US20190179774A1 - Secure memory access using memory read restriction - Google Patents
Secure memory access using memory read restriction Download PDFInfo
- Publication number
- US20190179774A1 US20190179774A1 US15/834,087 US201715834087A US2019179774A1 US 20190179774 A1 US20190179774 A1 US 20190179774A1 US 201715834087 A US201715834087 A US 201715834087A US 2019179774 A1 US2019179774 A1 US 2019179774A1
- Authority
- US
- United States
- Prior art keywords
- data value
- data values
- read
- request
- permitted
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F12/00—Accessing, addressing or allocating within memory systems or architectures
- G06F12/14—Protection against unauthorised use of memory or access to memory
- G06F12/1416—Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights
- G06F12/1425—Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights the protection being physical, e.g. cell, word, block
- G06F12/1441—Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights the protection being physical, e.g. cell, word, block for a range
-
- G—PHYSICS
- G11—INFORMATION STORAGE
- G11C—STATIC STORES
- G11C7/00—Arrangements for writing information into, or reading information out from, a digital store
- G11C7/24—Memory cell safety or protection circuits, e.g. arrangements for preventing inadvertent reading or writing; Status cells; Test cells
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F12/00—Accessing, addressing or allocating within memory systems or architectures
- G06F12/14—Protection against unauthorised use of memory or access to memory
- G06F12/1416—Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights
- G06F12/1425—Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights the protection being physical, e.g. cell, word, block
- G06F12/1433—Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights the protection being physical, e.g. cell, word, block for a module or a part of a module
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/4401—Bootstrapping
-
- G—PHYSICS
- G11—INFORMATION STORAGE
- G11C—STATIC STORES
- G11C29/00—Checking stores for correct operation ; Subsequent repair; Testing stores during standby or offline operation
- G11C29/04—Detection or location of defective memory elements, e.g. cell constructio details, timing of test signals
-
- G—PHYSICS
- G11—INFORMATION STORAGE
- G11C—STATIC STORES
- G11C29/00—Checking stores for correct operation ; Subsequent repair; Testing stores during standby or offline operation
- G11C29/04—Detection or location of defective memory elements, e.g. cell constructio details, timing of test signals
- G11C29/08—Functional testing, e.g. testing during refresh, power-on self testing [POST] or distributed testing
-
- G—PHYSICS
- G11—INFORMATION STORAGE
- G11C—STATIC STORES
- G11C29/00—Checking stores for correct operation ; Subsequent repair; Testing stores during standby or offline operation
- G11C29/04—Detection or location of defective memory elements, e.g. cell constructio details, timing of test signals
- G11C29/08—Functional testing, e.g. testing during refresh, power-on self testing [POST] or distributed testing
- G11C29/12—Built-in arrangements for testing, e.g. built-in self testing [BIST] or interconnection details
- G11C29/1201—Built-in arrangements for testing, e.g. built-in self testing [BIST] or interconnection details comprising I/O circuitry
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2212/00—Indexing scheme relating to accessing, addressing or allocation within memory systems or architectures
- G06F2212/10—Providing a specific technical effect
- G06F2212/1052—Security improvement
-
- G—PHYSICS
- G11—INFORMATION STORAGE
- G11C—STATIC STORES
- G11C29/00—Checking stores for correct operation ; Subsequent repair; Testing stores during standby or offline operation
- G11C29/04—Detection or location of defective memory elements, e.g. cell constructio details, timing of test signals
- G11C2029/0401—Detection or location of defective memory elements, e.g. cell constructio details, timing of test signals in embedded memories
-
- G—PHYSICS
- G11—INFORMATION STORAGE
- G11C—STATIC STORES
- G11C29/00—Checking stores for correct operation ; Subsequent repair; Testing stores during standby or offline operation
- G11C29/04—Detection or location of defective memory elements, e.g. cell constructio details, timing of test signals
- G11C29/08—Functional testing, e.g. testing during refresh, power-on self testing [POST] or distributed testing
- G11C29/12—Built-in arrangements for testing, e.g. built-in self testing [BIST] or interconnection details
- G11C29/38—Response verification devices
Definitions
- the present invention relates generally to secure data storage, and particularly to methods and systems for secure memory access using memory read restriction.
- U.S. Patent Application Publication 2007/0237325 describes a device having cryptographic capabilities, including a security system connected to a microcontroller block.
- the security system includes a non-volatile memory and a finite state machine.
- the finite state machine manages the device to maintain the content of an encryption key stored within the non-volatile memory secure, and to prevent access to the encryption key by a computer processing unit within the microcontroller block and/or an end user of the device.
- An embodiment of the present invention that is described herein provides an apparatus including a memory, an interface and read restriction logic.
- the read restriction logic is configured to receive via the interface a request to read a data value from a specified address of the memory, to retrieve the data value from the specified address, to check, upon finding that the specified address falls in an address range that is predefined as restricted, whether the retrieved data value belongs to a predefined set of permitted data values, to respond to the request with the retrieved data value when the retrieved data value belongs to the set of permitted data values, and, otherwise, when the retrieved data value does not belong to the set of permitted data values, to respond to the request with a dummy data value.
- the apparatus further includes a controller configured to run a first software process, to permit the first software process to read any data value from the address range predefined as restricted, and permit a second software process, which runs in the processor after the first software process, to read the data values from the address range predefined as restricted only if the read data values belong to the set of permitted data values.
- the apparatus further includes a controller configured to perform a bootstrapping process, to disable external access to the memory while the bootstrapping process is in progress, and to activate the read restriction logic following the bootstrapping process.
- the read restriction logic is configured to receive the request from one of (i) a Built-In Self-Testing (BIST) module in the apparatus, and (ii) an external tester.
- the permitted data values include test values used for testing the memory.
- the read restriction logic is configured to initiate a responsive action in response to detecting that (i) the specified address falls in the address range predefined as restricted, and that (ii) the retrieved data value does not belong to the set of permitted data values.
- the read restriction logic upon failure of an alternative security mechanism, is configured to permit readout of the data values from the address range predefined as restricted, only if the read data values belong to the set of permitted data values.
- the read restriction logic is configured to respond to multiple reads from a same specified address with different dummy data values.
- the apparatus includes an additional read restriction logic, which is configured to restrict access to an additional address range predefined as restricted, wherein the read restriction logic and the additional read restriction logic are controlled by different software layers.
- a method including, in a device that includes a memory, receiving a request to read a data value from a specified address of the memory.
- the data value is retrieved from the specified address.
- a check is performed whether the retrieved data value belongs to a predefined set of permitted data values.
