset state transition sequence between the plurality of preset signal states is a cyclic permutation of S0 (0001) - > S1 (0011) - > S2 (0111) - > S3 (1111) - > S0 (0001). The second preset signal state is the previous stage signal state in the preset state transition sequence S3 (1111) - > S0 (0001) - > S1 (0011) - > S2 (0111) - > S3 (1111) of the first preset signal state S0 (0001), then the second preset signal state is S3 (1111), and the preset state transition sequence among the preset signal states in the second state transition circuit is S3 (1111) - > S0 (0001) - > S1 (0011) - > S2 (0111) - > S3 (1111) and is circularly arranged. Of course, the second input signal state may also be that after the chip is attacked by external injection, the current preset signal state in the second state conversion circuit is converted into an external attack signal state, for example, S2 (0111), and the external attack signal state may be another preset signal state S3 (1111) or another signal state, for example (1011), which is not particularly limited in this application.
In this embodiment, since the second input signal state is the previous stage signal state of the first input signal state, the skew detecting circuit 11 obtains the first input signal state input to the first state converting circuit and the second input signal state input to the second state converting circuit when the clock signal output from the clock port changes, and determines whether the first input signal state and the second input signal state satisfy a plurality of signal conditions. If the first input signal state and the second input signal state meet at least one of a plurality of signal conditions, namely the first input signal state is not a preset signal state, and/or the second input signal state is not a preset signal state, and/or the arrangement sequence between the second input signal state and the first input signal state does not meet the state transition sequence condition, determining the detection result of the chip attacked by external injection. If the first input signal state and the second input signal state do not meet all signal conditions, namely the first input signal state and the second input signal state are both preset signal states, and the arrangement sequence between the second input signal state and the first input signal state meets the state transition sequence condition, determining a detection result that the chip is not attacked by external injection.
As can be seen from the above, the detecting device obtains a first input signal state input to the first state conversion circuit, and obtains a second input signal state input to the second state conversion circuit, wherein the second input signal state is a previous stage signal state of the first input signal state, and determines whether the chip is subject to an external attack by determining whether the first input signal state and the previous stage signal state satisfy a plurality of signal conditions; therefore, the defect that the traditional sensor can only detect the limited area of the chip is overcome, the sensor can be deployed at any position of the chip, and the fault attack resistance of the chip is greatly improved; meanwhile, the detection device is realized by a pure digital circuit, is not limited by a chip manufacturing process, does not change a chip design realization flow, and is low in cost and convenient to deploy; furthermore, the detection device can be used together with a traditional sensor, can be independently deployed and used, enhances the safety of the chip, and improves the accuracy of the detection result of the chip injected attack.
In some embodiments, referring to fig. 5, fig. 5 shows a schematic structural diagram of another detection device, where the detection device 100 further includes: a first state transition circuit 12 and a second state transition circuit 13, wherein,
The mutation detection circuit 11 is further configured to send detection results to the first state conversion circuit 12 and the second state conversion circuit 13, respectively;
a first state transition circuit 12 for performing state transition on the first input signal state according to the detection result;
and a second state transition circuit 13 for performing state transition on the second input signal state according to the detection result.
In the embodiment of the present application, since the second input signal state is the previous stage signal state of the first input signal state, after the mutation detecting circuit 11 obtains the first input signal state from the first state converting circuit 12 and the second input signal state from the second state converting circuit, it is determined whether the first input signal state and the second input signal state satisfy the signal condition.
If the first input signal state and the second input signal state do not meet all the signal conditions, it is determined that neither the first state conversion circuit 12 nor the second state conversion circuit 13 is attacked by external injection, and then a detection result that the chip is not attacked by external injection is obtained. Further, the asynchronous detection circuit 11 sends the detection results to the first state conversion circuit 12 and the second state conversion circuit 13, respectively, and the first state conversion circuit 12 converts the state of the first input signal according to the detection results and the preset state conversion sequence; the second state transition circuit 13 transitions the second input signal state in accordance with a preset state transition sequence based on the detection result.
