[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN117560232B - Detection device and chip - Google Patents

Detection device and chip Download PDF

Info

Publication number
CN117560232B
CN117560232B CN202410045093.3A CN202410045093A CN117560232B CN 117560232 B CN117560232 B CN 117560232B CN 202410045093 A CN202410045093 A CN 202410045093A CN 117560232 B CN117560232 B CN 117560232B
Authority
CN
China
Prior art keywords
sequence
chip
transformation rule
circuit
detection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202410045093.3A
Other languages
Chinese (zh)
Other versions
CN117560232A (en
Inventor
邹双潞
首南青
陈强
马博
朱凯
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Open Security Research Inc
Original Assignee
Open Security Research Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Open Security Research Inc filed Critical Open Security Research Inc
Priority to CN202410045093.3A priority Critical patent/CN117560232B/en
Publication of CN117560232A publication Critical patent/CN117560232A/en
Application granted granted Critical
Publication of CN117560232B publication Critical patent/CN117560232B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1466Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • GPHYSICS
    • G08SIGNALLING
    • G08BSIGNALLING OR CALLING SYSTEMS; ORDER TELEGRAPHS; ALARM SYSTEMS
    • G08B21/00Alarms responsive to a single specified undesired or abnormal condition and not otherwise provided for
    • G08B21/18Status alarms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • Emergency Management (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses detection device and chip, detection device sets up the area of waiting to detect at the chip, waits to detect the area and is provided with and uses first sequence as initial sequence, carries out the module of transform according to first sequence transformation rule, and detection device includes: the change detection circuit is connected with the clock port and is used for receiving the clock signal output by the clock port, converting the clock signal according to a second sequence conversion rule by taking the second sequence as an initial sequence under the condition that the clock signal is changed, and outputting an actual output sequence at least one observation point; if the actual output sequence and the reference output sequence corresponding to the observation point do not meet the preset association relation, obtaining a detection result of abnormality of the chip; the first sequence and the second sequence correspond to the same clock signal, and the first sequence transformation rule is different from the second sequence transformation rule.

