Title: Innovative Practice on Wafer Test Innovations
Authors: D. Hu, H. Hashimoto, Li-Fong Tseng, Ken Chau-Cheung Cheng, Katherine Shu-Min Li, Sying-Jyan Wang, Sean Y.-S. Chen, Jwu E. Chen, Clark Liu, Andrew Yi-Ann Huang
Published in: 2020 IEEE 38th VLSI Test Symposium (VTS)
Pub Date: 2020-04-01
DOI: 10.1109/VTS48691.2020.9107619
Wafer test integrates innovative works from upstream, automatic test equipment (ATE); middle stream, 2.3D/2.5D; and downstream, statistical analysis of randomness on wafer pattern recognition. NXP Taiwan proposes an AI-driven yield prediction of ATE to reduce test cost during frequent modification and changes in test systems. SiPlus proposes competitive 2.3D and SiPlus eHDF to compare many metrics with 2.5D interposer technology. Powertech Technology Inc. focuses on the statistical analysis of randomness on conventional spatial wafer defect patterns. This session addresses an integrated innovation along test systems in ATE in upstream, then 2.3D/SiPlus eHDF integration structure design, and finally novel randomness effects on wafer defect diagnosis.

Title: SNIFU: Secure Network Interception for Firmware Updates in legacy PLCs
Authors: Hadjer Benkraouda, Muhammad Ashif Chakkantakath, A. Keliris, M. Maniatakos
Published in: 2020 IEEE 38th VLSI Test Symposium (VTS)
Pub Date: 2020-04-01
DOI: 10.1109/VTS48691.2020.9107609
Attacks on Industrial Control Systems (ICS) are increasingly targeting field devices and the firmware that instruments their operation. Securing the firmware images and their update procedure has, therefore, become an important challenge. This is especially true for widely deployed legacy devices which are not equipped with the necessary security mechanisms/capabilities. In this paper, we address the problem by reverse engineering PLC firmware update tools to build a device that ensures the integrity and authenticity of firmware updates, before allowing them to be flashed onto a field device. Our tool is directly connected to field devices and consists of a firmware signing mechanism, a PLC emulation module, and a payload detection classifier – all integrated in a bump-in-the-wire device, SNIFU. SNIFU monitors serial traffic sent to the PLC for firmware update commands. When it identifies such commands, it emulates a PLC, capturing the entire firmware image and verifying it before relaying it to the PLC. We implement and evaluate a prototype of SNIFU using a Raspberry Pi, that secures the update process of a commercial PLC by Wago.

Title: Automated Design For Yield Through Defect Tolerance
Authors: S. Natarajan, Andres F. Malavasi, P. Meinerzhagen
Published in: 2020 IEEE 38th VLSI Test Symposium (VTS)
Pub Date: 2020-04-01
DOI: 10.1109/VTS48691.2020.9107558
We advocate defect tolerant design to improve timing yield. A metric of defect tolerance is proposed, and an approach based on using defect tolerance metrics, derived for each cell in a library, to bias logic synthesis and automated placement and routing (APR) to achieve netlist-level defect tolerance is explored. We compare our proposed approach, in which the delays of cells are penalized in accordance with their defect vulnerability, to two alternative approaches: 1) an approach in which the most defect vulnerable cells are removed from consideration during automated design, and 2) another that gains yield by frequency-push over-design. We measure timing yield based on modeling defects as cell delay increments and using static timing analysis to evaluate the various approaches. Simulation results show promising timing yield improvements, with one case showing about 9.5% timing yield increase with under 3% area and 2% power costs.

Title: Input Test Data Volume Reduction Using Seed Complementation and Multiple LFSRs
Authors: I. Pomeranz
Published in: 2020 IEEE 38th VLSI Test Symposium (VTS)
Pub Date: 2020-04-01
DOI: 10.1109/VTS48691.2020.9107617
Test data compression methods reduce the input storage requirements of a test set by storing compressed tests. To enhance the ability to reduce the input test data volume, earlier approaches use the same input test data to apply several different tests. This paper considers two methods that have not been used before for this purpose. The methods are considered in the context where a linear-feedback shift-register (LFSR) is used as part of the decompression logic, and tests are compressed into seeds for the LFSR. The first method complements a bit of a seed to obtain a different test than the one produced by the uncomplemented seed. The second method uses the same seed for different LFSRs to produce different tests. The two methods are used together to demonstrate the advantages of a hybrid approach where the methods complement each other. Experimental results for benchmark circuits are presented to demonstrate the effectiveness of a hybrid approach.

Title: In-field Functional Test of CAN Bus Controllers
Authors: R. Cantoro, Sandro Sartoni, M. Reorda
Published in: 2020 IEEE 38th VLSI Test Symposium (VTS)
Pub Date: 2020-04-01
DOI: 10.1109/VTS48691.2020.9107628
The Controller Area Network (CAN) bus is a serial bus protocol widely used in the automotive domain to allow communication between different Electronic Control Units in the car. Being often part of safety-critical systems, the hardware implementing the CAN network must be constantly tested along the system lifetime, even during the operational phase. CAN controllers are relatively complex modules in charge of managing the sending and the receiving of packages through the CAN bus, and defects affecting them can easily compromise the whole CAN network. In this work, the CAN controller is tested by test programs to be executed by the CPU connected to the device under test and by another unit connected to the same CAN bus. A fault grading with respect to structural permanent faults of a functional test based on the execution of a software test library for the CAN bus is presented for the first time. Results show how the approach can cover more than 90% of stuck-at faults on an open-source implementation of the standard, which is significantly more than what a usual functional test based on some sample application can achieve.

