Patent Grant
8901954
The invention is related to integrated circuits including security critical circuit components and integrated circuits processing or storing secret information.
In security critical integrated circuits, some security countermeasures are implemented to provide safety of the critical information against some analysis and attack techniques aimed to obtain the information in an unauthorized way. Active shield is a countermeasure providing security against some attacks depending on physically monitoring or manipulating the integrated circuit from outside. These attack techniques include probing the critical information by making connections to the metal lines of the integrated circuit, faulting the integrated circuit by forcing from these outside connections and changing the connections of the internal metal lines permanently by using FIB (Focused Ion Beam).
In active shield method, the whole surface of the integrated circuit is covered by metal lines on the top metal layer. A transmitter circuitry which supplies a test data to the metal lines covering the whole chip and a number of receiver circuitries which compare the test data received from the top layer metal lines with the original test data received from the transmitter internally are added to integrated circuit. According to the result of the comparison, these receiver circuitries verify the integrity of the top layer metal lines. Since any physical attack will disturb the integrity of the top layer metal lines by making them open or short circuit, the receiver circuitries do not receive the correct test data pattern from the top layer metal lines, thus detect the physical attack.
It is believed that the references; US 2009/0024890 A1, US 2008/0244749 A1, US 2008/0150574 A1, US 2005/0092848 A1 and US 2003/0132777 A1 provide sufficient information on the background of the active shield method. In reference document US 2005/0092848 A1, a way of implementing the active shield method without requiring an additional metal layer is introduced and in reference documents US 2009/0024890 A1 and US 2008/0150574 A1, improvements are aimed to reduce the power consumption due to active shield. The reference US 2008/0244749 A1 introduces some improvements mainly on the detection circuitry part of the active shield method, not on the protection of the top metal layer shield itself.
Although being used in integrated circuits to detect any physical attack, active shield itself has still vulnerability against physical modification. Since the top layer metal lines of the active shield have fixed interconnections, it is possible to make shortcut connections between the lines and remove the parts covering the whole integrated circuit or a part of it, to perform the actual attack without being detected by the active shield. Some improvements can be made to decrease the vulnerability of the active shield to physical modification, like randomization of the connections of the top layer metal lines and increasing the number of receiver circuitries, however it is not possible to prevent the vulnerability completely.
In reference document US 2003/013277 A1, a novel countermeasure against physical modification on the active shield is introduced. A capacitive measurement between the top layer metal lines of the active shield is performed along with the verification of the test data, to check whether the top layer metal lines are integral in their actual shapes. However, since the mentioned capacitive measurement between the top layer metal lines cannot be performed precisely, it is still possible for an attacker to perform partial physical modifications on the active shield while still satisfying sufficient capacitive coupling between the top layer metal lines.
It is aimed to prevent the vulnerability caused by the fixed interconnections of the top layer metal lines by introducing a method using electrically configurable interconnections. Using electrically configurable interconnections provides the opportunity to select from more than one interconnection scheme during the operation of the integrated circuit. This dynamic configurability of the invention introduces a precise self integrity checking mechanism to the active shield method. Thus, it is prevented to bypass and remove the metal lines of the active shield by making fixed shortcut connections between them.
An integrated circuit (1) having an active shield according to the invention is illustrated in
The transmitter (7) transmits a test data, which is usually a random data, along with a select signal (11) used to determine which interconnection configuration (9 and 10) is selected by electrically controllable switching circuits (5). The receivers (8) receive the test data from the bit lines and reorder the bits of the data received according to the select signal (11) produced by the transmitter (7). The receivers (8) also receive the same test data from the transmitter (7) through internal data buses (12) arranged in lower layer conductive lines. Then, the receivers (8) compare the test data received from the bit lines with the actual test data received from the internal data buses (12), thus verify the integrity of upper layer conductive lines (2) of the active shield. Generally, the internal data buses (12) carrying the actual test data and the conductive lines carrying the select signal (11) from the transmitter (7) to the receivers (8), and the transmitter (7) and the receivers (8) themselves are arranged as a part of the integrated circuit (1) such as distributed within the whole layout and not easily recognizable for the sake of security. Thanks to the electrically controllable switching circuits used to construct different interconnection configurations (9 and 10), the active shield according to the invention, verifies the test data received from the bit lines with the actual test data for detection of the physical attacks focused on the integrated circuit (1), while providing the ability to detect any fixed modification made on the upper layer conductive lines (2) aimed to bypass the shielding pattern and remove at least a part of it. In order to satisfy the latter purpose, the transmitter (7) changes the selected interconnection configuration (9 and 10) during the operation of the integrated circuit (1) by changing the select signal (11) regularly or randomly. Thus, any fixed physical modification on the upper layer conductive lines (2) leads to an error in the verification of the test data.
| Number | Date | Country | Kind |
|---|---|---|---|
| 2011 11432 | Nov 2011 | TR | national |
| Filing Document | Filing Date | Country | Kind | 371c Date |
|---|---|---|---|---|
| PCT/IB2012/056509 | 11/16/2012 | WO | 00 | 2/13/2014 |
| Publishing Document | Publishing Date | Country | Kind |
|---|---|---|---|
| WO2013/072897 | 5/23/2013 | WO | A |
| Number | Name | Date | Kind |
|---|---|---|---|
| 6496119 | Otterstedt et al. | Dec 2002 | B1 |
| 6798234 | Laackmann et al. | Sep 2004 | B2 |
| 7042752 | Okuda | May 2006 | B2 |
| 7352203 | Ziomek | Apr 2008 | B1 |
| 7535744 | Okuda | May 2009 | B2 |
| 7622944 | Ziomek | Nov 2009 | B2 |
| 7982488 | Nirschl et al. | Jul 2011 | B2 |
| 20030132777 | Laackmann et al. | Jul 2003 | A1 |
| 20070189055 | Okuda | Aug 2007 | A1 |
| 20080031031 | Okuda | Feb 2008 | A1 |
| 20080150574 | Ziomek | Jun 2008 | A1 |
| 20100301896 | Nirschl et al. | Dec 2010 | A1 |
| Number | Date | Country |
|---|---|---|
| 0268882 | Jun 1988 | EP |
| 1538666 | Jun 2005 | EP |
| Number | Date | Country | |
|---|---|---|---|
| 20140191781 A1 | Jul 2014 | US |
