A method to conceal true NV memory updates through feigned updates with no additional NV memory wear
Publication Date: 2014-Jul-14
The IP.com Prior Art Database
Franciscus M. Vermunt: INVENTOR [+7]
This method provides the means to conceal true updates of NV memory through feigned updates without increasing wear of NV memory
Page 01 of 4
Title: A method to conceal true NV memory updates through feigned updates with no additional NV memory wear
Franciscus M. Vermunt
Philippe M. Cau
Joachim C. H. Garbe Sönke Ostertun Maurits M. N. Storms Erik M. van Bussel Stefan Lemsitzer
Abstract: This method provides the means to conceal true updates of NV memory through feigned updates without increasing wear of NV memory.
Non-volatile (NV) memory storage is subject to wear as result of data updates, which in turn limits the possible number of updates.
For secure products it is essential that the actual behavior of the product cannot be observed on the outside under any circumstance, e.g. by avoiding certain energy consumption or EMI or activity patterns during an NV data update.
State of the art is to do that by interleaving relevant data updates with very frequent irrelevant data updates. The resulting update frequency can be such that it easily exceeds the guaranteed update limits of NV memory, typically resulting in corrupted data that is damaged beyond repair.
An example is a smartcard attack counter that is used to disable the smartcard after a number of attacks. The actual update of this counter shall not be observable on the outside because if known when to manipulate it, this can prevent the smartcard from being disabled. Observation of the actual update can be obscured by regularly updating the counter in an irrelevant ('false') way such that a relevant ('true') update cannot be observed. If the counter is updated more often than allowed by the NV memory then the counter value cannot be trusted anymore.
Problem is that a regular frequent update pattern of updates will quickly update NV memory more often than is allowed according to its specification, which can and ultimately will damage the data and make it unusable.
The proposed method offers the same regular frequent update pattern without the excessive wear that damages the data in the end.
Page 02 of 4
A mechanism to update NV memory that does not distinguish between a true and a false update except for the actual data update, does not wear our NV memory. At least not in the same way as a large number of true updates do. It also prevents any external observer, e.g. an attacker, from extracting any piece of information to build an understanding of an update with the purpose of influencing it.
Any update of data in NV memory consists of three distinct activities:
1) Erasing the location in NV memory to be updated.
2) Preparing NV memory for the actual update by setting up representative data to write (typically by writing to a page register).
3) Program the update at the right location in NV memory.
Erase and program of NV memory require high voltages (relative to the ones during read-only use), which are generated by special on-chip charge pumps. The energy required by these charge pumps can easily be recognized when observing the energy pattern of NV memory during use.
The key limitation of an...