And if the first input signal state and/or the second input signal state meet at least one of a plurality of signal conditions, determining a detection result of the chip being attacked by external injection. It should be noted that the detection results include the following three modes: first, the first state switching circuit 12 is attacked by external injection, and the second state switching circuit 13 is not attacked by external injection, so as to obtain a detection result of the chip attacked by external injection; second, the first state switching circuit 12 is not attacked by external injection, and the second state switching circuit 13 is attacked by external injection, so as to obtain a detection result of the chip attacked by external injection; third, the first state transition circuit 12 and the second state transition circuit 13 are attacked by external injection, so as to obtain the detection result of the chip attacked by external injection.
Further, the asynchronous detection circuit 11 may also obtain a previous stage signal state of the current input signal state stored in the state register in each state transition circuit, determine a state transition circuit attacked by external injection based on the current input signal state and the previous stage signal state, and a state transition circuit not attacked by external injection. And then the detection result of the state switching circuit attacked by external injection and/or the state switching circuit not attacked by external injection is obtained.
Then, the asynchronous detection circuit 11 transmits the detection result to the first state transition circuit 12 and the second state transition circuit 13.
Finally, the first state conversion circuit 12 converts the state of the first input signal according to the detection result; the second state transition circuit 13 transitions the second input signal state according to the detection result.
In one possible scenario, referring to fig. 3, 6 and 7, the first input signal state is taken as the current signal state current_state, the second input signal state is taken as the previous signal state pre_state of the current signal state current_state, the first input signal state is one of a plurality of preset signal states S0 (0001), S1 (0011), S2 (0111) and S3 (1111), and the plurality of preset signal states are circularly arranged according to a preset state transition sequence such as S0- > S1- > S2- > S3- > S0 by taking the first preset signal state such as S0 as the initial input signal state. The second input signal state is one of a plurality of preset signal states S0 (0001), S1 (0011), S2 (0111), S3 (1111), and the plurality of preset signal states are circularly arranged according to a preset state transition sequence S3- > S0- > S1- > S2- > S3 with the second preset signal state, e.g., S3, as a starting input signal state.
Here, when the rising edge of the clock signal arrives, the skew detection circuit 11 obtains a first input signal state current_state from the first state transition circuit 12, obtains a second input signal state pre_state from the second state transition circuit 13, determines whether the first input signal state current_state is a preset signal state, whether the second input signal state is a preset signal state, and determines whether a state transition sequence between the first input signal state current_state and the second input signal state pre_state is a preset state transition sequence, thereby obtaining a detection result of whether the first state transition circuit and/or the second state transition circuit (or chip) is attacked by external injection.
Here, if the current signal state current_state and the previous signal state pre_state are both preset signal states, and the arrangement sequence between the previous signal state pre_state and the current signal state current_state is the preset state transition sequence, a detection result that the chip is not attacked by external injection is obtained; if the current signal state is not the preset signal state, and/or the previous signal state pre_state is not the preset signal state, and/or the arrangement sequence between the previous signal state pre_state and the current signal state is not the preset state transition sequence, the detection result of the chip being attacked by external injection is obtained.
If the mutation detection circuit 11 determines that the chip is not attacked by external injection, sending the detection result to the first state conversion circuit 12 and the second state conversion circuit, and the first state conversion circuit 12 performs normal state conversion on the first input signal state according to a preset state conversion sequence according to the detection result to obtain a next signal state and maintains the next signal state in the current clock period; further, when the rising edge of the next clock signal arrives, the first state register in the first state conversion circuit stores the next signal state, determines the next signal state as the first input signal state, and further the detection device repeats the steps to obtain a detection result, and continuously converts the first input signal state again according to the state conversion sequence according to the detection result. Similarly, the second state transition circuit 13 performs normal state transition on the second input signal state according to the state transition sequence according to the detection result, to obtain the next signal state, and maintains the next signal state in the current clock cycle. Further, when the rising edge of the next clock signal arrives, the second state register in the second state conversion circuit stores the next signal state, determines that the next signal state is the second input signal state, and further the detection device repeats the steps to obtain a detection result, and continuously converts the second input signal state again according to the state conversion sequence according to the detection result.
Illustratively, referring to fig. 7, when the Reset signal Reset changes from low level to high level after release, and the rising edge of the clock signal of 3 to 6 clock cycles arrives, the alien detection circuit 11 determines the detection result that the chip is not attacked by external injection, and the first state transition circuit 12 performs normal state transition according to the preset state transition sequence S0- > S1- > S2- > S3- > S0 according to the detection result; the second state transition circuit 13 performs normal state transition according to the detection result and in accordance with a preset state transition sequence S3- > S0- > S1- > S2- > S3.
