JTAG | IJTAG Semiconductor and Board Test Security

Recently, I have been researching and publishing papers on semiconductor test security in conjunction with Southern Methodist University (see “Don’t Forget to Lock your SIB: Hiding Instruments using P1687”, ITC 2013; and “Making it Harder to Unlock an LSIB: Honeytraps and Misdirection in a P1687 Network”, DATE 2014).

However, I have also been investigating circuit board test security, because it has gained major attention recently from several very public hacks. I have found that board security goals are similar to those of chip security:

  1. Prevent disruption of the board’s functional operation (denial-of-service attacks, for example);
  2. Prevent the copying or reverse engineering of boards (counterfeit prevention);
  3. Prevent unauthorized investigation of board settings, firmware, codes and operations.

The problem with board or system security is that circuit boards are inherently less secure than chips because boards and systems have sockets, connectors, backplanes and test points that can be probed. Moreover, remote debug capabilities will allow access to a board over the Internet. Although most boards include some form of data security such as cryptography, one of the biggest security holes or backdoors turns out to be the IEEE 1149.1 boundary-scan (JTAG) standard’s Test Access Port (TAP) and the chip scan paths on the board.

Unfortunately, the boundary-scan/JTAG standard makes no provisions for a formal and standardized method of security at the board level. Any security for the test and debug architecture is derived from the security that comes with the individual chips on the board. That means that board-level security is a custom implementation dependent on the unique design of the board. Security at the board level becomes more complicated when the JTAG scan path is a daisy-chain of many different chips, all with their own security methods.

Maybe you think that board test and debug security is just the application of security during board test or debug. That’s part of it, but not really the most important part. More critical is the consideration of the security of the entire board because of the presence of a test and debug port on the board. The JTAG TAP may be able to access almost everything on the board because that’s the goal of test and debug. Unfortunately, this directly contradicts the security goals identified above.

The JTAG scan path can access embedded instruments such as memory and serdes built-in self-test (BIST) engines that could disrupt functional operation. In addition, the TAP is frequently used to program flash and field programmable gate arrays (FPGA). The firmware stored in these devices is often proprietary and must be protected from the prying eyes of hackers who might modify or steal it. For debug operations, the JTAG TAP also provides visibility to registers and data at the boundaries of chips as well as data deep within chips. This access could provide hackers the board’s codes and secure data that should remain hidden.

For example, a nefarious individual or organization might use commercially available and perfectly legal JTAG hardware and software to deeply investigate, disrupt or modify a board or system. On a positive note, strategies and techniques to protect what should be secure can be implemented and their effectiveness quantified. For example, any proposed security solution can be evaluated against ‘goodness metrics’ that involve measuring the relative strength of security methods as well as the cost of adding security in terms of its effects on silicon overhead and test times.

To read more about board test and debug security in general, as well as specific strategies, techniques and goodness metrics, download our free eBook.

Al Crouch