Description

Detection device and chip
Technical Field
The present application relates to the field of electronic technologies, and in particular, to a detection device and a chip.
Background
With the rapid development of electronic devices, the number of chips involved in the electronic devices is increasing, and in order to improve the utilization rate of the chips, detection of the chips is also increasing, especially detection of problems such as fault injection attack (Fault Injection Attack) of the chips, random failure detection and diagnosis, human errors, equipment faults and the like.
In the related art, a detection mode for a chip is a detection method based on side channel analysis, and the state inside the chip is deduced by monitoring a power line, a clock and power consumption on the chip in real time. When an attacker or detector tries to change the behavior of the chip by injecting faults, variations in the chip voltage, clock and power consumption are caused, so that by monitoring these variations it is determined whether the chip is abnormal or not, such as if it is under fault injection attack, and fault location information can be provided.
However, the above method needs to make physical contact with the chip and adopts a higher-precision test device, and the method has at least the problems of high cost and difficult distribution and deployment.
Disclosure of Invention
In order to solve the problems of high cost and difficult distribution and deployment in the detection of fault injection attack in the related technology, the application provides a detection device and a chip.
The technical scheme of the application is realized as follows:
in a first aspect, the present application provides a detection apparatus, where the detection apparatus is disposed in a to-be-detected area of a chip, the to-be-detected area is provided with a module that uses a first sequence as an initial sequence and performs transformation according to a first sequence transformation rule, and the detection apparatus includes: the system comprises a clock port, a first sequence, a second sequence, a first sequence conversion rule, a second sequence conversion rule, a first observation point, a second observation point, a first sequence conversion rule, a second sequence conversion rule and a second sequence conversion rule, a second sequence conversion rule and a third sequence conversion rule, wherein the first sequence is the second sequence, the second sequence is the first sequence, the second sequence is the second sequence, and the third sequence is the second sequence conversion rule and the third sequence, and the fourth sequence is the third sequence conversion rule and the fourth sequence, and the fourth sequence is the third; if the actual output sequence and the reference output sequence corresponding to the observation point do not meet the preset association relation, obtaining a detection result of abnormality of the chip; the first sequence and the second sequence correspond to the same clock signal, and the first sequence transformation rule is different from the second sequence transformation rule.
In the above scheme, the second sequence transformation rule includes one of a linear feedback shift register LFSR sequence transformation rule, a galois LFSR sequence transformation rule, a gray code sequence transformation rule, a one-hot code sequence transformation rule, a ring count sequence transformation rule, and a johnson count sequence transformation rule.
In the above solution, the at least one observation point includes: taking the moment of inputting each data to the module as the starting moment, and determining the corresponding moment after the module finishes processing the data; or taking the clock signals corresponding to the initial sequence as starting moments, and taking the moments corresponding to the first number of clock signals at intervals; wherein the starting time is the same as the time corresponding to the initial sequence.
In the above scheme, the mutation detection circuit is further configured to convert the current sequence transformation rule into a third sequence transformation rule when the detection result corresponding to each observation point indicates that the chip is normal; performing transformation processing according to the third sequence transformation rule, and outputting a next actual output sequence at a next observation point;
wherein the third sequence transformation rule is different from the current sequence transformation rule, the current sequence transformation rule including the second sequence transformation rule;
Wherein the third sequence transformation rule comprises one of a Linear Feedback Shift Register (LFSR) sequence transformation rule, a Galois LFSR sequence transformation rule, a Gray code sequence transformation rule, a one-hot code sequence transformation rule, a ring count sequence transformation rule and a Johnson count sequence transformation rule.
In the above scheme, the mutation detection circuit is further configured to receive a first control signal and convert the current sequence transformation rule into a third sequence transformation rule corresponding to the first control signal when the detection result corresponding to each observation point indicates that the chip is normal; performing transformation processing according to the third sequence transformation rule, and outputting a next actual output sequence at a next observation point; the first control signal is a periodic signal or a signal generated based on random number driving.
In the above scheme, the sequence includes a plurality of bits, and the mutation detection circuit is further configured to, if the clock signal changes under the condition of receiving the second control signal, inversely transform the target bit in the third sequence to obtain a fourth sequence, transform the fourth sequence according to the second sequence transformation rule, and output the actual output sequence at the at least one observation point;
And the third sequence is a pre-conversion sequence obtained by conversion according to the second sequence conversion rule when the second control signal is not received by the mutation detection circuit, and the target bit is a bit converted in the sequence when the second control signal is received by the module.
In the above scheme, the detection device further includes: and the alarm circuit is connected with the mutation detection circuit and is used for receiving the detection result and generating an alarm when the detection result represents that the chip is abnormal.
In a second aspect, the present application provides a chip comprising one or more of the detection devices described above.
In the above scheme, the number and the deployment form of the detection devices are determined based on the protection strength of the chip and the resource consumption of the detection devices.
In the above solution, the chip includes a security protection circuit configured to receive one or more detection results, and perform a security protection operation on the chip or a target circuit in the chip when at least one detection result characterizes that the chip has an abnormality, where the security protection operation includes: an alarm is generated to prompt the user to pause the current work to enter an interrupt state to wait for the CPU to process.
In the above scheme, the safety protection circuit is further configured to generate a third control signal and random data, and input the third control signal and the random data to all modules or part of modules of the chip;
the module is used for deleting the effective data based on the third control signal and flushing the current data by utilizing the random data.
The application provides a detection device and chip, detection device sets up the regional waiting of detecting at the chip, waits to detect regional being provided with and uses first sequence as initial sequence, carries out the module of transform according to first sequence transformation rule, detection device includes: the change detection circuit is connected with the clock port and is used for receiving the clock signal output by the clock port, converting the clock signal according to a second sequence conversion rule by taking the second sequence as an initial sequence under the condition that the clock signal is changed, and outputting an actual output sequence at least one observation point; if the actual output sequence and the reference output sequence corresponding to the observation point do not meet the preset association relation, obtaining a detection result of abnormality of the chip; the first sequence and the second sequence correspond to the same clock signal, and the first sequence transformation rule is different from the second sequence transformation rule. Therefore, the detection device realizes differentiation of logic between each module in the chip and the mutation detection circuit, the detection device is inserted into the chip, the difference of the turnover results of the two circuits after the injected faults is introduced, the failure risk of the monitoring circuit and the verification design is reduced, and the attack difficulty is increased; meanwhile, the correlation between the mutation detection circuit and the original circuit can be reduced due to the logic differentiation of the mutation detection circuit and the original circuit, so that the detection circuit has higher reliability and robustness, and the safety of a chip is improved.
Drawings
Fig. 1 is a schematic structural diagram of a detection device according to an embodiment of the present application;
fig. 2 is a schematic diagram illustrating an operation example of a detection device according to an embodiment of the present application;
fig. 3 is a schematic diagram of a second operation example of the detection device according to the embodiment of the present application;
fig. 4 is a schematic structural diagram of a detection device according to the embodiment of the present application;
fig. 5 is a schematic structural diagram of a chip according to an embodiment of the present application;
fig. 6A is a schematic structural diagram of a second chip according to an embodiment of the present application;
fig. 6B is a schematic structural diagram III of a chip according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a chip according to an embodiment of the present application;
fig. 8 is a schematic diagram of a chip according to an embodiment of the present application;
fig. 9 is a schematic structural diagram of a chip according to an embodiment of the present disclosure;
fig. 10 is a schematic structural diagram of a chip according to an embodiment of the present application.
Detailed Description
In order to make the present application solution better understood by those skilled in the art, the following description will clearly and completely describe the technical solution in the embodiments of the present application with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
The terms "first," "second," and the like in the description of the present application and in the above-described figures, are used for distinguishing between different objects and not for describing a particular sequential order. Furthermore, the terms "comprise" and "have," as well as any variations thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those listed steps or elements but may include other steps or elements not listed or inherent to such process, method, article, or apparatus.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the present application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments.
In order to better understand the detection device provided in the embodiment of the present application, the embodiment of the present application describes a background technology for performing a fault injection attack on a chip, and a detection method for the fault injection attack in the related art.
The fault injection attack (Fault Injection Attack) is an active attack means aiming at the chip, makes the chip run in error through a specific attack means or equipment, and analyzes the error phenomenon by utilizing a fault analysis technology to obtain key sensitive information in the chip, thereby causing information leakage. The fault injection attack commonly used for the device such as the chip includes, but is not limited to, voltage interference, clock interference, electromagnetic radiation attack, illumination attack, and the like, so as to interfere with the normal operation of the chip. It should be noted that the purpose of the fault injection attack is to make the attacked chip generate errors in the operation process, steal sensitive information, destroy the function of the chip or reduce the security of the chip. To combat these attacks, corresponding safeguards are required during chip design and manufacturing to improve chip security and robustness.
At present, in the related art, fault injection detection is a detection method based on side channel analysis aiming at a detection mode of a chip, and the state inside the chip is deduced by monitoring a power line, a clock and power consumption on the chip in real time. When an attacker or detector tries to change the behavior of the chip by injecting faults, variations in the chip voltage, clock and power consumption are caused, so that by monitoring these variations it is determined whether the chip is abnormal or not, such as if it is under fault injection attack, and fault location information can be provided. Of course, the fault injection detection method described above may also be implemented based on sensors.
For example, when the chip is tested by voltage, the voltage monitoring method may not be able to effectively detect the voltage waveform changes generated by faults because the voltage monitoring method relies on the voltage waveform changes, but some fault injection attacks may not cause significant voltage waveform changes. In addition, the voltage monitoring method relies on voltage waveform change monitoring due to faults, and accurate measurement and analysis of the difference between a normal voltage waveform and an abnormal voltage waveform are required. However, this approach is at least susceptible to noise and signal interference.
Still another example, when detecting a chip with a clock, since clock monitoring relies on the impact of faults on sequential logic, some attacks may not directly affect sequential logic, or may cause only minor sequential errors, resulting in detection difficulties; in addition, the clock monitoring method requires a stable and accurate clock source and performs accurate analysis of the timing of the chip.
Still another example is to detect a chip with power consumption, since the power consumption analysis detects a fault injection attack by analyzing the difference in power consumption of the chip at normal and abnormal operations, however, some attacks may not cause a significant power consumption change or may cause only a minute power consumption fluctuation, resulting in limited sensitivity of detection; in addition, certain noise is introduced during power consumption acquisition, and the complexity and cost of the test are increased. After the attacker or the detector carries out interference attack, the chip state can be continuously monitored and analyzed to guess the position of the attack point to restore the chip design or steal sensitive data.
In summary, the voltage monitoring method, the clock monitoring method and the power consumption analysis method in the related art are all insensitive to some attack forms when fault injection detection is performed, and have certain limitations. In addition, the deployment of observation points of the detection method depends on simulation means, is influenced by environmental factors, such as detection precision, environmental noise and the like, and needs to perform accurate calibration and data processing. The method is not easy to flexibly realize, accurate monitoring of a full chip or a sensitive design circuit is difficult, and the chip state can still be read continuously after attack so as to predict and analyze.
