CMOS Reverse Engineering Advanced Digital IC Design (ETI135) Vt1 - - PowerPoint PPT Presentation



SLIDE 1

Introduction IC Layout Recovery Functional Recovery Case Studies Conclusion

CMOS Reverse Engineering

Advanced Digital IC Design (ETI135) Vt1 2012
Steffen Malkowsky, Christoph Müller

Lund University

February 10, 2012

Steffen Malkowsky, Christoph Müller CMOS Reverse Engineering

SLIDE 2

Table of Contents

Introduction
IC Layout Recovery
Functional Recovery
Case Studies
Conclusion

SLIDE 3

Why should CMOS devices be reverse engineered?

◮ As preliminary for security examinations
◮ Identify patent infringements
◮ Find errors in the manufacturing process
◮ We can - and it's awesome! ;-)

SLIDE 4

Introduction IC Layout Recovery Functional Recovery Case Studies Conclusion Expose the die Deprocessing Image Acquisition Stitching process

Determine the type of the package

◮ Different methods according to type of the package
  ◮ Cavity packages (metal and ceramic)
  ◮ Plastic
◮ Some need professional equipment, some can be used at home

SLIDE 5

Open the packages

Delidding cavity packages

◮ Grinding away the lid (mainly for ceramic packages)
◮ Cracking the lid seal with a knife
◮ Melting the lid seal and peeling up the lid

Decapsulating plastic packages

◮ Fuming nitric acid, fuming sulfuric acid or a mixture of both (ca. 90°)
  ◮ Drop chip in heated acid
  ◮ Cavity etching
  ◮ Jet etching
◮ Cooking in rosin (colophony) (320°-360°)

SLIDE 6

Examples

Images of several decapsulated chips
Images from:
http://cms.diodenring.de/electronic/microcontroller/83-ic-decapsulation/
http://www.prioritylabs.com/Decapsulation.aspx

SLIDE 7

Methods to expose the layers

◮ Chemical
  ◮ Wet etching - remove layers with specific chemicals
  ◮ Dry etching - plasma etching (e.g. reactive ion etching)
◮ Mechanical - polishing

SLIDE 8

Polishing

How it works

◮ Fix die on a stamp (must be parallel to the polishing surface!!!)
◮ Use very fine (0.04 µm) abrasive paper
◮ Check progress regularly to avoid polishing too deep
◮ Can be done manually or with machines
◮ The planarity of the surface must be maintained

SLIDE 9

Polishing

Advantages

◮ Material can be removed layer by layer (good for multilayers)
◮ Can be done without machines

Disadvantages

◮ Time-consuming
◮ Planarity

SLIDE 10

What happens if planarity is destroyed

Skewed polished chip
Image from: All Chips Reversed [Sch10a]

SLIDE 11

Image Acquisition

Necessary microscope depends on structure size of the die

◮ Optical microscope
  ◮ Relatively cheap
  ◮ Smallest possible resolution about 0.2 µm
◮ Confocal microscope
  ◮ Smallest possible resolution about 0.1 µm
  ◮ Tremendously higher depth of focus
  ◮ Colors images of different layers
◮ Electron microscope
  ◮ Expensive
  ◮ Smallest possible resolution about 0.1 nm

SLIDE 12

Examples

Optical microscope vs. Electron microscope

Images of a die manufactured in a 130 nm process
Images from: The State-of-the-Art in IC Reverse Engineering [TJ09]

SLIDE 13

Examples

Confocal microscope

Image of a chip made with confocal microscope
Image from: Chip Reverse Engineering [NS08]

SLIDE 14

How to continue?

◮ Acquire images of every chip layer
  ◮ Motorized frames available to semi-automate the process
  ◮ Take overlapping images to simplify the following step
  ◮ Number of images depending on chip area and needed magnification
  ◮ Huge dataset

Intel 8086, images from the visual 6502 project
http://uxul.org/~noname/visual6502/8086/t/bf/5x/

SLIDE 15

Combination of the images

◮ Problem: combine a bunch of images to a single big one
  ◮ Problem also well known in panorama photography
◮ Solution: use well optimized panorama stitching tools
  ◮ Panotools/Hugin
  ◮ Autostitch
  ◮ Photoshop
  ◮ ...

SLIDE 16

Stitching process

◮ Load images

SLIDE 17

Stitching process

◮ Load images
◮ Find matching points in the overlapping zones
  ◮ Can be automated, but problems with regular structures e.g. memories...

SLIDE 18

Stitching process

◮ Load images
◮ Find matching points in the overlapping zones
  ◮ Can be automated, but problems with regular structures e.g. memories...
◮ Stitch everything together

SLIDE 19

Introduction IC Layout Recovery Functional Recovery Case Studies Conclusion Recovery of the Transistor Logic Standard Cell Recognition Interconnections Software Non destructive Methods

Recovery of the Transistor Logic I

Polysilicon Layer

Figure labels: P-Well, N-Well, Polysilicon, Contact

Die shot: http://www.degate.org, National Semiconductor SC14421CVF

SLIDE 20

Recovery of the Transistor Logic II

Metal Layer 1

Figure labels: VDD, GND, Via

Die shot: http://www.degate.org, National Semiconductor SC14421CVF

SLIDE 21

Recovery of the Transistor Logic III

Metal Layer 2/3

Figure labels: Input A, Input B, Output Q

Die shot: http://www.degate.org, National Semiconductor SC14421CVF

SLIDE 22

Recovery of the Transistor Logic IV

What can we do now?

◮ Enough to recover the circuit diagram of the complete IC
◮ The only way for "old" digital ICs which have been designed on transistor level
◮ Has been done - MOS 6502 for example.

SLIDE 23

Standard Cell Recognition

Newer designs use Standard Cells to simplify the design process

◮ Use image processing algorithms to identify complete cells in the design.
◮ Identify each cell type in the used library
◮ Do all the transistor level stuff only once for each cell
◮ Cell libraries are process dependent - so the same library can be used for reverse engineering of every digital IC using the same process and library.

Therefore: Standard Cells also simplify the reverse engineering!

SLIDE 24

Example: Standard Cell detection

Images taken from [USE08]

◮ Detect edges
◮ Identify standard cell
◮ Feature detection algorithms to detect all instances

SLIDE 25

Interconnections

Images taken from [MN08] and [LAK98]

◮ Wires can be detected by edge recognition algorithms
◮ Vias can be detected by correlation with a sample via
◮ Results of automatic detection not 100% accurate
  ◮ Interactive process used
  ◮ Depends heavily on image quality
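
The correlation step behind two of the slides above (detecting vias against a sample via, and finding matching points between overlapping image tiles) is sketched here as an added example; it is not code from the presentation or from Degate. The grids, the 3x3 sample via, the thresholds and all function names are constructed assumptions; the memory-like checkerboard shows why regular structures give several equally good matches and need interactive review.

```python
from math import sqrt

def ncc(image, template, top, left):
    """Normalized cross-correlation of template placed at (top, left), in [-1, 1]."""
    h, w = len(template), len(template[0])
    win = [image[top + r][left + c] for r in range(h) for c in range(w)]
    tpl = [v for row in template for v in row]
    mw, mt = sum(win) / len(win), sum(tpl) / len(tpl)
    num = sum((a - mw) * (b - mt) for a, b in zip(win, tpl))
    den = sqrt(sum((a - mw) ** 2 for a in win) * sum((b - mt) ** 2 for b in tpl))
    return num / den if den else 0.0  # a flat window carries no evidence

def match_positions(image, template, threshold):
    """Top-left (row, col) of every placement scoring at least threshold."""
    h, w = len(template), len(template[0])
    return [(top, left)
            for top in range(len(image) - h + 1)
            for left in range(len(image[0]) - w + 1)
            if ncc(image, template, top, left) >= threshold]

def overlap_offset(left_tile, right_tile, patch_w=3, threshold=0.99):
    """Column of left_tile where right_tile begins, or None if the match is not unique."""
    patch = [row[:patch_w] for row in right_tile]
    hits = match_positions(left_tile, patch, threshold)
    return hits[0][1] if len(hits) == 1 else None

def tiles(scene, overlap_start=5, width=8):
    """Cut two overlapping tiles out of one scene, as a stepped stage would."""
    return [row[:width] for row in scene], [row[overlap_start:] for row in scene]

# --- constructed sample data, not taken from any real die ---
SAMPLE_VIA = [[1, 1, 1], [1, 9, 1], [1, 1, 1]]
METAL_LAYER = [
    [1, 1, 1, 1, 1, 1, 1, 1, 1, 1],
    [1, 9, 1, 1, 1, 1, 1, 1, 1, 1],   # via, same contrast as the sample
    [1, 1, 1, 1, 1, 1, 1, 1, 1, 1],
    [5, 5, 5, 5, 5, 5, 5, 5, 5, 5],   # horizontal wire (scores about 0.5)
    [1, 1, 1, 1, 1, 1, 2, 2, 2, 1],
    [1, 1, 1, 1, 1, 1, 2, 6, 2, 1],   # via imaged with lower contrast
    [1, 1, 1, 1, 1, 1, 2, 2, 2, 1],
]
LOGIC = [  # irregular pattern standing in for random logic
    [1, 9, 1, 1, 9, 9, 1, 9, 1, 1, 1, 9, 1],
    [9, 1, 1, 9, 1, 1, 9, 9, 1, 9, 1, 1, 9],
    [1, 1, 9, 9, 1, 9, 1, 1, 9, 1, 9, 9, 1],
    [9, 9, 1, 1, 1, 9, 9, 1, 1, 9, 1, 1, 1],
]
# checkerboard standing in for a memory array (period of two columns)
MEMORY = [[9 if (r + c) % 2 == 0 else 1 for c in range(13)] for r in range(4)]

if __name__ == "__main__":
    print("vias at:", match_positions(METAL_LAYER, SAMPLE_VIA, 0.9))
    print("logic tile offset:", overlap_offset(*tiles(LOGIC)))
    print("memory tile offset:", overlap_offset(*tiles(MEMORY)))
```

Because the score is normalized, the low-contrast via is still found, while the periodic tile returns no offset and has to be placed by hand or from stage coordinates.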

SLIDE 26

Software I

Degate and Chipworks Browser. Chipworks image taken from [Cry09].

◮ Degate by Martin Schobert (GPL)
◮ In-house software developed by reverse engineering companies like ICWorks (Chipworks), Matrix (UBM TechInsights) and tools by Cellixsoft. [Sch11]

SLIDE 27

Software II

◮ Only little information about the commercial tools available
◮ Interactive process used with help of algorithms to identify circuit elements
◮ Annotation features
  ◮ Circuit diagram
  ◮ Layer images
  ◮ Netlist
  ◮ Signal tracing

SLIDE 28

Debugging a living Chip

Images from [Sko05, p. 84]

Idea: read data during chip operation

◮ Small microprobes to read data from internal buses
◮ Might be used to extract encryption keys etc.

SLIDE 29

Chip manipulations I

Laser Cutter

◮ Cut wires, break security circuits
◮ Different laser wavelength for different features - UV for passivation layer, green for metal, IR for second metal

Images from [Sko05, p. 86]

SLIDE 30

Chip manipulations II

Focused Ion Beam - FIB

◮ Ultimate tool for silicon debugging
◮ Create new wires and test points
◮ Hole drilling
◮ Usable for small processes beyond optical resolution

Images from [Sko05, p. 87]

SLIDE 31

Introduction IC Layout Recovery Functional Recovery Case Studies Conclusion MOS 6502 Mifare Classic

Case Study: MOS 6502

◮ Was really common (used in Super Nintendo, Nintendo NES, all Commodore, Apple-1, ...)
◮ MOS Technology which originally produced the 6502 was bought in 1976 by Commodore which went bankrupt in 1994
◮ Elegant design, not as powerful as others but used considerably fewer transistors in comparison

Reverse engineering done by the visual6502 Project [Vis]

◮ Get an accurate transistor level model, even valid for illegal opcodes
◮ A lot of emulators available (check if they are bug-free)
◮ It's fun!

SLIDE 32

Examples of the die shots

Die shots of the 6502: left the substrate and right the top layers.
Images from http://visual6502.org/images/6502/index.html

SLIDE 33

Recovered layers netlists I

Layers constructed from the recovered netlists (from right to left): diffusion, polysilicon with vias, metal layers for power and ground and clock phases
Images from http://visual6502.org/images/6502/index.html

SLIDE 34

Recovered layers netlists II

Layers constructed from the recovered netlists: left all metal layers and right the whole chip with all vectors
Images from http://visual6502.org/images/6502/index.html

SLIDE 35

What do they use the vector data for?

Simulators

◮ Written in JavaScript and C
◮ Every signal is traceable
◮ Wires with potential are highlighted
◮ Even illegal opcodes do what they would do on the original
◮ Can be used to find bugs in all the other emulators
◮ For the future:
  ◮ Netlist in VHDL
  ◮ X-ray pcb
  ◮ Investigate other versions

SLIDE 36

Screenshot of the online-simulator

Screenshot of the visual6502 simulation tool
Can be found at http://visual6502.org/JSSim/expert.html

SLIDE 37

Case Study: Mifare Classic

◮ RFID system built and sold by NXP
◮ Manufacturer promised encryption without publishing the algorithm
◮ No peer review on the algorithm
◮ Kerckhoffs's principle: Encryption security should only be founded on keeping the key secret
◮ Used as access control system, e.g. in military facilities
  ◮ High security requirements
◮ Used in transportation systems London (Oyster-card), Australia (SmartRider-card), resekortet standard (SL, SJ, Skånetrafiken...)
◮ Over one billion sold units

SLIDE 38

Chip-Hardware

◮ Very small (area 1 mm²)
◮ 6 layers
◮ 70 different types of gates used
◮ Crypto functions 400 2-NAND-GE (smallest known AES block cipher requires 3400 GE)

Memory content was not known, therefore protocol analysis (examining the communication) was necessary to recover the whole function.

SLIDE 39

Procedure I

Pictures from the whole procedure.
Images from All Chips Reversed [Sch10a]

SLIDE 40

Procedure II

Pictures from the whole procedure.
Images from All Chips Reversed [Sch10a]

SLIDE 41

Procedure III

Pictures from the whole procedure.
Images from All Chips Reversed [Sch10a]

SLIDE 42

Procedure IV

Pictures from the whole procedure.
Images from All Chips Reversed [Sch10a]

SLIDE 43

Chip Image

Image of the decapsulated chip
Image from All Chips Reversed [Sch10a]

SLIDE 44

Results

Through the analysis the team was able to find significant vulnerabilities in the Mifare Classic chips.

◮ The crypto algorithm turned out to be weak
◮ Only 48-bit keys were used → brute-force attack possible
◮ Insecure random number generator
  ◮ Codebook can be calculated
  ◮ Same seed every time the card was powered on
  ◮ Number only depends on time between power on and readout - completely controllable by the reader.
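
The random number generator findings above can be reproduced on a toy model; this is an added example, not the card's own generator and not code from the presentation. The 16-bit LFSR taps, the seed value and the class names are assumptions for illustration; `distinct_nonces` is the kind of check a reviewer can run against a nonce source, shown beside a corrected design that draws from the operating system's CSPRNG.

```python
import secrets

def lfsr16_step(state):
    """Advance a 16-bit Fibonacci LFSR by one clock (taps are an assumption)."""
    bit = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
    return (state >> 1) | (bit << 15)

class WeakCard:
    """Nonce source with the flaws listed on the slide: fixed seed, clocked by time."""
    SEED = 0xACE1  # constructed constant, identical after every power-on

    def power_on(self):
        self.state = self.SEED

    def nonce(self, cycles_since_power_on):
        # The output is a pure function of elapsed clock cycles.
        state = self.state
        for _ in range(cycles_since_power_on):
            state = lfsr16_step(state)
        return state

class HardenedCard:
    """Corrected design: every nonce is fresh and independent of timing."""

    def power_on(self):
        pass  # no deterministic generator state to reset

    def nonce(self, cycles_since_power_on):
        return secrets.randbits(32)

def distinct_nonces(card, delay_cycles, power_cycles=50):
    """Power-cycle the card, read the nonce after the same delay, count distinct values."""
    seen = set()
    for _ in range(power_cycles):
        card.power_on()
        seen.add(card.nonce(delay_cycles))
    return len(seen)

if __name__ == "__main__":
    print("weak card, distinct nonces:", distinct_nonces(WeakCard(), 1000))
    print("hardened card, distinct nonces:", distinct_nonces(HardenedCard(), 1000))
```

A result of 1 for a fixed delay means whoever controls the timing controls the nonce; a sound source yields close to one distinct value per power cycle.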

SLIDE 45

Conclusion

Findings

◮ Logic can be recovered by just looking at it.
◮ Security in hardware is not safe because it is hardware
◮ For older processes it is even possible to do all steps at home at your kitchen table

Advice

◮ Don't build your own cryptographic algorithms, use well examined standards
◮ There is no security by obscurity

SLIDE 46

Appendix Resources Talk Video Recordings Webpages

Resources I

[Bla08] Blackhat DC 2008. Security Failures In Secure Devices, 2008. Available from: http://www.blackhat.com/presentations/bh-dc-08/Tarnovsky/Presentation/bh-dc-08-tarnovsky.pdf.

[Cry09] Cryptographic Hardware and Embedded Systems. The State-of-the-Art in IC Reverse Engineering at Chipworks, 2009. Available from: http://www.iacr.org/workshops/ches/ches2009/presentations/12_Invited_Talk_III/CHES2009_torrance.pdf.

[Kum00] J. Kumagai. Chip detectives [reverse engineering]. Spectrum, IEEE, 37(11):43–48, Nov 2000. doi:10.1109/6.880953.

[LAK98] D. Lagunovsky, S. Ablameyko, and M. Kutas. Recognition of integrated circuit images in reverse engineering. In Pattern Recognition, 1998. Proceedings. Fourteenth International Conference on, volume 2, pages 1640–1642 vol.2, Aug 1998. doi:10.1109/ICPR.1998.712032.

[MN08] G. Masalskis and R. Navickas. Reverse engineering of CMOS integrated circuits. ELEKTRONIKA IR ELEKTROTECHNIKA, (8):25–28, 2008. Available from: http://www.ktu.edu/lt/mokslas/zurnalai/elektros_z/z88/05_ISSN_1392-1215_Reverse%20Engineering%20of%20CMOS%20Integrated%20Circuits.pdf.

SLIDE 47

Resources II

[Sch10a] Martin Schobert. All chips reversed. Datenschleuder, 94:17–35, 2010. Available from: http://ds.ccc.de/pdfs/ds094.pdf.

[Sch10b] Martin Schobert. Studienarbeit: Reverse-engineeing von logikgattern in integrierten schaltkreisen, 2010.

[Sch11] Martin Schobert. Softwaregestütztes reverse-engineering von logik-gattern in integrierten schaltkreisen. Diploma thesis, Humboldt-Universität Berlin, 2011. Available from: http://www.degate.org/documentation/diplomarbeit.pdf.

[Sko05] Sergei P. Skorobogatov. Semi-invasive attacks – a new approach to hardware security analysis. Technical report, University of Cambridge, 2005.

[TJ09] Randy Torrance and Dick James. The state-of-the-art in IC reverse engineering. In Christophe Clavier and Kris Gaj, editors, Cryptographic Hardware and Embedded Systems - CHES 2009, volume 5747 of Lecture Notes in Computer Science, pages 363–381. Springer Berlin / Heidelberg, 2009. doi:10.1007/978-3-642-04138-9_26. Available from: http://dx.doi.org/10.1007/978-3-642-04138-9_26.

SLIDE 48

Resources III

[USE08] USENIX. Reverse-Engineering a Cryptographic RFID Tag, 2008.

[WFT+99] Lawrence W. Wagner, Steven Frank, Wilson Tan, John F. West, Thomas M. Moore, Cheryl Hartfield, Phug D. Ngo, Daniel L. Barton, Edward I. Cole, Christopher G. Talbot, Daniel Yim, Tim Haddock, Scott Boddicker, Robert K. Lowry, Keenan Evans, and David P. Vallet. Failure Analysis of Integrated Circuits: Tools and Techniques. Kluwer Academic Publisher, 1999.

SLIDE 49

Talk Video Recordings

If you have some spare time and are interested in this topic, have a look at the following recordings from several conferences:

[NP07] Karsten Nohl and Henryk Plötz. Mifare (little security, despite obscurity). 24th Chaos Communication Congress, 2007. Available from: http://www.youtube.com/watch?v=QJyxUvMGLr0.

[NS08] Karsten Nohl and Starbug. Chip reverse engineering. 25th Chaos Communication Congress, 2008. Available from: http://www.youtube.com/watch?v=Pp4TPQVbxCQ.

[NS09] Karsten Nohl and Starbug. Deep silicon analysis. Hacking at Random, 2009. Available from: http://www.youtube.com/watch?v=7MFpXHsKO4s.

[Ste10] Michael Steil. Reverse engineering the MOS 6502 CPU (en). 27th Chaos Communication Congress, 2010. Available from: http://www.youtube.com/watch?v=fWqBmmPQP40.

SLIDE 50

Webpages

Also highly recommended are the following webpages:

[deg] degate - a tool to support the reverse engineering of standard cell based circuits. Available from: http://www.degate.org/.

[Vis] Visual6502 - JavaScript MOS 6502 simulator at transistor level and huge collection of die shots. Available from: http://www.visual6502.org/.