Full Ebook of Cad For Hardware Security 1St Edition Farimah Farahmandi Online PDF All Chapter
Farimah Farahmandi
M. Sazadur Rahman
Sree Ranjani Rajendran
Mark Tehranipoor
© The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland
AG 2023
This work is subject to copyright. All rights are solely and exclusively licensed by the Publisher, whether
the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse
of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and
transmission or information storage and retrieval, electronic adaptation, computer software, or by similar
or dissimilar methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors, and the editors are safe to assume that the advice and information in this book
are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or
the editors give a warranty, expressed or implied, with respect to the material contained herein or for any
errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional
claims in published maps and institutional affiliations.
This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Farimah Farahmandi would like to dedicate
this book to her Parents: Fatemeh
Hashmei-Kashani and Mohammad
Farahmandi, Sisters: Farzaneh Farahmandi
and Fargol Farahmandi, Friends: Roshanak
Mohammdivojdan and Masi Rajabi for their
constant support in my up and down times.
M Sazadur Rahman would like to dedicate
this book to his parents-Ghulmaur Rahman
and Shamima Rahman, wife-Tasnuva
Farheen, siblings-Shaikhur Rahman and
Sabrina Rahman, friend-Adib Nahiyan for
their constant support, encouragement, and
effort whenever he needed.
Sree Ranjani Rajendran would like to
dedicate this book to her daughter Tanusree.
S, Parents: A. R. Rajendran and R.
Thilagavathy, sibling: R. Rajpradeep,
friends, and teachers for their
encouragement and constant support.
Mark Tehranipoor would like to dedicate
this book to his project sponsors.
Chapter 1
Introduction to CAD for Hardware Security
1.1 Introduction
We live in a world where embedded and Internet of Things (IoT) devices have
become a part of our daily lives. In addition to smart consumer products, electronic
system-on-chips (SoCs) are used in industrial automation solutions and military
and space applications. Over the last four decades, digital convergence has created
a demand for functionally complex integrated circuits (ICs) at mass-market costs
every six to nine months. As shown in Fig. 1.1, the number of IoT devices has
risen significantly to 30 billion in 2020 [58] in contrast to a human population
of eight billion, which boils down to, on average, four devices per person. VLSI
system-on-chip (SoC) designers face enormous challenges as VLSI technologies
grow in speed and shrink in size. Thus, billions of transistors are integrated into a
single chip with digital/analog circuits. SoC is a single unified structure integrated
with formerly individual microelectronic devices. The semiconductor industry has
made a profound technological development in modern electronic devices through a
system-level architecture. The main objective of SoC is to build a system through the
integration of pre-designed hardware and software blocks, often collectively known
as intellectual properties (IPs). Based on the target specification, the SoC integration
team collects the IPs either from in-house or third-party vendors and assembles them
as a target device. The behavior of a design is involved in the operations of IPs and
the communication of IP interface providers in the context of SoC design. High
SoC integration is achieved through advances in IC process technology, computer-
aided design (CAD) tools, and system-level IP blocks. The primary purpose of
component integration in SoC products is to reduce costs, improve performance,
and reduce time to market. System reliability and low power dissipation are some
of the other advantages of SoC integration. However, SoC design integration is
not straightforward, and many challenges arise while meeting tight time-to-market
deadlines. The facets of complexity in today’s SoCs are functional complexity and
architectural and verification challenges.
[Fig. 1.1 (image not reproduced): 8 billion people, 30 billion electronic devices]
[Fig. 1.2 (image not reproduced). Threat panels: Network Security (denial of service, man-in-the-middle attacks, phishing/spoofing attacks, social engineering); Information Security (corruption, leakage, unavailability); Software Security (IP theft/piracy, privilege escalation, man-in-the-middle, malware, denial of service); Hardware Security (IP theft/piracy, hardware trojan, reverse-engineering, cloning/overproduction, side-channel attack, fault-injection attack, privilege escalation). Device labels: software, storage, smart car, PDA, IC, electronic hardware, wearables, modem/router, computers, smart home, servers]
Fig. 1.2 The spectrum of hardware security threats at various user application levels [4]. The
overall threats to hardware security can be categorized as network-, information-, software-,
and hardware-related threats
Fig. 1.3 Several events of hardware security breaches in the last five years. These threats span from
hardware trojan to IP theft and remote attacks, which make user data and credentials insecure
malware every time they booted up due to a small malicious chip in the motherboard.
Though the attack was initiated in 2014, this incident was not publicly exposed
until 2018. Supermicro’s motherboards are used in data centers of NASA, US
Navy, DoD, CIA, Amazon, Apple, etc. Very recently, Bloomberg reported another
incident [45] where an insider engineer from ASML, the largest company for
manufacturing lithography equipment that shrinks and prints transistor patterns onto
silicon wafers, stole intellectual property and fled to a different country. Another
recent incident [65] shows that attackers can exploit network security to unlock and
start a smart car in seconds without requiring any key. All these current threats to
the electronic hardware supply chain raise the security concern about personal data
and credentials stored in these potentially suspicious devices.
Possible hardware attacks such as side-channel attacks, exploitation of Test/Debug
infrastructure, fault injection, information leakage, and malicious hardware
known as Hardware Trojans (HT) can also be potentially detected using CAD
tools [5]. Such hardware attacks must be carefully addressed due to their possible
impact on the hardware and the underlying software and firmware. Based on a
common vulnerability exposure (CVE-MITRE) [37] report, the overall system
Figure 1.4a, b shows the various stages of the SoC and security development
life-cycle. In any SoC design, IPs developed by different IP vendors, known as
third-party IP (3PIP) vendors, are integrated, synthesized using CAD tools, and
fabricated. The end products are used in many applications, including the internet
of things (IoT), cyber-physical systems (CPS), and embedded computing systems.
...
[Fig. 1.4a (image not reproduced). Stage labels: 3rd party IP; SoC Integrator; Synthesis, DFT & DFF; Physical Layout; Fabrication; End product. (a) SoC Development Lifecycle]
Fig. 1.4 SoC development life-cycle alongside the SoC security development life-cycle (SDL)
An SoC used in any such system should be verified and validated for hardware and
software security threats. However, the design complexity of modern SoC chips
makes verification a bottleneck problem, and the chip manufacturing companies are
utilizing more than 70% of efforts and resources to ensure the correctness of the
chip design in all aspects of performance, functionality, timing, and reliability [13].
On the other hand, the verification techniques were expected to provide the required
security against hardware bugs or vulnerabilities in the life-cycle of the SoC. The
hardware bugs are more challenging because patching is not always possible at
any level of abstraction and results in persistent/permanent denial-of-service, IP/IC
leakage, or exposure of assets to untrusted entities. However, the semiconductor
industry has taken extensive measures to provide security assurances with the
existing simulation, emulation, and formal verification techniques to detect or
prevent hardware bugs in the design. On the contrary, the security development life-
cycle starts from product conceptualization and definition, as shown in Fig. 1.4b.
Later it performs threat modeling, secure architecture development and deployment,
design review, testing, and critical incident response.
[Fig. 1.5 (image not reproduced). Asset categories: Primary Asset (high priority protection); Secondary Asset (supports primary assets, e.g., shared bus); Static Asset (stored in SoC: key, password, firmware, etc.); Dynamic Asset (generated in run-time, e.g., on-chip generated key, true random numbers, etc.)]
Fig. 1.5 Classification of security assets in an SoC [14]. Assets in an SoC are classified based on
their abstraction level and adversarial intention
CAD tools play a vital role in the rapid increase of SoC design complexity. The
full span of design flow utilizes CAD tools: High-level synthesis (discussed in
Chap. 12), Verification (discussed in Chap. 9), Logic Synthesis, Placement and
Routing, Static Timing Analysis, Post-Silicon Validation, and Manufacturing Testing.
Figure 1.6 describes how CAD tools are utilized for synthesizing, analyzing,
and testing the SoC design flow. CAD tools may be used in behavioral, RTL,
FPGA, Logic, physical, and DSP synthesis, and while optimizing, CAD tools can
perform transistor sizing, process variation, and statistical design. While analyzing
an SoC design for threats, CAD tools may perform as checkers and verifiers. The
checkers do a design rule check (DRC) to ensure that the designers do not violate
design rules to achieve a high overall yield and reliability for the design. Electric
rule check (ERC), netlist compare, ratio checker, fan-in/fan-out checker, and power
checkers are applied to check the correctness of the design to meet the specification.
However, verifiers will check/verify the condition explicitly specified as part of
the design. Verifiers are of two types: timing verifiers and functional verifiers. Timing
verifiers optimize the circuit performance by determining the longest delay path and
also checking for a correct clock cycle. Functional verifiers are symbolic checkers,
which compare the symbolic description of the circuit functionality with the behavior
derived from its individual parts. However, in both cases, checkers ensure that rules meet the
design specification. The CAD tools also act as testers by generating suitable
automatic test patterns to test the design, which is done by automatic test pattern
generation (ATPG) and design-for-test (DFT).
Synopsys, Mentor, and Cadence are the three major commercial CAD tool
vendors; Fig. 1.8 shows the usage of their CAD tools in various stages of the SoC
design flow. Besides these tools, open-source tools also exist, in a vast and
vibrant ecosystem. However, post-silicon validation tools are not common, and
only Mentor Graphics has Tessent.
Fig. 1.6 Steps in semiconductor design where CAD tools are used, such as synthesis, analysis,
and testing in the SoC design flow
1.2 CAD Tools in SoC Supply Chain
This section describes how CAD tools play a significant role in the supply chain
challenges of the SoC life-cycle and various possible hardware threats associated
with each stage. Due to globalization, the SoC development cycle is distributed
globally, and the possibility of adding/embedding threats to the design increases. As
a result, the end-users and IC manufacturing industries lose trust in their products.
The significance of commercially available and newly developed CAD tools in
hardware security is highlighted below.
• With the exponential growth in design complexity and the number of potential
attack surfaces, the effort required to secure electronic circuits tends to grow
drastically. Therefore, there is only one way to address the mismatch between
demand and supply to ensure hardware security: to improve the qualitative
security that these CAD tools can offer. Qualitative security means that the CAD
tools not only perform design implementation, optimization, verification, and
testing as mentioned at the beginning of Sect. 1.2 but also ensure that the
underlying electronic circuit meets the security requirements as discussed in
Sect. 1.1.3.
• Using CAD tools can ensure that hardware security requirements can be assessed
and addressed (when required) during the design and implementation stage of
the semiconductor supply chain. It is more suitable to detect any vulnerability
in the design at the early stage, for instance, RT-level, than in later stages,
such as physical layout. As presented in Fig. 1.6, CAD tools are already used
throughout the different stages of the SoC design flow for various tests, checks,
and verification tasks. For example, logical equivalency is checked between the
input and output of any synthesis step to ensure functional similarity during the
flow. If the security requirements mentioned in Sect. 1.1.3 can be broken down
into tangible rules and checks, then those can be verified during the design flow
using CAD tools, and scalable hardware security can be ensured.
• Researchers have proposed several solutions [4] to meet hardware security requirements.
However, their practical usage is severely challenged because they are ad hoc
in nature and suffer from a lack of automation, implementation overhead, and limited scalability.
The use of CAD tools can bring enhanced productivity, scalability, and reduced
turnaround times with minimal cost to meet security requirements in the supply
chain.
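The logical-equivalence check mentioned in the list above, as an added example (not code from the book or from any CAD vendor): a golden full-adder netlist is compared exhaustively, after each transformation step, against two constructed netlists, one legitimately restructured and one carrying extra logic that changes an output on a single input pattern. The netlist format, step names and sample circuits are assumptions made for illustration; production equivalence checkers use SAT or BDD engines rather than enumeration.

```python
from itertools import product

# Minimal gate library (assumed for this example, single-bit values only).
GATES = {
    "AND": lambda a, b: a & b,
    "OR": lambda a, b: a | b,
    "XOR": lambda a, b: a ^ b,
    "NOT": lambda a: a ^ 1,
}


def netlist(inputs, outputs, gates):
    """A netlist is a dict; gates are (output_net, gate_type, input_nets) in topological order."""
    return {"inputs": inputs, "outputs": outputs, "gates": gates}


# Constructed sample: golden (reference) full adder.
GOLDEN = netlist(["a", "b", "cin"], ["sum", "cout"], [
    ("t1", "XOR", ("a", "b")),
    ("sum", "XOR", ("t1", "cin")),
    ("t2", "AND", ("a", "b")),
    ("t3", "AND", ("t1", "cin")),
    ("cout", "OR", ("t2", "t3")),
])

# Constructed sample: restructured by "synthesis" (majority-form carry), same function.
OPTIMIZED = netlist(["a", "b", "cin"], ["sum", "cout"], [
    ("u1", "XOR", ("b", "cin")),
    ("sum", "XOR", ("a", "u1")),
    ("u2", "AND", ("a", "b")),
    ("u3", "AND", ("a", "cin")),
    ("u4", "AND", ("b", "cin")),
    ("u5", "OR", ("u2", "u3")),
    ("cout", "OR", ("u5", "u4")),
])

# Constructed sample: golden logic plus extra gates that invert `sum`
# for exactly one input pattern (the kind of added logic item 2 below describes).
TAMPERED = netlist(["a", "b", "cin"], ["sum", "cout"], [
    ("t1", "XOR", ("a", "b")),
    ("sum_i", "XOR", ("t1", "cin")),
    ("t2", "AND", ("a", "b")),
    ("t3", "AND", ("t1", "cin")),
    ("cout", "OR", ("t2", "t3")),
    ("k1", "AND", ("a", "b")),
    ("trig", "AND", ("k1", "cin")),
    ("sum", "XOR", ("sum_i", "trig")),
])


def simulate(nl, assignment):
    """Evaluate every gate once, in order, and return the primary output values."""
    values = dict(assignment)
    for out, kind, ins in nl["gates"]:
        if kind not in GATES:
            raise ValueError(f"unknown gate type: {kind}")
        values[out] = GATES[kind](*(values[i] for i in ins))
    return {o: values[o] for o in nl["outputs"]}


def check_equivalence(ref, impl, max_inputs=20):
    """Return every input vector on which the two netlists disagree ([] means equivalent)."""
    if sorted(ref["inputs"]) != sorted(impl["inputs"]) or \
            sorted(ref["outputs"]) != sorted(impl["outputs"]):
        raise ValueError("interface mismatch: primary inputs/outputs differ")
    if len(ref["inputs"]) > max_inputs:
        raise ValueError("too many inputs for exhaustive enumeration")
    counterexamples = []
    for bits in product((0, 1), repeat=len(ref["inputs"])):
        assignment = dict(zip(ref["inputs"], bits))
        want, got = simulate(ref, assignment), simulate(impl, assignment)
        diff = {o: (want[o], got[o]) for o in ref["outputs"] if want[o] != got[o]}
        if diff:
            counterexamples.append({"inputs": assignment, "diff": diff})
    return counterexamples


def first_failing_step(ref, steps):
    """Check the output of each step against its input; return the first step that breaks equivalence."""
    previous = ref
    for name, impl in steps:
        if check_equivalence(previous, impl):
            return name
        previous = impl
    return None


if __name__ == "__main__":
    flow = [("logic_synthesis", OPTIMIZED), ("physical_synthesis", TAMPERED)]
    print("first failing step:", first_failing_step(GOLDEN, flow))
    for cex in check_equivalence(GOLDEN, TAMPERED):
        print("mismatch at", cex["inputs"], "(expected, got):", cex["diff"])
```

The tampered netlist differs from the reference on one of eight vectors, which is why functional simulation with a handful of test patterns can miss what an equivalence check reports immediately.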
Figure 1.7 highlights the existing hardware security threats in the SoC life-cycle.
On the other hand, Fig. 1.8 shows different CAD tools from different vendors that
are used in the industry throughout the different steps of the SoC design flow. The
Fig. 1.7 Hardware threats in globally distributed supply chain on SoC life-cycle
following briefly explains the major hardware security threats from Fig. 1.7 and
the associated CAD tools used to exploit those threats.
1. IP Piracy: Intellectual property is an original design idea of any IC. The attacker
may steal the intellectual property of the design without the knowledge of the
designer [6, 25, 32, 38]. During the design phase, any synthesis, place, and route
CAD tools from Fig. 1.8 can be used to exploit these threats. Techniques to
mitigate IP piracy are discussed in Chap. 11.
2. Hidden Backdoor: A hidden backdoor consists of logic functions added to the design
that enable remote control of the IC, such that the adversary can access the
design when the IC is functioning [30]. The adversary can leak secret information
or create a malfunction in the design. Usually such threats are included
during the design synthesis or manufacturing phase. Hence, synthesis, place and
route CAD tools from Fig. 1.8 are mostly used to insert such vulnerabilities.
3. Reverse Engineering: IC reverse engineering is a process of identifying the
device functionality by extracting the gate-level netlist [35, 56]. The attacker may
reverse engineer either the end product or the GDSII layout of the design [10, 56].
Nowadays reverse engineering tools and techniques are available at lower cost
[9, 11], to steal or pirate a design (discussed in Chap. 15).
4. IC Overbuilding: The attacker in the foundry may overproduce the IC and sell
those illegally in the market [7, 48]. Overproduction does not necessarily require
any specific CAD tools. The GDSII shared with the foundry for fabrication is
good enough to build more chips than the contract and sell those in the open
market.
5. Counterfeiting: Counterfeit ICs are produced and distributed in the market
at a lower price without the knowledge of the original component manufacturer [30]
(discussed in Chap. 13).
[Fig. 1.8 (image not reproduced). Stage labels recoverable from the figure: High Level Synthesis, Functional Verification, Logic Synthesis, Post-synthesis Verification, Power and (label truncated), Security Verification, DFM, Post-Silicon Validation. Tools named: Vivado HLS, Stratus, LegUp, Bambu, Catapult C, VCS, ModelSim, NCSim, JasperGold, Incisive, Design Compiler, Genus, Precision, Yosys, Conformal LEC, Formality, PrimePower, Voltus, RedHawk, IC Compiler, Innovus, Xpedition, SigSeT, Tessent]
Fig. 1.8 The list of CAD tools used at different stages of SoC design flow
While CAD tools are an integral part of the modern SoC design flow, several
researchers explored the possibility of CAD tools inserting vulnerabilities in the
design unintentionally. The authors of [8] analyze IEEE P1735, which describes
methods for encrypting electronic-design intellectual property (IP) and managing
access rights, and highlight that the standard contains several cryptographic errors.
By exploiting the most egregious errors, the authors were able to recover the entire
plaintext IP. Padding-oracle attacks, for instance, are well-known attack vectors
exploited in [8]. As a result of the underlying IP being required to support typical
applications, new capabilities emerge, for instance, commercial system-on-chip
(SoC) tools that combine multiple IP pieces into a fully specified chip design. On the
other hand, in a black-box oracle approach an attacker can exploit various mistakes
made in a commercial SoC tool. As well as recovering plaintext IP, the authors of [8]
demonstrate how to create ciphertexts of IP that include targeted hardware Trojans
in a standard-compliant way.
Researchers have also shown that circuit design CAD tools can be leveraged
to insert and avoid detection of hardware trojans [47]. Figure 1.8 shows how
CAD tools are being used in the IC designs for the purpose of verifying the
security assurance of the chip. Due to scaling, the entire RTL to GDSII design
flow has moved from standalone synthesis, placement, and routing algorithms to an
integrated construction and analysis approach. Apart from the traditional functional
design implementation, optimization, and verification steps, the SoC design flow
must undergo security verification steps after every design transformation step, as
depicted in Fig. 1.8. These security verification steps ensure that the final GDSII is
free from any potential security vulnerabilities. Moreover, the effort and
resources required to identify and fix any security vulnerability increase multiple times as
the design moves from one abstraction level to another. Therefore, the subsequent
chapters of this book discuss how security vulnerabilities can be detected and
mitigated at the early stage of the SoC design flow.
Hardware validation is more challenging at the SoC level due to the stealthy nature
of the potential attacks and the diversity of vulnerabilities. EDA companies [20, 33]
face security challenges while designing SoC chips. Security challenges such as
design complexity, integration of third-party IPs, customized functionality, and
globally distributed supply chain are addressed using verification and validation
techniques of CAD tools. Figure 1.8 describes the usage of CAD tools in IC
chip design for verification and validation of security assurance. The evolution of
CAD tools results in compact electronic gadgets and systems, whereas the design
complexity challenges are also resolved to an extent. However, CAD tools used
in SDL will provide security assurance for most existing attacks. This book is a
collection of existing CAD techniques providing security assurance by validating
the security specifications.
The book is an attempt to cover the foundation of understanding CAD tools
used to enhance the security assurance of the hardware verification and validation
techniques. It presents a comprehensive summary of the threat models and attack
scenarios and describes the fundamental principles with highlighted research results.
The book systematizes the application of CAD tools to the SoC life-cycle development
to provide an assessment of existing security development techniques. It
groups similar analysis and verification techniques to explain the common principles
in detail. Important concepts are elaborated with illustrative circuit examples. The
book includes 18 chapters. Each chapter highlights the fundamental principles
behind the application of CAD techniques in the existing security assessments of
the SoC development life-cycle. The first chapter is an introduction to SoC life-
cycle development with the security development life-cycle. The following chapter
will focus on the application of CAD approaches, in the assessment, at the pre-
silicon level of the SoC life-cycle. Below is a conspectus of each chapter:
• Chapter 2 describes security assets and their classification. This chapter also
discusses the existing challenges to identify security vulnerabilities and necessity
of an automated framework for security asset identification. The later part of
the chapter provides an overview of automated security asset identification
framework.
• Chapter 3 is about security metrics. The security of a system greatly depends
on the standard on which it is founded. The mitigation technique for one threat might
hurt the security against another threat. Therefore, Chap. 3 discusses
IP-level security metrics, platform-level security metrics, the transition of
a metric from IP to the platform, security quantification and estimation, etc.
• Chapter 4 focuses on the usage of CAD techniques for Information Leakage
Assessment. It also discusses the various state-of-the-art techniques which
track the flow of information at different abstraction levels, including software,
hardware, and the HDL level. This chapter summarizes information flow tracking
in three categories and presents the designer with methodologies that may prevent
system violations.
• Chapter 5 presents computer-aided hardware Trojan detection techniques. The
focus of this chapter is to introduce tools developed by academics and provide an
overview of the concepts incorporated to address the Trojan detection schemes.
• Chapter 6 presents a survey on CAD for Power Side-Channel Detection. The
chapter includes a collection of CAD techniques used for power side-channel
analysis at various stages of the design flow.
• Chapter 7 elaborates on fault injection attacks by addressing challenges associated
with clock glitching. It includes the challenges associated with current
vulnerability assessment tools and how CAD tools are used to detect fault
injection attacks to safeguard the device.
• Chapter 8 focuses on Electromagnetic (EM) Fault injection attacks on SoC. The
chapter includes a review of CAD techniques used to inject EM attacks on a
targeted SoC and possible countermeasures that can be incorporated at the design
stage. This chapter aims to consolidate the attack models against SoCs, security
evaluation metrics of a design at the pre-silicon stage, and a triplication-based
error correction code that is resilient against varying electromagnetic fields.
• Chapter 9 elaborates on a collection of CAD techniques used to enhance security
verification at hardware and software levels to find design vulnerabilities.
• Chapter 10 describes the machine learning (ML) techniques used in hardware
security verification and validation. This chapter includes various machine
learning techniques used for different threat models addressed in the domain of
hardware security.
• Chapter 11 focuses on the application of CAD tools to reinforce the logic locking
technique. This chapter elaborates on cutting-edge logic locking techniques,
along with their advantages and limitations, to ensure trust in the design.
• Chapter 12 discusses the vulnerabilities addressed while designing hardware with
High-level languages (HLL) by using High-level synthesis (HLS) tools. This
chapter provides a literature survey of prominent research done in this domain
and highlights research work that ensures security-aware HLS translation.
• Chapter 13 elaborates on anti-counterfeiting techniques and how machine learn-
ing algorithms are applied to detect counterfeit ICs accurately. This chapter
presents the taxonomy of counterfeit types in detail with the detection of
counterfeit IC and existing countermeasures.
• Chapter 14 focuses on the countermeasures against a probing attack. It includes
a survey of existing probing attacks, limitations of detecting probing attacks, and
an assessment of IC vulnerability through a layout-driven framework.
• Chapter 15 compiles a collection of CAD tools applicable for reverse engineering.
It presents a high-level algorithm to extract gate-level netlists with reverse
engineering techniques.
• Chapter 16 discusses the CAD techniques applied to Physical Unclonable
Functions (PUF) security. This chapter enumerates error correction technology
for PUF and numerical modeling attacks on several PUF implementations.
• Chapter 17 elaborates on the state-of-the-art of Field-programmable gate array
(FPGA) security, including general FPGA security mechanisms, system-on-chip
(SoC) FPGA security, cloud FPGA security, and FPGA initialization security.
High-level security issues in FPGAs are discussed to provide an overview of
various concerns in wide applications.
• Chapter 18 finally concludes the book by providing a summary of the chapter
contents and provides direction for future research in using CAD tools for
hardware security.
1.3 Summary
This chapter elaborates on the hardware vulnerability challenges in the SoC design
flow and the utilization of CAD tools to address the need for security assurance.
The hardware threats related to the SoC life-cycle are discussed, and the SDL
flow developed with CAD tools to provide a security assessment at all stages of
SoC design is elaborated. This chapter also gives a brief description of how each
chapter applies CAD tools in the domain of hardware security.
References
46. J. Robertson, M. Riley, The big hack: how China used a tiny chip to infiltrate US companies.
Bloomberg Businessweek 4(2018) (2018)
47. J. Roy, F. Koushanfar, I. Markov, Extended abstract: circuit cad tools as a security threat,
in 2008 IEEE International Workshop on Hardware-oriented Security and Trust, pp. 65–66
(2008)
48. J.A. Roy, F. Koushanfar, I.L. Markov, Ending piracy of integrated circuits. Computer 43(10),
30–38 (2010)
49. H. Salmani, M. Tehranipoor, Trojan benchmarks [Online]. Available: https://trust-hub.org/benchmarks/trojan
50. H. Salmani, M. Tehranipoor, R. Karri, On design vulnerability analysis and trust benchmarks
development, in 2013 IEEE 31st International Conference on Computer Design (ICCD) (IEEE,
Piscataway, 2013), pp. 471–474
51. B. Shakya, T. He, H. Salmani, D. Forte, S. Bhunia, M. Tehranipoor, Benchmarking of hardware
trojans and maliciously affected circuits. J. Hardw. Syst. Secur. 1(1), 85–102 (2017)
52. M. Tehranipoor, F. Koushanfar, A survey of hardware trojan taxonomy and detection. IEEE
Des. Test Comput. 27(1), 10–25 (2010)
53. M. Tehranipoor, C. Wang, Introduction to Hardware Security and Trust (Springer Science &
Business Media, Berlin, 2011)
54. M. Tehranipoor, R. Cammarota, S. Aftabjahani, Microelectronics security and trust-grand
challenges. TAME: Trusted and Assured MicroElectronics Working Group Report (2019)
55. K. Tiri, Side-channel attack pitfalls, in 2007 44th ACM/IEEE Design Automation Conference
(IEEE, Piscataway, 2007), pp. 15–20
56. R. Torrance, D. James, The state-of-the-art in semiconductor reverse engineering, in 2011 48th
ACM/EDAC/IEEE Design Automation Conference (DAC) (IEEE, Piscataway, 2011), pp. 333–338
57. Trust-hub Benchmark. [online]. https://www.trust-hub.org
58. I. Ullah, Q.H. Mahmoud, Design and development of a deep learning-based model for anomaly
detection in IoT networks. IEEE Access 9, 103906–103926 (2021)
59. K. Vaidyanathan, B.P. Das, E. Sumbul, R. Liu, L. Pileggi, Building trusted ICs using split
fabrication, in 2014 IEEE International Symposium on Hardware-oriented Security and Trust
(HOST) (IEEE, Piscataway, 2014), pp. 1–6
60. A. Vijayakumar, V.C. Patil, D.E. Holcomb, C. Paar, S. Kundu, Physical design obfuscation of
hardware: a comprehensive investigation of device and logic-level techniques. IEEE Trans. Inf.
Forensics Secur. 12(1), 64–77 (2016)
61. H. Wang, H. Li, F. Rahman, M.M. Tehranipoor, F. Farahmandi, SoFI: security property-driven
vulnerability assessments of ICs against fault-injection attacks. IEEE Trans. Comput. Aided
Des. Integr. Circuits Syst. 41(3), 452–465 (2022)
62. Y. Xie, A. Srivastava, Mitigating sat attack on logic locking, in International Conference on
Cryptographic Hardware and Embedded Systems (Springer, Berlin, 2016), pp. 127–146
63. M. Yasin, B. Mazumdar, J. Rajendran, O. Sinanoglu, SARLock: sat attack resistant logic
locking, in 2016 IEEE International Symposium on Hardware Oriented Security and Trust
(HOST) (IEEE, Piscataway, 2016), pp. 236–241
64. M. Yasin, B. Mazumdar, O. Sinanoglu, J.V. Rajendran, CamoPerturb: secure IC camouflaging
for minterm protection, in 2016 IEEE/ACM International Conference on Computer-Aided
Design (ICCAD) (IEEE, Piscataway, 2016), pp. 1–8
65. K. Zetter, New attack can unlock and start a Tesla Model Y in seconds, say researchers. The
Verge (2022). https://www.theverge.com/2022/9/12/23348765/tesla-model-y-unlock-drive-
car-thief-nfc-relay-attack
Chapter 2
CAD for Security Asset Identification
2.1 Introduction
Systems on Chips (SoCs) have become integral to every computing system. SoCs
integrate multiple hardware functional blocks, called intellectual property (IP)
blocks, to provide the functionality demanded by current computing
systems. Each IP block performs a specific function that the SoC requires.
Examples include the ALU IP block, which performs arithmetic operations, and crypto IP
blocks, which perform cryptographic functions. As the SoC design process integrates
many hardware IP blocks, the threat of security vulnerabilities lies hidden in the
shadow of this higher functionality. As SoCs grow more complicated,
the lack of security awareness in the SoC design process has resulted in various
security threats such as Spectre [18], Meltdown [20], and MDS [8, 29].
As computing devices become ubiquitous and user data is digitalized, it is
no longer safe to assume that secure software is enough to protect user data.
In the current horizontal model of silicon fabrication, with design, fabrication,
and assembly spread over various parts of the world, threats can be introduced
through unintentional design practices or through malicious implants [3, 4, 31] as
well. Comprehensive hardware security is paramount during the device’s lifecycle,
starting at the design phase. Incorporating security from the design phase gives
designers greater flexibility for design changes. It can reduce security vulnerabilities
at the post-silicon stage and save the design house money and time [1]. Achieving
comprehensive security of the SoC requires complete knowledge of the SoC
functionality and the threats that the SoC would face under various operating
conditions. With this knowledge, designers can now identify the critical components
in the SoC design that carry user and device-sensitive data and need to be protected.
These critical components are called security assets.
As more devices connect to the internet of things network, more and more user
data is being stored in devices. The critical security assets of these devices need to
be secured. Security assets in current computation devices range from the hardware
registers storing user bank details, health data, passwords, photos, etc. to the intricate
state machines controlling mechanisms that can give a user or adversary access to
the user information. These control mechanisms can be finite state machines that
check for password or fingerprint matching and can be attacked by fault injection
[21]. Security assets can also comprise the firmware that is stored and interacts with
the hardware and thus can cause security leaks.
Identifying security assets is the first and one of the most crucial steps toward
ensuring SoC security. However, the current practice of identifying security assets is a
manual and laborious task. It requires a designer/security engineer to understand the
functionality of each hardware IP block and its interactions with the rest of the system.
The designer/security engineer also needs to understand the various conditions
of the environment in which the SoC operates and assess all possible security threats
that the SoC faces. Having gathered all this information, the designer/security engineer
needs to identify the various design components that must be protected. Any lapse
in judgment of either the threat faced or the importance of the design component
can result in design choices that leave a security asset vulnerable. The possibility
of such lapses demands a technique for the automated identification of security
assets in an SoC.
The rest of the chapter is organized as follows. Section 2.2 describes the
background for security assets and their classification. Section 2.2.1 reviews the
literature on security asset identification. Section 2.3 explores some
of the tools developed for the automated identification of security assets. Section 2.4
discusses future work and concludes the chapter.
2.2.1 Motivation
threat models. However, for bigger SoCs containing hundreds of IP blocks and
thousands of signals, manual analysis of the design for security assets is not
pragmatic. This problem requires an automated approach that can easily integrate
into the current design process.
As described in Sect. 2.2.1, as the designs and threat models change, so do the
security assets. Hence it becomes nearly impossible to give a proper definition
of security assets that can help designers/security engineers identify them. To
help address this, Nusrat et al. in [14] have described a classification of security
assets. This classification describes characteristics that can help designers/security
engineers with security asset identification. The two broad categories of security
assets described in [14] are:
1. Primary Assets: Primary assets are the design components that are the ultimate
target of the adversary/attack. These primary assets can be design components
that contain hardware secrets such as hardware keys, firmware, users’ passwords,
and personal information. Other design components, such as PCR registers,
entropy to true random number generator (TRNG), physical unclonable functions
(PUF), etc., which provide security for authentication and integrity, can also be
considered primary assets.
2. Secondary Assets: Secondary assets are design components that interact with/
propagate the primary asset to various design regions. Secondary assets can be
design components that inherit sensitive information from primary assets through
functionality. These can also be design components that can help propagate the
sensitive information from the primary asset to its target location in the design.
Some secondary assets in an SoC are system buses, peripheral ports, internal
registers, etc.
An overview of security asset classification can be seen in Fig. 2.1. Primary
security assets are further classified as Static and Dynamic assets. Static security
assets are secrets embedded in the hardware during design and manufacturing.
Static assets are embedded into the ROM or FLASH of the SoC. Examples of static
assets are secure hardware, encryption & logic locking keys, etc. Dynamic security
assets are security assets that are generated during the runtime of the SoC in the field.
True random numbers, PUF responses, on-chip generated keys, etc. are examples of
dynamically generated security assets.
This classification of security assets aids designers in observing the characteristics
of various design components and categorizing them as primary and secondary
assets. This categorization can help design houses identify regions of the design
that require protective measures, i.e., primary and secondary security assets. This
classification further helps designers focus security efforts on protecting the
security assets, thus providing a higher level of security with less effort than
trying to protect all design components.
Fig. 2.1 Classification of security assets into Primary and Secondary assets. Primary assets are the
ultimate target of protection and can further be classified as static and dynamic assets. Static assets
are stored in the chip from design time, whereas dynamic assets are generated during the run-time.
Secondary assets are all design components that help propagate or store the primary asset
Fig. 2.2 A sample SoC consisting of a processor core, security IPs such as a Symmetric Encryption
Core, Public Key Encryption Core, TRNG, and PUF, RAM and ROM memories, and a DMA memory
controller. Also present are peripherals such as GPIO and UART, and a system bus and a peripheral bus
that connect all the components together
embedded in the secure memory regions of the ROM or be generated by the PUF
responses, making them either static or dynamic primary assets, respectively. The
keys flow to/from the encryption cores through the system bus. As the system bus
propagates these security assets, it is our secondary asset.
2. Integrity Threat Model: In the integrity threat model, a less secure region must
have no access to a more secure region that would let it modify the secure
data. The “program counter” value stored in registers in the processor core keeps
track of the running program. An adversary who gains access to the program
counter and changes it can alter program execution, resulting in malicious program
behavior or denial of service. The program counter thus becomes our primary asset.
From the previous section, we have determined that for an SoC integrating a few
diverse hardware IP blocks, multiple design components are identified as security
assets depending on the threat model under consideration. For an SoC integrating
a few hundred hardware IPs with tens of threat models, this task becomes nigh
impossible. However, there has not been much progress in this area of research. The
authors of [2, 24] describe security policy enforcement through security
asset identification but do not describe how these assets were identified. The
works described in [10, 22] analyze the confidentiality and integrity of hardware
designs with DfT inserted, utilizing security assets. They chose the primary assets
through complete manual analysis or selected every primary input as an asset but
did not specify any methodology for asset identification. Reference [25] emphasizes
the need for automated security asset identification but does not provide any tool
to accomplish it.
All the previous works described above discuss how security assets can be
utilized for security assurance but do not lay out any methodology for security
asset identification. In [13], Nusrat et al. developed an automated CAD
framework titled “Secondary Asset Identification Tool” (SAIF) to help designers
identify the secondary assets in their designs for various threat models. It is the
first-of-its-kind tool developed
to help detect security assets in an SoC design. We explore SAIF in detail in the
following sections.
2.3.1 Inputs
Figure 2.3 shows an overview of the SAIF tool. SAIF identifies secondary assets in
an SoC at the register-transfer level (RTL). SAIF requires the following inputs to
detect secondary assets in an SoC at the RTL.
Fig. 2.3 Overview of SAIF workflow. It consists of three steps. Asset propagation analysis to
identify the common components. Candidate components identification to identify the common
components. Pruning steps to identify common components vulnerable to threats and then output
the final set of secondary assets
1. Primary Assets: SAIF defines primary assets as input ports or design components
into which secure or sensitive information flows for the SoC or hardware IP block
under consideration. These primary assets can be easily discerned by analyzing the
design specification and documentation. As observed in Sect. 2.2.3, security of
the program counter (PC) value is paramount to prevent any modification to the
program execution. Hence the PC register is annotated as a primary asset and can
be input into the SAIF tool.
2. Observable Points: SAIF defines observable points as the design points interacting
with the outside world. Information flow control defines and classifies
data into trusted and untrusted lattices [11]. The observable points to which the
primary asset information can flow as defined by the architectural specification
are annotated as trusted observable points. All other observable points are
annotated as untrusted observable points. Reverting to our sample SoC in
Fig. 2.2, taking the PC as the primary asset, the PC value can flow to the
debug port in “HALT” debug mode of operation, when the processor halts
for debugging [9, 32]. The processor then allows the user to see the program
execution via PC value and debug through the debug port [23]. However, in the
normal mode of operation, the PC value should never flow to the debug port,
as it exposes the program execution. Hence in the normal mode of operation, the
“debug port” of the SoC is an untrusted observable point, and all other observable
points are annotated as trusted.
The designer must identify and annotate the primary assets, trusted and
untrusted observable points for the SoC. SAIF can read multiple primary assets
and observable points and output the secondary assets. Once inputs are given,
SAIF performs three significant steps for identifying the secondary assets.
Searching for secondary assets in an SoC consisting of thousands
of design components can be computationally expensive. SAIF tackles this issue
through its “Asset Propagation Analysis” step, which prunes the design search
space for secondary asset identification using structural analysis of the design.
Modern CAD tools such as Synopsys Design Compiler [26] and Cadence Synthesis
[7] can analyze a design and identify all the components connected structurally,
i.e., a path exists for information propagation between the two nodes. SAIF utilizes
the principle stated: “While the presence of a structural path between two nodes in
a design does not necessarily imply an information flow, the absence of a structural
path confirms the absence of any information flow between the nodes.” Hence,
by detecting all the design components that are not structurally connected to the
primary input asset, we can prune out the design components that cannot
be security assets. The asset propagation analysis step is made up of three smaller
substeps defined below:
1. Forward Analysis: SAIF performs a fan-out analysis for the primary inputs
annotated as primary assets. A fan-out analysis is a technique for analyzing the
RTL design and, for a given component, identifying its cone of influence. Using
modern CAD design tools [7, 26], SAIF performs this fan-out analysis for the
primary assets and identifies all the design components structurally connected to
it. All the identified components are stored as a set.
2. Backward Analysis: To further prune the design components search space, SAIF
tries to identify the design components accessible from the observable points.
An adversary can exploit any structural path from a design component to an
observable point to gather information from it or manipulate its value. For this,
SAIF employs a technique called fan-in analysis. A fan-in analysis takes a design
component and identifies all components that affect the said design component.
By applying this to a trusted observable point, we can identify all the
design components structurally connected to the trusted observable point. All the
identified components are stored in a set.
3. Intersection Analysis: The final step is the intersection analysis step. With the
result sets from the forward and backward analysis, SAIF performs a common
component analysis step to identify the common components between the two
result sets. These identified components are the subset of design components in
the RTL, which are structurally connected to the primary asset and hence can
carry a non-zero probability of propagating sensitive information. They are also
connected to observable points and carry a non-zero probability of being attacked
by an adversary. This set of common design components is stored in a set termed
“Common Components.”
Thus, SAIF utilizes the asset propagation analysis step for pruning the design
search space and identifying only design components with a non-zero probability
of propagating secret and secure information and a non-zero probability of being
accessed through an observable point.
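The three substeps above reduce to graph reachability, sketched here in Python as an added example that is not SAIF's own code. The edge list, the signal names and the choice to take the fan-in over every annotated observable point are assumptions; a real flow would obtain connectivity from the CAD tool's structural analysis.

```python
"""Asset propagation analysis as graph reachability (added illustration)."""
from collections import defaultdict, deque

# Constructed structural connectivity for a small SoC. An edge (a, b) means a
# structural path exists from component a to component b. All names are
# hypothetical and do not come from any real design.
EDGES = [
    ("pc_reg", "fetch_addr"),
    ("fetch_addr", "sys_bus"),
    ("pc_reg", "dbg_pc_shadow"),
    ("dbg_pc_shadow", "debug_port"),
    ("sys_bus", "dma_ctrl"),
    ("dma_ctrl", "ram_wdata"),
    ("sys_bus", "uart_tx_buf"),
    ("uart_tx_buf", "uart_tx"),
    ("trng_entropy", "trng_out"),
    ("trng_out", "sys_bus"),
    ("gpio_in", "gpio_sync"),
    ("gpio_sync", "irq_ctrl"),
]

# Designer annotations (assumed): the PC register is the primary asset, and
# the labels describe the normal mode of operation from the text's example.
PRIMARY_ASSETS = ["pc_reg"]
OBSERVABLE_POINTS = {"debug_port": "untrusted", "uart_tx": "trusted"}


def build_graph(edges):
    """Return successor and predecessor adjacency maps for the edge list."""
    succ, pred = defaultdict(set), defaultdict(set)
    for src, dst in edges:
        succ[src].add(dst)
        pred[dst].add(src)
    return succ, pred


def reach(adj, starts):
    """Breadth-first closure: every node reachable from `starts` via `adj`."""
    seen = set(starts)
    queue = deque(starts)
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def asset_propagation_analysis(edges, primary_assets, observable_points):
    """Forward (fan-out), backward (fan-in) and intersection analysis."""
    succ, pred = build_graph(edges)
    forward = reach(succ, primary_assets)      # cone of influence of assets
    backward = reach(pred, observable_points)  # everything that can reach a point
    endpoints = set(primary_assets) | set(observable_points)
    common = (forward & backward) - endpoints  # the "Common Components" set
    all_nodes = {node for edge in edges for node in edge}
    pruned = all_nodes - common - endpoints    # no structural path, so no flow
    return forward, backward, common, pruned


def exposure_by_point(edges, common, observable_points):
    """For each observable point, the common components in its fan-in cone."""
    _, pred = build_graph(edges)
    return {p: reach(pred, [p]) & common for p in observable_points}


if __name__ == "__main__":
    fwd, bwd, common, pruned = asset_propagation_analysis(
        EDGES, PRIMARY_ASSETS, list(OBSERVABLE_POINTS))
    print("common components:", sorted(common))
    print("pruned from search:", sorted(pruned))
    for point, comps in exposure_by_point(
            EDGES, common, list(OBSERVABLE_POINTS)).items():
        print(f"{point} ({OBSERVABLE_POINTS[point]}):", sorted(comps))
```

The TRNG and DMA components drop out for opposite reasons: the former has no path from the asset, the latter no path to an observable point. The surviving set is only a structural over-approximation and still needs the functional-path check.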
A structural connection from the primary asset to the design component does not
entail that the component carries any of the primary asset’s sensitive information.
A functional path that propagates the sensitive information from the primary asset
to the design component must exist for the component to be annotated as a secondary
asset. The sensitive information would undergo various operations along the
functional path. Hence it also
becomes essential to identify how much of the sensitive information is preserved
in the final information reaching the design component. The candidate component
identification step allows SAIF to take the set of common components identified
from the asset propagation analysis step. It identifies all the design components
with a functional path connection to the primary asset input. It also calculates the