Based on this, in various embodiments of the present application, the detection device is implemented by using a digital circuit, and is configured as a module independently or in pairs with a specific circuit, and by detecting the change of the digital signal, it is determined whether the chip is attacked, where the circuit implementation structure of the detection device is simple, the occupied area is small, and the detection device can be flexibly deployed in the area to be detected with high security requirements of the chip, such as a memory for storing sensitive information, so as to reduce the production cost, enhance the protection of the circuit, and improve the security of the chip.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a detection device, where the detection device 100 is disposed in a to-be-detected area of a chip (not shown in the drawing), the to-be-detected area is provided with a module that uses a first sequence as an initial sequence and performs transformation according to a first sequence transformation rule, and the detection device 100 includes: a variation detection circuit 11.
The variation detection circuit 11 is connected with the clock port, and is used for receiving the clock signal output by the clock port, converting the clock signal according to a second sequence conversion rule by taking the second sequence as an initial sequence under the condition that the clock signal is changed, and outputting an actual output sequence at least one observation point; if the actual output sequence and the reference output sequence corresponding to the observation point do not meet the preset association relation, obtaining a detection result of abnormality of the chip; the first sequence and the second sequence correspond to the same clock signal, and the first sequence transformation rule is different from the second sequence transformation rule.
In this embodiment of the present application, the preset association relationship may be that an actual output sequence corresponding to the observation point is the same as or identical to a reference output sequence corresponding to the observation point.
In the embodiment of the application, the mutation detection circuit is further used for obtaining a normal detection result of the chip when a preset association relation is not satisfied between an actual output sequence corresponding to the observation point and a reference output sequence corresponding to the observation point.
In this embodiment of the present application, the area to be detected may be any blank area in the chip, and the area to be detected may also be a surrounding blank area of a module with security requirements, where the module with security requirements includes, but is not limited to, a cryptographic operation module, a module storing privacy data, and the like. When an attacker or a detector attacks or detects a module with a security requirement on a chip, the attacker or the detector cannot judge the specific position of the module, cannot accurately control the attack on one or a plurality of transistors, and can only continuously try the attack in each area of the chip. Therefore, by disposing the detection means in a blank area around the module, when an external attack signal or control signal injected into the chip is injected into the detection means, the detection means can detect the external attack signal or control signal.
In the embodiment of the present application, the Clock signal (Clock) is the basis of sequential logic for determining when the state in the logic cell is updated, and is a signal quantity which has a fixed period and is irrelevant to the operation. The clock signal has a fixed clock frequency, which is the inverse of the clock period. In synchronous digital circuits of signals, the clock signal is the high and low states between oscillations of a particular signal of the signal, the use of the signal acts in concert like a metronome, the digital clock signal being essentially a square wave voltage.
In the embodiment of the present application, the application scenario of the detection device may be that the detection device is combined with a sensitive module in a chip, so as to perform targeted fault detection on actual operation of a circuit, such as a state machine or a counter, of the sensitive module having a predetermined sequence conversion rule in the chip; of course, the application scenario of the detection device may also be that the detection device is set independently of each module in the chip, that is, the detection device is randomly distributed at any position of the chip, for example, in a blank area around each module, so as to perform fault detection on the surrounding module with the predetermined sequence transformation rule.
In the embodiment of the application, the setting of the observation point is related to the application scene of the detection device, and if the application scene of the detection device is combined with the sensitive module in the chip, the setting of the observation point is related to the processing completion time of the sensitive module; if the application scenario of the detection device is that the detection device is set independently of each module in the chip, the setting of the observation points can be arbitrary, or can be set based on the protection intensity of the module, for example, if the protection intensity is lower, the time interval between the adjacent observation points is greater than a first interval threshold; if the protection intensity is higher, the time interval between the adjacent observation points is smaller than a second interval threshold value; of course, if the protection intensity is moderate, the time interval between the adjacent observation points is greater than or equal to the second interval threshold and less than or equal to the first interval threshold, where the second interval threshold is less than the first interval threshold.
In this embodiment of the present application, the first sequence and the second sequence may be preset sequences, where the first sequence and the second sequence have the same bit, for example, 4 bits (bit), and the value of each bit may be represented by 0 and 1; the first sequence and the second sequence may be the same, or the first sequence and the second sequence may be different.
In this embodiment of the present application, the first sequence transformation rule and the second sequence transformation rule may be the second sequence transformation rule, and may be one of the following rules: the linear feedback shift register may be one of an LFSR sequence conversion rule, a galois LFSR sequence conversion rule, a gray code sequence conversion rule, a one-hot code sequence conversion rule, a ring count sequence conversion rule, and a johnson count sequence conversion rule.
In this embodiment of the present application, the LFSR sequence transformation rule may be to place the exclusive or result of the lower two bits of the sequence in the upper bit, and shift the rest bits one bit to the right in turn; of course, the LFSR sequence transformation rule may also be to put the exclusive or result of the upper two bits of the sequence in the lower bit and shift the rest of the bits one bit to the left in turn.
In this embodiment of the present application, the galois LFSR sequence transformation rule may be to place the exclusive or result of the most significant bit and the least significant bit of the sequence in the high order, and shift the remaining bits one bit to the right in sequence.
In this embodiment of the present application, the gray code sequence transformation rule may be based on binary codes, starting from the lowest bit, sequentially xoring each bit with one bit on the left, and placing the xored result in the bit; of course, the gray code sequence transformation rule may be based on binary codes, and each bit is xored with one bit on the right side in turn from the most significant bit, and the xored result is set in that bit.
In this embodiment of the present application, the one-hot code sequence transformation rule may be that only one bit of the multiple bits is 1, the other bits are all 0, the lowest bit is located in the high bit, and the rest bits are sequentially shifted to the right; the one-hot code sequence transformation rule may also be that only one bit of the plurality of bits is 1, the other bits are all 0, the highest position is located at the lower position, and the rest bits are sequentially shifted to the left.
In this embodiment of the present application, the transformation rule of the ring count sequence may be that only one bit of the plurality of bits is 1, the other bits are all 0, the lowest bit is located in the high bit, and the rest bits are sequentially shifted to the right.
In this embodiment of the present application, the johnson count sequence transformation rule may be to place the inversion result of the lowest order in the high order and shift the rest of the bits one bit to the right in turn.
In the embodiment of the application, the actual output sequence corresponding to the observation point is the sequence actually output by the mutation detection circuit at the observation point; the reference output sequence corresponding to the observation point is a sequence corresponding to the observation point when normal transformation (without being attacked by signals or other control signals) is carried out according to a second sequence transformation rule by taking the second sequence as an initial sequence; if the detection device is not attacked or otherwise inputted with the control signal, the actual output sequence corresponding to the observation point is the same as the reference output sequence; if the detection device is attacked or other input control signals, the actual output sequence corresponding to the observation point is different from the reference output sequence.
In this embodiment of the present application, after the detection device is turned on, in a case where the module in the determination chip uses the first sequence as an initial sequence and performs conversion according to the first sequence conversion rule, if the clock signal output by the clock port changes in a case where at least one observation point determined based on the usage scenario of the detection device is obtained, the mutation detection circuit uses the second sequence as the initial sequence (the time of the clock signal corresponding to the second sequence is the same as the time of the clock signal corresponding to the first sequence), performs conversion according to the second sequence conversion rule different from the first sequence conversion rule, and outputs the actual output sequence at the first observation point. Then, the mutation detection circuit judges whether the actual output sequence corresponding to the first observation point and the reference output sequence meet the preset association relation or not; and if the actual output sequence corresponding to the first observation point and the reference output sequence meet the preset association relation, obtaining a normal detection result of the chip at the current moment. Further, the mutation detection circuit continuously judges whether the actual output sequence corresponding to the next observation point and the reference output sequence meet the preset association relation or not; if the preset association relation between the actual output sequence corresponding to the next observation point and the reference output sequence is not met, determining that the chip has an abnormal detection result at the current moment, and stopping obtaining the output sequence corresponding to the subsequent observation point.
In one possible scenario, referring to fig. 2, if the chip includes a module (also called an original circuit) that uses a first sequence, such as 0001, as an initial sequence and performs transformation according to a first sequence transformation rule, such as a count rule (0001- >0010- >0011- > 0100), the mutation detection circuit uses a second sequence, such as 1100, as an initial sequence and performs transformation according to a second sequence transformation rule, such as an LFSR sequence transformation rule, or uses a second sequence, such as 0000, as an initial sequence and performs transformation according to a second sequence transformation rule, such as a gray code sequence transformation rule. After determining that the observation point is the moment corresponding to the sequence 0100, as the original circuit and the mutation detection circuit are synchronously turned (belong to the same clock), under normal conditions, when the original circuit is turned 3 times, the sequence of the original circuit is 0100, and when the mutation detection circuit is turned 3 times according to the LFSR sequence conversion rule, the sequence of the mutation detection circuit is 0101; in abnormal situations (attack signals injected by faults or external input control signals), the sequence of the original circuit is 0100 after the original circuit is overturned for 3 times (4 times in fig. 3) due to the attack of the external signals, the actual output sequence output at an observation point after the mutation detection circuit is overturned for 4 times is 1110 instead of 0101 after the original circuit is overturned for 3 times. Then, when the observation point is not attacked or controlled by an external signal, the mutation detection circuit acquires a reference output sequence 0101 which is supposed to be output at the observation point; further, the mutation detection circuit determines whether the actual output sequence 1110 is consistent with the reference output sequence 0101, and if not, it indicates that the chip is attacked or controlled by an external signal. Therefore, the embodiment of the application inserts the detection device into the chip based on the logic implementation differentiation between each module in the chip and the mutation detection circuit, introduces the difference of the turnover results of the two circuits after the injected faults, reduces the failure risk of the monitoring circuit and the verification design, and increases the attack difficulty. The detection device can be widely applied to basic designs such as counters, state machines and the like in chips. The code algorithm chip based on multi-round encryption can be subjected to targeted protection, namely, the logic differentiation between the mutation detection circuit and the original circuit is realized through the logic transformation rule of the differentiation so as to reduce the relevance of the mutation detection circuit and the original circuit.
In some embodiments, the at least one observation point comprises: taking the moment of inputting each data to the module as the starting moment, and determining the corresponding moment after the module finishes processing the data; wherein, the initial time is the same as the time corresponding to the clock signal corresponding to the initial sequence; or taking the clock signals corresponding to the initial sequence as the starting time, and each time corresponding to the first number of clock signals is separated.
In this embodiment of the present application, if an application scenario of the detection device is to combine with a sensitive module in a chip, at least one observation point includes: taking the moment of inputting each data to the sensitive module as the starting moment, and determining the corresponding moment after the sensitive module finishes processing the data; wherein the starting time is the same as the time corresponding to the initial sequence. For example, the sensing module can sensitively design a round function counter for the cryptographic algorithm, and the observation point is the time from the counter to the end of the round function; of course, the sensitive module may also be a storage module, and the observation point is a time after the storage module stores the data, where the observation point is used to determine whether the storage module overflows, and/or the remaining storage space.