- the request is responded to with the retrieved data value. Otherwise, when the retrieved data value does not belong to the set of permitted data values, the request is responded to with a dummy data value.
- FIG. 1 is a block diagram that schematically illustrates a secure electronic device, in accordance with an embodiment of the present invention.
- FIG. 2 is a flow chart that schematically illustrates a method for secure memory access using read restriction, in accordance with an embodiment of the present invention.
- Embodiments of the present invention that are described herein provide improved methods and systems for securing secret information stored in a memory.
- the disclosed techniques enable testing of a memory that stores secret information, without compromising testing quality or data security.
- a secure electronic device comprises a memory, in which a certain address range (“restricted address range”) is designated for storage of secret information such as cryptographic keys.
- the device comprises a test interface, via which a tester issues write and read requests for testing the memory. Some of the read requests received via the test interface may specify addresses that fall within the restricted address range. Unless handled properly, serving such requests may lead to leakage of secret information.
- the device comprises read restriction logic, which monitors read requests arriving via the test interface and serves them selectively. Upon receiving a read request whose address falls in the restricted address range, the read restriction logic retrieves the requested data value and checks whether the data values belongs to a predefined set of permitted data values.
- the permitted data values typically comprises a small set of data values (per data unit) that are used for testing and development. For example, for an 8-bit data unit (byte), 0x00, 0xAA and 0xFF hexadecimal values can be considered. The assumption is that legitimate test procedures will use these data values only. If the retrieved data value is one of the permitted values, the read restriction logic responds to the request with this data value. If not, the read restriction logic responds to the request with some dummy value.
- FIG. 1 is a block diagram that schematically illustrates a secure electronic device 20 , in accordance with an embodiment of the present invention.
- Device 20 comprises a memory 24 , e.g., a Non-Volatile Memory (NVM) comprising one or more Flash memory devices.
- Device 20 further comprises a controller 36 , which manages the overall operation of the device, including storage of data in memory 24 .
- Booter software 40 referred to simply as “boater,” carries out a bootstrapping (“boot”) process that boots controller 36 , e.g., upon power-up or reset. At least the first part of the booter code typically resides in ROM or in another form of immutable storage, internal to device 20 .
- Device 20 may comprise any suitable type of electronic device having an internal NVM and a controller.
- a security device One typical example is a security device.
- security devices include Trusted Platform Modules (TPMs), authentication Integrated Circuits (ICs) such as used to prevent counterfeit in printer cartridges, smart-cards, mobile-device Subscriber Identity Modules (SIMs), point-of-sale controllers, and many others.
- TPMs Trusted Platform Modules
- ICs authentication Integrated Circuits
- SIMs mobile-device Subscriber Identity Modules
- point-of-sale controllers and many others.
- device 20 comprises two interfaces—A host interface 28 and a test interface 32 .
- Host interface 28 is used by controller 36 for communicating with a host (not shown in the figure).
- the host uses interface 28 for communicating with device 20 .
- device 20 can be a Trusted Platform Module (TPM) and the host can communicate with it as defined by the Trusted Computing Group (TCG).
- TPM Trusted Platform Module
- TCG Trusted Computing Group
- device 20 can be a storage device which supports authentication with the host before allowing it to access at least a part of memory 24 . If allowed, the host may use the host interface for sending data for storage in memory 24 , and for retrieving previously-stored data from memory 24 , but it can never have unrestricted read access to the restricted address range 48 .
- Device 20 may use the restricted area, for example, for storing keys for authentication and self-protection.
- Test interface 32 is used for testing device 20 , including memory 24 , and possibly other elements of the device.
- Test interface 32 is shown in the figure as an external interface, e.g., for connecting to an external tester or debug interface like JTAG or UART port.
- test interface 32 may be connected to an internal Built-In Self-Testing (BIST) module within device 20 .
- a multiplexer (MUX) 44 connects interfaces 28 and 32 to memory 24 via read restriction logic 56 .
- a certain address range 48 within the address space of memory 24 , is predefined as restricted. This address range is used for storing secret information such as cryptographic keys.
- the information stored in address range 48 may be accessed by various elements, for example by a hardware module 52 (e.g., a cryptographic engine) or by booter 40 in controller 36 .
- device 20 comprises read restriction logic 56 , which protects the device from unauthorized access to restricted address range 48 .
- read restriction logic 56 is addressed in detail below.
- the configuration of device 20 shown in FIG. 1 is an example configuration that is depicted purely for the sake of conceptual clarity. In alternative embodiments, any other suitable configuration can be used.
- memory 24 may comprise any other suitable type of volatile and/or non-volatile memory.
- the functionality of host interface 28 and test interface 32 may be combined in a single interface.
- device 20 may comprise any other suitable types of hardware units 52 that access the information in restricted address range 48 .
- device 20 does not comprise a directly connected unit 52 at all.
- booter 40 may copy the relevant data from restricted address range 48 to the hardware module during boot time, e.g., into write-only registers.
- hardware module 52 is connected to memory 24 directly (i.e., not via read restriction logic 56 ). This configuration, however, is not mandatory, and hardware modules may alternatively be connected to the memory via the read restriction logic. If a cryptographic engine is connected directly as in FIG. 1 , certain limitations should be enforced:
- the various elements of device 20 are fabricated such that it is all but impossible to separate them from one another and gain access to the interfaces between them.
- the various elements of device 20 may be fabricated in the same Integrated Circuit (IC) package or on the same silicon die. Elements that are not mandatory for understanding of the disclosed techniques have been omitted from the figure for the sake of clarity.
- the different elements of device 20 shown in FIG. 1 may be implemented using any suitable hardware, such as in an Application-Specific Integrated Circuit (ASIC) or Field-Programmable Gate Array (FPGA).
- ASIC Application-Specific Integrated Circuit
- FPGA Field-Programmable Gate Array
- some of the functions of device 20 e.g., the functions of controller 36 , may be implemented in software, or using a combination of software and hardware elements.
- controller 36 comprises a general-purpose processor, which is programmed in software to carry out the functions described herein.
- the software may be downloaded to the processor in electronic form, over a network or from a host, for example, or it may, alternatively or additionally, be provided and/or stored on non-transitory tangible media, such as magnetic, optical, or electronic memory.
- read restriction logic 56 enables full testing of memory 24 , including restricted address range 48 , without compromising the security of any secret information stored therein at present or in the future.
- memory 24 is tested by writing certain data values to the memory, reading the data values from the memory, and verifying that the read data values match the written values.
- the data values used for testing are chosen so as to toggle all the memory bits. For example, 8-bit data values such as 0x00, 0xFF, 0x55 and 0xAA may be suitable data values for testing.
