1. Field of the Invention
The present invention relates to securing integrated circuit ("IC") devices from unauthorized access.
2. Description of Related Art
Certain integrated circuit (IC) devices are used in situations in which they are programmed to contain "sensitive" data, which may include proprietary or confidential information including, but not limited to, proprietary system or application software. These IC devices are typically placed in systems in which the sensitive data is to be utilized, but is not meant to be electronically accessible to users. To facilitate development and debugging, these IC devices often incorporate test functions which allow a developer to interrogate the IC device and obtain information regarding the state of various internal registers or memory cells. These test functions provide an important capability for developing and debugging an IC device or a system incorporating the IC device since they allow electronic access to sensitive code or data stored in the internal memory of the IC device. These test functions, however, also introduce a degree of insecurity since they may be utilized by an unauthorized user to gain access to sensitive data stored in the IC device or to firmware performing operations on sensitive data.
To prevent the unauthorized use of the test functions to gain access to device-internal information, some IC devices incorporate one or more special memory cells or internal circuits, normally referred to as "security cells", which can be programmed to disable such test functions. When such a security cell is in one particular state (e.g., a default state), the corresponding test function is available to the developer. Conversely, when the security cell is programmed to the opposite state, the test function is disabled and unavailable.
Such security cells can also be used to disable other functions that would potentially be a security risk when the device is placed in the field. For example, in the case of a "single chip" microcontroller executing a program from internal memory on the single chip, it may be desirable to permanently prevent the microcontroller from obtaining or executing instructions from its external bus.
An example of an integrated circuit using security cells can be found in an IC device such as a microcontroller (Part No. Intel® 87C196KR™). Security cells in this device are implemented in the form of an Unerasable Programmable Read Only Memory (UPROM) circuit. This allows the manufacturer of the IC device incorporating the UPROM security cell to disable various functions of the device through simple programming. In essence, the UPROM security cell acts as a binary on/off switch for the associated function. Conventionally, the UPROM security cell is a floating-gate device which is programmed by altering the amount of charge on the floating gate. In the security cell implementation, the UPROM security cell operates functionally like a fuse. Once it is programmed (active) to disable an associated function, it cannot be returned to the inactive state which would enable the test function or any other related function. For this reason, the cell is called "unerasable".
One drawback associated with conventional UPROM security cells is that they are sensitive to variances in supply voltage. If the supply voltage for the circuit containing a programmed (active) UPROM security cell is raised above a certain voltage level, the UPROM security cell may appear unprogrammed (inactive) to the surrounding circuitry. As the supply voltage is increased above the normal operating level, the existing charge on the UPROM floating gate becomes insufficient to cause the overall UPROM circuit output to be active. The increased supply voltage does not alter the actual amount of charge on the floating gate. Instead, the higher voltage conditions create a situation in which the UPROM's output appears to be inactive. When the supply voltage is lowered to its normal level, the relative gate voltage is restored and the UPROM output is once again active.
Despite the "failure" of the UPROM security cell at a higher than normal supply level, the rest of the IC device may continue to be operational at the increased voltage level. In this case, a security vulnerability exists because the UPROM security cell is rendered inactive, causing the associated function to become enabled. Consequently, access may become available to the operational circuits within the IC device.
It will be noted by those skilled in the art that one way to access integrated circuits and non-volatile memory devices which contain sensitive information or supply high-integrity services is to vary the external voltage in such a way as to disturb the normal operation of the device, and thereby gain access to such information. In the case of the UPROM security cell, it is possible to utilize the various normally-disabled functions of the IC device to gain access to internal registers and memory cells by raising the supply voltage to the point at which the UPROM security cell appears inactive, yet the IC device is still at least partially active. Although the UPROM security cell is vulnerable only to increases rather than decreases in supply voltage, other embodiments of security cells may be vulnerable to either increased or decreased supply voltage levels.
It is, therefore, desirable to eliminate the vulnerability of security circuits which protect sensitive data in integrated circuit devices to variations in the supply voltage level.