Since equipment for security testing is usually expensive, negative checks can be done to validate and ensure SoC security.
Supply voltages can be tweaked to perturb the device and security modules. Tampering with the voltage should have no effect on the operation of the device. These scenarios can be tried:
The SoC supports different types of asynchronous events such as non-maskable interrupts, changes in power mode, etc. Testing these asynchronous events is critical for validation of security engines. For example, trigger a low-power mode request while a secure operation is ongoing, then return to normal. There should be no leakage of secure data.
The next step is to apply async events at different intervals of the secure operation. This helps confirm that no secure data or secure keys leak due to events at random intervals or random power loss. This sweeping can be tried during secure booting, encryption/decryption, signature generation/verification, etc.
Figure 2: Asynchronous event generation at varying intervals during secure operation.
Asynchronous events can be generated at different time intervals in different power cycles or in the same power cycle, and the time window for generation of these events can be increased or decreased.
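The sweep described above, sketched as an added example that is not part of the original article: `SimulatedDut`, `run_with_event`, the planted flaw window and the test key are all constructed stand-ins for a real bench, chosen to show why the injection step has to be decreased before a sweep can be called clean.

```python
from dataclasses import dataclass

KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed test key


@dataclass
class SimulatedDut:
    """Constructed stand-in for the SoC under test (not a real bench API).

    Planted defect: a low-power request arriving in [flaw_start, flaw_end)
    microseconds skips the scratch-RAM wipe, leaving key bytes readable.
    """
    op_len_us: int = 1000
    flaw_start: int = 412
    flaw_end: int = 419

    def run_with_event(self, offset_us: int) -> bytes:
        """Fresh power cycle: start the secure operation, raise the async
        event at offset_us, resume, return the non-secure view of scratch RAM."""
        wiped = not (self.flaw_start <= offset_us < self.flaw_end)
        return bytes(16) if wiped else b"\xff" * 4 + KEY[4:]


def leaks(dump: bytes, secret: bytes, min_run: int = 4) -> bool:
    """True if any min_run consecutive bytes of the secret appear in the dump,
    so partial key exposure is caught as well as a full copy."""
    return any(secret[i:i + min_run] in dump
               for i in range(len(secret) - min_run + 1))


def sweep(dut: SimulatedDut, step_us: int) -> list[int]:
    """Inject the event at every step_us offset across the whole operation,
    one power cycle per offset; return the offsets where a leak was observed."""
    return [t for t in range(0, dut.op_len_us, step_us)
            if leaks(dut.run_with_event(t), KEY)]


if __name__ == "__main__":
    dut = SimulatedDut()
    for step in (50, 10, 1):
        print(f"step={step:>2} us -> leaking offsets: {sweep(dut, step)}")
```

On a real bench, `run_with_event` would be replaced by the lab's own power-cycle, trigger and memory-readback hooks, and the sweep repeated for each secure operation (boot, encryption/decryption, signature generation/verification).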
Security validation can never be considered 100 per cent complete. There will always be some other way to perturb the device, possibly leaking secure information. Always try to do the opposite of what the security spec says. While validating security, the purpose shouldn’t be to check if the device is working properly, but how to break it.