If the mutation detection circuit 11 determines the detection result of the chip being attacked by external injection, the second state conversion circuit 13 is not attacked by external injection if the detection result is that the first state conversion circuit 12 is attacked by external injection; if the first state transition circuit 12 does not perform state transition on the previous stage signal state according to the preset state transition sequence S0- > S1- > S2- > S3- > S0 to obtain a first input signal state or the first input signal state is other than S0-S3, the second state transition circuit 13 performs state transition on the previous stage signal state according to the preset state transition sequence S3- > S0- > S1- > S2- > S3 to obtain a second input signal state and the second input signal state is one of S0-S3, the mutation detection circuit 11 determines that the first state transition circuit 12 is attacked by external injection, the second state transition circuit 13 is not attacked by the detection result, and sends the detection result to the first state transition circuit 12 and the second state transition circuit 13 respectively. The first state conversion circuit 12 converts the first input signal state according to the detection result to obtain and output a first Error state, i.e. the first state conversion circuit enters the Error state; the second state transition circuit 13 performs normal state transition on the second input signal state according to the state transition sequence S3- > S0- > S1- > S2- > S3 according to the detection result, and obtains the next signal state.
If the detection result is that the first state transition circuit 12 is not attacked by external injection, the second state transition circuit 13 is attacked by external injection, that is, the second state transition circuit 13 does not perform state transition on the second input signal state or the second input signal state is other than S0 to S3 according to the preset state transition sequence S3- > S0> S1- > S2- > S3, the mutation detection circuit 11 determines that the second state transition circuit 13 is attacked by external injection, the detection result that the first state transition circuit 12 is not attacked by injection, and sends the detection result to the first state transition circuit 12 and the second state transition circuit 13, respectively. Further, the first state conversion circuit 12 performs normal state conversion on the first input signal state according to the detection result and in accordance with a preset state conversion sequence S0- > S1- > S2- > S3- > S0, to obtain a next signal state; the second state conversion circuit 13 converts the second input signal state according to the detection result, and obtains and outputs a second error state, such as Trap state, that is, the second state conversion circuit enters the Trap state.
As shown in fig. 7, for example, in the 7 th clock cycle, the first state conversion circuit is attacked by external injection, the first input signal state current_state in the first state conversion circuit is changed from S1 to S3, when the rising edge of the clock signal in the 8 th clock cycle arrives, the transition detection circuit 11 obtains the first input signal state S3 in the first state conversion circuit 12 and the second input signal state pre_s0 in the second state conversion circuit, and determines that the first input signal state S3 and the second input signal state pre_s0 are both preset signal states, but in the state conversion sequence, the second input signal state pre_s2 corresponding to the first input signal state S3 and the second input signal state pre_s0 actually corresponding to the first input signal state are both preset signal states, at this time, the first state conversion circuit on the chip is determined to be attacked by external injection, the second state conversion circuit is not attacked by external injection, and the first state conversion circuit is triggered to enter the ror state, and the second state conversion circuit is switched to the second state pre_s0 in the state conversion sequence. Further, even if the rising edge of the subsequent clock signal arrives, the first state transition circuit is still in the Error state, and the first state transition circuit performs a dead cycle in the Error state.
As can be seen from the above, the first state transition circuit of the detection device is independent of the second state transition circuit for the transition of the current signal state, and does not interfere with each other, i.e. if the current signal state in the first state transition circuit is changed by attack, the normal transition of the second state transition circuit for the previous signal state is not affected. When the clock signal changes, the abnormality detection circuit compares the input signal states of the two-way state transition circuit, and judges whether the two input signal states are arranged according to a preset state transition sequence, so that the detection result of whether the chip is attacked by external injection is determined according to the judgment result. Therefore, the method and the device are realized by adopting the digital circuit, the device is independent, the device can be deployed at any plurality of positions of the chip, and the detection range is large; the chip design flow is not changed, and the integration is easy; small area and low cost. In the area with higher safety requirement, such as a memory for storing sensitive information, a plurality of detection devices can be arranged, or the detection devices are scattered and then mixed with a safety module such as a password operation module in the chip, so that the protection of a circuit is enhanced, and the accuracy of the detection result of the chip injected attack is improved.
