Attacking Microchips through the Backside · Attacking Microchips through the Backside Dmitry Nedospasov, Starbug PacSec 2013 Wednesday, ... 2 Wednesday, October 23, 13. Security

Attacking Microchips through the BacksideDmitry Nedospasov, Starbug

PacSec 2013

Wednesday, October 23, 13

Security of the IC Backside

Dmitry

• PhD Student TU Berlin, Security in Telecommunications

• Physical attacks against Integrated Circuits

• Semi-Invasive and Fully-invasive backside analysis, failure analysis

• Twitter: @nedos

• Email: [email protected]

2Wednesday, October 23, 13


Starbug

• Researcher TU Berlin, Security in Telecommunications

• 10 years of hacking biometrics, most recently Apple Touch ID

• 5 years of microchip hacking

• Email: [email protected]


mailto:[email protected]

mailto:[email protected]


Murdoch’s Pirates

• To IC hackers this is known as “The Book”

• How high-security ICs really get “hacked” in the wild

• The biggest security threat to a hardware vendor are its competitors



Outline

• Background

• Silicon Security

• The IC Backside

• Semi-invasive and Fully-invasive Analysis

• Summary



Classes of attacks against ICs.

Background



Evolution of Attacks

7

Non-Invasive Semi-Invasive Fully-Invasive



Non-invasive Techniques

• Side Channel Analysis

• Clock Glitching

• Voltage Glitching

• Fuzzing



High-security vs. Non-invasive

9

• Well-equipped

• Single trace

• All known defenses

• Real-world

• Limited resources

• Millions of reps

• PoC

• Academic



IC Construction basics

• Transistors are created at the surface of the silicon wafer

• Metal interconnects connect nodes within the circuit

• Passivation is deposited to ensure the IC retains its structure

Security of the IC Backside 10Wednesday, October 23, 13






Security of the IC Backside 10

MOSFET














Metalization














Passivation









Reconstructing the Netlist

11

• Image the target device

• Identify gates

• Reconstruct netlist

• Isolate vulnerable logic

• Extract secret data

Images courtesy of C. Tarnovsky




11


• Identify gates








11


• Identify gates








11


• Identify gates







A

BY


11


• Identify gates








11


• Identify gates



• Extract secret dataB

A

Y

1





11


• Identify gates





A

BY



Tracing Lines



Recon 2013: Olivier Thomas - Hardware Reverse Engineering toolshttp://recon.cx/2013/schedule/events/44.html

ARES


http://recon.cx/2013/schedule/speakers/73.html

http://recon.cx/2013/schedule/speakers/73.html


Die Shot

14

• An overview image of the entire device

• Passivation is transparent to visible light

• Memories are purchased as IP and are regular structures

• The core is synthesizedImage courtesy of C. Tarnovsky



Die Shot

14





Flash



Die Shot

14





Flash

SRAM/EEPROM



Die Shot

14





Core

Flash

SRAM/EEPROM



Tapping the Bus

15

• Program code is stored in NVM (flash)

• Program code is loaded into the CPU core

• Find wire connecting the flash to the core

Core

Flash

SRAM/EEPROM



Tapping an Encrypted Bus

16

• NVM is encrypted

• Core cannot execute encrypted code

• Hence, a hardware decryption function must be present

Flash

CoreSRAM/EEPROM



Tapping an Encrypted Bus

16

• NVM is encrypted

• Core cannot execute encrypted code

• Hence, a hardware decryption function must be present

Flash

CoreSRAM/EEPROM

Decryption



Microprobing• It is possible to interface directly

to the traces on the IC

• Traces are covered by passivation and must be exposed

• Chemicals such as HF are commonly used

• Scratching the device surface with the needle can also work

17

Credit: Dexter



Countermeasures

• Gate-level obfuscation

• Meshes and Shields

• Routing on lower layers

• Attack sensors



Attacks that go through the bulk silicon substrate.

Security of the IC backside



IC Frontside• Frontside attacks are becoming

Increasingly unattractive

• Multiple interconnect layers obstruct the transistor devices

• Active shields/meshes may require rewiring

• Sensors are utilized to detect attacks and destroy secret

















Backside Polishing

21

• Ultratec ASAP-1

• Chemical/Mechanical Polishing machine

• No electronics, completely mechanical



Backside Polishing



IC Backside• Active devices are directly

accessible from the backside

• Countermeasures cannot reliably detect backside attacks

• Only the backside is accessible on devices such as modern SoCs

• Bulk silicon is transparentto infrared light



IC Backside• Active devices are directly

accessible from the backside

• Countermeasures cannot reliably detect backside attacks

• Only the backside is accessible on devices such as modern SoCs

• Bulk silicon is transparentto infrared light



Package is removed, circuit remains unaffected.