- the data values used for testing are typically drawn from a predefined, set of data values.
- the set of data values is typically small in the sense that it consists of much fewer data values than all possible data values of a given size.
- 8-bit data values only four data values (0x00, 0xFF, 0x55 and 0xAA) are used for testing, out of the 256 possible data value 0x00-0xFF.
- data units other than 8-bit data units e.g., 16-bit or 32-bit data units
- 16-bit or 32-bit data units can also be used.
- device 20 uses the fact that the data values used for testing are drawn from a predefined (and typically small) set of data values, to secure the secret information stored in memory 24 .
- read restriction logic 56 is pre-configured with a set of data values used for testing. This set is also referred to as a “restricted data range” or “set of permitted data values”—all these terms are used interchangeably herein.
- logic 56 is pre-configured (e.g., by controller 36 ) with (i) a definition of restricted address range 48 and (ii) a definition of the restricted data range, i.e., the set of permitted data values.
- read restriction logic 56 Upon receiving a request, via test interface 32 , to read a data value from a specified address in restricted address range 48 , read restriction logic 56 retrieves the data value in question and checks whether the retrieved data value is one of the permitted values used for testing. If so, logic 56 responds to the request by outputting the data value on test interface 32 as requested. If not, logic 56 responds to the request by outputting some dummy data value.
- normal testing can cover the entire address space of memory 24 , including restricted range 48 , as long as the data values that are written and read-back in the test procedure are all drawn from the set of permitted values.
- This sort of testing may be performed even when the memory contains secret information. If the read requests received over test interface 32 attempt to read any of the secret information, most of the retrieved data values will not belong to the set of permitted values, and will trigger logic 56 to respond with dummy data values. Thus, the risk of outputting secret information in any usable form on the test interface is effectively mitigated.
- the secret information itself is formatted in a manner that does not comprise the “permitted values” used for testing.
- controller 36 or an external tester may store one or more “test keys” in restricted address range 48 .
- the test keys function similarly to normal secret keys, but are made-up of data values that belong to the restricted data range. Such keys can be read freely via test interface 32 .
- logic 56 may be pre-configured with only some of the data values used for testing. For example, if the data values used for testing are 0x00, 0xFF, 0x55 and 0xAA, it is sufficient to pre-configure logic with only three of these data values (e.g., 0x00, 0xFF and 0xAA) and set the dummy data value to be the fourth data value (e.g., 0x55).
- FIG. 2 is a flow chart that schematically illustrates a method for secure memory access using read restriction, in accordance with an embodiment of the present invention.
- the first portion of the flow chart (steps 60 and 64 ) describes the boot process of controller 36 , and of device 20 as a whole.
- the second portion describes the normal mode of operation of device 20 .
- test disable protection is implemented by other means (e.g., by permanently disabling test features at production)
- the disclosed technique can be applied as a “second defense line” in case the device is illegitimately fooled into test enable mode or in case of malicious software penetration into the device.
- the method begins, e.g., on power-up or reset, with booter 40 booting controller 36 by executing certain boot program code, at a boot step 60 .
- booter 40 may access the secret information in restricted range 48 of memory 24 , e.g., for verifying a signature that signs at least part of the boot program code, and/or to load secret keys into cryptography accelerators.
- booter 40 typically blocks access to memory 24 via interfaces 28 and 32 .
- booter 40 activates read restriction logic 56 , at a restriction activation step 64 .
- booter 40 controls logic 56 using two signals denoted “restrict read” and “restrict lock.” Asserting the “restrict read” signal activates logic 56 , and asserting the “restrict lock” signal latches the “restrict read” signal, thereby irreversibly activating the restriction until next boot.
- booter 40 After activating logic 56 , booter 40 enables access to memory 24 via user interface 28 and test interface 32 .
- the functionality of the “restrict read” and “restrict lock” signals can be implemented using a single signal that performs both activation and locking.
- the numerical values of the restricted address range and the restricted data range are configurable and controlled by booter 40 . When the boot process is about to be completed, or when test mode is about to be enabled, booter 40 typically locks these values for subsequent changes.
- controller 36 typically checks whether test mode is enabled or not. If not, test mode access is blocked until the next power cycle (e.g., power-up or reset). If test mode is enabled, the method may proceed.
- the above restriction (checking for test-mode enablement) may also be performed by firmware in device 20 . In this case, restricting the read data to certain values may serve as a “second defense line” in scenarios in which the device is illegitimately caused to enable the test enable.
- device 20 receives a read request, e.g., on test interface 32 , at a read request step 68 .
- the read request specifies an address in memory 24 from which a data value is to be read.
- Logic 56 retrieves the data value from the specified address in memory 24 .
- read restriction logic 56 checks whether the specified address belongs to restricted address range 48 . If the specified address does not belong to restricted address range 48 , logic 56 outputs the retrieved data value, e.g., on test interface 32 , as requested, at a data output step 76 . The method then loops back to step 68 above.
- logic 56 checks whether the retrieved data value is one of the permitted data values (the restricted data range), at a data checking step 80 . If so, logic 56 outputs the retrieved data value as requested, at data output step 76 . The method loops back to step 68 .
- logic 56 finds (at step 80 ) that the retrieved data value is not one of the permitted data values, logic 56 does not output the retrieved data value. Instead, logic 56 outputs a dummy data value, e.g., on test interface 32 , at a dummy output step 84 , and the method loops back to step 68 above. In case of a later power-up or reset event, the method restarts at step 60 .
- the method flow of FIG. 2 is an example flow, which is chosen for the sake of conceptual clarity.
- the disclosed read restriction technique can be implemented using any other suitable flow.
- logic 56 may choose the dummy data value from a set of multiple dummy values. The selection may be, for example, random. In other embodiments, logic 56 may output, for a given address, dummy data values that change from one read to another. In an example embodiment, logic 56 chooses the dummy data values as a deterministic function of the address, blended with a secret obfuscation key (e.g., using a lightweight encryption algorithm).
- logic 56 may initiate a suitable responsive action.
- logic 56 may interpret any non-valid read value as an attack attempt. Examples of responsive actions may comprise issuing an alert, shutting down some or all of device 20 , blocking access to memory 24 or parts thereof, and/or erasing some or all of the secret information from memory 24 .
- controller 36 permits booter 40 to access restricted address range 48 during the boot process.
- the “restrict read” and “restrict lock” mechanism restricts the access to address range 48 to the predefined set of permitted test values.
- restrictive access refers to read access that returns the actual data values stored in the specified addresses only if these data values belong to a predefined subset of permitted data values.