In some embodiments, referring to fig. 8, fig. 8 shows a schematic structural diagram of another detection device, where the detection device 100 further includes: a first control circuit 14 and/or a second control circuit 15, wherein,
the first control circuit 14 is connected to the first state conversion circuit 12, and is configured to perform input driving control on an input signal of the first state conversion circuit 12 by using a first preset signal state as an initial input signal after the first state conversion circuit 12 is reset, so that the first state conversion circuit 12 performs cyclic conversion on a plurality of preset signal states according to a state conversion sequence;
the second control circuit 15 is connected to the second state conversion circuit 13, and is configured to perform input driving control on the input signal of the second state conversion circuit 13 by using the second preset signal state as an initial input signal after the second state conversion circuit 13 is reset, so that the second state conversion circuit 13 performs cyclic conversion on the plurality of preset signal states according to the state conversion sequence. In this way, the first control circuit performs input driving control on the input signal of the first state conversion circuit by taking the first preset signal state as an initial input signal, and the second control circuit performs input driving control on the input signal of the second state conversion circuit by taking the second preset signal state, namely, the signal state of the previous stage of the first preset signal state, as an initial input signal.
In other embodiments of the present application, with continued reference to fig. 8, the detection apparatus 100 further includes: an alarm circuit 16 and a reset circuit 17.
The alarm circuit 16 is configured to receive a detection result, and generate an alarm when the detection result represents that the chip is attacked by external injection;
and the reset circuit is used for carrying out reset operation on the reset objects after receiving the reset request signal, wherein all the reset objects comprise chips and a state conversion circuit.
In some embodiments, alarm circuit 16 is also used to generate an alarm and stop the alarm upon receipt of a reset request signal.
In this embodiment, the alarm circuit 16 is connected to the anomaly detection circuit 11, the anomaly detection circuit 11 sends a detection result to the alarm circuit 16, and when the detection result characterizes that the chip is attacked by external injection, the alarm circuit 16 generates an alarm and stops the alarm after receiving a reset request signal. Therefore, when the chip is attacked by external injection, the alarm circuit sends out a safety alarm signal to prompt the chip system to be attacked, so that the chip enters a safety state according to the alarm signal, such as reset and interruption, and further the safety of the chip is protected, sensitive information is prevented from being leaked, and the external attack is failed.
In the embodiment of the present application, the reset object may be a state transition circuit, that is, if the first state transition circuit 12 and/or the second state transition circuit 13 enter an error state, it is indicated that the first state transition circuit 12 and/or the second state transition circuit 13 performs a dead cycle in the error state. If the first state transition circuit 12 and the second state transition circuit 13 are required to reenter the normal operation state, the reset circuit 17 is required to perform a reset operation on the first state transition circuit 12 and the second state transition circuit 13. That is, after the reset circuit 17 receives the reset request signal, the first state transition circuit 12 and the second state transition circuit 13 are reset, so that the first state transition circuit 12 and/or the second state transition circuit 13 enter the normal operation state again, and the reusability of the state transition circuits is improved.
Of course, the reset object may also be a chip, that is, the chip and the detection device share a reset circuit, when an alarm signal occurs, the reset circuit resets the chip, so that the chip enters a safe state, and thus, the chip is safe to itself and sensitive information is prevented from being leaked, and the chip and the detection device share a reset circuit under the condition that external attack fails, so that hardware cost is reduced.
Referring to fig. 9, fig. 9 is a schematic structural diagram of a chip, where the chip 200 includes one or more detection devices 100, the detection devices 100 are disposed in a to-be-detected area of the chip 200, and the detection devices 100 include: a variation detection circuit, wherein,
the different change detection circuit is connected with the clock port and is used for receiving a clock signal output by the clock port, acquiring a first input signal state input to the first state conversion circuit and a previous stage signal state of the first input signal state under the condition that the clock signal is changed, and acquiring a detection result of the chip being attacked by external injection if the first input signal state and the previous stage signal state meet at least one of a plurality of signal conditions; wherein the plurality of signal conditions comprises: the first input signal state is not a preset signal state, the previous stage signal state is not a preset signal state, and the arrangement sequence between the previous stage signal state and the first input signal state does not meet the state transition sequence condition.
