For many non-volatile memory applications, data integrity and confidentiality are critical. Typically, data is stored in non-volatile memory, and then all or part of the memory, or all or part of the system including the memory, is locked.
In the Intel 82802Ax firmware hub, blocks of the non-volatile flash memory can be locked until the next reset, after which blocks can be unlocked if desired. This block locking and unlocking is controlled by read-lock bits, write-lock bits, and lock-down bits. For each block of memory, a read-lock bit in the clear (default) state allows normal read operation in the corresponding block, and in the set state prevents read operations on the corresponding block. For each block of memory, a write-lock bit in the set (default) state prevents program or erase operations in the corresponding block, and in the clear state allows normal program and erase operation in the corresponding block. For each block of memory, a lock-down bit in the clear (default) state allows the write-lock and read-lock bits of the corresponding block to be altered normally, and in the set state prevents further set or clear operations on those write-lock and read-lock bits. Therefore, once a lock-down bit is set, the corresponding block remains locked down until reset or until the device is power-cycled.
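The following is an added illustrative model of the per-block lock semantics just described (read-lock, write-lock, lock-down, and reset behaviour); it is not code from the firmware hub or from this document. The bit positions, the eight-block size, and the function names are assumptions made for the example. It shows the typical boot-time pattern: open a block for a firmware update, program it, then lock every block down so nothing that runs after boot can reopen it until the next reset.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model of per-block lock bits as described for the Intel
 * 82802Ax firmware hub. Bit positions and the 8-block size are assumptions
 * for this example, not the device's actual register layout. */
#define LOCK_WRITE 0x01u /* set (default after reset): program/erase blocked */
#define LOCK_DOWN  0x02u /* set: read/write-lock bits frozen until reset      */
#define LOCK_READ  0x04u /* set: reads of the block blocked                   */
#define LOCK_MASK  (LOCK_WRITE | LOCK_DOWN | LOCK_READ)

#define NUM_BLOCKS 8

typedef enum { OP_READ, OP_PROGRAM, OP_ERASE } flash_op_t;

typedef struct {
    uint8_t lock[NUM_BLOCKS]; /* one lock register per block */
} fwh_t;

/* Reset or power cycle: write-lock set, read-lock and lock-down clear. */
void fwh_reset(fwh_t *f)
{
    for (int i = 0; i < NUM_BLOCKS; i++)
        f->lock[i] = LOCK_WRITE;
}

/* Try to rewrite a block's lock register. Once lock-down is set the
 * register is frozen, so the request is refused until the next reset. */
bool fwh_set_lock(fwh_t *f, int block, uint8_t bits)
{
    if (block < 0 || block >= NUM_BLOCKS)
        return false;
    if (f->lock[block] & LOCK_DOWN)
        return false;
    f->lock[block] = bits & LOCK_MASK;
    return true;
}

/* Boot-time hardening: leave every block read-only and freeze its lock
 * bits so that code running after boot cannot unlock it. */
void fwh_lock_down_all(fwh_t *f)
{
    for (int i = 0; i < NUM_BLOCKS; i++)
        (void)fwh_set_lock(f, i, LOCK_WRITE | LOCK_DOWN);
}

/* Does the block's current lock state permit the operation? */
bool fwh_op_allowed(const fwh_t *f, int block, flash_op_t op)
{
    if (block < 0 || block >= NUM_BLOCKS)
        return false;
    uint8_t l = f->lock[block];
    switch (op) {
    case OP_READ:
        return !(l & LOCK_READ);
    case OP_PROGRAM:
    case OP_ERASE:
        return !(l & LOCK_WRITE);
    }
    return false;
}

/* Runs the update-then-lock-down sequence and records each observation as
 * one bit of the result (all six bits set means the model behaved as the
 * description says). */
unsigned fwh_scenario(void)
{
    fwh_t f;
    unsigned r = 0;
    fwh_reset(&f);
    if (!fwh_op_allowed(&f, 0, OP_PROGRAM)) r |= 1u;  /* default: write-locked */
    if (fwh_op_allowed(&f, 0, OP_READ))     r |= 2u;  /* default: readable */
    if (fwh_set_lock(&f, 0, 0) && fwh_op_allowed(&f, 0, OP_PROGRAM))
        r |= 4u;                                      /* update window open */
    fwh_lock_down_all(&f);
    if (!fwh_op_allowed(&f, 0, OP_PROGRAM)) r |= 8u;  /* locked again */
    if (!fwh_set_lock(&f, 0, 0))            r |= 16u; /* frozen: unlock refused */
    fwh_reset(&f);
    if (fwh_set_lock(&f, 0, 0))             r |= 32u; /* reset lifts lock-down */
    return r;
}

int main(void)
{
    printf("scenario observations: 0x%02x (expect 0x3f)\n", fwh_scenario());
    return 0;
}
```

The point of the model is the asymmetry the text describes: clearing a write-lock is an ordinary register write, but a set lock-down bit cannot be undone by any register write at all, only by a reset or power cycle, which is why firmware sets it last, after its own updates are done.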
The National Semiconductor PC87591x includes a flash protection word in its flash memory. The protection word is read by hardware during the internal reset process and stored in a register. If the word equals ‘111’, for example, flash access is enabled for both read and write. If the word equals any other value, flash access is protected. When flash access is protected, neither reads nor writes are allowed through the external interfaces (e.g., JTAG, parallel, etc.). However, special erase operations that erase the entire flash memory (including the flash protection word), other than factory parameters, are allowed through the external interfaces.
U.S. Pat. No. 6,035,401 to Dalvi et al. describes a flash memory device including a first memory array, a control circuit coupled to the first memory array, and a second independent memory array coupled to the control circuit. The first memory array includes a plurality of memory blocks each having a memory cell. The second memory array includes a plurality of block lock bits each corresponding to one of the plurality of memory blocks. The state of each block lock bit indicates whether the memory cell in the corresponding memory block is locked. The second memory array may also include a master lock bit that indicates whether the block lock bits are locked. In one embodiment, once the master lock bit has been set, it may not be erased or cleared.
U.S. Pat. No. 6,073,243 to Dalvi et al. describes a flash memory device including a first memory array, block locking circuitry and control circuitry. The memory array includes a plurality of memory blocks each having a memory cell. The block locking circuitry includes a plurality of block lock bits and a master lock bit. The control circuitry is configured to receive a passcode that causes the control circuitry to override the master lock bit. The control circuitry may also be configured to receive a passcode that causes the control circuitry to override one of the block lock bits.
Glitch attacks are attacks through any interface where a hacker (i.e., malicious attacker) uses abnormal environmental conditions to try to generate malfunctions of a temporary nature that can expose the secrets of a system or remove the protection of a system. The attack may be aimed at causing one or more flip-flops to adopt the wrong state or to corrupt data values as they are transferred between registers and memory. Often, the glitch attacker attempts to create a malfunction using techniques such as clock signal transients, power supply transients, external electric field transients, and heat application to impact the clock, voltage, temperature, etc.
As an example of a feasible glitch attack, assume that upon reset a protection word is read from one memory location and the value of the protection word is written to (stored in) another memory location so as to control subsequent access to a system or parts of the system. In such a case, a hacker could repetitively reset the system, each time trying to create a malfunction so as to disturb the read or write operations, until access is enabled.
Assuming a flash protection word of at least two bits, if only one unlocked value for the flash protection word is allocated, there is some protection against a glitch attack because of the increased difficulty of causing a malfunction that will bring about the exact unlocked value. However, such a flash memory is more likely to wake up in the locked state (i.e., to be in the locked state after wafer manufacturing) due to the plurality of possible locked values. The capability to erase the protection word along with any corresponding protected block may consequently be provided in order to allow recovery of memory that wakes up in the locked state. However, this erase capability can then be exploited by a malicious attacker to erase the protection word along with any corresponding protected block and inject a virus while writing new data to the flash memory.
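As an added example (not code from the PC87591x, the cited patents, or this document), the block below models the protection-word check described for the PC87591x and the single-unlock-value reasoning in the two paragraphs above. The 3-bit width and the ‘111’ unlock pattern come from the text; the sampling count, the fail-closed handling of disagreeing reads, and all names are assumptions for the illustration. Rather than trusting one read at reset, it takes several samples and treats any disagreement between them as a suspected glitch, so a disturbed read is reported as an event instead of being silently resolved either way; it also computes the fraction of possible wake-up values that unlock, which is the quantity behind the "wakes up locked" trade-off.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Width and unlock pattern of the protection word. The 3-bit '111' pattern
 * follows the PC87591x description; the sample count is an assumption. */
#define PROT_BITS      3
#define PROT_MASK      ((1u << PROT_BITS) - 1u)
#define PROT_UNLOCKED  0x7u
#define PROT_SAMPLES   3   /* independent reads that must agree */

typedef enum { ACCESS_LOCKED, ACCESS_UNLOCKED, ACCESS_GLITCH } access_t;

/* Constructed sample reads, as hardware might capture them during reset. */
static const uint8_t SAMPLES_CLEAN_UNLOCKED[PROT_SAMPLES] = { 0x7, 0x7, 0x7 };
static const uint8_t SAMPLES_CLEAN_LOCKED[PROT_SAMPLES]   = { 0x5, 0x5, 0x5 };
static const uint8_t SAMPLES_DISTURBED[PROT_SAMPLES]      = { 0x7, 0x3, 0x7 };

/* Decode one sampled protection word: only the single unlock pattern
 * enables access; every other value, including any one-bit corruption of
 * the pattern, leaves the flash locked. */
access_t prot_decode(uint8_t word)
{
    return ((word & PROT_MASK) == PROT_UNLOCKED) ? ACCESS_UNLOCKED
                                                 : ACCESS_LOCKED;
}

/* Evaluate n reads taken during reset. A malfunction that disturbs only
 * some of the reads shows up as disagreement and is reported as
 * ACCESS_GLITCH so the system can react (stay locked, log, count resets).
 * With no samples at all the result is locked: fail closed. */
access_t prot_evaluate(const uint8_t *samples, int n)
{
    if (n < 1)
        return ACCESS_LOCKED;
    uint8_t first = samples[0] & PROT_MASK;
    for (int i = 1; i < n; i++)
        if ((samples[i] & PROT_MASK) != first)
            return ACCESS_GLITCH;
    return prot_decode(first);
}

/* Share of the 2^bits possible wake-up values that unlock the device.
 * With a single unlock value this is 1/2^bits: small, which is what makes
 * a glitch unlikely to land on the exact pattern, but also what makes a
 * freshly manufactured part likely to wake up locked. */
double prot_wake_unlocked_fraction(int bits, int unlock_values)
{
    return (double)unlock_values / (double)(1u << bits);
}

int main(void)
{
    printf("clean unlocked  -> %d\n", prot_evaluate(SAMPLES_CLEAN_UNLOCKED, PROT_SAMPLES));
    printf("clean locked    -> %d\n", prot_evaluate(SAMPLES_CLEAN_LOCKED, PROT_SAMPLES));
    printf("disturbed reads -> %d\n", prot_evaluate(SAMPLES_DISTURBED, PROT_SAMPLES));
    printf("3-bit word, one unlock value: %.3f of wake-up values unlock\n",
           prot_wake_unlocked_fraction(PROT_BITS, 1));
    return 0;
}
```

The two numbers the function returns for a 3-bit word make the trade-off concrete: allocating one unlock value means only 1/8 of possible wake-up values unlock, while allocating, say, four of the eight would double the chance that a disturbed read lands on an enabling value and halve the chance that a blank part needs the destructive recovery erase.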
The Atmel AT88SC1616C, which includes EEPROM memory, uses three fuses that must be blown during the device personalization process. Each fuse locks certain portions of the configuration zone as One-Time Programmable (OTP) memory. The fuses are intended for the module manufacturer, the card manufacturer and the card issuer respectively, and should be blown in sequence, allowing each party to store new information while protecting the information programmed in previous steps. Alternatively, all programming of the device and blowing of the fuses may be performed in one final step.
Fuse technology, however, has some inherent limitations. For example, fuse technology may require special process techniques that are difficult to implement and/or may add significant cost to the implementation. In addition, a mechanism is often required to continuously read the fuses and convert the read states of the fuses into the operations that protect the device. Assuming the state of the fuses is read continuously, glitch attacks may temporarily disturb the reading but will not enable access. Finally, although access may be prevented, fuse technology by itself does not necessarily identify a glitch attack per se and therefore may not cause all appropriate reactions to the glitch attack to be performed.
What is needed in the art are systems and methods to protect locked features of a system including a non-volatile memory from hack attacks such as glitch attacks, without using fuse technology. What is needed in the art are systems and methods to identify the occurrence of certain types of hack attacks on the system including the non-volatile memory. What also is needed in the art are systems and methods to predispose a system including a non-volatile memory having an unknown initial value after manufacturing to wake up unlocked.