In this embodiment of the present application, if an application scenario of the detection device is that each module in the chip is set independently, at least one observation point includes: taking the clock signals corresponding to the initial sequence as starting moments, and taking the moments corresponding to the first number of clock signals at intervals; wherein the starting time is the same as the time corresponding to the initial sequence.
Here, the first number of settings is inversely related to the detection frequency, and the higher the detection frequency, the smaller the first number of settings, and the lower the detection frequency, the larger the first number of settings.
In some embodiments, the mutation detection circuit is further configured to convert the current sequence transformation rule into a third sequence transformation rule when the detection result corresponding to each observation point indicates that the chip is normal; performing transformation processing according to a third sequence transformation rule, and outputting a next actual output sequence at a next observation point;
wherein the third sequence transformation rule is different from the current sequence transformation rule, and the current sequence transformation rule comprises a second sequence transformation rule; the third sequence conversion rule is also different from the first sequence conversion rule.
Wherein the third sequence transformation rule comprises one of a linear feedback shift register LFSR sequence transformation rule, a galois LFSR sequence transformation rule, a gray code sequence transformation rule, a one-hot code sequence transformation rule, a ring count sequence transformation rule, and a johnson count sequence transformation rule.
In the embodiment of the application, the mutation detection circuit uses the second sequence as an initial sequence under the condition that the clock signal is changed, performs transformation according to a second sequence transformation rule, and outputs an actual output sequence at least one observation point; and if the actual output sequence and the reference output sequence corresponding to the observation point meet the preset association relation, obtaining a normal detection result of the chip. Further, after one observation and verification, changing logic of the mutation detection circuit, namely converting the second sequence transformation rule into a third sequence transformation rule different from the second sequence transformation rule; and taking the third sequence as an initial sequence, performing transformation processing according to a third sequence transformation rule, outputting a next actual output sequence at a next observation point, and further judging whether the next actual output sequence corresponding to the next observation point and a reference output sequence corresponding to the next observation point meet a preset association relation or not, thereby obtaining a detection result of the chip. It should be noted that the third sequence may be the same as or different from the second sequence. Therefore, under the condition that the detection result corresponding to each observation point represents that the chip is normal, the current sequence transformation rule is transformed to obtain other sequence transformation rules different from the current sequence transformation rule, and after one-time observation and verification, the logic of the mutation detection circuit is changed, so that the sequence transformation rule is more flexible, namely the monitoring of logic difference is more flexible. The attacker cannot accurately predict the location and manner of the differentiation. Thus, even if an attacker successfully analyzes one attack, the difference is changed in the next attack, and the complexity and success rate of the attack are increased.
In one possible scenario, referring to fig. 3, fig. 3 is a schematic diagram of an operation example of a logic implementation difference of a sequence transformation rule between a mutation detection circuit and a module. Where clk is the clock signal and ori_cnt is the sequence output by the module with the first sequence conversion rule, i.e. the original logic sequence, it can be seen that the counting is done in binary form. The comparison observation point monitored by the first segment is selected as the moment corresponding to the sequence 0100, the current segment counting is finished, and the observation point check_en is pulled high. chk_cnt is a sequence output by the mutation detection circuit with the second sequence conversion rule, namely, a sequence of logic implementation of the mutation detection circuit, and at this time, the mutation detection circuit outputs an actual output sequence 0101 at the observation point. It can be seen that the first stage is implemented by using the LFSR sequence conversion rule, and each shift result is that the lower two-bit exclusive-or result is placed at the higher position, and the rest bits are sequentially shifted to the right by one bit. And after the first comparison is finished, obtaining a normal detection result of the chip. Further, converting the LFSR sequence conversion rule into a Gray code sequence conversion rule, so that the mutation detection circuit converts the Gray code sequence conversion rule to obtain the output of the next monitoring point, and comparing and judging again to determine whether an abnormal detection result exists on the chip; as can be seen from fig. 3, the skew detection circuit uses gray code counting, and the codes of adjacent clock periods are only 1bit different. Therefore, under the condition that the detection result corresponding to each observation point represents that the chip is normal, the current sequence transformation rule is transformed to obtain other sequence transformation rules different from the current sequence transformation rule, and after one-time observation and verification, the logic of the mutation detection circuit is changed, so that the sequence transformation rule is more flexible, namely the monitoring of logic difference is more flexible. The attacker cannot accurately predict the location and manner of the differentiation. Thus, even if an attacker successfully analyzes one attack, the difference is changed in the next attack, and the complexity and success rate of the attack are increased.
In some embodiments, the mutation detection circuit is further configured to receive the first control signal and convert the current sequence transformation rule into a third sequence transformation rule corresponding to the first control signal when the detection result corresponding to each observation point indicates that the chip is normal; performing transformation processing according to a third sequence transformation rule, and outputting a next actual output sequence at a next observation point; the first control signal is a periodic signal or a signal generated based on random number driving.
In the embodiment of the application, the first control signal is used for changing the sequence transformation rule in the variation detection circuit.
The first control signal may be a periodic signal passing through a first number of observation points, so that the plurality of sequence conversion rules are converted according to a first order, where the first order may be an LFSR sequence conversion rule- > a galois LFSR sequence conversion rule- > a gray code sequence conversion rule- > a one-hot code sequence conversion rule- > a ring count sequence conversion rule and a johnson count sequence conversion rule- > an LFSR sequence conversion rule.
Of course, the first control signal may be a signal generated based on random number driving, so that the mutation detection circuit selects a sequence conversion rule specified by the first control signal from a plurality of sequence conversion rules. Illustratively, the number of the remaining sequence transformation rules except the current sequence transformation rule and the first sequence transformation rule in all the sequence transformation rules is a second number S, the number of each sequence transformation rule corresponds to 0 to S-1, the random number is divided by the second number, and each remainder obtained can be in one-to-one correspondence with each sequence transformation rule in the remaining sequence transformation rules.
In the embodiment of the application, the mutation detection circuit uses the second sequence as an initial sequence under the condition that the clock signal is changed, performs transformation according to a second sequence transformation rule, and outputs an actual output sequence at least one observation point; and if the actual output sequence and the reference output sequence corresponding to the observation point meet the preset association relation, obtaining a normal detection result of the chip. Further, the mutation detection circuit receives the first control signal, and decides whether to replace the sequence conversion rule and the sequence conversion rule to be converted based on the first control signal. If the first control signal determines that the sequence conversion rule needs to be replaced, converting the second sequence conversion rule into a third sequence conversion rule corresponding to the first control signal; and taking the third sequence as an initial sequence, performing transformation processing according to a third sequence transformation rule, outputting a next actual output sequence at a next observation point, and further judging whether the next actual output sequence corresponding to the next observation point and a reference output sequence corresponding to the next observation point meet a preset association relation or not, thereby obtaining a detection result of the chip. It should be noted that the third sequence may be the same as or different from the second sequence. Thus, under the condition that the detection result corresponding to each observation point represents that the chip is normal, determining whether to transform the current sequence transformation rule based on the first control signal; therefore, after one-time observation and verification, the logic of the mutation detection circuit is changed through random or periodic transformation, so that the sequence transformation rule is more flexible, namely the logic difference is more flexible to monitor. Thus, by means of irregular modes, an attacker is harder to master the actual logic of the circuit, and the attacker cannot accurately predict the differentiated position and mode. In addition, even if an attacker successfully analyzes one attack, the difference is changed in the next attack, and the complexity and success rate of the attack are increased.
In one possible scenario, with continued reference to fig. 3, the i_sel signal is a first control signal, where the i_sel signal may be a signal generated based on random number driving, or may be a periodic signal; as can be seen from fig. 3, the i_sel signal changes from 01 to 10, which is used to illustrate the transition sequence conversion rule or count logic of the transition detection circuit. After the i_sel signal is received by the mutation detection circuit, the replacement count logic is determined. For example, instead of gray code counting logic monitoring, single hot code counting logic monitoring, ring counter logic monitoring, etc., here, as can be seen from fig. 3, the mutation detection circuit converts LFSR sequence counting into gray code counting, so that the monitoring logic difference is more flexible through such random or periodic conversion. The attacker cannot accurately predict the location and manner of the differentiation. Thus, even if an attacker successfully analyzes one attack, the difference is changed in the next attack, and the complexity and success rate of the attack are increased.
In some embodiments, the sequence includes a plurality of bits, and the mutation detection circuit is further configured to, when the second control signal is received, inversely transform the target bit in the third sequence to obtain a fourth sequence if the clock signal changes, transform the fourth sequence according to a second sequence transformation rule, and output an actual output sequence at least one observation point;
The third sequence is a pre-conversion sequence obtained by conversion according to a second sequence conversion rule when the second control signal is not received by the mutation detection circuit, and the target bit is a bit converted in the sequence when the second control signal is received by the module.
In the embodiment of the present application, the target bit may be any one of a plurality of bits in the sequence.
In this embodiment of the present application, the second control signal may be a fault attack signal externally injected by an attacker, and the second control signal may also be a signal input by a detector.
In the embodiment of the application, if the module in the chip receives the second control signal and if the clock signal changes, the target bit in the fifth sequence is inversely transformed to obtain a sixth sequence, and the sixth sequence is continuously transformed according to the transformation rule of the first sequence; and when the module in the chip does not receive the second control signal, the third sequence is a pre-conversion sequence obtained by conversion according to the conversion rule of the first sequence. Similarly, as the distance between the detection device and the module in the chip is relatively short, the mutation detection circuit in the detection device also receives the second control signal, if the clock signal changes, the target bit in the third sequence is inversely transformed to obtain a fourth sequence, the fourth sequence is transformed according to a second sequence transformation rule, and an actual output sequence is output at least one observation point; the third sequence is a pre-conversion sequence obtained by conversion according to a second sequence conversion rule when the mutation detection circuit does not receive the second control signal. Therefore, the same clock and control signal are adopted for triggering the turnover of the mutation detection circuit and the module, and no extra logic design is adopted; meanwhile, the pre-transformation sequences in the fault attack signal injection or external control signal triggering module and the mutation detection circuit are turned over in the same bit position, and different turning results are brought to different logics in the turning process, so that the observation point can still be compared with the reference output sequence based on different actual output sequences, and the detection result of the attack received by the chip is obtained.
In one possible scenario, with continued reference to fig. 2, the second sequence transformation rule may be an LFSR sequence transformation rule or a gray code sequence transformation rule, where the sequence includes 4 bits, the target bit being the lowest bit, also referred to as the last bit as an example. After determining that the observation point is the moment corresponding to the sequence 0100, at a branch in the diagram, when a module (also called an original circuit) is attacked by fault injection and the pre-transformation sequence (corresponding to the fifth sequence) is 0011, after being attacked by fault injection, the last bit of the pre-transformation sequence 0011 is 1- >0 hopped; specifically, the previous sequence 0010 should be flipped to the pre-transformed sequence 0011, but the last bit of the pre-transformed sequence 0011 is hopped by 1- >0 due to the fault injection attack, so that the previous sequence 0010 is flipped to the sixth sequence 0010. Because the distance between the mutation detection circuit and the original circuit in the chip is generally short, the same jump is likely to occur at the same position when the mutation detection circuit is attacked. As shown in fig. 2, if the check circuit implemented by the differential logic using a different differential sequence conversion rule from the original circuit is attacked at the same time and the same inversion occurs in the same bit, the differential detection circuit using the LFSR sequence conversion rule jumps at the last 1- >0 of the pre-conversion sequence 1011 (corresponding to the third sequence); specifically, the previous sequence 0110 should be flipped to the pre-transformed sequence 1011, but the last bit of the pre-transformed sequence 1011 makes a 1- >0 transition due to the fault injection attack, so that the previous sequence 0110 is flipped to the fourth sequence 1010. Similarly, the mutation detection circuit adopting the gray code sequence transformation rule jumps at the last 1- >0 of the pre-transformation sequence (corresponding to the third sequence) 0011, specifically, the last sequence 0001 should be flipped to the pre-transformation sequence 0011, but the last bit of the pre-transformation sequence 0011 jumps at 1- >0 due to the fault injection attack, so that the last sequence 0001 is flipped to the fourth sequence 0010. And continuing to jump according to the second sequence transformation rule, further, determining whether the actual output sequence corresponding to the observation point is consistent with the reference output sequence by the mutation detection circuit, and if not, indicating that the chip is attacked or controlled by an external signal.