In the embodiment of the application, the detection device can be deployed at any position of the chip, and fault injection detection can be carried out on any region of the chip. Each detection device operates independently, and any detection device goes wrong, namely a state transition circuit in the detection device does not perform state transition according to a preset state transition sequence, so that an alarm can be generated. The number of deployments of the detection device depends on the chip area and the object to be protected, and in principle there is no number limitation, only by comprehensively considering the cost and the protection intensity.
In other embodiments of the present application, referring to fig. 10, the chip may further include a security protection circuit 300, where the security protection circuit 300 is configured to perform a security protection operation on the chip or a part of a model in the chip when receiving an alarm signal output by any detection device 100, where the security protection operation includes: a power-on/power-off reset, a non-power-on reset register reset, and a pause current work enters an interrupt state to wait for the central processing unit to process.
In this embodiment, when the alarm signal output by any detection device triggers the security protection circuit of the chip, the security protection operation is performed on the whole chip, that is, at least one of power-on/power-off reset, non-power-on reset register reset, and suspension of the current operation into an interrupt state and waiting for the processing of the central processing unit (Central Processing Unit, CPU) is performed, so that the chip enters a security state, such as reset, interrupt, etc., to prevent sensitive information leakage and failure attack.
In this embodiment of the present application, when an alarm signal output by any one of the detecting devices triggers the security protection circuit of the chip, a security protection operation is performed on a part of modules monitored by the detecting device that generates the alarm signal. Here, the alarm signal may carry an identifier of the detection device, when the detection device outputs the alarm signal to the chip, the chip may further determine, according to the identifier of the detection device carried in the alarm signal, a target detection device outputting the alarm signal, that is, determine a target detection device to which an external attack is injected to generate the alarm signal, further, the chip triggers the security protection circuit to perform security protection operations on a module having a security requirement monitored by the target detection device, or all modules around the target detection device, that is, at least one of power-on/power-off reset, non-power-on reset register reset, and suspend the current operation to enter an interrupt state and wait for the central processing unit (Central Processing Unit, CPU) to process, so that all modules having a security requirement monitored by the target detection device, or all modules around the target detection device enter a security state, such as reset, interrupt, prevent sensitive information leakage, fail a fault attack, and other modules in the chip continue to operate.
Next, a detection device provided in the embodiment of the present application will be further described.
Common fault injection attack methods for chips include electromagnetic attack, optical attack, voltage burr attack and the like, and the aim is to crack and acquire sensitive information such as keys by changing the normal working state of a circuit.
The embodiment of the application provides a detection device, which is arranged in each area of a chip, namely the chip comprises one or more detection devices, and the one or more detection devices are mutually independent. Under the condition that any detection device outputs an alarm signal, the chip is triggered to stop the current operation and enter a safety state, such as reset, interruption and the like, so that sensitive information is prevented from being leaked, and fault attack is failed.
The detection device takes a fault detection state machine (corresponding to the state conversion circuit) as a core, and is mixed with other circuits to provide protection for chip safety. When an attacker attacks a chip, the attacker cannot judge the specific position of the target circuit, and cannot accurately control the attack to one or a plurality of transistors, the attacker can only continuously try the attack in each area of the chip, the detection devices are distributed in each area of the chip, once the attacker attacks the area of the fault detection state machine in the detection device to make the state machine error, the chip can be detected to be attacked at present, and an alarm is triggered. The normal operation of the fault detection state machine needs to meet two conditions, one is that the fault detection state machine must perform state transition in a legal state (corresponding to the preset signal state); the other is that the fault detection state machine must make state transitions in the order of state transitions. Unlike conventional state machines, the normal state transitions of the fault detection state machine in the present application are unconditional transitions, without external control, and each legal state has and only has a legal previous and next stage state.
Here, a state machine with 4bit state bits is taken as an example, as shown in fig. 3. The 4bit state bit totally represents 16 states named current_state and is stored by a 4bit state machine register; taking binary as an example, the 4 legal states defining the fault detection state machine a are respectively: s0 (0001), S1 (0011), S2 (0111), S3 (1111), and other states are illegal states, and are defined as Error states. After the fault detection state machine A is reset, the fault detection state machine A starts to execute from the S0 state, and in normal operation, state transition is circularly carried out according to the preset sequence of S0- > S1- > S2- > S3- > S0 (corresponding to the preset state transition sequence), and in each state, the state before the state is judged, namely whether the state machine is in transition according to the preset sequence is judged. Once the fault detection state machine a does not perform state transition in the sequence of fig. 3 or enters other states except S0 to S3, the fault detection state machine a is triggered to enter an Error state, and unless the fault detection state machine a is reset, the fault detection state machine a performs dead-loop in the Error state. Entering into Error state and sending out safety alarm signal, the chip responds according to the alarm signal, such as forcing the chip to reset or suspending the current work to enter into interrupt state to wait for CPU processing.