- unrestricted access refers to read access that returns the actual data values stored in the specified addresses regardless of the data values.
- controller 36 runs a first software process, permits the first software process to access the address range predefined as restricted, but allows only restricted access to the address range predefined as restricted to a second software process that runs in the processor after the first software process.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
Description
- The present invention relates generally to secure data storage, and particularly to methods and systems for secure memory access using memory read restriction.
- Various techniques are known in the art for securing access to sensitive information stored in memory. For example, U.S. Patent Application Publication 2007/0237325 describes a device having cryptographic capabilities, including a security system connected to a microcontroller block. The security system includes a non-volatile memory and a finite state machine. The finite state machine manages the device to maintain the content of an encryption key stored within the non-volatile memory secure, and to prevent access to the encryption key by a computer processing unit within the microcontroller block and/or an end user of the device.
- An embodiment of the present invention that is described herein provides an apparatus including a memory, an interface and read restriction logic. The read restriction logic is configured to receive via the interface a request to read a data value from a specified address of the memory, to retrieve the data value from the specified address, to check, upon finding that the specified address falls in an address range that is predefined as restricted, whether the retrieved data value belongs to a predefined set of permitted data values, to respond to the request with the retrieved data value when the retrieved data value belongs to the set of permitted data values, and, otherwise, when the retrieved data value does not belong to the set of permitted data values, to respond to the request with a dummy data value.
- In some embodiments, the apparatus further includes a controller configured to run a first software process, to permit the first software process to read any data value from the address range predefined as restricted, and permit a second software process, which runs in the processor after the first software process, to read the data values from the address range predefined as restricted only if the read data values belong to the set of permitted data values.
- In some embodiments, the apparatus further includes a controller configured to perform a bootstrapping process, to disable external access to the memory while the bootstrapping process is in progress, and to activate the read restriction logic following the bootstrapping process.
- In an embodiment, the read restriction logic is configured to receive the request from one of (i) a Built-In Self-Testing (BIST) module in the apparatus, and (ii) an external tester. In an example embodiment, the permitted data values include test values used for testing the memory. In a disclosed embodiment, the read restriction logic is configured to initiate a responsive action in response to detecting that (i) the specified address falls in the address range predefined as restricted, and that (ii) the retrieved data value does not belong to the set of permitted data values.
- In an embodiment, upon failure of an alternative security mechanism, the read restriction logic is configured to permit readout of the data values from the address range predefined as restricted, only if the read data values belong to the set of permitted data values. In another embodiment, the read restriction logic is configured to respond to multiple reads from a same specified address with different dummy data values. In yet another embodiment, the apparatus includes an additional read restriction logic, which is configured to restrict access to an additional address range predefined as restricted, wherein the read restriction logic and the additional read restriction logic are controlled by different software layers.
- There is additionally provided, in accordance with an embodiment of the present invention, a method including, in a device that includes a memory, receiving a request to read a data value from a specified address of the memory. The data value is retrieved from the specified address. Upon finding that the specified address falls in an address range that is predefined as restricted, a check is performed whether the retrieved data value belongs to a predefined set of permitted data values. When the retrieved data value belongs to the set of permitted data values, the request is responded to with the retrieved data value. Otherwise, when the retrieved data value does not belong to the set of permitted data values, the request is responded to with a dummy data value.
- The present invention will be more fully understood from the following detailed description of the embodiments thereof, taken together with the drawings in which:
-
FIG. 1 is a block diagram that schematically illustrates a secure electronic device, in accordance with an embodiment of the present invention; and -
FIG. 2 is a flow chart that schematically illustrates a method for secure memory access using read restriction, in accordance with an embodiment of the present invention. - Embodiments of the present invention that are described herein provide improved methods and systems for securing secret information stored in a memory. In particular, the disclosed techniques enable testing of a memory that stores secret information, without compromising testing quality or data security.
- In some embodiments, a secure electronic device comprises a memory, in which a certain address range (“restricted address range”) is designated for storage of secret information such as cryptographic keys. The device comprises a test interface, via which a tester issues write and read requests for testing the memory. Some of the read requests received via the test interface may specify addresses that fall within the restricted address range. Unless handled properly, serving such requests may lead to leakage of secret information.
- In order to mitigate this security hazard, in some embodiments the device comprises read restriction logic, which monitors read requests arriving via the test interface and serves them selectively. Upon receiving a read request whose address falls in the restricted address range, the read restriction logic retrieves the requested data value and checks whether the data values belongs to a predefined set of permitted data values.
- The permitted data values typically comprises a small set of data values (per data unit) that are used for testing and development. For example, for an 8-bit data unit (byte), 0x00, 0xAA and 0xFF hexadecimal values can be considered. The assumption is that legitimate test procedures will use these data values only. If the retrieved data value is one of the permitted values, the read restriction logic responds to the request with this data value. If not, the read restriction logic responds to the request with some dummy value.
- When using this technique, if a series of read requests attempts to retrieve secret information, most of the retrieved data values will likely not belong to the set of permitted data values. As such, the read restriction logic will block these read requests and return dummy values instead. At the same time, legitimate read requests that are part of a genuine test procedure will not be blocked, since the data values they request will belong to the set of permitted data values. Typically, read requests that specify addresses outside the restricted address range are not blocked, regardless of the retrieved data values. Example configurations of secure electronic devices that utilize the above-described read restriction technique are described herein. Some disclosed configurations use a secure boot process that initializes the read restriction logic.
