Integrated circuit architectures, configurations and methods have been standardized for in-circuit testing and debugging. Joint Test Access Group (JTAG) standards define standard testing and debugging architectures and methods that are widely used in the semiconductor chip industries. In-circuit test and debug architectures use the JTAG IEEE Std. 1149.1 (Standard Test Access Port and Boundary Scan Architecture) accessibility of on-chip embedded infrastructure for field initialization, debug, test, reconfiguration, monitoring, error management and repair. While JTAG capability is essential for development and maintenance of many semiconductor components and systems, it may conflict with requirements for security and safeguarding of protected data.
The JTAG security landscape involves numerous potential attackers, so securing JTAG compliant architectures has become increasingly problematic. For example, attackers may exploit the JTAG scan chain infrastructure to gain access to protected data, alter the system state to perform illegal operations, perform side-channel attacks, or enable unintended activation of the test or debug infrastructure. This may also lead to the violation of safety properties.
JTAG attackers may include manufactures of integrated circuit components and hostile end users or hackers. Attackers have exploited the JTAG-based capabilities on unprotected products by sniffing of the TDI (test data in)/TDO (test data out) bit streams, modifying the TDI/TDO bit streams, controlling the TMS (test mode select) and TCK (test clock) signals, and accessing protected data, for example. This could allow an attacker to collect protected data in transit, read-out protected data, obtain test vectors and responses, modify state of authentic part, and/or return false responses to a test.
As attackers who could potentially exploit JTAG enabled systems and components have become more of a risk, efforts to safeguard protected data, such as emerging anti-tamper requirements to protect military and consumer products, have increased.
Because JTAG is widely used and deeply engrained standard for in-circuit test, configuration, and debugging, which is embedded on most integrated circuit components, it would be impractical to simply exclude JTAG capabilities from trusted hardware. Thus, reliable techniques are needed to secure JTAG enabled systems and components against potential attackers.
Prior attempts to secure JTAG enabled systems and components have involved embedded die modifications to the JTAG enabled integrated circuit components. Examples of such die modifications include adding TAP (test access port) lock and adding key registers, and adding circuitry for authentication, encryption and decryption of the TDI/TDO bit streams. Different approaches in this area have included challenge/response techniques, public/private key authentication techniques, and authorized permission techniques, for example.
An alternative approach to securing JTAG enabled systems and components has been to remove access to the JTAG circuitry by open-circuiting security fuses built into the integrated circuit components before the hardware leaves the factory. Other proposed security techniques involve disabling buffers in JTAG scan chains or configuring JTAG systems (TMS and TCK connections) in a star pattern instead of a daisy chain configuration, for example.
Although these techniques may provide some better protection against potential JTAG attackers, they have only been implemented in a few components because they increase the cost of the integrated circuit components and consume substantial die space for each component.
Emerging approaches to securing JTAG scan chains based on embedded IC component encryption, authentication and authorization provide protected bit stream encryption at the integrated circuit component, but cannot prohibit or detect attacker physical access to the JTAG scan chain infrastructure.