Of course, the detecting device is further provided with a fault detection state machine B, and the fault detection state machine B simultaneously stores a previous stage signal state named as pre_state and performs state transformation on the previous stage signal state, where the previous stage signal state is defined as pre_s0 (0001), pre_s1 (0011), pre_s2 (0111), and pre_s3 (1111). To improve the success rate of fault detection, the fault detection state machine B performs state transition of the previous stage signal state pre_sx in synchronization with the state transition of the current signal state Sx by the fault detection state machine a, but is independent from each other. That is, the Sx state register of the fault detection state machine a is attacked to cause a change in the Sx state, and thus the value of the previous stage signal state pre_sx stored in the pre_sx state register of the fault detection state machine B is not affected unless the Sx state register and the pre_sx state register are attacked at the same time. As shown in fig. 6, the transition of the fault detection state machine B to the previous stage signal state is shown in the legal state, and the other states are illegal states, which are defined as Trap states. Once the fault detection state machine B is attacked into the Trap state and performs a dead-loop, the fault detection state machine B will perform a dead-loop within the Trap state unless the fault detection state machine B is reset. Similar to the Error state, the security alarm signal is sent out simultaneously when the chip system enters the Trap state, so that the chip system is attacked.
A system block diagram of the detection device is shown in fig. 11. The current_state state transition circuit 1101 performs state transition as shown in fig. 3 under the control of the current_state control circuit 1102, and once the state is illegal, the current_state transition circuit sends out an active high-level alarm signal 1, and simultaneously enters an Error dead cycle state; the pre_state state transition circuit 1103 performs state transition as shown in fig. 6 under the control of the pre_state control circuit 1104, and once the illegal state is entered, it issues an active high "alarm signal 2" and enters the Trap dead-loop state. The state comparing circuit 1105 compares current_state with pre_state when the same clock signal changes, and also enters Error state if the condition shown in fig. 3 is satisfied, and issues an active high alarm signal 3. The alarm signals 1, 2 and 3 are logically or operated to generate a system alarm signal, namely, the system alarm signal is generated as long as one alarm signal is valid. The control circuit and the state comparison circuit are combined logic circuits, the state conversion circuit and the time sequence circuit share the same clock circuit and the reset circuit, and the clock signal is generated by the clock circuit. The clock circuit and the reset circuit of the detection device may be separate from the chip or may share one clock circuit and one reset circuit with the chip as part of the chip.
Referring to fig. 12, fig. 12 is an example of the operation of the detecting device. When the Reset signal Reset is released, the detection device starts to operate, current_state and pre_state are normally converted according to the respective state conversion sequence, and all alarm signals maintain low level to indicate that the attack is not performed; when the 7 th clock period is changed from S1 to S3 and the clock rising edge at the beginning of the 8 th period is compared with the pre_state, the state corresponding to the S3 is pre_S2, and the state is pre_S0 at the moment, so that the alarm signal 3 and the system alarm signal are pulled high, and the alarm chip is attacked.
From the above, the present application provides a method for monitoring whether the state of the circuit is illegally changed, so as to determine whether the chip is attacked. The detection device for fault detection has the following improvement points: 1) The detection device does not directly detect attack sources such as voltage, temperature, light and the like, but detects whether the state of the digital circuit is disturbed and has errors, so as to judge whether the chip is attacked. 2) The normal state transition of the state machine in the detection device is fixed and is not controlled by external conditions; 3) The state machine needs to store the previous state of the current state and is used for monitoring whether the state transition of the state machine is abnormal or not; 4) The transition of the current state and the transition of the previous state of the state machine are independent and do not interfere with each other, i.e. if the current state is changed by attack, the normal transition of the previous state is not affected. Therefore, the digital circuit is adopted to realize, the digital circuit is independent to form a module, the digital circuit can be deployed at any plurality of positions of a chip, and the detection range is large; the chip design flow is not changed, and the integration is easy; small area and low cost. In the area with higher safety requirement, such as a memory for storing sensitive information, etc., a plurality of state machine detection circuits can be arranged, or the modules are scattered and mixed with a password operation module, so that the protection of the circuits is enhanced.