-
FIG. 1 is a block diagram that schematically illustrates a secureelectronic device 20, in accordance with an embodiment of the present invention.Device 20 comprises amemory 24, e.g., a Non-Volatile Memory (NVM) comprising one or more Flash memory devices.Device 20 further comprises acontroller 36, which manages the overall operation of the device, including storage of data inmemory 24. Bootersoftware 40, referred to simply as “boater,” carries out a bootstrapping (“boot”) process that bootscontroller 36, e.g., upon power-up or reset. At least the first part of the booter code typically resides in ROM or in another form of immutable storage, internal todevice 20. -
Device 20 may comprise any suitable type of electronic device having an internal NVM and a controller. One typical example is a security device. Several non-limiting examples of security devices include Trusted Platform Modules (TPMs), authentication Integrated Circuits (ICs) such as used to prevent counterfeit in printer cartridges, smart-cards, mobile-device Subscriber Identity Modules (SIMs), point-of-sale controllers, and many others. - In the present example,
device 20 comprises two interfaces—A host interface 28 and atest interface 32.Host interface 28 is used bycontroller 36 for communicating with a host (not shown in the figure). The host usesinterface 28 for communicating withdevice 20. For example,device 20 can be a Trusted Platform Module (TPM) and the host can communicate with it as defined by the Trusted Computing Group (TCG). In another example,device 20 can be a storage device which supports authentication with the host before allowing it to access at least a part ofmemory 24. If allowed, the host may use the host interface for sending data for storage inmemory 24, and for retrieving previously-stored data frommemory 24, but it can never have unrestricted read access to the restrictedaddress range 48.Device 20 may use the restricted area, for example, for storing keys for authentication and self-protection. -
Test interface 32 is used fortesting device 20, includingmemory 24, and possibly other elements of the device.Test interface 32 is shown in the figure as an external interface, e.g., for connecting to an external tester or debug interface like JTAG or UART port. - Additionally or alternatively, however,
test interface 32 may be connected to an internal Built-In Self-Testing (BIST) module withindevice 20. A multiplexer (MUX) 44 connectsinterfaces memory 24 viaread restriction logic 56. - In some embodiments, a
certain address range 48, within the address space ofmemory 24, is predefined as restricted. This address range is used for storing secret information such as cryptographic keys. The information stored inaddress range 48 may be accessed by various elements, for example by a hardware module 52 (e.g., a cryptographic engine) or bybooter 40 incontroller 36. - In order to test
memory 24 properly, it is typically desirable to allow access to the memory viatest interface 32. In particular, it is desirable to allow access to restrictedaddress range 48. Unless managed correctly, this sort of external access presents a severe security hazard. In some embodiments of the present invention,device 20 comprises readrestriction logic 56, which protects the device from unauthorized access to restrictedaddress range 48. The operation ofread restriction logic 56 is addressed in detail below. - The configuration of
device 20 shown inFIG. 1 is an example configuration that is depicted purely for the sake of conceptual clarity. In alternative embodiments, any other suitable configuration can be used. For example,memory 24 may comprise any other suitable type of volatile and/or non-volatile memory. As another example, the functionality ofhost interface 28 andtest interface 32 may be combined in a single interface. - As yet another example,
device 20 may comprise any other suitable types ofhardware units 52 that access the information in restrictedaddress range 48. In some embodiments,device 20 does not comprise a directly connectedunit 52 at all. In some embodiments, in which there is no direct connection betweenmemory 24 andhardware module 52,booter 40 may copy the relevant data from restrictedaddress range 48 to the hardware module during boot time, e.g., into write-only registers. - In the example configuration of
FIG. 1 ,hardware module 52 is connected tomemory 24 directly (i.e., not via read restriction logic 56). This configuration, however, is not mandatory, and hardware modules may alternatively be connected to the memory via the read restriction logic. If a cryptographic engine is connected directly as inFIG. 1 , certain limitations should be enforced: -
- Unrestricted data should not be exposed to the software of
controller 36, to firmware or to any test or debug feature via the cryptographic engine. - The cryptographic engine can use the unrestricted data, but it should be guaranteed that the unrestricted data cannot be deduced from the outputs of the cryptographic engine.
-
Booter 40, anddevice 20 in general, should ensure that no unrestricted data is present in the cryptographic engine before entering a test mode that exposes the internals of the module (e.g., scan or observability tests). This condition can be satisfied, for example, by deleting the data prior to test mode enable, or by disabling test mode before the data enters the cryptography module.
- Unrestricted data should not be exposed to the software of
- Typically, the various elements of device 20 (e.g.,
memory 24, readrestriction logic 56,hardware module 52,MUX 44 and/or controller 36), are fabricated such that it is all but impossible to separate them from one another and gain access to the interfaces between them. In an embodiment, the various elements ofdevice 20 may be fabricated in the same Integrated Circuit (IC) package or on the same silicon die. Elements that are not mandatory for understanding of the disclosed techniques have been omitted from the figure for the sake of clarity. - In various embodiments, the different elements of
device 20 shown inFIG. 1 may be implemented using any suitable hardware, such as in an Application-Specific Integrated Circuit (ASIC) or Field-Programmable Gate Array (FPGA). Alternatively, some of the functions ofdevice 20, e.g., the functions ofcontroller 36, may be implemented in software, or using a combination of software and hardware elements. - In some embodiments,
controller 36 comprises a general-purpose processor, which is programmed in software to carry out the functions described herein. The software may be downloaded to the processor in electronic form, over a network or from a host, for example, or it may, alternatively or additionally, be provided and/or stored on non-transitory tangible media, such as magnetic, optical, or electronic memory. - In some embodiments, read
restriction logic 56 enables full testing ofmemory 24, including restrictedaddress range 48, without compromising the security of any secret information stored therein at present or in the future. - In an embodiment,
memory 24 is tested by writing certain data values to the memory, reading the data values from the memory, and verifying that the read data values match the written values. Typically, although not necessarily, the data values used for testing are chosen so as to toggle all the memory bits. For example, 8-bit data values such as 0x00, 0xFF, 0x55 and 0xAA may be suitable data values for testing. - In other words, the data values used for testing are typically drawn from a predefined, set of data values. The set of data values is typically small in the sense that it consists of much fewer data values than all possible data values of a given size. In the example above, which refers to 8-bit data values, only four data values (0x00, 0xFF, 0x55 and 0xAA) are used for testing, out of the 256 possible data value 0x00-0xFF. Note that data units other than 8-bit data units (e.g., 16-bit or 32-bit data units) can also be used.
