METHOD OF GENERATING AND MONITORING A DIGITAL SIGNATURE
The present invention relates to a method of generating and monitoring a digital signature representing activity observed on signals on an integrated chip, in particular on an integrated chip in a normal mode of operation.
Embedded systems comprising multiple core devices incorporated onto a printed circuit board (PCB) have been in use for many years. The core devices, such as a central processing unit (CPU), memory, secondary storage and other computing or electronic system components, communicate via a series of buses connected between each component and the printed circuit board. Increasing demand for smaller electronic products and the growth in mobile computing and telecommunications led to the development of so-called System-on-Chip (SoC) devices. Rather than multiple core devices on a PCB, an SoC is an integrated chip, or circuit, where most or all of the components of a system are integrated onto a single substrate. Communication between the components takes place by means of an internal bus system, with all traffic in the embedded system conveyed over these buses. Given that such SoC devices are increasingly implemented within mobile devices (smartphones, tablets) and in other applications, such as vehicles, the integrity of the data being communicated within the SoC is a primary concern. Data corruption or data error may occur due to a variety of reasons, including malicious entities (viruses and malware), hardware or system malfunction or system corruption, and results in the alteration of data from its expected or correct form. This is manifested as a change in one or more bits in a signal.
Silent data corruption occurs when data errors go undetected, risking that the undetected errors propagate through the SoC and are utilised by the various components. Whilst initially this may be a benign error, in more extreme cases the error propagation may lead to cascading failures within the SoC or in any device or system that the SoC is deployed in. Error detection within an SoC is therefore of great importance in maintaining the operation of the system. One manner in which errors may be detected during a normal mode of operation of the SoC is by analysing transaction communications over the existing interconnect circuitry. This may include parity and cyclic redundancy checks to determine whether the data contains an error. However, whilst effective, such a methodology involves both analysing transactions and scanning memory blocks to determine if an error has been stored. A simpler alternative for use when the SoC is in a normal mode of operation would therefore be desirable.
Another option to determine whether or not there are faults inherent in the SoC itself is to utilise a PRBS (pseudo-random binary sequence) monitor. A PRBS is a binary sequence that, although generated using a deterministic algorithm, is difficult to predict. When generated by a linear feedback shift register acting as a pattern generator, the PRBS may be used for exhaustive testing of an integrated circuit. For example, a signature representing a "good" circuit can be compared with the signature of a Device Under Test (DUT) to determine whether or not the physical circuit is functioning correctly, and therefore that there . However, this requires additional logic to be added to the DUT and can only be carried out as part of the design process in a test mode and does not allow any form of monitoring during the normal mode of operation of an SoC. Therefore, whilst the process is relatively simple in determining whether data corruption could occur from faults within the SoC itself, this is only of limited benefit.
It is therefore of interest to be able to provide a method of monitoring activity on an integrated chip, such as an SoC, during its normal mode of operation to determine whether or not data corruption or incorrect operation has occurred.
The present invention aims to address these issues by providing, in a first aspect, a method of generating and monitoring a digital signature representing activity observed on signals on an integrated chip in a normal mode of operation, comprising: a) receiving n signals at n signal selectors; b) receiving a start signal at the n signal selectors, wherein on receipt of the start signal, the n signal selectors begin to feed the n signals as n selected signals to a temporary memory store to create n values in the temporary memory store; c) receiving a stop signal at the n signal selectors, wherein on receipt of the stop signal, the n signal selectors cease to feed the n signals as the n selected signals to the temporary memory store and the values in the temporary memory store become available; d) using the values in the temporary memory store as the basis of N digital signatures representing activity observed on the n signals, comparing the N digital signatures with N corresponding stored digital signatures representing expected activity on the n signals; and e) if the comparing indicates a mismatch between any of the N digital signatures and a corresponding stored digital signature, generating an alarm signal.
Utilising a simple signature generated from a selected digital signal and a comparison technique enables the method to be used during a normal mode of operation of the integrated chip. No additional test logic is required, and the method does not need to be performed using any form of special mode and takes advantage of being able to configure the temporary memory device during boot up and the start/stop signal during runtime. Coupled with an ability to learn ideal activities expected on a signal, the embodiments of the present invention offer an efficient, low computing cost and highly accurate error and security compromise detection system.
Preferably, n = N = 1. Alternatively, n > 1, N > 1 and n = N. Yet further alternatively, n > 1 and N = 1. Yet still further alternatively, n = 1 and N > 1.
Preferably, the step of comparing comprises comparing a digital signature with the corresponding stored digital signature created from previous digital signatures using an iterative process.
Alternatively, the step of comparing may comprise comparing a digital signature with the corresponding stored digital signature exemplifying ideal signal activity.
Preferably, the mismatch indicates that a digital signature has a value outside a pre-determined tolerance of the corresponding stored digital signature.
Preferably the pre-determined tolerance is zero.
Steps d) and e) may be performed by an analyser. In this situation, the digital signatures and the corresponding stored digital signatures may be compressed, and the compressed digital signature and the compressed corresponding stored digital signature may be uncompressed by the analyser before comparison.
Preferably, a time window between the start signal and the stop signal is runtime configurable. If this is the case, preferably steps d) and e) are synchronised with the time window such that the N digital signatures are accessed from the temporary memory store periodically with the time window.
The method may further comprise the integrated chip resolving a cause of the mismatch between a digital signature and the corresponding stored digital signature on receipt of the alarm signal.
Preferably, the temporary memory store is a pre-initialised feedback shift register. The signal selector may be one of a filter array, a software filter or a mask comprising a Boolean array.
Preferably, the digital signature is a pseudo-random binary sequence generated from the signal.
The present invention also provides, in a second aspect, an integrated chip digital signature generator and monitor adapted to generate and monitor a digital signature representing activity observed on signals on an integrated chip in a normal mode of operation, comprising: n signal selectors adapted to receive n signals, a start signal and a stop signal; a temporary memory store adapted to receive n signals fed by the n signal selectors as n selected signals and to output values used as the basis for N digital signatures representing activity observed on the n signals; and a comparison circuit comprising a memory adapted to store N corresponding stored digital signatures, a comparator adapted to compare the N digital signatures with the N corresponding stored digital signatures and an alarm generator adapted to generate an alarm signal if a mismatch between any of the N digital signatures and the corresponding stored digital signature is indicated.
Preferably, the comparison circuit is separate to and in communication with the n signal selectors and the temporary memory store.
Preferably, the integrated chip digital signature generator and monitor further comprises a demultiplexer connected to the comparator and to the temporary memory store. Preferably, the temporary memory store is a pre-initialised feedback shift register.
The present invention will now be described by way of example only and with reference to the accompanying drawings, in which:
Figure 1 is a schematic circuit diagram illustrating an integrated chip digital signature generator and monitor in accordance with a first embodiment of the present invention;
Figure 2 is a schematic circuit diagram illustrating an integrated chip digital signature generator and monitor in accordance with a second embodiment of the present invention; and
Figure 3 is a flow chart illustrating a method of generating and monitoring a digital signature representing activity observed on signals on an integrated chip in a normal mode of operation in accordance with embodiments of the present invention.
As a way of removing the need to add additional logic or to require specific analysis of transactions or memory content, embodiments of the present invention utilise the concept of digital signature comparison. This enables the use of a method of generating and monitoring a digital signature representing activity observed on signals on an integrated chip in a normal mode of operation. Initially, n signals are received at a signal selector, along with a start signal. On receipt of the start signal, the signal selector begins to feed the n signals as n selected signals to a temporary memory store to create values in the temporary memory store. This continues until a stop signal is received at the signal selector, wherein on receipt of the stop signal, the signal selector ceases to feed the n signals as n selected signals to the temporary memory store and the value in the temporary memory store becomes available. Using the value in the temporary memory store as the basis of N digital signatures representing activity observed on the n signals, this is compared with N corresponding stored digital signatures representing expected activity on the n signals. If the comparing indicates a mismatch between any of the N digital signatures and the N corresponding stored digital signatures, an alarm signal is generated. The digital signature therefore represents activity being observed on the signals of the integrated chip, and by using only a comparison, rather than an analysis, during the normal mode of operation of the integrated chip, errors are detected simply and easily.
Figure 1 is a schematic circuit diagram illustrating an integrated chip digital signature generator and monitor in accordance with a first embodiment of the present invention. The integrated chip signal generator and monitor 1 is adapted to generate and monitor a digital signature 2a, 2b...2N that represents activity observed on signals 3a, 3b...3n on an integrated chip (ICC) 4 in a normal mode of operation. The integrated chip signal generator and monitor 1 comprises a signal selector, which in this example is in the form of a digital filter array 5. The digital filter array 5 is provided with a first input 6 for receiving the signals 3a, 3b...3n, and a second input 7 for receiving a start/stop signal 8 for triggering the storage of selected signals 9a, 9b...9n in a temporary memory store. In this example, the temporary memory store comprises pre-initialised feedback shift registers 10a, 10b...10n adapted to receive the selected signals 9a, 9b...9n fed by the digital filter array 5 and to output a value as the basis of digital signatures 2a, 2b...2N representing activity observed on the n signals 3a, 3b...3n. Each digital signature is preferably a pseudo-random binary sequence (PRBS) generated from the corresponding signal. Each pre-initialised shift register 10a, 10b...10n is initialised during boot up of the integrated chip, removing the need to carry out any additional run time activities. A comparison circuit 11 is provided to compare corresponding stored digital signatures 2as, 2bs...2Ns with the digital signatures 2a, 2b...2N. To do this, the comparison circuit 11 comprises a comparator 12 that is adapted to compare the digital signatures 2a, 2b...2N with the corresponding stored digital signatures 2as, 2bs...2Ns. In the embodiment illustrated in Figure 1 an operational amplifier is used as a simple comparator 12; however, it may be preferable to use an alternative, such as a clocked comparator (for example, a dynamic latched comparator), depending on the origin of the signals 3a, 3b...3n. A demultiplexer 13 is provided to feed the digital signatures 2a, 2b...2N received from the pre-initialised feedback shift registers 10a, 10b...10n to the comparator 12. The comparison circuit 11 also comprises a memory 14 for storing the corresponding stored digital signatures 2as, 2bs...2Ns, which represent the expected signatures for the signals 3a, 3b...3n if there are no errors or data corruption present in these signals 3a, 3b...3n. However, should the comparator 12 determine that there is a mismatch between the digital signatures 2a, 2b...2N and the corresponding stored digital signatures 2as, 2bs...2Ns, the comparison circuit 11 further comprises an alarm generator 15 to generate an alarm signal 15 to alert to a possible compromise of the signals 3a, 3b...3n. Preferably the signals 3a, 3b...3n are data signals, such as those capable of transmission over exemplary communication interfaces, such as traditional debug interfaces such as JTAG, parallel trace input/output, and Aurora based high-speed serial interface; and reuse of system interfaces such as USB, Ethernet, RS232, PCIe and CAN. Alternatively, the signals may be address signals, control signals (signifying status, enable or other control action), security information (such as interconnect sideband signals) or the like, or a combination of any of these.
Figure 2 is a schematic circuit diagram illustrating an integrated chip digital signature generator and monitor in accordance with a second embodiment of the present invention. The integrated chip signal generator and monitor 20 is adapted to generate and monitor a digital signature 21a, 21b...21N that represents activity observed on signals 22a, 22b...22n on an integrated chip 23 in a normal mode of operation. The integrated chip signal generator and monitor 20 comprises a signal selector, which in this example is in the form of a digital filter array 24. The digital filter array 24 is provided with a first input 25 for receiving the signals 22a, 22b...22n, and a second input 26 for receiving a start/stop signal 27 for triggering the storage of the selected signals 28a, 28b...28n in a temporary memory store. In this example, the temporary memory store comprises pre-initialised feedback shift registers 29a, 29b...29n adapted to receive the selected signals 28a, 28b...28n fed by the digital filter array 24 and to output a value as a digital signature 21a, 21b...21N representing activity observed on the signals 22a, 22b...22n. Each digital signature is preferably a pseudo-random binary sequence (PRBS) generated from the corresponding signal. Each pre-initialised shift register 29a, 29b...29n is initialised during boot up of the integrated chip, removing the need to carry out any additional run time activities.
An analyser 30 is provided to house a comparison circuit 31, which is provided to compare corresponding stored digital signatures 21as, 21bs...21Ns with the digital signatures 21a, 21b...21N. To do this, the comparison circuit 31 comprises a comparator 32 that is adapted to compare the digital signatures 21a, 21b...21N with the corresponding stored digital signatures 21as, 21bs...21Ns. In the embodiment illustrated in Figure 2 an operational amplifier is used as a simple comparator 32; however, it may be preferable to use an alternative, such as a clocked comparator (for example, a dynamic latched comparator), depending on the origin of the signals 22a, 22b...22n. A demultiplexer 33 is provided to feed the digital signatures 21a, 21b...21N received from the pre-initialised feedback shift registers 29a, 29b...29n to the comparator 32. The comparison circuit 31 also comprises a memory 34 for storing the corresponding stored digital signatures 21as, 21bs...21Ns, which represent the expected signatures for the signals 22a, 22b...22n if there are no errors or data corruption present in these signals 22a, 22b...22n. However, should the comparator 32 determine that there is a mismatch between a digital signature 21a, 21b...21N and the corresponding stored digital signature 21as, 21bs...21Ns, the comparison circuit 31 further comprises an alarm generator 35 to generate an alarm signal 36 to alert to a possible compromise of the signals 22a, 22b...22n. The analyser 30 may be separate to and in communication with the signal selector 24 and the temporary memory stores 29a, 29b...29n. This enables the analyser 30 to be housed remotely from the other components of the integrated chip digital signature generator and monitor 20. Preferably the signals 22a, 22b...22n are data signals, such as those capable of transmission over exemplary communication interfaces, such as traditional debug interfaces such as JTAG, parallel trace input/output, and Aurora based high-speed serial interface; and reuse of system interfaces such as USB, Ethernet, RS232, PCIe and CAN. Alternatively, the signals may be address signals, control signals (signifying status, enable or other control action), security information (such as interconnect sideband signals) or the like, or a combination of any of these.
The operation of the integrated chip digital signature generator and monitor 1, 20 to generate and monitor a digital signature 2a, 2b...2N, 21a, 21b...21N representing activity observed on signals 3a, 3b...3n, 22a, 22b...22n on the integrated chip 4, 23 will now be described. Figure 3 is a flow chart illustrating a method of generating and monitoring a digital signature representing activity observed on signals on an integrated chip in a normal mode of operation in accordance with embodiments of the present invention. The method 100 described below is equally applicable to both embodiments of the integrated chip digital signature generator and monitor 1, 20 described above. Although the monitoring and generation of a digital signature 2a, 21a for a single signal 3a, 22a is detailed below, the method applies equally to all n possible signals 3a, 3b...3n, 22a, 22b...22n that may be handled by the signal selector 5, 24.
Initially, at step 102, a signal 3a, 22a is detected at a signal selector. Preferably, the signal selector is an array of digital filters 5, 24. Next, at step 104, a start signal 8, 27 is received at the signal selector, and on receipt of the start signal 8, 27, the signal selector begins to feed the signal 3a, 22a as a selected signal 9a, 28a to a temporary memory store to create a value in the temporary memory store. Preferably the temporary memory store is a pre-initialised feedback shift register 10a, 29a, which has been initialised during the boot up of the integrated chip 4, 23 rather than during runtime. At step 106, a stop signal 8, 27 is received at the signal selector. On receipt of the stop signal 8, 27, the signal selector ceases to feed the signal 3a, 22a as the selected signal 9a, 28a to the temporary memory store 10a, 29a and the value in the temporary memory store 10a, 29a becomes available. At step 108, using the value in the temporary memory store 10a, 29a as the basis of a digital signature 2a, 21a representing activity observed on the signal 3a, 22a, the digital signature 2a, 21a is compared with a corresponding stored digital signature 2as, 21as representing expected activity on the signal 3a, 22a. Each digital signature is preferably a pseudo-random binary sequence (PRBS) generated from the corresponding signal. This step preferably comprises comparing the digital signature 2a, 21a with a corresponding stored digital signature 2as, 21as created from previous digital signatures 2a, 21a using an iterative process. Such an iterative process may be a machine learning process, for example. Alternatively, this step may comprise comparing the digital signature 2a, 21a with a corresponding stored digital signature 2as, 21as exemplifying ideal activity observed on the signal 3a, 22a. Such a signature may be loaded into the memory 14, 34 of the comparison circuit 11, 31 at boot up. Finally, at step 110, if the comparing indicates a mismatch between the digital signature 2a, 21a and the corresponding stored digital signature 2as, 21as, an alarm signal 14, 36 is generated.
One criterion for assessing the comparison is where the mismatch indicates that the digital signature 2a, 21a has a value outside a pre-determined tolerance of the corresponding stored digital signature 2as, 21as. Ideally, the pre-determined tolerance is zero, but it may be desirable to have a range of tolerance depending upon the application of the integrated chip signature generator and monitor 1, 20. As outlined above with respect to Figure 2, steps 108 and 110 may be performed by an analyser 30. If this is the case, it may be desirable for the digital signature 21a and the corresponding stored digital signature 21as to be compressed. The compressed digital signature 21a and the compressed corresponding stored digital signature 21as are then uncompressed by the analyser 30 before comparison.
In the examples above the behaviour of n signals is monitored using N generated signatures. There are four scenarios where this occurs. Firstly, n = N = 1, such that there is a one-to-one correspondence of a single signal to a single corresponding signature. Secondly, n > 1, N > 1 and n = N, such that there is a many-to-many correspondence of signals and corresponding signatures. Each of these situations requires that the signal selector is able to select n signals, and that there are n temporary memory devices. Thirdly, n > 1 and N = 1, where many signals are combined into a single signature. This may be a group of signals where once abnormal behaviour of the group is observed, an alarm is raised. For example, the signature represents the behaviour of the group of signals within the time window between the start and stop signals. Fourthly, n = 1 and N > 1, where a single signal is represented by N signatures. This requires that several PRBS are generated for the signal. For the third and fourth cases, again a signal selector able to select n signals is required, along with N temporary memory devices, but some of these may be redundant during the generating and monitoring process.
A further benefit of the approach of the embodiments described above is that a time window between the start signal 8, 27 and the stop signal 8, 27 that is runtime configurable may be provided. This enables steps 108 and 110 to be synchronised with the time window such that a digital signature 2a, 21a representing activity observed on a signal 3a, 22a is accessed from the temporary memory store periodically with the time window. Step 110 results in the generation of an alarm signal 14, 36, on receipt of which it may be desirable for the integrated chip 4, 23 to resolve the cause of the mismatch between a digital signature 2a, 21a and the corresponding stored digital signature 2as, 21as.
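The method of steps 102 to 110, the four n/N scenarios and the start/stop time window, worked through as an added Python example that is not the patent's own implementation. The 16-bit LFSR polynomial, the serial feeding of a signal group into one register, the reading of "tolerance" as a Hamming distance between signature words, and the reloading of the boot-up seed at each start signal are assumptions made here; the three-signal waveform and the single-bit fault are constructed.

```python
"""Added example: n-signal digital-signature monitor modelled on the method above.
Assumed, not from the patent: 16-bit Fibonacci LFSR (x^16+x^14+x^13+x^11+1) as the
feedback shift register, group bits clocked serially, Hamming-distance tolerance."""
from typing import List, Optional, Sequence, Tuple

MASK16 = 0xFFFF


class FeedbackShiftRegister:
    """Serial-input signature register; its final state is a PRBS-style signature."""
    def __init__(self, seed: int) -> None:
        self.seed = self.state = seed & MASK16       # value loaded at boot up

    def clock(self, bit: int) -> None:
        s = self.state
        feedback = ((s >> 15) ^ (s >> 13) ^ (s >> 12) ^ (s >> 10) ^ bit) & 1
        self.state = ((s << 1) | feedback) & MASK16


def hamming(a: int, b: int) -> int:
    return bin((a ^ b) & MASK16).count("1")         # tolerance metric (assumed)


class SignatureMonitor:
    """groups[k] lists the signal indices feeding register k: n = N is one index per
    group, n > 1 / N = 1 is every index in one group, n = 1 / N > 1 is one index in
    several groups with different seeds."""
    def __init__(self, groups: Sequence[Sequence[int]], seeds: Sequence[int],
                 tolerance: int = 0) -> None:
        if len(groups) != len(seeds):
            raise ValueError("one seed per signature register")
        self.groups = [list(g) for g in groups]
        self.registers = [FeedbackShiftRegister(s) for s in seeds]
        self.tolerance, self.running = tolerance, False
        self.stored: List[int] = []                  # expected signatures (memory 14 / 34)

    def start(self) -> None:                         # start signal received
        for reg in self.registers:
            reg.state = reg.seed                     # assumed: boot seed reloaded per window
        self.running = True

    def stop(self) -> List[int]:                     # stop signal: values become available
        self.running = False
        return [reg.state for reg in self.registers]

    def feed(self, sample: Sequence[int]) -> None:   # one clock; sample[i] is signal i's bit
        if self.running:                             # outside the window nothing is captured
            for reg, group in zip(self.registers, self.groups):
                for idx in group:
                    reg.clock(sample[idx] & 1)

    def run_window(self, samples: Sequence[Sequence[int]]) -> List[int]:
        self.start()
        for s in samples:
            self.feed(s)
        return self.stop()

    def learn(self, samples: Sequence[Sequence[int]]) -> List[int]:
        self.stored = self.run_window(samples)       # known-good window -> stored signatures
        return self.stored

    def monitor(self, samples: Sequence[Sequence[int]]) -> Tuple[bool, List[int]]:
        """Steps 108 and 110: (alarm raised, indices of mismatching registers)."""
        if not self.stored:
            raise RuntimeError("no stored signatures loaded")
        sigs = self.run_window(samples)
        bad = [k for k, (sig, exp) in enumerate(zip(sigs, self.stored))
               if hamming(sig, exp) > self.tolerance]
        return bool(bad), bad


def constructed_window(flip: Optional[Tuple[int, int]] = None,
                       n_clocks: int = 64) -> List[Tuple[int, ...]]:
    """Constructed activity on three signals (not captured data); flip=(clock, signal)
    injects a single bit error, i.e. a silent data corruption."""
    x, out = 7, []
    for t in range(n_clocks):
        x = (x * 75 + 74) % 65537                    # small LCG driving a data line
        row = [t & 1, 1 if (t // 8) % 2 == 0 else 0, x & 1]
        if flip is not None and flip[0] == t:
            row[flip[1]] ^= 1
        out.append(tuple(row))
    return out
```

Because the register is linear in its input and its transition is invertible, any single flipped bit inside the window changes the final signature whatever the seed, so a zero tolerance catches it in every scenario.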
In the embodiments described above a filter array 5, 24 is used to filter the signals to an appropriate temporary memory store. However, it may be desirable to use an alternative approach to filter the signals, for example, implementing a software filter function or using a mask comprising a Boolean array. Whilst the temporary memory store is preferably a pre-initialised feedback shift register, other types of temporary memory may be implemented as required. For temporary memories that are not used to generate PRBS signatures, other signature generation techniques, such as hashing, may be used.
The integrated chip signature generator and monitor 1, 20 and method 100 in accordance with the embodiments of the present invention have a wide variety of possible applications within a System-on-Chip device. Since the integrated chip signature generator and monitor 1, 20 is simple and does not require any specific test logic or special mode of operation, it may be used throughout an SoC environment. For example, it may be employed to monitor bus communications, such as transactions between blocks on the integrated chip, to determine access to a region of the integrated chip (address monitoring), and to determine whether or not a malicious agent (viruses or malware) has corrupted data or that data has been otherwise compromised, both within the SoC itself and any system in which it operates. The non-intrusive nature of the integrated chip signature generator and monitor 1, 20 and boot up configuration are also advantageous, enabling the monitoring and signature generation to take place during the normal mode of operation of an SoC device.