A Learning-based Approach to Secure JTAG against Unseen Scan-based Attacks

Xuanle Ren\textsuperscript{1,2}, R. D. (Shawn) Blanton\textsuperscript{2}, and Vítor Grade Tavares\textsuperscript{1}

\textsuperscript{1}INESC TEC and Faculty of Engineering, University of Porto, Porto, Portugal
\textsuperscript{2}Department of Electrical and Computer Engineering, Carnegie Mellon University, Pittsburgh, PA, USA

Abstract—Security is becoming an essential problem for integrated circuits (ICs). Various attacks, such as reverse engineering and dumping on-chip data, have been reported to undermine IC security. IEEE 1149.1, also known as JTAG, is primarily used for IC manufacturing test but inevitably provides a "backdoor" that can be exploited to attack ICs. Encryption has been used extensively as an effective means to protect ICs through authentication, but a few weaknesses persist, such as key leakage. Signature-based techniques ensure security using a database of known attacks, but fail to detect attacks that are not contained in the database. To overcome these drawbacks, a two-layer learning-based protection scheme is proposed. Specifically, the scheme monitors the execution of JTAG instructions and uses support vector machines (SVM) to identify abnormal instruction sequences. The use of machine learning enables the detection of unseen attacks without the need for key-based authentication. Experiments based on the OpenSPARC T2 platform demonstrate that the proposed scheme improves the accuracy of detecting unseen attacks by 50% on average when compared to previous work.

I. INTRODUCTION

Security is becoming a central problem for integrated circuits (ICs). Among the potential attacks, scan-based attacks are performed through the standard test access port and the boundary-scan architecture defined by IEEE 1149.1 (also known as JTAG). Scan-based attacks are among the most commonly exploited methods for two main reasons [1]–[3]. First, JTAG is widely used as an interface for manufacturing test and in-field debugging in modern ICs [4], so a test access port is easy to find on most chips. Second, JTAG provides powerful features for accessing on-chip data, such as firmware and on-chip memory. For example, the OpenSPARC T2 benchmark [5] has more than ten debugging functions accessible through the JTAG, e.g., L2 cache r/w, memory built-in self-test (MBIST), shadow scan, direct memory observation, etc. All these functions are undocumented, that is, unauthorized users do not know which JTAG functions are implemented or how they are operated. In [6], an attack flow is described for reverse engineering undocumented JTAG functions within the OpenSPARC T2.

Attackers may have different levels of access to the IC and thus may employ different types of attacks, e.g., analyzing power consumption and/or electromagnetic emanation, influencing the IC fabrication process, modifying the communication within the IC, etc. In this paper, it is assumed that the attacker can only access the JTAG ports. Although some attackers with greater levels of access are able to utilize more powerful tools, it is still reasonable to assume that the JTAG port is an essential conduit for accessing the IC [1], [2].

Various approaches have been proposed to protect the JTAG from being misused, including disabling the JTAG before shipping the IC to customers [7], obfuscating the JTAG outputs [8], etc. The disadvantages, however, include hampering in-field debugging and/or limiting JTAG use to public functions. Protecting the JTAG with plain-text passwords or more complex cryptographic protocols is deemed more secure since user authentication is required [9]–[15]. However, it modifies IEEE 1149.1 through the addition of lock/unlock commands, and suffers from the problem of password leakage.

To protect the private JTAG functions and also to overcome the drawbacks of the encryption techniques, detecting attacks by monitoring user behavior is becoming a promising approach [6], [16]–[18]. One example is signature detection, which attempts to identify events that misuse the system by creating models of attacks (called signatures); knowledge of normal events is therefore not required [16]. Observed behavior that matches any of the signatures is labeled as an attack. However, the effectiveness of a signature detector strongly relies on the completeness of the attack models. Anomaly detection, on the other hand, creates models of normal use and detects operations that do not conform. An anomaly detector can be built from either finite state machines [17] or probabilistic models (e.g., a Markov chain [18]). A finite state machine labels all deviations as attacks, while a probabilistic model assigns the user behavior a probability rather than a yes-no decision. However, for both models, variance in normal operation leads to a high false positive rate. The third approach is learning-based models that detect attacks using a classifier. In [6], a decision tree is learned from normal operation and various attack strategies. However, JTAG security is still threatened by novel or unseen attacks that either target a different IC component or exploit a new strategy never encountered before by the classifier.

In this paper, a two-layer learning-based protection scheme is proposed. The scheme mitigates the problem of unseen scan-based attacks and tolerates variance in normal operation. Layer-I applies a basic check that verifies whether basic rules of JTAG operation are violated. Layer-II labels the user behavior (i.e., the sequence of opcodes) as normal or attack using a support vector machine (SVM) classifier. The user behavior of operating the JTAG is initially examined by layer-I, and then examined by layer-II only if it passes layer-I. Experiments based on the OpenSPARC T2 demonstrate a detection improvement for unseen scan-based attacks of 50% on average when compared to previous work. However, the capability to detect new attacks is difficult to verify comprehensively since different types of attacks are always arising. In the experiments, a known attack is treated as unseen by excluding it from classifier training. The experiments therefore provide a preliminary evaluation of the capability to detect new scan-based attacks.

The rest of this paper is organized as follows. Section II describes the two-layer protection scheme. In Section III, the hardware architecture of the protection scheme is presented and its overhead is estimated. Section IV compares the performance of the scheme with previous approaches. Section V discusses the limitations of the two-layer protection scheme. Finally, Section VI concludes the paper.

II. TWO-LAYER PROTECTION SCHEME

As assumed, the attacker can supply inputs and observe the corresponding outputs via the JTAG ports. In addition, the attacker may apply attacks that are not known by the protection scheme. The proposed approach employs a hierarchical scheme that comprises two layers of protection (Figure 1). The user behavior is initially examined by layer-I, and then examined by layer-II only if it passes layer-I.

A. Layer-I: Basic Check

Basic check is intended to detect attackers that violate the basic rules of JTAG operation. An attacker that knows little to nothing about the IC may operate the JTAG in a manner that substantially differs from normal users. The basic check can block the obvious attacks, including the use of an illegal opcode and/or incorrect length of read/write data. Illegal opcode refers to the bits loaded into the instruction register (IR) that do not correspond to any valid JTAG function. An \( n \)-bit IR means that at most \( 2^n \) opcodes are available. However, usually only a subset of all the possible opcodes correspond to valid JTAG functions, while others remain unused and are thus considered illegal. The illegal opcodes cannot control or observe any internal signal of the IC, and therefore will not be used by an authorized user. The second misuse involves invoking an incorrect length of read/write data. Specifically, most legal opcodes utilize a data register (DR) in order to perform their functions, and an authorized user should read/write the same length of data as required by the DR. For example, to access on-chip memory, a JTAG opcode for loading the memory address is necessary. However, if an attacker is not aware of the address length, then the length of the supplied input might differ from the correct one.

Both of these misuses can be easily avoided by an authorized user, but not by a user with no prior knowledge. If either misuse is detected, then the user is labeled as an attacker immediately; otherwise, layer-II is invoked.
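The two layer-I rules above can be expressed as a small monitor over the TAP event stream. The following is an added example, not the paper's implementation: the instruction table (opcode values and data-register widths) is a constructed stand-in and is not taken from the OpenSPARC T2 design; only the 8-bit instruction register width and the all-ones BYPASS encoding required by IEEE 1149.1 are facts from the paper and the standard.

```python
"""Layer-I basic check over a JTAG session: illegal opcodes and wrong DR lengths.

Added example, not the paper's implementation. The instruction table is a
constructed stand-in: these opcode values and data-register widths are
assumed for illustration and are not taken from the OpenSPARC T2 design."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

IR_BITS = 8  # the OpenSPARC T2 has an 8-bit instruction register (m = 8 in Section III)

# Constructed table: opcode -> (name, DR length in bits that the instruction expects).
LEGAL_INSTRUCTIONS = {
    0x00: ("IDCODE", 32),
    0x05: ("MBIST_BYPASS", 1),
    0x06: ("MBIST_MODE", 4),
    0x07: ("MBIST_START", 1),
    0x08: ("MBIST_RESULT", 16),
    0x12: ("MEM_ADDR_LOAD", 40),   # assumed address width
    0x13: ("MEM_DATA_READ", 64),
    0xFF: ("BYPASS", 1),           # all-ones is the mandatory IEEE 1149.1 BYPASS encoding
}


@dataclass(frozen=True)
class TapEvent:
    """One instruction as the monitor sees it: the IR value loaded and how many
    bits were then shifted through the selected data register."""
    opcode: int
    dr_bits: int


def check_event(ev: TapEvent) -> Optional[str]:
    """Return a description of the violation, or None if the event passes layer-I."""
    if not 0 <= ev.opcode < (1 << IR_BITS):
        return f"opcode 0x{ev.opcode:X} does not fit a {IR_BITS}-bit IR"
    entry = LEGAL_INSTRUCTIONS.get(ev.opcode)
    if entry is None:
        # Unused encoding: it controls and observes nothing, so no authorized user loads it.
        return f"illegal opcode 0x{ev.opcode:02X}"
    name, width = entry
    if ev.dr_bits != width:
        # e.g. an attacker guessing the address length behind MEM_ADDR_LOAD
        return f"{name}: shifted {ev.dr_bits} DR bits, expected {width}"
    return None


def layer_one(trace: Sequence[TapEvent]) -> Tuple[bool, List[str]]:
    """Label a session. The paper labels the user an attacker on the first
    violation; all violations are collected here so the log is useful."""
    violations = [v for v in (check_event(e) for e in trace) if v is not None]
    return (len(violations) == 0, violations)


# Constructed sample sessions.
NORMAL_TRACE = [  # a documented MBIST run followed by a memory read
    TapEvent(0x05, 1), TapEvent(0x06, 4), TapEvent(0x07, 1), TapEvent(0x08, 16),
    TapEvent(0x12, 40), TapEvent(0x13, 64), TapEvent(0xFF, 1),
]
ATTACK_TRACE = [  # probing: an unused encoding, then a 32-bit guess at a 40-bit address
    TapEvent(0x00, 32), TapEvent(0x3C, 8), TapEvent(0x12, 32), TapEvent(0x13, 64),
]

if __name__ == "__main__":
    for name, trace in [("normal", NORMAL_TRACE), ("attack", ATTACK_TRACE)]:
        passed, why = layer_one(trace)
        print(name, "-> pass to layer-II" if passed else f"blocked: {why}")
```

Note that both rules are only as good as the instruction table: a DR whose length depends on a mode bit, or an opcode alias the table omits, turns into false positives against legitimate users, which is why the paper reserves layer-I for the unambiguous cases and hands everything else to layer-II.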

B. Layer-II: SVM Classification

1) Opcode Sequence: The misuses examined by layer-I might be avoided by an attacker with prior knowledge of the specific JTAG. In layer-II, the sequential order of JTAG instructions is considered because it better characterizes the behavior of a user. Specifically, a sequence of \( n \) instructions (i.e., the opcode sequence) is a behavioral pattern of the user utilized for identifying an attacker.

For the OpenSPARC T2 [5], an individual JTAG operation is usually achieved by a sequence of specific instructions. For example, the memory built-in self-test (MBIST) operation is performed by the instruction sequence MBIST_BYPASS, MBIST_MODE, MBIST_START and MBIST_RESULT. Another observation is that the opcode sequence length varies across operations, which makes it challenging to identify the starting point and the ending point of an operation in real time. In this work, the opcode sequence length, denoted by \( n \), is set to a fixed value, and the value chosen for \( n \) is determined empirically from experiments.

Finally, the opcode sequences of the OpenSPARC T2 are extracted from both normal operation and attacks in an overlapping manner using a fixed-size sliding window.

2) SVM Classification: The extracted opcode sequences \((n=4)\) are visualized in a two-dimensional space using principal component analysis (PCA) [19], as shown in Figure 2. Specifically, the opcode sequences are "rescaled" in a space whose basis is a set of linearly uncorrelated variables (called principal components). The \( x \)-axis and \( y \)-axis represent the "scale" in terms of the first and the second principal components, respectively. Figure 2 shows that normal operation and attacks not only have a non-linear boundary, but also have overlapping regions. To learn the non-linear boundary, a support vector machine (SVM) is used.

A support vector machine (SVM) is a supervised learning model used for classification. In classification, given a set of samples, each belonging to one out of two classes, a classifier based on these samples (called the training process) is constructed and later used to predict which class a new sample belongs to. In this work, a set of opcode sequences, labeled either normal or attack, are used to train an SVM classifier. In real time, each opcode and the previous \((n-1)\)
The slack variable allows a training sample to lie inside the margin, or on the wrong side of the decision boundary, at a penalty; this is what makes training possible when the two classes overlap as they do in Figure 2. The prediction of the SVM is given by

\[ y(x) = \text{sgn} \left( \sum_{n \in S} a_n t_n k(x, x_n) + b \right) \]

where \( S \) is the set of indices of the support vectors, \( a_n \) are the Lagrange multipliers, \( t_n \in \{-1, +1\} \) is the label of the \( n \)-th support vector, \( b \) is the bias, and \( k(x, x') \) is the kernel function. The kernel function implicitly maps the input data into a higher-dimensional space where the data may be more easily separable.

A one-class SVM is a learning algorithm for novelty detection that is trained on samples of a single class [21]. The principle of a one-class SVM is to capture the regions of the input space where samples form high-density clusters, as shown in Figure 3(b). The capability of detecting unseen scan-based attacks will be evaluated for both a one-class and a two-class SVM. In addition, other learning algorithms, including a neural network and k-nearest-neighbors, are evaluated.

3) Delayed Labeling: Since the overlap in Figure 2 may cause false positives and/or false negatives, behavior is not labeled legitimate or illegitimate in a per-instruction manner; instead, the labeling occurs after every \( n_{\text{dly}} \) instructions are executed. Specifically, the behavior is labeled malicious only when at least \( n_{\text{th}} \) out of \( n_{\text{dly}} \) instructions indicate the existence of an attacker. The optimal values for \( n_{\text{th}} \) and \( n_{\text{dly}} \) are determined empirically from experiments.

Although mitigated by delayed labeling, false positives and false negatives may still occur. To deal with false positives (i.e., an authorized user is identified as an attacker), the user should have the capability to “reset” the system in order to re-establish access to the JTAG. However, the details of system reset and access re-establishment are beyond the scope of this paper.
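The layer-II data flow of Sections II-B.1 and II-B.3 (fixed-size sliding window, one vote per newly loaded instruction, then delayed labeling with \( n_{\text{dly}}=5 \) and \( n_{\text{th}}=3 \) as selected in Section IV) is shown below as an added example; it is not the paper's code. Because the trained SVM is not available on the page, the per-window vote comes from the paper's "match" baseline of Section IV (accept only opcode sequences seen during normal operation), which stands in for the classifier. The opcode names other than MBIST_BYPASS, MBIST_MODE, MBIST_START and MBIST_RESULT, and all of the sessions, are constructed.

```python
"""Layer-II flow without the trained SVM: fixed-size sliding window over the
opcode stream, one per-instruction vote, then delayed labeling (n_th of n_dly).

Added example, not the paper's code. The per-window decision uses the paper's
"match" baseline from Section IV (accept only sequences seen in normal
operation) as a stand-in for the SVM. Opcode names and sessions are constructed;
only MBIST_BYPASS/MODE/START/RESULT come from the paper's OpenSPARC T2 description."""
from typing import Dict, List, Sequence, Tuple

N = 4       # opcode sequence length (Section IV finds 4 or 5 optimal)
N_DLY = 5   # instructions per labeling interval
N_TH = 3    # attack votes needed to label an interval malicious

OpSeq = Tuple[str, ...]


def opcode_sequences(trace: Sequence[str], n: int = N) -> List[OpSeq]:
    """Overlapping length-n windows; one window per newly loaded instruction."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


class MatchClassifier:
    """Legal database of normal opcode sequences; any other sequence votes 'attack' (1)."""

    def __init__(self, normal_traces: Sequence[Sequence[str]], n: int = N):
        self.legal = {seq for t in normal_traces for seq in opcode_sequences(t, n)}

    def predict(self, seq: OpSeq) -> int:
        return 0 if seq in self.legal else 1


def delayed_labels(votes: Sequence[int], n_dly: int = N_DLY, n_th: int = N_TH) -> List[bool]:
    """Label after every n_dly instructions: an interval is malicious only if at
    least n_th of its votes say attack. A trailing partial interval is not labeled yet."""
    return [sum(votes[i:i + n_dly]) >= n_th
            for i in range(0, len(votes) - n_dly + 1, n_dly)]


def monitor(trace: Sequence[str], clf: MatchClassifier,
            n: int = N, n_dly: int = N_DLY, n_th: int = N_TH) -> Dict[str, object]:
    """Per-instruction votes, per-interval labels, and the session verdict."""
    votes = [clf.predict(s) for s in opcode_sequences(trace, n)]
    labels = delayed_labels(votes, n_dly, n_th)
    return {"votes": votes, "labels": labels,
            "verdict": "attack" if any(labels) else "normal"}


I, B, MB, MO, ST, RE, A, R = ("IDCODE", "BYPASS", "MBIST_BYPASS", "MBIST_MODE",
                              "MBIST_START", "MBIST_RESULT", "MEM_ADDR", "MEM_DATA_RD")
NORMAL_TRACES = [               # constructed training sessions
    [MB, MO, ST, RE, B],        # MBIST operation (sequence given in Section II-B)
    [A, R, A, R, A, R, B],      # memory read loop
    [I, B, MB, MO, ST, RE, B],  # identify, then MBIST
    [I, B, A, R, A, R, B],      # identify, then memory read
]
CLF = MatchClassifier(NORMAL_TRACES)
# Legitimate session in an order never seen in training (MBIST, then memory read):
# the two windows straddling the operation boundary are unseen and vote 'attack'.
VARIANT_SESSION = [I, B, MB, MO, ST, RE, B, A, R, A, R, A, R, B]
# Reverse-engineering probe: legal opcodes, so it passes layer-I, but in an order
# no documented operation uses.
ATTACK_SESSION = [I, MO, RE, ST, RE, MO, A, RE, R, ST, R, A, RE, B]

if __name__ == "__main__":
    for name, session in [("variant", VARIANT_SESSION), ("attack", ATTACK_SESSION)]:
        print(name, monitor(session, CLF))
```

Run stand-alone, the variant session yields votes `[0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0]`: per-instruction labeling would have raised two false positives at the operation boundary, while the 3-of-5 rule labels both intervals normal. The probe yields eleven attack votes and is labeled malicious in both intervals. The example also shows why the paper reports that "match" cannot tolerate variance on its own: every boundary between two legitimate operations that was absent from training produces up to \( n-1 \) attack votes, and only the delayed labeling absorbs them.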

III. SVM HARDWARE ARCHITECTURE

Ideally, detecting a JTAG attack should be accomplished in real time, i.e., at the time a JTAG instruction is loaded. Real-time detection therefore requires a hardware implementation of the SVM. As shown in Figure 4, the SVM classifier employs a pipelined architecture. The RBF kernel is computed with a look-up table (named RBF-LUT) that is built by calculating all possible values of the operands in advance. In addition, the L1-norm is used to compute the distance between samples; since the RBF of an L1 distance factorizes into a product of per-dimension terms, \( \exp(-\gamma \sum_i |x_i - s_i|) = \prod_i \exp(-\gamma |x_i - s_i|) \), one table entry per possible per-dimension difference suffices. Let \( n \) be the length of an opcode sequence, \( m \) be the number of bits in a JTAG opcode, and \( b \) be the precision (in bits) of an RBF result. The memory size of the RBF-LUT is then \( 2^m \times n \times b \) bits. In this work, the memory size is 2 KB assuming \( n=4 \), \( b=16 \) and \( m=8 \) (\( n=4 \) is an optimal value based on the experiments in Section IV, and \( m=8 \) stems from the OpenSPARC T2 design). The latency of a per-instruction prediction is \((S+T-1)\) cycles, where \( S \) denotes the number of support vectors and \( T \) denotes the number of pipeline stages.
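To make the LUT sizing and the fixed-point kernel concrete, the following added example evaluates the paper's prediction rule \( y(x) = \mathrm{sgn}(\sum_{n \in S} a_n t_n k(x, x_n) + b) \) the way the pipeline would, with one LUT read and one \( b \)-bit multiply per dimension, and compares it against double-precision evaluation. It is not the paper's RTL: the support vectors, multipliers, bias and RBF width \( \gamma \) are constructed, since the trained OpenSPARC T2 model is not available here; \( n=4 \), \( m=8 \) and \( b=16 \) are the paper's parameters.

```python
"""Hardware-style SVM inference from Section III: L1-norm RBF kernel through a
fixed-point look-up table (RBF-LUT), compared against exact floating point.

Added example, not the paper's RTL. The support vectors, multipliers, bias and
gamma are constructed for illustration; the trained OpenSPARC T2 model is not
available here. Opcodes are plain integers (m = 8 bits)."""
import math
from typing import Callable, List, Tuple

N = 4        # opcode sequence length (dimension of a sample)
M = 8        # bits per JTAG opcode (8-bit IR on the OpenSPARC T2)
B = 16       # fixed-point precision of one RBF factor
GAMMA = 0.1  # assumed RBF width; a real model takes this from training

Opcodes = Tuple[int, ...]
Kernel = Callable[[Opcodes, Opcodes], float]
# Constructed model: (Lagrange multiplier a_n, label t_n, support vector x_n); +1 normal, -1 attack
MODEL_SV: List[Tuple[float, int, Opcodes]] = [
    (1.0, +1, (0x05, 0x06, 0x07, 0x08)),
    (0.8, +1, (0x12, 0x13, 0x12, 0x13)),
    (1.0, -1, (0x06, 0x08, 0x07, 0x08)),
    (0.8, -1, (0x12, 0x08, 0x13, 0x07)),
]
MODEL_BIAS = 0.0


def lut_size_bits(n: int = N, m: int = M, b: int = B) -> int:
    """RBF-LUT footprint from the paper's formula 2^m * n * b (16384 bits = 2 KB)."""
    return (1 << m) * n * b


def build_rbf_lut(gamma: float = GAMMA, n: int = N, m: int = M, b: int = B) -> List[List[int]]:
    """One table per pipeline lane (dimension). Entry d holds exp(-gamma*d) in Q0.b
    fixed point, saturated so that exp(0) = 1.0 still fits in b bits. Because the
    RBF of an L1 distance factorizes into per-lane factors exp(-gamma*|x_i - s_i|),
    a table indexed by the lane difference in [0, 2^m) is all that is needed."""
    one = (1 << b) - 1
    lane = [min(one, round(math.exp(-gamma * d) * (1 << b))) for d in range(1 << m)]
    return [list(lane) for _ in range(n)]


def make_lut_kernel(lut: List[List[int]], b: int = B) -> Kernel:
    """Kernel as the pipeline computes it: one LUT read and one b-bit multiply per lane."""
    def kernel(x: Opcodes, s: Opcodes) -> float:
        acc = (1 << b) - 1                          # 1.0 in Q0.b
        for xi, si, lane in zip(x, s, lut):
            acc = (acc * lane[abs(xi - si)]) >> b   # keep the running product at b bits
        return acc / (1 << b)
    return kernel


def exact_kernel(x: Opcodes, s: Opcodes, gamma: float = GAMMA) -> float:
    """Reference: exp(-gamma * L1 distance) in double precision."""
    return math.exp(-gamma * sum(abs(xi - si) for xi, si in zip(x, s)))


def decision(x: Opcodes, kernel: Kernel) -> float:
    """sum_{n in S} a_n t_n k(x, x_n) + b, the argument of sgn() in the prediction rule."""
    return sum(a * t * kernel(x, s) for a, t, s in MODEL_SV) + MODEL_BIAS


def predict(x: Opcodes, kernel: Kernel) -> int:
    """+1 (normal) or -1 (attack); a decision value of exactly zero counts as attack."""
    return 1 if decision(x, kernel) > 0 else -1


LUT_KERNEL = make_lut_kernel(build_rbf_lut())

if __name__ == "__main__":
    print(f"RBF-LUT: {lut_size_bits()} bits = {lut_size_bits() // 8 // 1024} KB")
    for seq in [(0x05, 0x06, 0x07, 0x08), (0x06, 0x08, 0x07, 0x08)]:
        print(seq, "exact", round(decision(seq, exact_kernel), 4),
              "lut", round(decision(seq, LUT_KERNEL), 4), "->", predict(seq, LUT_KERNEL))
```

Two caveats a practitioner would check before trusting such a design. First, the 16-bit truncation after each lane multiply is a systematic downward bias of roughly one LSB per lane, so decision values within a few \( 10^{-4} \) of zero can flip relative to the floating-point model; the margin of the deployed classifier should be checked against that error. Second, the L1 distance is taken between opcode encodings, which are arbitrary codes rather than ordinal quantities: two functionally unrelated opcodes can be "close" and two variants of one operation "far", so the kernel's notion of similarity depends on how the instruction register was encoded.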

Table 1 compares the area overhead and the latency of the two-layer scheme with [6]. The comparison shows that the two-layer scheme has more area overhead and longer latency but in Section IV we show that it has much better performance.

<table>
<thead>
<tr>
<th>Approach</th>
<th>Latency</th>
<th>Area (μm²)</th>
<th>% of chip area</th>
</tr>
</thead>
<tbody>
<tr>
<td>Two-layer scheme</td>
<td>520</td>
<td>755.592</td>
<td>1.79%</td>
</tr>
<tr>
<td>[6]</td>
<td>8</td>
<td>452.253</td>
<td>1.07%</td>
</tr>
</tbody>
</table>

Table 1: The latency and the area overhead of the two-layer SVM-based scheme (\( n=4 \)) compared with [6].

The area of the SVM classifier depends on \( n \) in two ways. First, \( n \) affects the width of the pipeline linearly since it is the dimension of the data. Second, the size of the RAM storing the support vectors (named SV-RAM) depends on \( n \), which affects both the number of support vectors (SVs) and the size of each SV. A larger \( n \) produces more SVs, e.g., the numbers of SVs produced by \( n=3, 4, 5, 6 \) are 763, 844, 901 and 962, respectively. However, because these numbers all lie between 512 and 1024, the SV-RAM depth remains 1024 rows (each row stores one SV), and only the row width grows with \( n \). Thus, the area of the SV-RAM is linearly dependent on \( n \). As shown previously, the area of the RAM storing the RBF-LUT also depends linearly on \( n \). To summarize, the relative area overhead in terms of \( n \) is: 0.75 (\( n=3 \)), 1 (\( n=4 \)), 1.25 (\( n=5 \)), 1.5 (\( n=6 \)).

IV. EXPERIMENT

To validate the effectiveness of the two-layer protection scheme, variants of the JTAG programs used in [6] are created for the OpenSPARC T2. Specifically, the variants are generated by substituting different values for the parameters (such as the number of cycles spent in run-test/idle and test-logic-reset), and by modifying the sequential order of the JTAG instructions used for reverse engineering. The new data set includes 767 normal programs, containing 125,017 opcode sequences (extracted using a fixed-size sliding window), and 1,092 attacking programs, containing 154,980 opcode sequences.

Table 2: The JTAG programs are divided into eight categories, each one targeting a different IC component.

<table>
<thead>
<tr>
<th>Category</th>
<th>Targeted component</th>
</tr>
</thead>
<tbody>
<tr>
<td>C1</td>
<td>Check basic profile</td>
</tr>
<tr>
<td>C2</td>
<td>Clock control</td>
</tr>
<tr>
<td>C3</td>
<td></td>
</tr>
<tr>
<td>C4</td>
<td></td>
</tr>
<tr>
<td>C5</td>
<td>L2 cache access</td>
</tr>
<tr>
<td>C6</td>
<td>Logic BIST</td>
</tr>
<tr>
<td>C7</td>
<td></td>
</tr>
<tr>
<td>C8</td>
<td>Electronic fuse</td>
</tr>
<tr>
<td>C9</td>
<td>Shadow scan</td>
</tr>
</tbody>
</table>

Table 3: The JTAG programs are divided into nine categories, each one exploiting a different scan-based attacking strategy.

An unseen scan-based attack is one that targets a different IC component, or exploits a new scan-based strategy never encountered by the scheme. Thus, in the first set of the experiments, the attacking programs are divided into eight categories based on the components they target (Table 2), while in the second set, the programs are divided into nine categories based on the strategies they exploit (Table 3). More details concerning Table 2 and Table 3 can be found in [6].

For the first set of experiments, the capability to detect attacks targeting a new IC component is evaluated using different learning algorithms, as shown in Table 4. The extracted opcode sequences (\( n=4 \)) are processed by each approach, and two metrics are evaluated, i.e., the accuracy of identifying normal opcode sequences (\( \text{acc}_\text{nor} \)) and the accuracy of identifying unseen attacks (\( \text{acc}_\text{atk} \)). Here, accuracy is defined as the percentage of correct predictions out of all evaluated opcode sequences (either normal operation or unseen attacks). The first set of approaches involves two-class learning algorithms, namely an SVM (using an RBF kernel function\(^1\)), a neural network (one hidden layer of 10 neurons), \( k \)-nearest-neighbor (\( k \)-NN, \( k=3 \)) and the decision tree model proposed in [6]. For these approaches, seven out of the eight categories of attacks in Table 2 and all cases of normal operation are used in 10-fold cross-validation; the resulting accuracy of identifying normal operation is \( \text{acc}_\text{nor} \). The eighth category is held out as the unseen attack, and \( \text{acc}_\text{atk} \) is measured using the ten classifiers trained in the cross-validation. The second set of approaches involves one-class learning algorithms, including a one-class SVM (\( \nu=0.1 \)) and a one-class \( k \)-NN (radius=2). The one-class \( k \)-NN classifies an opcode sequence by searching the neighborhood of radius 2 centered on it; if at least one training sample resides within that area, the opcode sequence is labeled normal. For these approaches, 90% of the normal opcode sequences are used for training, while the remaining 10% are used for evaluating \( \text{acc}_\text{nor} \); in addition, each category of component attack is evaluated as an unseen attack. The last approach, named "match", simply treats the normal opcode sequences as the legal ones and rejects any opcode sequence that does not conform. It is evaluated with the same procedure as the one-class algorithms, i.e., a legal database is built from 90% of all cases of normal operation, the remaining 10% are used to measure \( \text{acc}_\text{nor} \), and each category of attack is evaluated as an unseen attack.

\(^1\)The RBF kernel is used because it performs better than linear and polynomial kernels.

As shown in Table 4, the SVM has balanced performance in identifying both normal operation and unseen attacks, indicating that the SVM can not only tolerate the variance occurring during normal operation but also detect unseen scan-based attacks. Among the correctly classified unseen attacks, 0.2% are detected by layer-I while 99.8% are classified by layer-II. The neural network and \( k \)-NN are capable of identifying either normal operation or attacks, but not both. The overall performance of the one-class SVM and the one-class \( k \)-NN is worse than that of the SVM, even for identifying unseen attacks. A likely explanation for this difference is that having some general knowledge of attacks is quite beneficial for detecting new types of attacks. The "match" approach fails to accept the variance exhibited by normal operation because the matching rule, by definition, does not allow for any variance. Finally, the decision tree model in [6] performs much worse than the SVM in identifying unseen attacks (41.3% versus 91.1% overall). However, the decision tree performs better than the SVM for identifying attacks targeting \( C_1 \). A likely explanation is that "checking the basic profile" of the JTAG results in frequent, easy-to-detect mistakes because the attacker has no prior knowledge of the specific JTAG. The approach in [6] performs better in that situation because various features, beyond the sequential order of instructions alone, are used to capture user behavior.

For the second set of experiments, the capability to detect attacks exploiting a different strategy is evaluated in a similar manner as shown in Table 4. It is noted that strategies \( S_1\text{-}S_3 \) of Table 3 are excluded because they can easily be detected by layer-I. The results again show that the SVM has better overall performance than other approaches. It is noted that the decision tree performs better than the SVM for strategy \( S_4 \) due to the reasoning earlier described.

Figure 5 shows that the accuracy of identifying normal operation and unseen attacks trends in opposite directions when the opcode sequence length increases. The accuracy of Figure 5 is the average accuracy of each category of attacks weighted by the population size. Figure 5 reveals that a larger \( n \) is preferable for detecting unseen attacks, but at the cost of more false positives. The optimal value for \( n \) is 4 or 5 if false positives and false negatives have equal cost. Figure 5 also demonstrates that the length of most normal JTAG operations is typically less than 7 or 8.

Figure 6 shows the accuracy after applying delayed labeling for normal operation and unseen attacks. Even though the optimal values for \( n_{\text{dly}} \) and \( n_{\text{th}} \) should correspond to the highest overall accuracy, \( n_{\text{dly}} \) should not be too large because attackers can disguise malicious operations within a long interval more easily. Finally, \( n_{\text{dly}}=5 \) and \( n_{\text{th}}=3 \) are selected, which achieve an overall accuracy of 94%.

V. DISCUSSION

Table 5 compares the proposed two-layer scheme with other JTAG protection techniques. When compared to encryption techniques, the two-layer scheme is an orthogonal approach that can be combined with encryption to achieve complementary protection for the JTAG. In addition, the proposed scheme is considered valid under the assumptions that the attacker can only access the JTAG ports and does not know how to operate the private JTAG functions.

VI. CONCLUSION

Detecting attacks based on user behavior has become a promising technique for ensuring the security of modern integrated systems. In this paper, a two-layer learning-based protection scheme is proposed to detect scan-based JTAG attacks. The experiments on the OpenSPARC T2 show that the scheme can detect unseen scan-based attacks with high accuracy (i.e., 94%) under the assumption that the attacker accesses the IC only through the JTAG ports.

ACKNOWLEDGMENT

The authors acknowledge the support of the Foundation for Science and Technology of Portugal under Grant BD/28163/2006 (project reference CMU-PT/SIA/0005/2009).

REFERENCES