In some embodiments, referring to fig. 4, the detection apparatus 100 further includes: an alarm circuit 12.
The alarm circuit 12 is connected with the mutation detection circuit 11 and is used for receiving the detection result, and when the detection result represents that the chip is abnormal, an alarm is generated.
In this embodiment, the alarm circuit 12 is connected to the mutation detection circuit 11, the mutation detection circuit 11 sends a detection result to the alarm circuit 12, and when the detection result indicates that the chip is abnormal, the alarm circuit 12 generates an alarm. Therefore, when the chip is attacked by external injection or has faults, the alarm circuit sends out a safety alarm signal to prompt the chip system to be attacked, so that the chip enters a safety state according to the alarm signal, such as reset and interruption, and further the safety of the chip is protected, sensitive information is prevented from being leaked, and the external attack is failed.
Referring to fig. 5, fig. 5 shows a schematic structural diagram of a chip, where the chip 200 includes one or more detection devices 100, the detection devices 100 are disposed in a to-be-detected area of the chip 200, the to-be-detected area is provided with a module that uses a first sequence as an initial sequence and performs transformation according to a first sequence transformation rule, and the detection devices 100 include: and a variation detection circuit.
The variation detection circuit is connected with the clock port and is used for receiving the clock signal output by the clock port, taking the second sequence as an initial sequence under the condition that the clock signal is changed, converting according to a second sequence conversion rule, and outputting an actual output sequence at least one observation point; if the actual output sequence and the reference output sequence corresponding to the observation point do not meet the preset association relation, obtaining a detection result of abnormality of the chip; the first sequence and the second sequence correspond to the same clock signal, and the first sequence transformation rule is different from the second sequence transformation rule.
In some embodiments, the detection device may be combined with a sensitive module in the chip, so as to perform targeted fault detection on actual operation of a circuit, such as a state machine or a counter, of the sensitive module having a predetermined sequence conversion rule in the chip. For example, referring to fig. 6A, after the designer identifies any number of sensitive modules, such as sensitive module 1, sensitive module 2, and sensitive module 3, i.e., the sensitive modules that need to be protected, a detection device and an observation point (corresponding to the detection device that appears in a group with the sensitive module in the figure), i.e., detection device 100 that appears in a group with sensitive module 1, detection device 100 that appears in a group with sensitive module 2, and detection device 100 that appears in a group with sensitive module 3, may be added to the sensitive modules. The detection device has a simple design method, adopts the same overturn excitation as the circuit of the sensitive module, and performs periodic response on the same thing without additional logic design.
In some embodiments, the detection devices may be deployed at any location on the chip, and the number and deployment form of the detection devices is determined based on the strength of protection of the chip and the resource consumption of the detection devices.
Here, the detection device may be disposed at any position of the chip, and may perform fault injection detection for any region of the chip. Each detection device operates independently, and any detection device goes wrong, namely, the actual output sequence of the mutation detection circuit in the detection device output at the observation point is different from the corresponding reference output sequence, and an alarm can be generated. Illustratively, referring to fig. 6B, the modules (also called original circuits) and the detecting devices in the chip are arranged randomly in groups at any position (corresponding to the design in which the original circuits and the detecting devices appear in groups) of the chip independently of the modules (such as the module 1, the module 2, the module 3 and the module 4), that is, the detecting devices 100 arranged around the module 1, the detecting devices 100 arranged around the module 2, the detecting devices 100 arranged around the module 3 and the detecting devices 100 arranged around the module 4. Under the application scene, the overturn excitation and overturn adopted by the original circuit and the detection device can be definedLogic, and specify observation points. The comparison result of the monitoring circuit and the module at any observation point is not an expected comparison result, and an alarm signal can be generated. In this application scenario, the number of the detection devices deployed depends on the chip area and the object to be protected, and in principle, there is no number limitation, and only comprehensive consideration needs to be given to the protection strength, the resource consumption, the cost, and the like. For example, referring to fig. 7 and 8, when a plurality of detecting devices are deployed in a chip, the detecting device shown in fig. 7 may be employed The matrix is placed in a certain area, where M-N in fig. 7 may be used to identify an identification number of the detection device 100, such as a serial number or a serial number, and may also be used to identify a location of the detection device 100; of course, when a plurality of detecting devices are deployed in a chip, Q detecting devices 100 may be scattered and randomly distributed at any position in the chip as shown in fig. 8, and randomly mixed with each module, so as to enhance protection of each module, where Q detecting devices 100 in fig. 8 are provided, each detecting device is provided with an identification number such as a serial number or a serial number such as detecting device 1, a detecting device with a serial number 1 such as detecting device 2, a detecting device with a serial number 3 such as detecting device 3, and a detecting device with a serial number Q such as detecting device Q.
From the above, the differential implementation of the detection device and the original circuit provides a strong flexibility. According to the characteristics of different sensitive modules or each module, the logic implementation method can be flexibly selected when the detection device is deployed, and a designer can select insertion after balancing according to protection strength requirements and resource utilization angles.
In some embodiments, referring to fig. 9, the chip may further include a security protection circuit 300, where the security protection circuit 300 is configured to receive one or more detection results, and perform a security protection operation on the chip or a target circuit in the chip when at least one detection result characterizes the chip as having an anomaly, where the security protection operation includes: an alarm is generated to prompt the user to pause the current work to enter an interrupt state to wait for the CPU to process.
In this embodiment of the present application, when the detection result output by any one of the detection devices indicates that the chip has an abnormality, the security protection circuit of the chip is triggered, and a security protection operation is performed on the whole chip, that is, an alarm is generated to prompt a user to suspend the current operation to enter an interrupt state and wait for the central processing unit (Central Processing Unit, CPU) to process, so that the chip enters a security state such as interrupt, etc., preventing sensitive information from leaking, and causing a fault attack to fail.
In this embodiment of the present application, with continued reference to fig. 7 and fig. 8, when the detection result output by any one of the detection devices indicates that there is an abnormality in the chip, the security protection circuit of the chip is triggered, and security protection operation is performed on a part of the modules monitored by the detection device that generates the detection result that there is an abnormality in the chip. Here, the detection result may carry an identifier of the detection device, when the detection device outputs the detection result to the chip, the chip may further determine, according to the identifier of the detection device carried in the detection result, a target detection device outputting an alarm signal, that is, determine a target detection device to which external attack is injected to generate the detection result, further, the chip triggers the security protection circuit to execute security protection operation on a module having a security requirement monitored by the target detection device, or all modules around the target detection device, that is, generate an alarm to prompt a user, suspend the current operation to enter an interrupt state and wait for at least one of CPU processing, so that the module having the security requirement monitored by the target detection device, or all modules around the target detection device enter a security state, prevent sensitive information leakage, fail a fault attack, and other modules in the chip continue to operate.
In some embodiments, the security protection circuit is further configured to generate a third control signal and random data, and input the third control signal and the random data to all or part of the modules of the chip;
and the module is used for deleting the effective data based on the third control signal and flushing the current data by utilizing the random data.
In this embodiment of the present application, the third control signal is used to delete or discard valid data included in all or part of the modules in the chip, and the random data is used to flush valid data in all or part of the modules in the chip.
In the embodiment of the application, when the detection result output by any detection device represents that the chip is abnormal, the safety protection circuit of the chip is triggered, the safety protection circuit generates a third control signal and random data, and the third control signal and the random data are input to all modules or part of modules of the chip; further, all or part of the modules delete the valid data based on the third control signal and flush the current data with the random data, for example, referring to fig. 10, Q modules in the chip are detected, where the Q modules include modules of a sensitive module and a non-sensitive module, each module corresponds to an identification number such as a serial number or a serial number, each module corresponds to a detection device 100 provided with different serial numbers (such as 1, 2,..and Q), an observation point of each detection device is determined, and the detection device outputs a detection result of whether the chip is abnormal at the observation point. Therefore, the detection result of the abnormality of the chip generated by the detection device at any observation point can be captured by the safety protection circuit, and the chip can be triggered to enter an alarm/interrupt state. Sensitive information leakage is prevented, and fault attack is failed. When the attack is successful, the alarm is triggered, all data in the original circuit are discarded by triggering, and the data are flushed by random numbers. Even if the attack is successful, the circuit structure and the sensitive data cannot be predicted by analyzing the attack result.
Next, a detection device provided in the embodiment of the present application will be further described.
In the related art, the voltage monitoring method, the clock monitoring method and the power consumption analysis method are insensitive to some attack forms when fault injection detection is carried out, and have certain limitations. In addition, the deployment of observation points of the detection method depends on simulation means, is influenced by environmental factors, such as detection precision, environmental noise and the like, and needs to perform accurate calibration and data processing. The method is not easy to flexibly realize, accurate monitoring of a full chip or a sensitive design circuit is difficult, and the chip state can still be read continuously after attack so as to predict and analyze.
For the product side
In an application scenario, after a designer identifies any number of sensitive modules, that is, sensitive modules that need to be protected, a detection device and an observation point (detection devices that appear in groups with the sensitive modules in a corresponding diagram) can be added to the sensitive modules. The detection device has a simple design method, adopts the same overturn excitation as the circuit of the sensitive module, and performs periodic response on the same thing without additional logic design. In another application scenario, the original circuits in the chip (corresponding to each module in the chip) and the detection devices are independent of the design itself, and the groups are randomly deployed at any position of the chip (corresponding to the design in which the original circuits and the detection devices appear in groups in the figure). The application scene can define the overturn excitation and overturn logic adopted by the original circuit and the monitoring circuit, and appoint the observation point. The comparison result of the detection device at any observation point and the sensitive module is not an expected comparison result, and an alarm signal can be generated.
It should be noted that the differential implementation of the detection device and the original circuit provides a relatively high flexibility. According to the characteristics of different sensitive designs, the logic implementation method can be flexibly selected when the monitoring circuit is deployed, and a designer can select insertion after the protection strength needs and the resource utilization angle are balanced.
Further, with continued reference to fig. 10, the alarm signal triggered by the verification circuit at any observation point is captured by the acquisition and output module 400 (corresponding to the safety protection circuit described above), and triggers the chip to enter an alarm/interrupt state. Sensitive information leakage is prevented, and fault attack is failed. When the attack is successful, the alarm is triggered, all data in the original circuit are discarded by triggering, and the data are flushed by random numbers. Even if the attack is successful, the circuit structure and the sensitive data cannot be predicted by analyzing the attack result.
For the technical side
