Minimal Witnesses for Security Weaknesses in Reconfigurable Scan Networks

Reconfigurable Scan Networks (RSNs) allow flexible access to embedded instruments for post-silicon validation and debug or diagnosis. However, the increased observability and controllability can be exploited by an attacker to manipulate or read out sensitive data, if no adequate precautions are taken by the designer. For large RSNs taking those precautions without algorithmic support is virtually impossible. This work proposes a method to automatically generate “minimal witnesses” demonstrating security weaknesses w.r.t. data flow in RSNs. The method provides condensed information to the designer on how to prevent data flow attacks, e.g. by locally modifying the RSN or by preventing active scan paths which contain those minimal witnesses. Experimental results confirm the applicability of the proposed method to diverse benchmark sets, including large designs. Additionally, the benefit of generating “minimal witnesses” for security weaknesses is shown.