Semi-Invasive Analysis



Photonic Emission Analysis

25

• Transistors emit visible and infrared light while switching

• The silicon substrate is transparent to NIR light

• Emissions can be resolved spatially using an NIR CCD

• Emission can resolved temporally with a Single Photon Detector




25








25







FRIGGIN LASERSWednesday, October 23, 13


Laser Attacks

• Backside transparent to infrared lasers as well

• Lasers can hit any transistor on the device

• One of the most effective laser attacks is corrupting encrypted instructions



Laser Voltage Probing• Silicon substrate is also

transparent to NIR lasers

• Laser stimulation can induce a measurable effect on the IC

• Signals on the device are modulated by the laser

• Thermal and Photonic Laser Stimulation possible



Readout of memories

29

• Read-out of memories and logic states is possible



Readout of memories

29




Readout of memories

29




Readout of memories

29




Interface to or alter the circuit directly through the bulk silicon.

Fully-Invasive Analysis



IC Backside• Bulk substrate is mechanically

thinned to approximately 25µm

• An FIB trench is milled at approximate location of the target signals

• A smaller trench exposes the target traces

• Metal can be deposited to make contacting the circuit with the probing needle easier




















































Backside Microprobing• A CPU can not operate on

encrypted data directly

• Data is deciphered by a hardware decryption function

• A location on the device can be isolated where trace of deciphered data can be obtained from the device















E-Beam Probing• High-resolution voltage

contrast image of the device

• By applying this to an exposed wire the state can be recovered

• Most security relevant signals routed on lower metal layers that are exposed from the backside



Permanent Circuit Modification• By removing transistors

completely SRAM can be turned into a ROM

• By thinning or trimming the transistor form the backside the startup behavior can be modified

• Interesting for applications such as PUFs.



Modifying Fuse Configurations• Fuses are commonly used as NVM

to store device configurations

• Fuses store a device’s secret keys as well as the security configuration

• A device configuration can be using backside voltage contrast imaging

• The value stored within the fuses can be altered with a backside circuit edit
























Conclusions1. Invasive analysis has been eliminated, backside attacks

are difficult.

➡Backside attacks are in many cases more effective

2. Attackers must first reverse-engineer the entire device to attack it.

➡Attackers only need to target a small portion of the circuit

3. Reverse-engineering modern ICs is impossible - they are too complex.

➡Many structures are recurring.36



Conclusions4. Data in NVM is encrypted and cannot be recovered from

the device.

➡Unencrypted data can be extracted from the device directly

5. Devices will fail upon backside modification, results will be unpredictable.

➡Devices continue to function flawlessly



Questions?



Photonic Emission Analysis(1) Functional IC Analysis

Nedospasov*, Schlösser*, Seifert, OrlicIEEE Hardware Oriented Security and Trust (IEEE HOST 2012)

(2) Simple Photonic Emission Analysis of AESSchlösser*, Nedospasov*, Krämer, Orlic, SeifertJournal of Cryptographic Engineering April 2013, Volume 3, Issue 1, pp 3-15

(3) Differential Photonic Emission AnalysisKrämer, Nedospasov, Schlösser, SeifertConstructive Side-Channel Analysis and Secure Design (COSADE 2013)

(4) Simple Photonic Emission Analysis of AESSchlösser*, Nedospasov*, Krämer, Orlic, SeifertWorkshop on Cryptographic Hardware and Embedded Systems (CHES 2012)


http://dx.doi.org/10.1007/978-3-642-40026-1_1

http://dx.doi.org/10.1007/978-3-642-40026-1_1


Backside laser stimulation

(5) Ultra High Precision Circuit Diagnosis Through Seebeck Generation and Charge MonitoringBoit, Helfmeier, Nedospasov, FoxPhysical and Failure Analysis of Integrated Circuits, 2013 (IPFA 2013)

(6) Invasive PUF AnalysisNedospasov*, Helfmeier*, Seifert, BoitFault Diagnonsis and Tolerance in Cryptography (FDTC 2013)



Fully-invasive IC Analysis

(7) Cloning Physically Unclonable FunctionsHelfmeier*, Nedospasov*, Boit, SeifertIEEE Hardware Oriented Security and Trust (IEEE HOST 2013)

(8) Introducing Die Datenkrake: Programmable Logic for Hardware Security AnalysisNedospasov, SchröderUSENIX Workshop on Offensive Technologies (WOOT 2013)

(9) Breaking and Entering through the SiliconHelfmeier*, Nedospasov*, Tarnovsky, Krissler, Boit, Seifert20th ACM Conference on Computer and Communications Security (ACM CCS 2013)


Documents

Attacking Microchips through the Backside · Attacking Microchips through the Backside Dmitry Nedospasov, Starbug PacSec 2013 Wednesday, ... 2 Wednesday, October 23, 13. Security