- In some embodiments,
device 20 uses the fact that the data values used for testing are drawn from a predefined (and typically small) set of data values, to secure the secret information stored inmemory 24. - In an embodiment, read
restriction logic 56 is pre-configured with a set of data values used for testing. This set is also referred to as a “restricted data range” or “set of permitted data values”—all these terms are used interchangeably herein. - As can be seen
FIG. 1 ,logic 56 is pre-configured (e.g., by controller 36) with (i) a definition of restrictedaddress range 48 and (ii) a definition of the restricted data range, i.e., the set of permitted data values. - Upon receiving a request, via
test interface 32, to read a data value from a specified address in restrictedaddress range 48, readrestriction logic 56 retrieves the data value in question and checks whether the retrieved data value is one of the permitted values used for testing. If so,logic 56 responds to the request by outputting the data value ontest interface 32 as requested. If not,logic 56 responds to the request by outputting some dummy data value. - In this manner, normal testing can cover the entire address space of
memory 24, including restrictedrange 48, as long as the data values that are written and read-back in the test procedure are all drawn from the set of permitted values. This sort of testing may be performed even when the memory contains secret information. If the read requests received overtest interface 32 attempt to read any of the secret information, most of the retrieved data values will not belong to the set of permitted values, and will triggerlogic 56 to respond with dummy data values. Thus, the risk of outputting secret information in any usable form on the test interface is effectively mitigated. In a possible embodiment, the secret information itself is formatted in a manner that does not comprise the “permitted values” used for testing. - The disclosed technique also enables full testing of the security functions of
device 20, e.g., of a cryptographic engine or other hardware modules that access secret information inmemory 24. In an example embodiment,controller 36 or an external tester may store one or more “test keys” in restrictedaddress range 48. The test keys function similarly to normal secret keys, but are made-up of data values that belong to the restricted data range. Such keys can be read freely viatest interface 32. - Note that, in an embodiment,
logic 56 may be pre-configured with only some of the data values used for testing. For example, if the data values used for testing are 0x00, 0xFF, 0x55 and 0xAA, it is sufficient to pre-configure logic with only three of these data values (e.g., 0x00, 0xFF and 0xAA) and set the dummy data value to be the fourth data value (e.g., 0x55). -
FIG. 2 is a flow chart that schematically illustrates a method for secure memory access using read restriction, in accordance with an embodiment of the present invention. The first portion of the flow chart (steps 60 and 64) describes the boot process ofcontroller 36, and ofdevice 20 as a whole. The second portion (steps 68-84) describes the normal mode of operation ofdevice 20. - Note that the normal mode of operation supports both testing and normal read and write operations, without a need for switching into a dedicated test mode. Alternatively, if test disable protection is implemented by other means (e.g., by permanently disabling test features at production), the disclosed technique can be applied as a “second defense line” in case the device is illegitimately fooled into test enable mode or in case of malicious software penetration into the device.
- The method begins, e.g., on power-up or reset, with
booter 40 bootingcontroller 36 by executing certain boot program code, at aboot step 60. As part of the boot process,booter 40 may access the secret information in restrictedrange 48 ofmemory 24, e.g., for verifying a signature that signs at least part of the boot program code, and/or to load secret keys into cryptography accelerators. As long as the boot process is in progress,booter 40 typically blocks access tomemory 24 viainterfaces - Once the boot process is completed,
booter 40 activates readrestriction logic 56, at arestriction activation step 64. In the example ofFIG. 1 ,booter 40controls logic 56 using two signals denoted “restrict read” and “restrict lock.” Asserting the “restrict read” signal activateslogic 56, and asserting the “restrict lock” signal latches the “restrict read” signal, thereby irreversibly activating the restriction until next boot. After activatinglogic 56,booter 40 enables access tomemory 24 viauser interface 28 andtest interface 32. - In an alternative embodiment, the functionality of the “restrict read” and “restrict lock” signals can be implemented using a single signal that performs both activation and locking. Typically, the numerical values of the restricted address range and the restricted data range are configurable and controlled by
booter 40. When the boot process is about to be completed, or when test mode is about to be enabled,booter 40 typically locks these values for subsequent changes. - At this stage, before allowing processing of actual tests,
controller 36 typically checks whether test mode is enabled or not. If not, test mode access is blocked until the next power cycle (e.g., power-up or reset). If test mode is enabled, the method may proceed. The above restriction (checking for test-mode enablement) may also be performed by firmware indevice 20. In this case, restricting the read data to certain values may serve as a “second defense line” in scenarios in which the device is illegitimately caused to enable the test enable. - At some later point in time, during normal operation,
device 20 receives a read request, e.g., ontest interface 32, at aread request step 68. The read request specifies an address inmemory 24 from which a data value is to be read.Logic 56 retrieves the data value from the specified address inmemory 24. - At an
address checking step 72, readrestriction logic 56 checks whether the specified address belongs to restrictedaddress range 48. If the specified address does not belong to restrictedaddress range 48,logic 56 outputs the retrieved data value, e.g., ontest interface 32, as requested, at adata output step 76. The method then loops back to step 68 above. - If the specified address belongs to restricted
address range 48,logic 56 checks whether the retrieved data value is one of the permitted data values (the restricted data range), at adata checking step 80. If so,logic 56 outputs the retrieved data value as requested, atdata output step 76. The method loops back to step 68. - If, however,
logic 56 finds (at step 80) that the retrieved data value is not one of the permitted data values,logic 56 does not output the retrieved data value. Instead,logic 56 outputs a dummy data value, e.g., ontest interface 32, at adummy output step 84, and the method loops back to step 68 above. In case of a later power-up or reset event, the method restarts atstep 60. - The method flow of
FIG. 2 is an example flow, which is chosen for the sake of conceptual clarity. In alternative embodiments, the disclosed read restriction technique can be implemented using any other suitable flow. - In some embodiments, at
step 84,logic 56 may choose the dummy data value from a set of multiple dummy values. The selection may be, for example, random. In other embodiments,logic 56 may output, for a given address, dummy data values that change from one read to another. In an example embodiment,logic 56 chooses the dummy data values as a deterministic function of the address, blended with a secret obfuscation key (e.g., using a lightweight encryption algorithm). - In some embodiments, at
step 80, upon detecting an unauthorized attempt to read secret information from restrictedrange 48 viatest interface 32,logic 56 may initiate a suitable responsive action. For example,logic 56 may interpret any non-valid read value as an attack attempt. Examples of responsive actions may comprise issuing an alert, shutting down some or all ofdevice 20, blocking access tomemory 24 or parts thereof, and/or erasing some or all of the secret information frommemory 24. - In the embodiments described above, using the “restrict read” and “restrict lock” mechanism,
controller 36 permits booter 40 to access restrictedaddress range 48 during the boot process. For software processes that run later, the “restrict read” and “restrict lock” mechanism restricts the access to addressrange 48 to the predefined set of permitted test values. - Thus, in the present context, the term “restricted access” refers to read access that returns the actual data values stored in the specified addresses only if these data values belong to a predefined subset of permitted data values. Correspondingly, “unrestricted access” refers to read access that returns the actual data values stored in the specified addresses regardless of the data values.
