Ibrahim Mezzah, Omar Kermia
Centre for Development of Advanced Technologies, Algiers, Algeria
imezzah, okermia@cdta.dz

Hamimi Chemali
Ferhat Abbas University, Setif, Algeria
chemalih@univ-setif.dz

Omar Abdelmalek, Vincent Beroulle and David Hély
Grenoble Institute of Technology, Valence, France
firstname.lastname@lcis.grenoble-inp.fr
Abstract—In this paper, we propose a new RFID tag monitoring approach, based on adding an infrastructure circuit to simultaneously monitor and save faulty tag behaviour, in order to enable the implementation of advanced RFID diagnosis functions and mainly to reinforce tag security against fault attacks. The added infrastructure circuit is essentially composed of hardware assertions exclusively devoted to on-line fault detection on the tag. Saved information about detected faults can then be read using RFID readers. Our approach is initially evaluated and implemented in a developed tag emulator platform based on an FPGA board, then thoroughly exercised to demonstrate its valuable contribution to diagnosis means. Experimental results, obtained via a random fault injection mechanism, show the effectiveness of the proposed approach.

Keywords—RFID; EPC UHF Class1 Gen2; On-line fault detection; Diagnosis; Security; Fault attack.

I. INTRODUCTION

Nowadays, Radio Frequency Identification (RFID) is widely deployed in a vast range of applications including supply chain management, access control, identity recognition, passports, localization, wireless sensor networks and many more important applications.

Like any electronic device, an RFID tag is subject to faults and errors due to internal defects or external disturbance. A defective tag leads to RFID detection and identification failures and thus degrades the availability, the reliability and the safety of the whole RFID system [1]. However, security and privacy are the major factors that interest the RFID community. There is a serious menace for RFID systems delivered by malicious attacks that cannot be caught and then may lead to disastrous consequences on people's lives. RFID tags are vulnerable to fault injection attacks through several means like power variation, electromagnetic interference and optical induction, which force the tag to perform inaccurate behaviours like jumping a cryptographic task or buck in a secured state and finally delivering secured data [2] [3]. Although important efforts have been deployed to improve RFID systems reliability and security, much more research is still needed to meet the ever increasing fault sources.

In this paper, we propose a new approach which consists of adding an infrastructure circuit to an RFID tag chip in order to enable advanced diagnosis within RFID systems by monitoring and saving faulty tag behaviours, on the one hand, and to increase the tag security against fault attacks, on the other hand. Hardware checkers which permit on-line fault detection on the tag circuit are the main element of the extra infrastructure circuit. Some of these checkers are provided by the OVL library (Open Verification Library) whereas other needed ones are to be designed to monitor tag state machine transitions. The faults detected by checkers are counted and saved within the tag memory. Then, reading this specific information is possible through an RFID reader and consequently diagnosis could be developed.

Such an approach has several benefits for RFID systems, as summarized in the following points:

• The added infrastructure circuit feeds back the number of detected faults within the tag; if this number is not zero, this indicates that either the tag is defective or that there is an external cause that influences the operation of the tag.

• Existing methods allowing the detection of tag defects and the diagnosis of failures of RFID system components are based essentially on reader results [4] [5]. The proposed approach, however, provides more information by delivering the number of detected faulty tag behaviours and therefore permits a better diagnosis of RFID systems.

• The present approach allows detecting faults produced by fault attacks and thereafter permits two actions: 1) Securing the tag against this type of attack by resetting the tag function when a suspect behaviour is detected. This action constitutes an efficient way to prevent an adversary from capturing any useful information from the tag or introducing undesired modification within it. 2) Saving incorrect tag behaviours in the tag memory, which would permit the owner of the tag to access the saved information and identify whether the tag has been subjected to fault attacks.

• The integration of sensors into semi-passive RFID tags is becoming widely used in Wireless Sensor Networks (WSN) [6]. In order to keep a WSN application running accurately, it is essential to detect failed sensor
In this field, we have used assertions for on-line fault

Fig. 2. Hardware assertions based proposed self monitoring tag.
Authorized licensed use limited to: University of Szeged. Downloaded on February 13,2023 at 17:32:53 UTC from IEEE Xplore. Restrictions apply.
TABLE I. TYPE OF USED ASSERTIONS

Assertion checker type   Assertion number   Assertion name (figure 2)
ovl_always               3                  c2, c4 and c5
ovl_one_hot              1                  c9
FSM checker              2                  c12 and c13

Among the implemented checkers, eleven are OVL checkers used to control the main tag signals, composed of synchronous frame reception, emission and tag state transition. The OVL checker types used have been selected to monitor the whole tag behaviour. For example, tag functionality is organized in three phases: the frame reception or waiting, the frame processing and finally the response transmission; the main signals that deal with these phases are checked by the c9 checker “ovl_one_hot” to detect any overlapping phase.

Nevertheless, as the synthesizable checkers of the OVL library do not enclose the total reliability aspects that we aim to cover in the RFID tag, we developed two other checkers (c12 and c13) in order to monitor two relevant FSMs [18]. As shown in figure 2, the first FSM checker c12 is implemented in the PIE (Pulse-Interval Encoding) decoder block; its role is to monitor Symbol FSM transitions in order to detect any false transition in this state machine. The diagram of figure 3 illustrates true and false symbol FSM transitions.

[Figure: symbol FSM state diagram; labels: S0, S1, Tag input = ‘0’, ‘0’, ‘1’, X, True transition]

[Figure: timing diagram; labels: clk, Tag input (0 1 0 1), One symbol]

The second FSM checker c13 is devoted to monitoring Tag FSM transitions. Indeed, there is an important need to monitor this state machine because it controls a large part of the tag. Figure 5 illustrates the activity of this checker: the previous tag state is saved in an 8-bit register for each clock period, and then decoded to identify the expected states; an error signal is activated if the current tag state does not correspond to any expected state. Unlike the c12 checker, transition condition checking is not added in the c13 checker since there are several signals with a length of 250 bits that control the tag state transition; notice that adding the check of the transition condition in this case increases the checker size considerably. However, the error coverage of this checker remains high (96.42%).

[Figure: Tag FSM checker (c13); labels: clk, Tag state (8-bit), 8-bit register, Current tag state, Next tag state, Previous state, Decode, Combinational logic, Expected states, Compare, Error, Transition related signals (250 bits)]

Fig. 5. Tag FSM checker activity.
TABLE II. RFID TAG AREA OCCUPATION ON SPARTAN-3E FPGA BEFORE AND AFTER IMPLEMENTATION OF ON-LINE FAULT DETECTION

Circuit          Area occupation
                 LUTs      Flip Flops
Area increase    15.23%    12.33%

In order to evaluate the proposed monitoring approach we have used the experimental platform illustrated in figure 6. It is composed of the three following elements:

1) Xilinx Spartan-3E Starter Kit: FPGA development board, used to implement the developed tag circuit.

2) Front-end module: it permits reception and transmission of the UHF signal through its antenna. It is connected to FPGA I/O pins to form the UHF RFID tag emulator platform.

3) LinkSprite RFID UHF Gen2 reader: used to communicate with the tag emulator for performing both read and write operations. It connects to a PC via a USB interface so that the associated software can be used to change configuration parameters and communicate with existing tags.

Fig. 6. Experimental platform.

To evaluate the fault detection capability of the developed infrastructure, we have used the fault injection approach presented in [19]. This approach is based on a VHDL fault injection technique that adds a fault injection block at RTL level (Register-Transfer Level) to allow time and space pseudo-random fault injection in several targeted signals. By these means, it is possible to inject permanent or transient faults according to the case study. Thus, it allows simulation and emulation of multiple physical faults, where SEU (Single Event Upset) is essential for the present case. This fault injection method is used with some added features to enable fault injection on selected main tag signals directly connected to the checkers’ inputs. Figure 7 illustrates fault injection actions for a formed 24-bit vector.

[Figure: labels: Signal n; Signal 1_f, Signal 2_f, Signal 3_f; Fault activation logic (time pseudo-random); enable; 1 0]

Fig. 7. Fault injection block overall operation.

The fault injection module is instantiated in VHDL in the developed tag circuit; recall that the other added logic is exclusively devoted to building a complete fault emulation platform. This added logic should provide useful information about injected and detected faults. After instantiation of the fault injection block, circuit implementation is completed via the standard procedures of launching the translate, place and route processes and finally loading the generated configuration file on the FPGA using Xilinx ISE.

Monitoring circuit evaluation has been carried out through numerous experiments where 2051 faults have been injected. An experiment starts by launching the tag scan process by the RFID reader during several seconds. The fault injection with a rate of 0.006% is automatically activated during communication while the tag is running. During fault injection, only one fault is injected randomly in one bit within the signals vector by inverting its value. When the scan process is stopped, fault injection is automatically halted and then results are collected in two ways:

a) The number of faults detected by assertion checkers is obtained through the RFID reader by reading data stored at the top address (07h) of tag User memory as shown in figure 8.

b) The number of total injected faults and the number of real detected faults are obtained through 8 LEDs of the FPGA board with the aid of on-board switches by multiplexing internal data.

This experimental phase is carried out with the tag reset on error detection disabled; disabling this option allows observing the tag behaviour and all faults detected by checkers. The obtained results are given in table 3. We see that the total number of faults detected by the implemented checkers is 3358, knowing that one injected fault can produce multiple errors and therefore numerous fault detections by checkers. For this reason, we also give in the same table the actual number of detected faults, which is around 73% of the 2051 faults initially injected. The actual detected faults number includes the injected faults which have not been missed by checkers. This percentage represents the fault coverage of all implemented checkers, while fault coverage differs between different checkers. Note that some undetected faults are masked and do not have any effect on the tag behaviour, leading them to be missed by checkers.
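The Tag FSM checker (c13) and the single-bit inversion campaign described above can be modelled in software to see why a checker without transition-condition checking misses some upsets, and why the number of checker flags exceeds the number of detected faults. The following Python model is an added example, not the paper's VHDL: state names follow EPC Gen2, while the binary state codes, the simplified successor table and the trace are assumptions made for illustration.

```python
# Added example: software model of a "previous state -> expected states" checker.
# State names follow EPC Gen2; the binary codes in an 8-bit register and the
# simplified successor table are assumptions, not the paper's tag design.
READY, ARBITRATE, REPLY, ACKNOWLEDGED, OPEN, SECURED, KILLED = range(7)

EXPECTED = {  # decoder: previous state -> set of legal current states
    READY:        {READY, ARBITRATE, REPLY},
    ARBITRATE:    {READY, ARBITRATE, REPLY},
    REPLY:        {READY, ARBITRATE, REPLY, ACKNOWLEDGED},
    ACKNOWLEDGED: {READY, ARBITRATE, REPLY, ACKNOWLEDGED, OPEN, SECURED},
    OPEN:         {READY, ARBITRATE, OPEN, SECURED, KILLED},
    SECURED:      {READY, ARBITRATE, SECURED, KILLED},
    KILLED:       {KILLED},
}


class TagFsmChecker:
    """Latches the state every clock and flags an unexpected successor."""

    def __init__(self, reset_state=READY):
        self.prev = reset_state
        self.error_count = 0  # counterpart of the fault counter kept in tag memory

    def clock(self, current):
        # An invalid previous code decodes to no expected state at all.
        error = current not in EXPECTED.get(self.prev, set())
        self.error_count += int(error)
        self.prev = current
        return error


def run(trace, fault=None):
    """Check a state trace; fault=(cycle, bit) inverts one bit of one sample."""
    checker = TagFsmChecker(trace[0])
    for cycle, state in enumerate(trace[1:], start=1):
        if fault is not None and fault[0] == cycle:
            state ^= 1 << fault[1]  # transient single-bit upset
        checker.clock(state)
    return checker.error_count


def sweep(trace):
    """Inject every single-bit fault once; return (injected, detected, flags)."""
    injected = detected = flags = 0
    for cycle in range(1, len(trace)):
        for bit in range(8):
            n = run(trace, (cycle, bit))
            injected += 1
            detected += int(n > 0)
            flags += n
    return injected, detected, flags


# Constructed fault-free trace: one inventory and access sequence.
TRACE = [READY, ARBITRATE, REPLY, ACKNOWLEDGED, OPEN, SECURED, READY]

if __name__ == "__main__":
    print(sweep(TRACE))  # (48, 43, 73)
```

On this constructed trace, 43 of the 48 injected inversions are flagged and they raise 73 checker flags; the five escapes are flips that land on a state the decoder already expects, such as ACKNOWLEDGED going straight to SECURED.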
[Figure: reader software screenshot; labels: Faults number detected by OVL checkers, Faults number detected by FSM checkers]

Fig. 8. Reading detected faults numbers with RFID reader functions.

TABLE III. FAULT DETECTION EFFECTIVENESS

Assertion type   Injected faults   All detected faults   Actual detected faults
                                                         Number    Percentage
FSM checkers     2051              1542                  1011      49.29%
OVL checkers     2051              1816                  492       23.98%
Total            2051              3358                  1503      73.28%

From the implementation of the proposed approach, it results that a 15% tag area increase due to the checkers allowed up to 73% fault coverage; the latter may be enhanced by adding more checkers to the circuit, but at the cost of a considerable total area increase. Indeed, it should be emphasised, at this stage, that enhanced error coverage with a minimum added area should be investigated.

V. CONCLUSION

In this paper, a new self-monitoring capability of an RFID tag chip, based on an added infrastructure circuit, is presented. The goals targeted by integrating this feature into the RFID tag are twofold: building enhanced diagnosis means within RFID systems and reinforcing tag protection against fault attacks. The added infrastructure comprises several hardware blocks and OVL checkers. The fault detection number, saved in internal tag memory, can then be read or reset through any RFID reader.

The proposed approach has been implemented and tested with a developed tag architecture based on finite state machines very compatible with the EPC UHF Gen2 RFID standard. A tag emulation platform, based on an FPGA board, has been used to evaluate the fault detection capabilities of the proposed approach by building hardware random fault injection techniques. Experimental results have shown that 73.28% of the injected faults have been detected.

In future work, we plan to study the effectiveness of our approach to protect the tag against fault attacks by considering real attack conditions and environments. We also plan to implement new checkers for the tag software parts for monitoring program execution flows and in consequence improve security.

REFERENCES

[1] C.-T. Huang et al., “Construction of an Online RFID Enabled Supply Chain System Reliability Monitoring Model,” International Symposium on Computer, Consumer and Control, June 2012, IEEE, pp. 626-629.

[2] M. Hutter, J.-M. Schmidt, and T. Plos, “RFID and Its Vulnerability to Faults,” Cryptographic Hardware and Embedded Systems, pp. 363–379, 2008, Springer Berlin Heidelberg.

[3] M. Hutter, S. Mangard, and M. Feldhofer, “Power and EM Attacks on Passive 13.56MHz RFID Devices,” Cryptographic Hardware and Embedded Systems, pp. 320-333, 2007, Springer Berlin Heidelberg.

[4] G. Fritz, V. Beroulle, M. D. Nguyen, and D. Hély, “RFID system on-line testing based on the evaluation of the tags Read-Error-Rate,” Journal of Electronic Testing, 2011, Vol. 27, Issue 3, pp. 267-276, Springer.

[5] R. Kheddam et al., “Online monitoring and diagnosis of RFID readers and tags,” 20th International Conference on Software, Telecommunications and Computer Networks, Sept. 2012, IEEE, pp. 1-9.

[6] A. Ruhanen, M. Hanhikorpi, F. Bertuccelli et al., “Sensor-enabled RFID tag handbook,” BRIDGE, IST-2005-033546, January 2008.

[7] M. Aliouat, Z. Aliouat, and M. Naidja, “Adaptative nodes diagnosis and recovery for Wireless Sensor Networks,” IEEE Symposium on Computer Applications and Industrial Electronics, Dec. 2012, IEEE, pp. 256-261.

[8] Y. Tao, “An introduction to assertion-based verification,” IEEE 8th International Conference on ASIC, October 2009, IEEE, pp. 1318-1323.

[9] M. Boulé, and Z. Zilic, “Incorporating Efficient Assertion Checkers into Hardware Emulation,” IEEE Intl. Conference on Computer Design, 2005, pp. 221-228.

[10] “Accellera Standard OVL V2 Library Reference Manual,” Accellera Systems Initiative Inc., CA, USA, January 2013, accellera.org.

[11] M. Boule, J.-S. Chenard, and Z. Zilic, “Assertion checkers in verification, silicon debug and in-field diagnosis,” 8th International Symposium on Quality Electronic Design 2007, pp. 613-620, Washington, DC, USA, IEEE, 2007.

[12] M. Riazati, S. Mohammadi, A. Afzali-Kusha and Z. Navabi, “Improved Assertion Lifetime via Assertion-Based Testing Methodology,” International Conference on Microelectronics, IEEE, 2006, pp. 48-51.

[13] P. Kubalik, P. Fiser, and H. Kubatova, “Fault tolerant system design method based on self-checking circuits,” 12th IEEE International On-Line Testing Symposium, IEEE, 2006, pp. 2-pp.

[14] M. Boule, and Z. Zilic, “Incorporating efficient assertion checkers into hardware emulation,” International Conference on Computer Design, 2005, IEEE, pp. 221-228.

[15] Katell Morin-Allory, Dominique Borrione, “Proven correct monitors from PSL specifications,” DATE, Germany, 2006, pp. 1246-1251.

[16] M. R. Kakoee, M. Riazati et al., “Enhancing the testability of RTL designs using efficiently synthesized assertions,” 9th International Symposium on Quality Electronic Design, IEEE, 2008, pp. 230-235.

[17] “EPC Radio-Frequency Identity Protocols Class-1 Generation-2 UHF RFID, Protocol for Communications at 860 MHz – 960 MHz,” Version 1.2.0, October 2008, EPCglobal Inc., gs1.org.

[18] C. Bolchini et al., “Design of VHDL-based totally self-checking finite-state machine and data-path descriptions,” IEEE Transactions on Very Large Scale Integration Systems, vol. 8, no. 1, pp. 98-103, Feb. 2000.

[19] S. R. Seward, and P. K. Lala, “Fault injection for verifying testability at the VHDL level,” International Test Conference, 2003, pp. 131-137.