Title: A Zero-Cost Detection Approach for Recycled ICs using Scan Architecture
Authors: Wendong Wang, Ujjwal Guin, A. Singh
Published in: 2020 IEEE 38th VLSI Test Symposium (VTS)
Pub Date: 2020-04-01
DOI: 10.1109/VTS48691.2020.9107583
The recycling of used integrated circuits (ICs) has raised serious problems in ensuring the integrity of today’s globalized semiconductor supply chain. This poses a serious threat to critical infrastructure due to potentially shorter lifetime, lower reliability, and poorer performance from these counterfeit new chips. Recently, we have proposed a highly effective approach for detecting such chips by exploiting the power-up state of on-chip SRAMs. Due to the symmetry of the memory array layout, an equal number of cells power-up to the 0 and 1 logic states in a new unused SRAM; this ratio gets skewed in time due to uneven NBTI aging from normal usage in the field. Although this solution is very effective in detecting recycled ICs, its applicability is somewhat limited as a large number of older designs do not have large on-chip memories. In this paper, we propose an alternate approach based on the initial power-up state of scan flip-flops, which are present in virtually every digital circuit. Since the flip-flops, unlike SRAM cells, are generally not perfectly symmetrical in layout, an equal number of scan cells will not power-up to 0 or 1 logic states in most designs. Consequently, a stable time zero reference of 50% logic 0s and 1s cannot be used for determining the subsequent usage of a chip. To overcome this key limitation, we propose a novel solution in this paper that reliably identifies used ICs from testing the part alone, without the need for any additional reference data or even the netlist of the circuit. Through scan testing of the IC, we first identify a significant number of asymmetrically stressed flip-flops in the design, divided into two groups. One group of flip-flops is selected such that it mostly experiences the 1 logic state during functional operation, while the other group mostly experiences the 0 state. The resulting differential stress during operation causes growing disparity over time in the number of 0s (and 1s) observed in these two groups at power-up. When new and unaged, these two groups behave similarly, with similar percentage of 1s (or 0s). However, over time the differential stress makes these counts diverge. We show that this changing count can be a measure of operational aging. Our simulation results show that it is possible to reliably detect used ICs after as little as three months of operation.

Title: Taming Combinational Trojan Detection Challenges with Self-Referencing Adaptive Test Patterns
Authors: Chris Nigh, A. Orailoglu
Published in: 2020 IEEE 38th VLSI Test Symposium (VTS)
Pub Date: 2020-04-01
DOI: 10.1109/VTS48691.2020.9107630
While many side-channel methods have been proposed for detecting hardware Trojans inserted by an untrusted foundry, they are challenged in the face of process variation noise. The impacts of process variation have forced researchers to propose costly design enhancements to improve detection as a counter to the deficiency of current easy-to-implement test pattern-based methods. To overcome process variation noise with no design cost, we propose a novel self-referencing adaptive approach based on test pattern construction, which learns from and conforms to device characteristics to maximally magnify the Trojan signal. Through iterative test pattern modifications, response analyses, and decision-making, we can pursue suspicious behaviors and increase the likelihood of Trojan detection. Experiments on Trust-Hub Trojan circuit benchmarks show the efficacy of this technique, magnifying an equivocal starting signal 22 to 130 to deliver crisp resolution to the question of Trojan existence.

Title: ATTEST: Application-Agnostic Testing of a Novel Transistor-Level Programmable Fabric
Authors: M. Shihab, Bharath Ramanidharan, S. Tellakula, Gaurav Rajavendra Reddy, Jingxiang Tian, C. Sechen, Y. Makris
Published in: 2020 IEEE 38th VLSI Test Symposium (VTS)
Pub Date: 2020-04-01
DOI: 10.1109/VTS48691.2020.9107561
A recently introduced TRAnsistor-level Programmable fabric (TRAP) has demonstrated great promise towards seamless unification of high-density reconfigurable logic with Application-Specific Integrated Circuits (ASICs). However, practical deployment of TRAP relies on the development of a comprehensive mechanism for detecting manufacturing defects. Unfortunately, the state-of-the-art test schemes are developed either for ASICs or for Field-Programmable Gate Arrays (FPGAs) and do not support this new transistor-level architecture. To address this limitation, we present a novel application-agnostic test methodology specifically tailored to the TRAP fabric. We first introduce a multi-phase, cascadable scheme to efficiently test the programmable transistors in TRAP’s Logic Elements (LEs). Then, we define the required test patterns for verifying the correct functionality of the built-in D flip-flop, full-adder, and multiplexer of each LE. Next, we present a systematic approach for testing the interconnect network. Lastly, we discuss the limitations in testing the memory cells used for storing the TRAP programming bits and we propose design modifications for improving test coverage.