- Put more generally, in some
embodiments controller 36 runs a first software process, permits the first software process to access the address range predefined as restricted, but allows only restricted access to the address range predefined as restricted to a second software process that runs in the processor after the first software process. - In some embodiments,
memory 24 comprises multiple restricted address ranges 48, each associated with a respectiveread restriction logic 56. In this configuration, for example, each readrestriction logic 56 can be controlled by a different software layer. In an example embodiment, the different software layers (each controlling a differentread restriction logic 56 that is associated with a different restricted address range 48) are invoked sequentially in a layered boot process. One example of such software layers is described by England et al., in “RIoT—A Foundation for Trust in the Internet of Things,” Microsoft Research Technical Report MSR-TR-2016-18, April, 2016. The cited paper describes a layered boot process having software layers denoted L0, L1, L2 and OS. - It will be appreciated that the embodiments described above are cited by way of example, and that the present invention is not limited to what has been particularly shown and described hereinabove. Rather, the scope of the present invention includes both combinations and sub-combinations of the various features described hereinabove, as well as variations and modifications thereof which would occur to persons skilled in the art upon reading the foregoing description and which are not disclosed in the prior art. Documents incorporated by reference in the present patent application are to be considered an integral part of the application except that to the extent any terms are defined in these incorporated documents in a manner that conflicts with the definitions made explicitly or implicitly in the present specification, only the definitions in the present specification should be considered.
Claims (19)
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/834,087 US10318438B1 (en) | 2017-12-07 | 2017-12-07 | Secure memory access using memory read restriction |
TW107121601A TWI691842B (en) | 2017-12-07 | 2018-06-22 | Secure memory access using memory read restriction |
CN201810972166.8A CN109901793B (en) | 2017-12-07 | 2018-08-24 | Memory security device and method thereof |
JP2018191982A JP6771523B2 (en) | 2017-12-07 | 2018-10-10 | Memory protection device and method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/834,087 US10318438B1 (en) | 2017-12-07 | 2017-12-07 | Secure memory access using memory read restriction |
Publications (2)
Publication Number | Publication Date |
---|---|
US10318438B1 US10318438B1 (en) | 2019-06-11 |
US20190179774A1 true US20190179774A1 (en) | 2019-06-13 |
Family
ID=66696911
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/834,087 Active US10318438B1 (en) | 2017-12-07 | 2017-12-07 | Secure memory access using memory read restriction |
Country Status (4)
Country | Link |
---|---|
US (1) | US10318438B1 (en) |
JP (1) | JP6771523B2 (en) |
CN (1) | CN109901793B (en) |
TW (1) | TWI691842B (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20220197828A1 (en) * | 2020-12-17 | 2022-06-23 | STMicroelectronics (Grand Ouest) SAS | Method of protecting a system such as a microcontroller, and corresponding system |
US20230063057A1 (en) * | 2021-08-27 | 2023-03-02 | Micron Technology, Inc. | Memory access managment |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11210238B2 (en) * | 2018-10-30 | 2021-12-28 | Cypress Semiconductor Corporation | Securing data logs in memory devices |
US10979054B1 (en) * | 2020-01-14 | 2021-04-13 | Nuvotonn Technology Corporation | Coupling of combinational logic circuits for protection against side-channel attacks |
Family Cites Families (48)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5434562A (en) | 1991-09-06 | 1995-07-18 | Reardon; David C. | Method for limiting computer access to peripheral devices |
EP0760978B1 (en) | 1994-05-26 | 2004-09-29 | The Commonwealth Of Australia | Secure computer architecture |
KR0174978B1 (en) | 1995-12-30 | 1999-04-01 | 김광호 | Hardware-implemented digital computer system security device |
US20010011318A1 (en) * | 1997-02-27 | 2001-08-02 | Vishram P. Dalvi | Status indicators for flash memory |
US6643783B2 (en) * | 1999-10-27 | 2003-11-04 | Terence T. Flyntz | Multi-level secure computer with token-based access control |
JP3829041B2 (en) * | 2000-03-08 | 2006-10-04 | 株式会社東芝 | Ferroelectric memory |
US6986052B1 (en) * | 2000-06-30 | 2006-01-10 | Intel Corporation | Method and apparatus for secure execution using a secure memory partition |
US7131000B2 (en) * | 2001-01-18 | 2006-10-31 | Bradee Robert L | Computer security system |
US7003676B1 (en) | 2001-05-10 | 2006-02-21 | Advanced Micro Devices, Inc. | Locking mechanism override and disable for personal computer ROM access protection |
EP1329787B1 (en) * | 2002-01-16 | 2019-08-28 | Texas Instruments Incorporated | Secure mode indicator for smart phone or PDA |
CA2496849A1 (en) | 2004-02-12 | 2005-08-12 | Divinity Data Security Inc. | Method and apparatus for preventing un-authorized computer data access |
US7325176B2 (en) * | 2004-02-25 | 2008-01-29 | Dell Products L.P. | System and method for accelerated information handling system memory testing |
US7457893B2 (en) * | 2004-03-11 | 2008-11-25 | International Business Machines Corporation | Method for dynamically selecting software buffers for aggregation according to current system characteristics |
US20070266444A1 (en) * | 2004-12-03 | 2007-11-15 | Moshe Segal | Method and System for Securing Data Stored in a Storage Device |
US7712131B1 (en) * | 2005-02-09 | 2010-05-04 | David Lethe | Method and apparatus for storage and use of diagnostic software using removeable secure solid-state memory |
DE102005011893B3 (en) * | 2005-03-15 | 2006-09-21 | Infineon Technologies Ag | Semiconductor memory component e.g. partial good memory, for use as audio dynamic RAM, has test logic to test component by writing result based on comparison of test-data words along with error free signal and by simulating all-good-memory |
US20070005918A1 (en) * | 2005-06-29 | 2007-01-04 | Rothman Michael A | Methods and apparatus to provide interface access control |
US8322608B2 (en) * | 2005-08-15 | 2012-12-04 | Assa Abloy Ab | Using promiscuous and non-promiscuous data to verify card and reader identity |
JP2009505303A (en) * | 2005-08-22 | 2009-02-05 | エヌエックスピー ビー ヴィ | Embedded memory protection |
US20070237325A1 (en) | 2006-02-01 | 2007-10-11 | Gershowitz Michael N | Method and apparatus to improve security of cryptographic systems |
US7395394B2 (en) * | 2006-02-03 | 2008-07-01 | Hewlett-Packard Development Company, L.P. | Computer operating system with selective restriction of memory write operations |