It should be appreciated that reference throughout this specification to "one embodiment" or "an embodiment of the present application" or "the foregoing embodiments" or "some implementations" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" or "an embodiment of the present application" or "the foregoing embodiment" or "some embodiments" or "some implementations" in various places throughout this specification are not necessarily referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. It should be understood that, in various embodiments of the present application, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present application. The foregoing embodiment numbers of the present application are merely for describing, and do not represent advantages or disadvantages of the embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above described device embodiments are only illustrative, e.g. the division of units is only one logical function division, and there may be other divisions in actual implementation, such as: multiple units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. In addition, the various components shown or discussed may be coupled or directly coupled or communicatively coupled to each other via some interface, whether indirectly coupled or communicatively coupled to devices or units, whether electrically, mechanically, or otherwise.
The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units; can be located in one place or distributed to a plurality of network units; some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may be separately used as one unit, or two or more units may be integrated in one unit; the integrated units may be implemented in hardware or in hardware plus software functional units.
The features disclosed in the several method or apparatus embodiments provided in the present application may be arbitrarily combined without conflict to obtain new method embodiments or apparatus embodiments.
The foregoing is merely an embodiment of the present application, but the protection scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered in the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A detection device, wherein the detection device is disposed in a region to be detected of a chip, the detection device comprising: a variation detection circuit, wherein,
the change detection circuit is connected with the clock port and is used for receiving a clock signal output by the clock port, under the condition that the clock signal is changed, a first input signal state input to the first state conversion circuit and a previous stage signal state of the first input signal state are obtained, and if the first input signal state and the previous stage signal state meet at least one of a plurality of signal conditions, a detection result of the chip being attacked by external injection is obtained;
wherein the plurality of signal conditions comprises: the first input signal state is not a preset signal state, the previous stage signal state is not the preset signal state, and the arrangement sequence between the previous stage signal state and the first input signal state does not meet the state transition sequence condition.
2. The apparatus of claim 1, wherein the mutation detection circuit is further configured to obtain a detection result that the chip is not attacked by external injection if the first input signal state and the previous stage signal state do not satisfy the plurality of signal conditions.
3. The apparatus of claim 1, wherein the first input signal state comprises: and taking the first preset signal state as an initial input signal state, and circularly arranging one of a plurality of preset signal states according to a preset state conversion sequence, or after the chip is attacked by external injection, converting the current preset signal state in the first state conversion circuit into an external attack signal state in one clock period.
4. A device according to any one of claims 1 to 3, further comprising: the first state transition circuit, a first state register in the first state transition circuit stores the previous stage signal state, wherein,
the mutation detection circuit is further configured to obtain the previous stage signal state from the first state register, and output the detection result to the first state conversion circuit when the detection result is obtained;
the first state transition circuit is configured to perform state transition on the first input signal state according to the detection result.
5. The apparatus of claim 4, wherein the device comprises a plurality of sensors,
the change detection circuit is further configured to obtain the first input signal state under the clock signal and a second input signal state input to the second state conversion circuit; the previous stage signal state of the first input signal state includes the second input signal state;
Wherein the second input signal state comprises: and taking a second preset signal state as an initial input signal state, and circularly arranging a plurality of preset signal states according to the preset state transition sequence, or after the chip is attacked by external injection, converting the current preset signal state in the second state transition circuit into an external attack signal state in one clock period, wherein the second preset signal state is the previous stage signal state of the first preset signal state in the state transition sequence.
6. The apparatus of claim 5, wherein the apparatus further comprises: the second state transition circuit, wherein,
the mutation detection circuit is further used for sending the detection result to the second state conversion circuit;
and the second state conversion circuit is used for carrying out state conversion on the second input signal state according to the detection result.
