TRANSCRIPT
Attacking Microchips through the Backside
Dmitry Nedospasov, Starbug
PacSec 2013
Wednesday, October 23, 13
Security of the IC Backside
Dmitry
• PhD Student TU Berlin, Security in Telecommunications
• Physical attacks against Integrated Circuits
• Semi-Invasive and Fully-invasive backside analysis, failure analysis
• Twitter: @nedos
• Email: [email protected]
Starbug
• Researcher TU Berlin, Security in Telecommunications
• 10 years of hacking biometrics, most recently Apple Touch ID
• 5 years of microchip hacking
• Email: [email protected]
Murdoch’s Pirates
• To IC hackers this is known as “The Book”
• How high-security ICs really get “hacked” in the wild
• The biggest security threat to a hardware vendor is its competitors
Outline
• Background
• Silicon Security
• The IC Backside
• Semi-invasive and Fully-invasive Analysis
• Summary
Background
Classes of attacks against ICs.
Evolution of Attacks
• Non-Invasive
• Semi-Invasive
• Fully-Invasive
Non-invasive Techniques
• Side Channel Analysis
• Clock Glitching
• Voltage Glitching
• Fuzzing
High-security vs. Non-invasive
High-security:
• Well-equipped
• Single trace
• All known defenses
• Real-world
Non-invasive:
• Limited resources
• Millions of reps
• PoC
• Academic
IC Construction basics
• Transistors are created at the surface of the silicon wafer
• Metal interconnects connect nodes within the circuit
• Passivation is deposited to ensure the IC retains its structure
[Figure labels: MOSFET, Metalization, Passivation]
Reconstructing the Netlist
• Image the target device
• Identify gates
• Reconstruct netlist
• Isolate vulnerable logic
• Extract secret data
Images courtesy of C. Tarnovsky
[Figure labels: A, B, Y, 1]
Tracing Lines
ARES
Recon 2013: Olivier Thomas - Hardware Reverse Engineering tools
http://recon.cx/2013/schedule/events/44.html
Die Shot
• An overview image of the entire device
• Passivation is transparent to visible light
• Memories are purchased as IP and are regular structures
• The core is synthesized
Image courtesy of C. Tarnovsky
[Figure labels: Core, Flash, SRAM/EEPROM]
Tapping the Bus
• Program code is stored in NVM (flash)
• Program code is loaded into the CPU core
• Find wire connecting the flash to the core
[Figure labels: Core, Flash, SRAM/EEPROM]
Tapping an Encrypted Bus
• NVM is encrypted
• Core cannot execute encrypted code
• Hence, a hardware decryption function must be present
[Figure labels: Flash, Decryption, Core, SRAM/EEPROM]
Microprobing
• It is possible to interface directly to the traces on the IC
• Traces are covered by passivation and must be exposed
• Chemicals such as HF are commonly used
• Scratching the device surface with the needle can also work
Credit: Dexter
Countermeasures
• Gate-level obfuscation
• Meshes and Shields
• Routing on lower layers
• Attack sensors
Security of the IC backside
Attacks that go through the bulk silicon substrate.
IC Frontside
• Frontside attacks are becoming increasingly unattractive
• Multiple interconnect layers obstruct the transistor devices
• Active shields/meshes may require rewiring
• Sensors are utilized to detect attacks and destroy secret
Backside Polishing
• Ultratec ASAP-1
• Chemical/Mechanical Polishing machine
• No electronics, completely mechanical
IC Backside
• Active devices are directly accessible from the backside
• Countermeasures cannot reliably detect backside attacks
• Only the backside is accessible on devices such as modern SoCs
• Bulk silicon is transparent to infrared light
Semi-Invasive Analysis
Package is removed, circuit remains unaffected.
Photonic Emission Analysis
• Transistors emit visible and infrared light while switching
• The silicon substrate is transparent to NIR light
• Emissions can be resolved spatially using an NIR CCD
• Emissions can be resolved temporally with a Single Photon Detector
FRIGGIN LASERS
Laser Attacks
• Backside transparent to infrared lasers as well
• Lasers can hit any transistor on the device
• One of the most effective laser attacks is corrupting encrypted instructions
Laser Voltage Probing
• Silicon substrate is also transparent to NIR lasers
• Laser stimulation can induce a measurable effect on the IC
• Signals on the device are modulated by the laser
• Thermal and Photonic Laser Stimulation possible
Readout of memories
• Read-out of memories and logic states is possible
Fully-Invasive Analysis
Interface to or alter the circuit directly through the bulk silicon.
IC Backside
• Bulk substrate is mechanically thinned to approximately 25 µm
• An FIB trench is milled at the approximate location of the target signals
• A smaller trench exposes the target traces
• Metal can be deposited to make contacting the circuit with the probing needle easier
Backside Microprobing
• A CPU cannot operate on encrypted data directly
• Data is deciphered by a hardware decryption function
• A location on the device can be isolated where a trace of deciphered data can be obtained from the device
E-Beam Probing
• High-resolution voltage contrast image of the device
• By applying this to an exposed wire the state can be recovered
• Most security-relevant signals are routed on lower metal layers that are exposed from the backside
Permanent Circuit Modification
• By removing transistors completely, SRAM can be turned into a ROM
• By thinning or trimming the transistor from the backside, the startup behavior can be modified
• Interesting for applications such as PUFs.
Modifying Fuse Configurations
• Fuses are commonly used as NVM to store device configurations
• Fuses store a device’s secret keys as well as the security configuration
• A device configuration can be read out using backside voltage contrast imaging
• The value stored within the fuses can be altered with a backside circuit edit
Conclusions
1. Invasive analysis has been eliminated, backside attacks are difficult.
➡ Backside attacks are in many cases more effective
2. Attackers must first reverse-engineer the entire device to attack it.
➡ Attackers only need to target a small portion of the circuit
3. Reverse-engineering modern ICs is impossible - they are too complex.
➡ Many structures are recurring.
4. Data in NVM is encrypted and cannot be recovered from the device.
➡ Unencrypted data can be extracted from the device directly
5. Devices will fail upon backside modification, results will be unpredictable.
➡ Devices continue to function flawlessly
Questions?
Photonic Emission Analysis
(1) Functional IC Analysis. Nedospasov*, Schlösser*, Seifert, Orlic. IEEE Hardware Oriented Security and Trust (IEEE HOST 2012)
(2) Simple Photonic Emission Analysis of AES. Schlösser*, Nedospasov*, Krämer, Orlic, Seifert. Journal of Cryptographic Engineering, April 2013, Volume 3, Issue 1, pp 3-15
(3) Differential Photonic Emission Analysis. Krämer, Nedospasov, Schlösser, Seifert. Constructive Side-Channel Analysis and Secure Design (COSADE 2013)
(4) Simple Photonic Emission Analysis of AES. Schlösser*, Nedospasov*, Krämer, Orlic, Seifert. Workshop on Cryptographic Hardware and Embedded Systems (CHES 2012)
Backside laser stimulation
(5) Ultra High Precision Circuit Diagnosis Through Seebeck Generation and Charge Monitoring. Boit, Helfmeier, Nedospasov, Fox. Physical and Failure Analysis of Integrated Circuits, 2013 (IPFA 2013)
(6) Invasive PUF Analysis. Nedospasov*, Helfmeier*, Seifert, Boit. Fault Diagnosis and Tolerance in Cryptography (FDTC 2013)
Fully-invasive IC Analysis
(7) Cloning Physically Unclonable Functions. Helfmeier*, Nedospasov*, Boit, Seifert. IEEE Hardware Oriented Security and Trust (IEEE HOST 2013)
(8) Introducing Die Datenkrake: Programmable Logic for Hardware Security Analysis. Nedospasov, Schröder. USENIX Workshop on Offensive Technologies (WOOT 2013)
(9) Breaking and Entering through the Silicon. Helfmeier*, Nedospasov*, Tarnovsky, Krissler, Boit, Seifert. 20th ACM Conference on Computer and Communications Security (ACM CCS 2013)