| Graduate student: | 呂正耀 Lu, Zheng-Yao |
|---|---|
| Thesis title: | 一個應用於系統單晶片測試及除錯之高安全性JTAG測試封套 A Secure JTAG Wrapper for SoC Testing and Debugging |
| Advisor: | 李昆忠 Lee, Kuen-Jong |
| Degree: | Master |
| Department: | College of Electrical Engineering and Computer Science - Department of Electrical Engineering |
| Year of publication: | 2021 |
| Academic year of graduation: | 109 |
| Language: | English |
| Number of pages: | 34 |
| Keywords: | hardware security, JTAG security, memory attack, secure JTAG wrapper, physical unclonable function (PUF), in-field debugging |
IEEE 1149.1, also known as Joint Test Action Group (JTAG), is a standard for IC testing. It provides great controllability and observability for ICs, so it is widely used in IC testing, on-chip debugging, and failure analysis. Unfortunately, these same properties have also made it a backdoor through which an attacker can manipulate the IC or obtain a victim user's confidential information. One way to address the problem is to disable the JTAG pins after manufacturing test; however, this countermeasure also prohibits in-field testing and in-field debugging. Other countermeasures have been proposed, such as authentication-based methods and encryption-based methods, which verify the user's legitimacy or encrypt/decrypt the data passing through JTAG. Nevertheless, these approaches may suffer from brute-force attacks and memory attacks. In this thesis, we propose an authentication-based secure JTAG wrapper to defend against the attacks mentioned above. We generate a different key for each test data item shifted into the test data registers (TDRs), and only legal test data is updated to the TDRs. Furthermore, if illegal test data is entered, the attacker gets a fake response, which makes the proposed method harder to break. We can also leverage a physical unclonable function (PUF) to distinguish the legal test data for different chips. Experimental results show that the proposed method has a small area overhead: it increases area by only 0.62% when implemented on the SCR1 processor core.
On campus: publicly available from 2026-08-23