7. The apparatus of claim 6, wherein the detection means further comprises: a first control circuit and/or a second control circuit, wherein,
the first control circuit is connected with the first state conversion circuit and is used for performing input driving control on the input signals of the first state conversion circuit by taking a first preset signal state as an initial input signal after the first state conversion circuit is reset, so that the first state conversion circuit circularly converts the plurality of preset signal states according to the state conversion sequence;
The second control circuit is connected with the second state conversion circuit and is used for performing input driving control on the input signals of the second state conversion circuit by taking a second preset signal state as an initial input signal after the second state conversion circuit is reset, so that the second state conversion circuit performs cyclic conversion on the preset signal states according to the state conversion sequence.
8. A device according to any one of claims 1 to 3, wherein the detection device further comprises: an alarm circuit and a reset circuit, wherein,
the alarm circuit is used for receiving the detection result and generating an alarm when the detection result represents that the chip is attacked by external injection;
the reset circuit is used for carrying out reset operation on the reset objects after receiving the reset request signal, wherein all the reset objects comprise the chip and the state conversion circuit.
9. A chip comprising one or more detection devices according to any one of claims 1 to 8.
10. The chip of claim 9, wherein the chip comprises a security protection circuit for performing a security protection operation on the chip or a portion of the modules in the chip upon receipt of an alarm signal, wherein the security protection operation comprises one of: a power-on/power-off reset, a non-power-on reset register reset, and a pause current work enters an interrupt state to wait for the central processing unit to process.
CN202310887777.3A 2023-07-18 2023-07-18 Detection device and chip Pending CN117254929A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310887777.3A CN117254929A (en) 2023-07-18 2023-07-18 Detection device and chip

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310887777.3A CN117254929A (en) 2023-07-18 2023-07-18 Detection device and chip

Publications (1)

Publication Number Publication Date
CN117254929A true CN117254929A (en) 2023-12-19

Family

ID=89132024

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310887777.3A Pending CN117254929A (en) 2023-07-18 2023-07-18 Detection device and chip

Country Status (1)

Country Link
CN (1) CN117254929A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20230061037A1 (en) * 2021-09-01 2023-03-02 Micron Technology, Inc. Apparatus with power-based data protection mechanism and methods for operating the same
CN117560232A (en) * 2024-01-12 2024-02-13 深圳市纽创信安科技开发有限公司 Detection device and chip

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20230061037A1 (en) * 2021-09-01 2023-03-02 Micron Technology, Inc. Apparatus with power-based data protection mechanism and methods for operating the same
CN117560232A (en) * 2024-01-12 2024-02-13 深圳市纽创信安科技开发有限公司 Detection device and chip
CN117560232B (en) * 2024-01-12 2024-04-02 深圳市纽创信安科技开发有限公司 Detection device and chip

Similar Documents

Publication Publication Date Title
CN117254929A (en) Detection device and chip
EP1066555B1 (en) Integration of security modules in an integrated circuit
US20150369865A1 (en) Detection of fault injection attacks using high-fanout networks
US8051345B2 (en) Method and apparatus for securing digital information on an integrated circuit during test operating modes
US8689357B2 (en) Tamper detector for secure module
US11941133B2 (en) FPGA chip with protected JTAG interface
US8466727B2 (en) Protection against fault injections of an electronic circuit with flip-flops
CN108073831B (en) Method for detecting working state of safety chip and detection circuit
CN107533607B (en) Attack detection by signal delay monitoring
TW202026929A (en) Protected system and protecting method thereof
CN117216812B (en) Attack detection circuit, chip and electronic equipment
Nisarga et al. System-level tamper protection using MSP MCUs
US12066501B2 (en) Power supply peak current measurement
US20090307502A1 (en) Method and apparatus for securing digital information on an integrated circuit read only memory during test operating modes
CN105074833B (en) The device that unauthorized for identifying the system mode to control and adjustment unit manipulates and the nuclear facilities with the device
KR102190469B1 (en) Security circuit and security system including the same
CN104598785A (en) Method and device for entering different modes based on unlocking password
CN108629185B (en) Server trusted platform measurement control system and operation method thereof
EP2983102A1 (en) Integrated circuit with distributed clock tampering detectors
CN117560232B (en) Detection device and chip
CN102194065B (en) Basic input output system (BIOS) lock and BIOS set permission control method
CN206711097U (en) The protection circuit and code keypad of a kind of sensitive data
KR20190083996A (en) Apparatus and method for protecting data in test mode
CN215867857U (en) Monitoring protection circuit of control signal
US9003520B2 (en) Securing a storage element for a binary datum, control register and chip card

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination