WO2008093257A2 - Method of protecting against attacks and circuit therefor - Google Patents

Method of protecting against attacks and circuit therefor

Publication number: WO2008093257A2
Authority: WO, WIPO (PCT)
Prior art keywords: circuit, address, memory module, validation, memory
Application number: PCT/IB2008/050203
Other languages: French (fr)
Other versions: WO2008093257A3 (en)
Inventor: Joachim Garbe, Sönke OSTERTUN
Original Assignee: Nxp B.V.
Application filed by Nxp B.V.

Classifications

    • G PHYSICS
    • G11 INFORMATION STORAGE
    • G11C STATIC STORES
    • G11C8/00 Arrangements for selecting an address in a digital store
    • G11C8/20 Address safety or protection circuits, i.e. arrangements for preventing unauthorized or accidental access
    • G PHYSICS
    • G11 INFORMATION STORAGE
    • G11C STATIC STORES
    • G11C29/00 Checking stores for correct operation; Subsequent repair; Testing stores during standby or offline operation
    • G11C29/02 Detection or location of defective auxiliary circuits, e.g. defective refresh counters
    • G PHYSICS
    • G11 INFORMATION STORAGE
    • G11C STATIC STORES
    • G11C29/00 Checking stores for correct operation; Subsequent repair; Testing stores during standby or offline operation
    • G11C29/02 Detection or location of defective auxiliary circuits, e.g. defective refresh counters
    • G11C29/024 Detection or location of defective auxiliary circuits, e.g. defective refresh counters in decoders
    • G PHYSICS
    • G11 INFORMATION STORAGE
    • G11C STATIC STORES
    • G11C7/00 Arrangements for writing information into, or reading information out from, a digital store
    • G11C7/24 Memory cell safety or protection circuits, e.g. arrangements for preventing inadvertent reading or writing; Status cells; Test cells
    • G PHYSICS
    • G11 INFORMATION STORAGE
    • G11C STATIC STORES
    • G11C29/00 Checking stores for correct operation; Subsequent repair; Testing stores during standby or offline operation
    • G11C29/04 Detection or location of defective memory elements, e.g. cell construction details, timing of test signals
    • G11C2029/0409 Online test


Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Storage Device Security (AREA)
  • For Increasing The Reliability Of Semiconductor Memories (AREA)

Abstract

The invention relates to a method and to a circuit having a memory module (1) that comprises a memory matrix (2), a column decoder (3), and a line decoder (4), the circuit of the memory module in addition comprising a validation circuit (5), wherein said validation circuit (5) is capable of reconstructing an address from selection signals and comparing this address with the original address or carrying out a plausibility test, whereupon a validation signal can be given if the addresses match or the plausibility thereof is established.

Description

Method of protecting against attacks and circuit therefor
Field for the invention
The invention relates to a method of protecting against unauthorized attacks on data contained in memories or in memory modules and to a circuit of a memory module.
State of the art
So-termed smart card chips have data stored thereon which are secret in part and which represent important and confidential information serving, for example, for identification and/or for the authorization of processes. Such data may be used, for example, for access to locations or services. Thus, for example, a door opener may be authorized to afford an owner of a smart card containing certain data access to a restricted area through a reading of the access data. Another possibility is, for example, to authorize and carry out money transactions or to control financial assets on the basis of a smart card.
The secret data should accordingly not be accessible to outsiders, otherwise these data could be improperly used. In particular key data, which serve for coding and decoding information that is transmitted to external destinations, should be safeguarded against unauthorized access.
Various possibilities are known for obtaining access to such data that are to be protected, for example through malfunctions in the access from the outside to the memory or through direct manipulations of the electronic circuit, whereby memory access can be purposely changed so as to obtain access to the data that are to be protected. In such a case it is also possible that other physical addresses are affected, which will lead to a compromising malfunctioning program stream.
Access to memories of security-sensitive circuits can be protected against purposeful attacks by means of protection mechanisms. WO 2004/049349 A2 in this connection describes a protection mechanism against light attacks during inactive phases in a reading process. WO 2004/046927 A1 discloses a special redundant storage of data. WO 2004/047172 A1 discloses an electronic circuit for fending off attacks by means of light.
A memory cell can be selected by means of address decoding by address decoders, whereupon the contents of said cell are read in a memory access operation. An attack on these address decoders, which cannot always be effectively prevented or even spotted by the above protection mechanisms, may result in a plurality of memory cells, an incorrect memory cell, or no memory cell at all being selected.
Short description of the invention, object, solution, advantages
It is an object of the present invention to provide a method by which an attack on address decoders can be reliably recognized. Another object of the invention is to provide a circuit capable of recognizing such attacks.
According to the invention, the object as regards the circuit is achieved by the characteristic features of claim 1. The circuit according to the invention presents a memory module that comprises a memory matrix, a column decoder, and a line decoder, the circuit of the memory module in addition comprising a validation circuit, wherein said validation circuit is capable of reconstructing an address from selection signals and comparing this address with the original address or carrying out a plausibility test, whereupon a validation signal can be given if the addresses match or the plausibility thereof is established. It is particularly advantageous if the selection signal is a signal applied to the memory matrix of the memory module.
It is also useful if an attack can be identified on the basis of a deviation between the reconstructed address and the original address.
It is highly advantageous, moreover, if the validation circuit comprises its own read amplifier which renders possible a simultaneous reading.
According to the invention, the object as regards the method is achieved by the characteristic features of claim 5. According to this claim, the method is a method of protecting against unauthorized attacks on data contained in memories or in a memory module, with data being stored in a memory module, which memory module comprises a memory matrix for the storage of data, and with a column decoder and a line decoder, wherein the circuit of the memory module in addition comprises a validation circuit, which validation circuit reconstructs an address from selection signals and compares this address with the original address or carries out a plausibility test, whereupon a validation signal is given if the addresses match or the plausibility thereof is established. It is useful in this connection if the selection signal is a signal applied to the memory matrix of the memory module. It is also useful if an attack can be identified on the basis of a deviation between the reconstructed address and the original address. The present invention thus relates to a method of verifying a decoded address during a memory access operation, preferably in real time, so as to recognize any attacks on the address decoder. The invention also relates to a method of reliably recognizing such attacks.
Advantageous further embodiments are described in the dependent claims.
Short description of the drawings
The invention will be described in more detail below with reference to an embodiment and the accompanying drawings, in which:
Fig. 1 shows a memory module;
Fig. 2 shows a circuit arrangement according to the prior art;
Fig. 3 shows a circuit arrangement according to the invention; and
Fig. 4 is a block diagram of a circuit for clarifying the procedure according to the method.
Preferred embodiment of the invention
Fig. 1 diagrammatically shows a memory module 1 in the form of a block diagram. The memory module is formed here by a memory matrix A, 2, a column decoder CD, 3, and a line decoder RD, 4. According to the invention, the circuit of the memory module 1 is complemented by a validation circuit V, 5. The validation circuit V, 5 reconstructs through calculation an address from the selection signals supplied to the matrix A, 2 and either compares this address with the original address adr or carries out a plausibility test, issuing a validity signal va in the case of a match or plausibility, as applicable. The reference "data" is used for the data input and/or data output and the reference "adr" for the input for the addresses.
Fig. 2 shows an example of a circuit for a decoder test according to the prior art. The circuit 10 essentially consists of a memory cell 11, in which e.g. a word can be stored, a ROM cell 12 for the decoder test, and a read amplifier 13. The memory circuit 10 here is a circuit that can be programmed comparatively slowly only. Such circuits often comprise special circuit arrangements for testing the address decoding function in order to reduce the testing time. For this purpose, a fixedly coded data word R is selected by the line decoder along with the other data in an extra column in each of the n lines of the memory, cf. signal wl, which can be read out in a special testing mode via the original read path, cf. the control signal test. This word may, but need not necessarily, have the same word width w as the data words proper.
Fig. 3 shows a circuit according to the invention, wherein an additional circuit is modified according to the invention such that, during normal reading via the read amplifier S, 13 having an output value dout, this fixedly coded word R is read out simultaneously via its own read amplifier T, 14 for the test bus which has an output value tout. Thus a conclusion can be drawn from this word as to the actually selected line. A line can be identified from the output value by the read amplifier in this manner. Said conclusion may be unequivocal or may at least be sufficient for a plausibility test. A comparison with the address applied to the module then renders it possible to generate a validity signal; in the case of an unequivocal result the reconstructed address itself may also be supplied as additional information, if so desired. The reference wl here represents the line selection and bl the bit line, tbl the test bus bit line, tl the test bus, dout the data outputs, and tout the data output for the address validation code.
In an equivalent manner, a validation circuit is constructed for the column decoder, which circuit tests the decoded column of the m columns during the read access. The circuit according to the invention serves to protect the memory module provided therewith. Any memory module that contains security-sensitive or secret data may advantageously be protected from attacks in principle. The present invention offers a highly efficient method by which it can be ensured that only those memory cells that are wanted are actually read out in that the decoded address is subjected to a validity test or the original address is reconstructed for the purpose of comparison. It can be applied to all memories organized in matrix form such as, for example, RAM, ROM, EEPROM, and Flash.
Fig. 4 shows a block diagram 20 in which block 21 represents the input of selection signals or data. In block 22, an address is reconstructed from these data or selection signals. In block 23, this address is compared with the original address and/or a plausibility test is carried out. In the case in which the addresses match and/or a plausibility of the address is established a validity signal will be given in block 24.
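The line validation of Fig. 3 and the reconstruct, compare and validate flow of Fig. 4, modeled in C as an added example that is not part of the patent text. The coding of R as the line index plus its bitwise complement, the wired-OR bit-line behavior, the 16-line size, the sample contents and all function names are assumptions; the patent does not specify them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumptions (not from the patent): 16 lines, 4-bit line address, and a
 * fixedly coded word R = line index (low nibble) | complement (high nibble).
 * Bit lines are modeled as a wired-OR of every selected line. */
#define N_LINES   16u
#define ADDR_BITS 4u
#define ADDR_MASK ((1u << ADDR_BITS) - 1u)

typedef enum { VA_VALID = 0, VA_MISMATCH, VA_IMPLAUSIBLE } va_t;

typedef struct {
    uint8_t dout;  /* data outputs, read amplifier S */
    uint8_t tout;  /* address validation code, read amplifier T */
} read_out_t;

/* Constructed sample contents of the memory matrix. */
const uint8_t SAMPLE_DATA[N_LINES] = {
    0x10, 0x21, 0x32, 0x43, 0x54, 0x65, 0x76, 0x87,
    0x98, 0xA9, 0xBA, 0xCB, 0xDC, 0xED, 0xFE, 0x0F
};

/* Fixedly coded word R stored in the extra column of a line. */
uint8_t code_for_line(unsigned line)
{
    return (uint8_t)((line & ADDR_MASK) | ((~line & ADDR_MASK) << ADDR_BITS));
}

/* One read access. wl is the word-line vector actually applied to the
 * matrix (bit i set = line i selected). */
read_out_t matrix_read(const uint8_t *data, uint16_t wl)
{
    read_out_t r = { 0, 0 };
    for (unsigned line = 0; line < N_LINES; line++) {
        if (wl & (1u << line)) {
            r.dout |= data[line];
            r.tout |= code_for_line(line);
        }
    }
    return r;
}

/* Validation circuit V: reconstruct the line address from tout (block 22),
 * test plausibility and compare with adr (block 23), return va (block 24). */
va_t validate(unsigned adr, uint8_t tout, unsigned *reconstructed)
{
    unsigned idx = tout & ADDR_MASK;
    unsigned inv = (tout >> ADDR_BITS) & ADDR_MASK;

    /* With zero or several lines selected the two halves are no longer
     * complementary, so no single line can explain the code word. */
    if ((idx ^ inv) != ADDR_MASK)
        return VA_IMPLAUSIBLE;
    if (reconstructed)
        *reconstructed = idx;
    return (idx == (adr & ADDR_MASK)) ? VA_VALID : VA_MISMATCH;
}

/* Read as a consumer would: release dout only when va is valid. */
va_t checked_read(const uint8_t *data, unsigned adr, uint16_t wl, uint8_t *dout)
{
    read_out_t r = matrix_read(data, wl);
    va_t va = validate(adr, r.tout, NULL);
    *dout = (va == VA_VALID) ? r.dout : 0;
    return va;
}

int main(void)
{
    static const char *name[] = { "valid", "mismatch", "implausible" };
    /* Requested line is always 5; wl models what the decoder really drove. */
    const uint16_t wl_cases[] = { 1u << 5, 1u << 9, (1u << 5) | (1u << 6), 0 };
    for (unsigned i = 0; i < 4; i++) {
        uint8_t dout;
        va_t va = checked_read(SAMPLE_DATA, 5, wl_cases[i], &dout);
        printf("wl=0x%04x va=%s dout=0x%02x\n",
               (unsigned)wl_cases[i], name[va], (unsigned)dout);
    }
    return 0;
}
```

A single wrong line still yields a well-formed code word, so it is caught only by the comparison with adr; the no-line and multi-line cases are caught by the plausibility test alone.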

Claims

1. A circuit having a memory module (1) that comprises a memory matrix (2), a column decoder (3), and a line decoder (4), the circuit of the memory module in addition comprising a validation circuit (5), wherein said validation circuit (5) is capable of reconstructing an address from selection signals and comparing this address with the original address or carrying out a plausibility test, whereupon a validation signal can be given if the addresses match or the plausibility thereof is established.
2. A circuit as claimed in claim 1, characterized in that the selection signal is a signal applied to the memory matrix of the memory module.
3. A circuit as claimed in claim 1 or 2, characterized in that an attack can be identified on the basis of a deviation between the reconstructed address and the original address.
4. A circuit as claimed in any one of the preceding claims, characterized in that the validation circuit comprises a read amplifier.
5. A method of protecting against unauthorized attacks on data contained in memories or in a memory module, with data being stored in a memory module (1), which memory module comprises a memory matrix (2) for the storage of data, and with a column decoder (3) and a line decoder (4), wherein the circuit of the memory module in addition comprises a validation circuit (5), which validation circuit (5) reconstructs an address from selection signals and compares this address with the original address or carries out a plausibility test, whereupon a validation signal is given if the addresses match or the plausibility thereof is established.
6. A method as claimed in claim 5, characterized in that the selection signal is a signal applied to the memory matrix of the memory module.
7. A method as claimed in claim 5 or 6, characterized in that an attack can be identified on the basis of a deviation between the reconstructed address and the original address.
PCT/IB2008/050203 2007-01-30 2008-01-21 Method of protecting against attacks and circuit therefor WO2008093257A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP07001951.8 2007-01-30
EP07001951 2007-01-30

Publications (2)

Publication Number Publication Date
WO2008093257A2 true WO2008093257A2 (en) 2008-08-07
WO2008093257A3 WO2008093257A3 (en) 2008-10-30

Family

ID=39523547

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2008/050203 WO2008093257A2 (en) 2007-01-30 2008-01-21 Method of protecting against attacks and circuit therefor

Country Status (1)

Country Link
WO (1) WO2008093257A2 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4912710A (en) * 1988-02-29 1990-03-27 Harris Corporation Self-checking random access memory
US20060156193A1 (en) * 2004-11-30 2006-07-13 Nicolas Demange Error test for an address decoder of a non-volatile memory
US20070002616A1 (en) * 2005-06-15 2007-01-04 Stmicroelectronics S.A. Memory protected against attacks by error injection in memory cells selection signals

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR3010822A1 (en) * 2013-09-17 2015-03-20 Inside Secure MEMORY CIRCUIT COMPRISING MEANS FOR DETECTING AN ERROR INJECTION
WO2015040304A1 (en) * 2013-09-17 2015-03-26 Inside Secure Memory circuit comprising means for detecting an error injection

Also Published As

Publication number Publication date
WO2008093257A3 (en) 2008-10-30

Legal Events

Date Code Title Description
NENP Non-entry into the national phase in:

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08702474

Country of ref document: EP

Kind code of ref document: A2

122 Ep: pct application non-entry in european phase

Ref document number: 08702474

Country of ref document: EP

Kind code of ref document: A2