The detection device provided by the embodiment of the application can conduct targeted fault detection on the sensitive module, and can also be randomly deployed at any position of the chip for fault detection. Because the direct influence caused by the attack on any position of the chip is the error of the running result of the circuit. Therefore, the embodiment of the application directly detects faults based on the operation result of the circuit. Because of the diversity of logic implementation of the detection device, an attacker cannot predict the difference structure, and effective and accurate attack on various structural circuits is difficult. The successful attack of any position triggers the discarding of the global effective data of the chip, and simultaneously, the current data is randomly flushed. Therefore, the subsequent state after the attack cannot be used as a basis for further analyzing the internal structure of the chip or stealing data.
In one possible implementation scenario, the detection device is combined with the sensitive module in the chip, and the module in the chip is a cryptographic algorithm sensitive module round function counter for example, and in a normal state, the original circuit counter is accumulated in a binary form and controls the cryptographic algorithm round function. When the counter counts to the end time of the round function, the operation result is expected to be output. And adding detection devices which are realized by different logics into the round function counter, and periodically changing during the counting period of the original counter to obtain a corresponding sequence. The counter counts to the point of the data operation, which is selected as the observation point, checks the output sequence of the detection device (corresponding to the actual output sequence), compares the output sequence with the reference sequence (corresponding to the reference output sequence) which is obtained at the point of the observation point when the known accurate jump is performed, and determines that the chip is attacked if the output sequence is inconsistent with the reference sequence. In the multi-stage (corresponding to the above-described plural detection points) operation, at the start of each stage operation, the count logic in the detection device is changed, and the output sequence of the detection device is checked at the observation point of the next stage operation repeatedly. If the verification fails, the original circuit and at least one side of the detection device are attacked by the injection fault, and an alarm is sent out.
Aiming at an application scene of combining the detection device with a sensitive module in the chip, the steps involved in determining whether the chip receives the detection result of the attack include:
the first step: identifying the circuit to be protected (corresponding to the module with the first sequence transformation rule) in the chip can be an important/sensitive circuit, and the circuit to be included includes, for example, but not limited to, a flip circuit of a state machine and/or a circuit with a given jump sequence and an output sequence, such as a counter;
and a second step of: and acquiring trigger conditions of the turnover of the circuit to be protected, such as a state machine and/or a counter. Is suitable for circuits with established behaviors. Here, the trigger condition may be a clock signal or a control signal, including but not limited to an attack signal.
And a third step of: the design of the monitoring circuit (corresponding to the above-mentioned mutation detection circuit) in the detection device.
Here, the flip-flop condition is the same as the second step, and an initial sequence of the corresponding circuit is set. The trigger condition and the initial sequence are set, and the sequence is not in the order.
Fourth step: the design of the flipping behavior (corresponding to the second sequence transformation rule described above).
Here, an LFSR monitoring circuit (corresponding to the above-mentioned mutation detection circuit) in the detection device may be configured such that, each time the trigger condition is satisfied, the exclusive or result of the lower two bits of the sequence is set to the higher bit, and the remaining bits are sequentially shifted to the right by one bit. Of course, another LFSR monitoring circuit in the detecting device may be performed by setting the exclusive or result of the upper two bits of the sequence to the lower bit and shifting the rest bits one bit to the left in sequence each time the trigger condition is satisfied. Of course, the gray code monitoring circuit in the detection device may be configured to exclusive-or each bit with one bit on the left side in order from the lowest bit based on the binary code as the gray code value of the bit each time the trigger condition is satisfied.
Fifth step: monitoring is performed.
Firstly, setting an observation point, wherein the observation point is a specified point in the normal operation process of a circuit to be protected, and can infer the normal overturn value of the monitoring circuit at the point. As shown in fig. 2, the output sequence of the original circuit (corresponding to the above module) is turned over to 0100, and the expected value of the lfsr monitoring circuit (corresponding to the above reference output sequence) is 0101.
Then, the circuit is verified. Because the original circuit and the monitoring circuit are synchronously turned (belonging to the same clock), in normal condition, when the original circuit is turned 3 times, the value of the original circuit is 0100, and when the LFSR detection circuit is turned 3 times, the value of the LFSR detection circuit is 0101; in the abnormal case (fault injection occurs), the value of the original circuit is 0100 after the original circuit is overturned for 3 times (4 times in fig. 3) due to the attack of the fault injection, and the value of the lfsr monitoring circuit is 1110 after the lfsr monitoring circuit is overturned for 4 times, instead of 0101 after the normal expected 3 times of overturned.
With continued reference to fig. 2. The original circuit design counts from 4' b0001 to 4' b0100, and pulls the data valid flag bit high when the count value is 4' b0100, which is selected as the observation point for verification. In the figure, the branch is attacked by fault injection, and the last bit is 1- >0 hopped by impact when the original count value is 4' b 0011. Since the monitoring circuit is generally close to the original circuit in the chip, the same jump is likely to occur at the same position when the monitoring circuit is attacked. As shown in fig. 2, if the check circuit implemented by the differential logic is attacked at the same time and the same bit is turned over, the LFSR monitoring circuit is turned over 1011- >1010, and the gray code monitoring circuit is turned over 0011- > 0010. After the jump is continued, the sequence result at the observation point is different from the preset value, and the alarm can still be given. The figure only shows two logic difference checking circuit implementation methods by way of example, and other logic can be selected according to the number of the logic difference checking circuits or the characteristics of the sensitive circuits.
In another implementation scenario, the original circuit and the monitoring circuit may be arbitrarily or randomly deployed at any location of the chip. The use method is to define the flip trigger condition and the flip logic by taking the inserted original circuit as a reference, so that a group of established sequences can be generated and output in the process of flip. The length and period of the generated sequence may be designed on demand in conjunction with resource consumption. The monitoring circuit is implemented with differentiated logic, i.e. another set of independent sequence outputs is generated. The observation point is selected as a certain designated point in the overturning process of the original circuit and the monitoring circuit. By the design method of the original circuit and the monitoring circuit, the corresponding relation between the output sequences of the original circuit and the monitoring circuit can be deduced at any overturning stage, so that the selection of observation points can be arbitrary. The observation point is used for checking the inserted original circuit and the monitoring circuit, and whether the turnover of the original circuit is normal or not can be detected according to whether the corresponding relation is as expected.
The method for determining whether the chip receives the detection result of the attack or not comprises the following steps of:
the first step: the original circuit design is constructed, and the original circuit flip trigger condition and the flip logic are defined, so that the circuit with known fixed flip behavior is formed. The initial sequence is set so that the original circuit can generate and output a set of predetermined sequences during the flipping process.
And a second step of: the design of the monitoring circuit (corresponding to the mutation detection circuit) has the same flip-flop triggering condition as the step 1; and sets an initial sequence of corresponding circuits. The trigger condition and the initial sequence are set, and the sequence is not in the order.
And a third step of: the design of the flip behavior of the circuit (corresponding to the second sequence transformation rule described above) is monitored.
The monitoring circuit flip behavior is implemented using a logic implementation that is different from the flip logic defined in the original circuit. So that it can generate another set of independent sequence outputs that are distinct from the original circuit. For example: if the original circuit adopts binary counting, the monitoring circuit is realized by adopting an LFSR. Or the original circuit and the monitoring circuit adopt different realization methods with the LFSR. The implementation method is the same as the fourth step of the first application scenario, and will not be described here again.
Fourth step: monitoring is performed. The implementation method is the same as the fifth step of the first application scenario, and will not be described here again.
It should be noted that, since the detection device in this application scenario is independent of the design module, the number of deployments is not limited, and can be comprehensively considered according to the protection strength and the resource consumption. The deployment may employ multiple detection devices as shown in FIG. 7 The matrix is placed in a certain area, and a plurality of detection devices can be scattered and randomly distributed at any position in the chip as shown in fig. 8, and then the detection devices are randomly mixed with the design module, so that the protection of the design is enhanced.It should be noted that the detection modules in the figures all comprise user-defined two-part designs of an original circuit and a monitoring circuit.
For the two application scenarios, after one observation and verification, the logic of the monitoring circuit is changed, if the monitoring circuit adopts LFSR sequence counting during the first monitoring and verification, the monitoring circuit decides whether to replace the counting logic after the first verification is finished. Instead, the logic monitoring of gray code count, the logic monitoring of single hot code count, and the logic monitoring of ring counter … … make the logic difference more flexible by such random or periodic transformation. The attacker cannot accurately predict the location and manner of the differentiation. Thus, even if an attacker successfully analyzes one attack, the difference is changed in the next attack, and the complexity and success rate of the attack are increased. Illustratively, with continued reference to FIG. 3, where ori_cnt is the original logical sequence, it can be seen that counting is done in binary form. The comparison observation point monitored by the first segment is selected as the point in time when ori_cnt is 0100, the current segment counting is finished, and check_en is pulled high. At this time, the output sequence of the monitoring circuit is compared as an observation point. Chk_cnt in the figure is the sequence of monitoring the logic implementation of the circuit. It can be seen that in the first stage, LFSR logic is used to implement the shift result, with the lower two exclusive or result being placed in the higher order, and the remaining bits being shifted right one bit in turn. When the first comparison is completed, i_sel is changed from 2'b01 to 2' b10, which is an indication of the monitoring circuit transition count logic. i_sel may be driven by a random number or may be derived from a periodic signal. It can be seen that in the second segment of the count, the monitoring circuit uses gray code counting, and the codes of adjacent clock cycles are only different by one bit.
It should be noted that, the detection device provided in the embodiment of the application not only can be applied to chip fault injection protection, but also can be applied to other fields with high stability and high safety requirements such as spacecrafts, medical equipment, financial systems and the like. The method is used for checking and diagnosing the problems of random failure, human error, equipment failure and the like.
From the above, it can be seen that the detection device provided in the embodiment of the present application does not rely on side channel information analysis, and can directly monitor and verify the result of the sensitive circuit in a targeted manner, and also can be used as an independent fault detection module to be deployed randomly. The method is simple to realize and can be flexibly deployed at any position of the chip. Meanwhile, the relevance between the original circuit and the monitoring circuit is reduced by utilizing the logic realization difference, so that the detection circuit has higher reliability and robustness. Further, the monitoring circuit realizes dynamic differentiation, so that logic realization difference is flexible and unpredictable, and difficulty and complexity of attack are increased. Finally, the current data triggered by the alarm after the attack is successful is emptied and the sensitive information is protected by random flushing, so that the analysis difficulty of fault injection attack by an attacker is increased, and the safety of the chip is improved.
It should be appreciated that reference throughout this specification to "one embodiment" or "an embodiment of the present application" or "the foregoing embodiments" or "some implementations" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" or "an embodiment of the present application" or "the foregoing embodiment" or "some embodiments" or "some implementations" in various places throughout this specification are not necessarily referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. It should be understood that, in various embodiments of the present application, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present application. The embodiment numbers are merely for the purpose of description and do not represent the advantages or disadvantages of the embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above described device embodiments are only illustrative, e.g. the division of units is only one logical function division, and there may be other divisions in actual implementation, such as: multiple units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. In addition, the various components shown or discussed may be coupled or directly coupled or communicatively coupled to each other via some interface, whether indirectly coupled or communicatively coupled to devices or units, whether electrically, mechanically, or otherwise.
The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units; can be located in one place or distributed to a plurality of network units; some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may be separately used as one unit, or two or more units may be integrated in one unit; the integrated units may be implemented in hardware or in hardware plus software functional units.
The features disclosed in the several method or apparatus embodiments provided in the present application may be arbitrarily combined without conflict to obtain new method embodiments or apparatus embodiments.
The foregoing is merely an embodiment of the present application, but the protection scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered in the protection scope of the present application.