JP2008009696A (en) * | 2006-06-29 | 2008-01-17 | Fuji Xerox Co Ltd | Image processor and program |
US7580302B2 (en) * | 2006-10-23 | 2009-08-25 | Macronix International Co., Ltd. | Parallel threshold voltage margin search for MLC memory application |
JP4921953B2 (en) * | 2006-12-25 | 2012-04-25 | 株式会社東芝 | Semiconductor integrated circuit device and semiconductor memory device test method |
US7895426B2 (en) * | 2007-08-24 | 2011-02-22 | International Business Machines Corporation | Secure power-on reset engine |
US8095851B2 (en) * | 2007-09-06 | 2012-01-10 | Siliconsystems, Inc. | Storage subsystem capable of adjusting ECC settings based on monitored conditions |
US20090113155A1 (en) * | 2007-10-31 | 2009-04-30 | Echostar Technologies Corporation | Hardware anti-piracy via nonvolatile memory devices |
US8688940B2 (en) * | 2008-12-18 | 2014-04-01 | Sandisk Technologies Inc. | Method for using a CAPTCHA challenge to protect a removable mobile flash memory storage device |
US9092597B2 (en) * | 2009-12-09 | 2015-07-28 | Sandisk Technologies Inc. | Storage device and method for using a virtual file in a public memory area to access a plurality of protected files in a private memory area |
US8301694B2 (en) * | 2010-05-20 | 2012-10-30 | Sandisk Il Ltd. | Host device and method for accessing a virtual file in a storage device by bypassing a cache in the host device |
FR2976096B1 (en) * | 2011-06-06 | 2013-06-21 | Qualtera | SEMICONDUCTOR TESTING DATA ANALYSIS SYSTEM |
US9612977B2 (en) * | 2011-07-15 | 2017-04-04 | Standard Microsystems Corporation | Method and system for controlling access to embedded nonvolatile memories |
US20140149729A1 (en) * | 2011-07-18 | 2014-05-29 | Ted A. Hadley | Reset vectors for boot instructions |
JP5464226B2 (en) * | 2012-03-30 | 2014-04-09 | 富士通株式会社 | Information processing apparatus, information processing apparatus control method, and information processing apparatus control program |
US8943251B2 (en) * | 2012-05-14 | 2015-01-27 | Infineon Technologies Austria Ag | System and method for processing device with differentiated execution mode |
GB2513727B (en) * | 2012-06-27 | 2015-06-24 | Nordic Semiconductor Asa | Memory protection |
US8925098B2 (en) * | 2012-11-15 | 2014-12-30 | Elwha Llc | Data security and access tracking in memory |
US8773905B1 (en) * | 2013-03-06 | 2014-07-08 | Apple Inc. | Identifying and mitigating restricted sampling voltage ranges in analog memory cells |
US9245129B2 (en) * | 2013-03-15 | 2016-01-26 | Nvidia Corporation | System and method for protecting data by returning a protect signal with the data |
JP2014209312A (en) * | 2013-03-25 | 2014-11-06 | 株式会社東芝 | Integrated circuit |
US9343162B2 (en) * | 2013-10-11 | 2016-05-17 | Winbond Electronics Corporation | Protection against side-channel attacks on non-volatile memory |
US20150301956A1 (en) * | 2014-04-22 | 2015-10-22 | Lsi Corporation | Data storage system with caching using application field to carry data block protection information |
US9959421B2 (en) * | 2014-06-23 | 2018-05-01 | Oracle International Corporation | System and method for monitoring and diagnostics in a multitenant application server environment |
JP2016031656A (en) * | 2014-07-29 | 2016-03-07 | 株式会社リコー | Information processing device, self-checking method and self-checking program |
US9710651B2 (en) * | 2015-04-10 | 2017-07-18 | Vixs Systems Inc. | Secure processor for SoC initialization |
US9619647B2 (en) | 2015-05-07 | 2017-04-11 | Nxp Usa, Inc. | Integrated circuit access |
US9965402B2 (en) * | 2015-09-28 | 2018-05-08 | Oracle International Business Machines Corporation | Memory initialization detection system |
US10199084B2 (en) * | 2016-03-28 | 2019-02-05 | Intel Corporation | Techniques to use chip select signals for a dual in-line memory module |
-
2017
- 2017-12-07 US US15/834,087 patent/US10318438B1/en active Active
-
2018
- 2018-06-22 TW TW107121601A patent/TWI691842B/en active
- 2018-08-24 CN CN201810972166.8A patent/CN109901793B/en active Active
- 2018-10-10 JP JP2018191982A patent/JP6771523B2/en active Active
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20220197828A1 (en) * | 2020-12-17 | 2022-06-23 | STMicroelectronics (Grand Ouest) SAS | Method of protecting a system such as a microcontroller, and corresponding system |
US20230063057A1 (en) * | 2021-08-27 | 2023-03-02 | Micron Technology, Inc. | Memory access managment |
Also Published As
Publication number | Publication date |
---|---|
TW201926047A (en) | 2019-07-01 |
JP2019145070A (en) | 2019-08-29 |
TWI691842B (en) | 2020-04-21 |
JP6771523B2 (en) | 2020-10-21 |
US10318438B1 (en) | 2019-06-11 |
CN109901793B (en) | 2022-06-10 |
CN109901793A (en) | 2019-06-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108269605B (en) | Security device state apparatus and method | |
US10318438B1 (en) | Secure memory access using memory read restriction | |
US11089016B2 (en) | Secure system on chip | |
US7363564B2 (en) | Method and apparatus for securing communications ports in an electronic device | |
US20080034350A1 (en) | System and Method for Checking the Integrity of Computer Program Code | |
US20190236281A1 (en) | Secure system boot monitor | |
US8489888B2 (en) | Processor apparatus having a security function | |
KR20110034631A (en) | Method and apparatus for securing digital information on an integrated circuit during test operating modes | |
US7809934B2 (en) | Security measures for preventing attacks that use test mechanisms | |
US11816202B2 (en) | Run-time code execution validation | |
EP3948551A1 (en) | Data attestation in memory | |
US10296738B2 (en) | Secure integrated-circuit state management | |
Sami et al. | End-to-end secure soc lifecycle management | |
EP3987423B1 (en) | Undefined lifecycle state identifier for managing security of an integrated circuit device | |
US7254716B1 (en) | Security supervisor governing allowed transactions on a system bus | |
US20190080111A1 (en) | Method for protecting unauthorized data access from a memory | |
US7254720B1 (en) | Precise exit logic for removal of security overlay of instruction space | |
US10691586B2 (en) | Apparatus and method for software self-test | |
US20090077417A1 (en) | Method, data processing apparatus and wireless device | |
US7688637B2 (en) | Memory self-test circuit, semiconductor device and IC card including the same, and memory self-test method | |
Srivastava et al. | A novel approach of data content zeroization under memory attacks | |
US11928210B2 (en) | Module and method for monitoring systems of a host device for security exploitations |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: NUVOTON TECHNOLOGY CORPORATION, TAIWAN Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:HERSHMAN, ZIV;MORAV, DAN;REEL/FRAME:044743/0134 Effective date: 20171121 |
|
FEPP | Fee payment procedure |
Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Year of fee payment: 4 |