Claims (11)

1. The utility model provides a detection device, its characterized in that, detection device sets up the area of waiting of chip, wait to detect the area and be provided with and regard first sequence as initial sequence, change the module of rule according to first sequence, detection device includes: a variation detection circuit, wherein,
the change detection circuit is connected with the clock port and is used for receiving the clock signal output by the clock port, converting the clock signal by taking the second sequence as an initial sequence according to a second sequence conversion rule under the condition that the clock signal is changed, and outputting an actual output sequence at least one observation point; wherein the first sequence and the second sequence correspond to the same clock signal, and the first sequence transformation rule is different from the second sequence transformation rule;
obtaining an actual output sequence of the module and an actual output sequence of the mutation detection circuit under the observation point;
if the actual output sequence of the module and the actual output sequence of the mutation detection circuit do not meet the preset corresponding relation, obtaining a detection result of abnormality of the chip; the preset corresponding relation is that expected output sequences in an expected output sequence set of the module and expected output sequences in an expected output sequence set of the mutation detection circuit have a one-to-one corresponding relation.
2. The detection apparatus according to claim 1, wherein the second sequence conversion rule includes one of a linear feedback shift register LFSR sequence conversion rule, a galois LFSR sequence conversion rule, a gray code sequence conversion rule, a one-hot code sequence conversion rule, a ring count sequence conversion rule, and a johnson count sequence conversion rule.
3. The detection apparatus according to claim 1, wherein the at least one observation point comprises: taking the moment of inputting each data to the module as the starting moment, and determining the corresponding moment after the module finishes processing the data; or taking the clock signals corresponding to the initial sequence as starting moments, and taking the moments corresponding to the first number of clock signals at intervals; wherein the starting time is the same as the time corresponding to the initial sequence.
4. A test device according to any one of claims 1 to 3,
the mutation detection circuit is further used for converting the current sequence transformation rule into a third sequence transformation rule under the condition that the detection result corresponding to each observation point represents that the chip is normal; performing transformation processing according to the third sequence transformation rule, and outputting a next actual output sequence at a next observation point;
Wherein the third sequence transformation rule is different from the current sequence transformation rule, the current sequence transformation rule including the second sequence transformation rule;
wherein the third sequence transformation rule comprises one of a Linear Feedback Shift Register (LFSR) sequence transformation rule, a Galois LFSR sequence transformation rule, a Gray code sequence transformation rule, a one-hot code sequence transformation rule, a ring count sequence transformation rule and a Johnson count sequence transformation rule.
5. The detecting device according to claim 4, wherein,
the mutation detection circuit is further configured to receive a first control signal and convert the current sequence transformation rule into a third sequence transformation rule corresponding to the first control signal when the detection result corresponding to each observation point indicates that the chip is normal; performing transformation processing according to the third sequence transformation rule, and outputting a next actual output sequence at a next observation point; the first control signal is a periodic signal or a signal generated based on random number driving.
6. A detection device according to any one of claims 1 to 3, wherein the sequence comprises a plurality of bits, and the mutation detection circuit is further configured to, when receiving a second control signal, if the clock signal changes, inversely transform a target bit in a third sequence to obtain a fourth sequence, transform the fourth sequence according to the second sequence transformation rule, and output the actual output sequence at the at least one observation point;
And the third sequence is a pre-conversion sequence obtained by conversion according to the second sequence conversion rule when the second control signal is not received by the mutation detection circuit, and the target bit is a bit converted in the sequence when the second control signal is received by the module.
7. A test device according to any one of claims 1 to 3, further comprising: and the alarm circuit is connected with the mutation detection circuit and is used for receiving the detection result and generating an alarm when the detection result represents that the chip is abnormal.
8. A chip comprising one or more detection devices according to any one of claims 1 to 7.
9. The chip of claim 8, wherein the number and deployment form of the detection devices is determined based on the strength of protection of the chip and the resource consumption of the detection devices.
10. The chip of claim 8 or 9, wherein the chip comprises a security protection circuit for receiving one or more detection results, performing a security protection operation on the chip or a target circuit in the chip when at least one detection result characterizes the chip as having an anomaly, wherein the security protection operation comprises: an alarm is generated to prompt the user to pause the current work to enter an interrupt state to wait for the CPU to process.
11. The chip according to claim 8 or 9, characterized in that the chip comprises a safety protection circuit for generating a third control signal and random data and inputting the third control signal and random data to all or part of the modules of the chip, deleting valid data based on the third control signal and flushing current data with the random data.
CN202410045093.3A 2024-01-12 2024-01-12 Detection device and chip Active CN117560232B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410045093.3A CN117560232B (en) 2024-01-12 2024-01-12 Detection device and chip

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410045093.3A CN117560232B (en) 2024-01-12 2024-01-12 Detection device and chip

Publications (2)

Publication Number Publication Date
CN117560232A CN117560232A (en) 2024-02-13
CN117560232B true CN117560232B (en) 2024-04-02

Family

ID=89813335

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410045093.3A Active CN117560232B (en) 2024-01-12 2024-01-12 Detection device and chip

Country Status (1)

Country Link
CN (1) CN117560232B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2010117316A (en) * 2008-11-14 2010-05-27 Kyocera Mita Corp Circuit inspection device
CN112100960A (en) * 2020-11-19 2020-12-18 北京智芯微电子科技有限公司 Method for dynamically detecting voltage drop in FPGA chip and FPGA chip
WO2021091217A1 (en) * 2019-11-04 2021-05-14 한양대학교 산학협력단 Detection method and apparatus
CN114092503A (en) * 2020-08-24 2022-02-25 华为技术有限公司 Detection circuit, chip and electronic equipment
CN114996257A (en) * 2022-06-20 2022-09-02 深圳前海微众银行股份有限公司 Data amount abnormality detection method, device, medium, and program product
CN115598505A (en) * 2022-10-25 2023-01-13 北京物芯科技有限责任公司(Cn) Chip detection method, device, equipment and storage medium
CN116048459A (en) * 2022-12-06 2023-05-02 苏州联芸科技有限公司 Random sequence generating device and random sequence generating method
CN117254929A (en) * 2023-07-18 2023-12-19 深圳市纽创信安科技开发有限公司 Detection device and chip

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3999877A2 (en) * 2019-07-15 2022-05-25 Blackmore Sensors & Analytics, LLC System for sidelobe suppression in phase encoded doppler lidar

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2010117316A (en) * 2008-11-14 2010-05-27 Kyocera Mita Corp Circuit inspection device
WO2021091217A1 (en) * 2019-11-04 2021-05-14 한양대학교 산학협력단 Detection method and apparatus
CN114092503A (en) * 2020-08-24 2022-02-25 华为技术有限公司 Detection circuit, chip and electronic equipment
CN112100960A (en) * 2020-11-19 2020-12-18 北京智芯微电子科技有限公司 Method for dynamically detecting voltage drop in FPGA chip and FPGA chip
CN114996257A (en) * 2022-06-20 2022-09-02 深圳前海微众银行股份有限公司 Data amount abnormality detection method, device, medium, and program product
CN115598505A (en) * 2022-10-25 2023-01-13 北京物芯科技有限责任公司(Cn) Chip detection method, device, equipment and storage medium
CN116048459A (en) * 2022-12-06 2023-05-02 苏州联芸科技有限公司 Random sequence generating device and random sequence generating method
CN117254929A (en) * 2023-07-18 2023-12-19 深圳市纽创信安科技开发有限公司 Detection device and chip

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
双向全桥DC-DC变换器故障智能检测系统设计;张晨;凌跃胜;;现代电子技术;20180227(05);第152-156页 *
基于FPGA的数字序列检测系统的建模与仿真;唐敏;;装备制造技术;20200315(03);第99-102页 *

Also Published As

Publication number Publication date
CN117560232A (en) 2024-02-13

Similar Documents

Publication Publication Date Title
CN108028757B (en) Embedded test circuit for physical unclonable function
CN103425942B (en) The tampering detection device of security module
Da Rolt et al. Test versus security: Past and present
Chakraborty et al. Hardware Trojan: Threats and emerging solutions
EP3503466B1 (en) Countermeasures to frequency alteration attacks on ring oscillator based physical unclonable functions
US10361873B2 (en) Test point-enhanced hardware security
KR20170098729A (en) Method of testing the resistance of a circuit to a side channel analysis
CN103513955B (en) Method and apparatus for generating random number
CN108073831B (en) Method for detecting working state of safety chip and detection circuit
CN111027270A (en) Method and circuit for credible design of integrated circuit design flow
Hussain et al. BIST-PUF: Online, hardware-based evaluation of physically unclonable circuit identifiers
CN117254929A (en) Detection device and chip
Feiten et al. # SAT-based vulnerability analysis of security components—A case study
US20010004123A1 (en) Semiconductor integrated circuit having diagnosis function
EP3502869B1 (en) Interference detecting ring oscillators
US9836280B2 (en) Arrangement and method for checking the entropy of a random number sequence
Wang et al. Test generation for combinational hardware Trojans
US7093174B2 (en) Tester channel count reduction using observe logic and pattern generator
CN117560232B (en) Detection device and chip
CN103514080B (en) Method for the output for monitoring random generator
Yang et al. Side-channel analysis for hardware Trojan detection using machine learning
Zhao et al. Applying chaos theory for runtime hardware Trojan detection
US10853485B2 (en) Intrusion detection for integrated circuits
US9506983B2 (en) Chip authentication using scan chains
CN111800272B (en) Reliability self-checking circuit and method for RO PUF output response

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant