integrated circuit surgery
play

Integrated-Circuit Surgery: getting to the heart of the problem with - PowerPoint PPT Presentation

Nov 25, 2023 •261 likes •571 views

Integrated-Circuit Surgery: getting to the heart of the problem with the smallest scalpel John Walker Hardware.io The Hague, Netherlands 1 September 2019 The need for secure hardware Software, Firmware and Hardware. All can contribute to

  1. Integrated-Circuit Surgery: getting to the heart of the problem with the smallest scalpel John Walker Hardware.io The Hague, Netherlands 1 September 2019

  2. The need for secure hardware ▪ Software, Firmware and Hardware. All can contribute to making a microchip secure ▪ Software, Firmware and Hardware. They can all equally contribute to making a secure microchip insecure ▪ This talk concentrates on hardware security and on the physical aspects of that security ▪ A chip can be hacked given enough time, effort and resources. The defender is tasked with ensuring that the expenditure of time, effort and resources is greater than any gain from a successful attack Hardware.io The Hague, Netherlands 2 September 2019

  3. Different forms of secure hardware: Hard versus hardened ▪ The typical microprocessor is hard ▪ A secure chip is hardened but might because it is complex not be complex ▪ Small geometry down to 7nm ▪ Limited number of features ▪ Billions of elements ▪ Secure shields ▪ Complex data flow, but designed for ▪ Security is the first priority speed and efficiency with security down Hardware.io the list The Hague, Netherlands 3 September 2019

  4. What does hardened mean? ▪ Software and Firmware are designed to prevent known attack paths. Internal firewalling, error checking and obfuscation are used to stop attacks ▪ Features such as true random number generators are used ▪ Test and analysis functions such as JTAG are either not present, disabled or cryptographically secured ▪ A secure chip is normally protected against probing attacks using a shield or system of shield. 4

  5. Physical attacks ▪ Probing ▪ Rewiring ▪ Focused ion beam ▪ Changing the chip behaviour to do what you want 5

  6. Focused Ion Beam Workstation ▪ First it is a microscope – An ion microscope with 5nm resolution – An electron microscope with sub- nanometer resolution – An infra-red microscope to look through silicon ▪ Second it is a digging tool – The Ga ion beam can sputter away material with significantly sub-micron resolution – It can selectively remove different materials (aluminium, copper, dielectric) ▪ Third it can add new circuit to your chip – Deposit new conductive tracks and probe points using metal deposition ▪ Changing the chip behaviour to do what you want 6

  7. Stages in an attack 1. Are you testing security, breaching security or researching security? 2. Find out what is there first – Read available documentation (maybe not much) – Reverse engineer the chip 3. Identify the potential weaknesses and try to exploit them 4. Change the chip behaviour to do what you want 7

  8. Reverse Engineering ▪ Reverse engineer to make a 3 dimensional map of a chip – Many chips die, but their sacrifice guarantees them a place in heaven ▪ Strip back layer-by-layer – Wet chemical etching – Mechanical grinding and lapping – Reactive ion etching ▪ Capture an image of each layer, including all gates, interconnects and vias ▪ Identify the functions of blocks, cells/gates and structures – Identify how the above are interconnected – Identify weak points 8

  9. Strip back layers 9

  10. Active security shields ▪ Prevention of probing attacks ▪ Top one or two layers are shield ▪ Multiple active circuits – If any circuit is cut (open-circuit) then the chip is disabled – If any two adjacent circuits touch (short-circuit) then the chip is disabled ▪ The chip only recognises fault when it is powered up Hardware.io The Hague, Netherlands September 2019

  11. Limited area attacks Used to remove the active shield from above a single point for probing. Hardware.io The Hague, Netherlands September 2019

  12. Bridge shield lines A loop in the active circuit can be short-circuited without affecting the circuit. Hardware.io The Hague, Netherlands September 2019

  13. Expose shield area to be removed The loop can be exposed. It is then possible to remove the loop material without a breach being detected. Hardware.io The Hague, Netherlands September 2019

  14. Remove shield ▪ Is this useful? ▪ Only a small area removed ▪ Difficult to align to tracks under shield ▪ Easy to short-circuit your FIB edit to the bridge created on the shield Hardware.io The Hague, Netherlands September 2019

  15. First find the contacts Use backscattered electrons to look for tungsten plugs ▪ First, find where the tracks contact the circuit below ▪ Use backscattered electrons to look for tungsten plugs Hardware.io The Hague, Netherlands September 2019

  16. Cut track at each end ▪ When the track is cut at each end, the track appears dark ▪ This is a voltage contrast effect Hardware.io The Hague, Netherlands September 2019

  17. Track ends are short-circuited When the track ends are short-circuited, the tracks can be removed or ignored

  18. Shields with parallel lines Use backscattered electrons to look for tungsten plugs ▪ First, find where the tracks contact the circuit below ▪ Use backscattered electrons to look for tungsten plugs

  19. Use voltage contrast to find connections ▪ First, try to map out the basic shield structure ▪ Expose the sixteen separate shield lines Open the ▪ Cut the lines close to the contacts below first field of circuits. Open once to expose, and a second time to cut them.

  20. ▪ Expose the circuit lines of the second column of contacts Open the second field to expose the shield tracks

  21. Cut the first track ▪ Cut one of the lines of the second column ▪ Note which line goes dark (voltage contrast) Use voltage contrast to find the correct wire to short to

  22. Restore the shield ▪ Connect the lines of the chosen track to bypass

  23. Continue to cut shield and restore ▪ Connect the other lines to bypass the whole circuit block

  24. Data gathering with internal probing ▪ Placing probe points on a bus ▪ Disable RNG and RNG checking ▪ Enable JTAG ▪ Read or set registers Hardware.io The Hague, Netherlands 24 September 2019

  25. An alternative route to the data: backside edit ▪ If the active shield is too hard to bypass ▪ If it is a flip-chip with ball bonds ▪ If the interesting tracks are really deep Hardware.io The Hague, Netherlands 25 September 2019

  26. Find your feature – IR microscopy ▪ Backside edit uses IR microscopy to find an area of interest ▪ IR resolution is about 1 μ m. Small tracks cannot be seen ▪ You need to have an accurate reverse engineered layout and nearby alignment points ▪ You should also know where the n-wells and other implanted areas are. Very hard for hackers without the GDS11 layout Hardware.io The Hague, Netherlands 26 September 2019

  27. Start digging Hardware.io The Hague, Netherlands 27 September 2019

  28. Keep digging Hardware.io The Hague, Netherlands 28 September 2019

  29. Stop digging ▪ N-wells become visible ▪ Stop digging immediately ▪ Align to layout points between active areas ▪ Cut tracks, join tracks or put down probe points (and hope you can reach them) Hardware.io The Hague, Netherlands 29 September 2019

  30. Congratulate yourself Hardware.io The Hague, Netherlands 30 September 2019

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Mixed- -Signals Signals Mixed Integrated Circuit Testing Integrated Circuit Testing Salvador

Mixed- -Signals Signals Mixed Integrated Circuit Testing Integrated Circuit Testing Salvador

Mixed- -Signals Signals Mixed Integrated Circuit Testing Integrated Circuit Testing Salvador MIR TIMA Laboratory 46 Av. Flix Viallet 38031 Grenoble salvador.mir@imag.fr Montpellier, 27 th March 2007 1 Outline Introduction 1 Analog

456 views • 29 slides
Inter&Integrated*Circuit*Bus (I 2 C*Serial*Bus) http://www.i2c&bus.org/ 1 I 2 C*OVERVIEW

Inter&Integrated*Circuit*Bus (I 2 C*Serial*Bus) http://www.i2c&bus.org/ 1 I 2 C*OVERVIEW

Inter&Integrated*Circuit*Bus (I 2 C*Serial*Bus) http://www.i2c&bus.org/ 1 I 2 C*OVERVIEW The'name'stands'for'Inter'3 Integrated'Circuit'Bus' (Developed'by'Philips'in'the'early'1980s)

393 views • 26 slides
Low-Power RF Integrated Circuit Design Techniques for Short-Range Wireless Connectivity Marvin

Low-Power RF Integrated Circuit Design Techniques for Short-Range Wireless Connectivity Marvin

Low-Power RF Integrated Circuit Design Techniques for Short-Range Wireless Connectivity Marvin Onabajo Assistant Professor Analog and Mixed-Signal Integrated Circuits (AMSIC) Research Laboratory Dept. of Electrical and Computer Engineering

569 views • 28 slides
The Integrated 0-5 Pathway to Vascular Surgery Training RABIH A. CHAER MD, FACS University of

The Integrated 0-5 Pathway to Vascular Surgery Training RABIH A. CHAER MD, FACS University of

The Integrated 0-5 Pathway to Vascular Surgery Training RABIH A. CHAER MD, FACS University of Pittsburgh Medical Center Division of Vascular Surgery Educational Medical Student Breakfast. SVS, June 18 2011 Disclosures NONE Training in

531 views • 27 slides
Tracheoesophageal Prosthesis Insufflator Computer Integrated Surgery II, Project 13 Kevin Liu

Tracheoesophageal Prosthesis Insufflator Computer Integrated Surgery II, Project 13 Kevin Liu

Tracheoesophageal Prosthesis Insufflator Computer Integrated Surgery II, Project 13 Kevin Liu Johns Hopkins University April 11, 2013 Mentors: Dr. Russell H. Taylor, Dr. Jeremy Richmon Overview -- Summary -- Signficance -- Status of

610 views • 13 slides
Applications Integrated circuit design: Computer graphics (hidden line removal):

Applications Integrated circuit design: Computer graphics (hidden line removal):

G EOMETRIC I NTERSECTION Determining if there are intersections between graphical objects Finding all intersecting pairs Geometric Intersection 1 Applications Integrated circuit design: Computer graphics (hidden line

194 views • 15 slides
EMT 368 Reliability and Testability in Integrated Circuit Design School of Microelectronic

EMT 368 Reliability and Testability in Integrated Circuit Design School of Microelectronic

EMT 368 Reliability and Testability in Integrated Circuit Design School of Microelectronic Engineering UniMAP A. Harun 1 Course content Reliability and availability concept Robust design principle Time and failure dependent

786 views • 32 slides
Securing Computer Hardware Using 3D Integrated Circuit (IC) Technology and Split Manufacturing

Securing Computer Hardware Using 3D Integrated Circuit (IC) Technology and Split Manufacturing

Introduction Attack Model k -Security Layout Randomization Summary Securing Computer Hardware Using 3D Integrated Circuit (IC) Technology and Split Manufacturing for Obfuscation Frank Imeson ECE, University of Waterloo USENIX Security 13

540 views • 43 slides
I 2 C bus (Inter-Integrated Circuit) Designed for low-cost, medium data rate applications.

I 2 C bus (Inter-Integrated Circuit) Designed for low-cost, medium data rate applications.

I 2 C bus (Inter-Integrated Circuit) Designed for low-cost, medium data rate applications. (Phillips Semiconductor, 1980s) Tutorial: http://www.esacademy.com/faq/i2c/ Characteristics: serial, byte-oriented; multiple-master;

904 views • 31 slides
Design and Modeling of a 0.4mW/Ch Multi-Channel Integrated Circuit for Infrared Gas Recognition

Design and Modeling of a 0.4mW/Ch Multi-Channel Integrated Circuit for Infrared Gas Recognition

DCIS 2010 Intro Channel Preamp Blind-Lock ADC Modeling Results Conclusions 1/26 Design and Modeling of a 0.4mW/Ch Multi-Channel Integrated Circuit for Infrared Gas Recognition S. Sutula, C. Ferrer and F. Serra-Graells

543 views • 26 slides
Seventh Circuit Suggests That Longer Assumption/Rejection Deadline Should Govern Integrated

Seventh Circuit Suggests That Longer Assumption/Rejection Deadline Should Govern Integrated

Seventh Circuit Suggests That Longer Assumption/Rejection Deadline Should Govern Integrated Franchise and Commercial Lease Agreements Brad B. Erens Mark G. Douglas It is broadly accepted that the abbreviated deadline for a bankruptcy trustee or

115 views • 8 slides
Highly integrated power electronic converters using active devices embedded in printed-circuit

Highly integrated power electronic converters using active devices embedded in printed-circuit

Highly integrated power electronic converters using active devices embedded in printed-circuit board Chenjiang Y U 1 , Cyril B UTTAY 2 , ric L ABOUR 1 , Vincent B LEY 3 , Cline C OMBETTES 3 1 GEEPS (LGEP), Paris, France 2 Laboratoire

555 views • 44 slides
Graph Sparsification Approaches to Scalable Integrated Circuit Modeling and Simulations Zhuo Feng

Graph Sparsification Approaches to Scalable Integrated Circuit Modeling and Simulations Zhuo Feng

Design Automation Group Graph Sparsification Approaches to Scalable Integrated Circuit Modeling and Simulations Zhuo Feng Acknowledgements: My PhD students Xueqian Zhao (MTU) and Lengfei Han (MTU) ICSICT, Oct, 2014 1 Scalable SPICE-Accurate

701 views • 45 slides
United States Court of Appeals for the Federal Circuit ______________________ CREATIVE INTEGRATED

United States Court of Appeals for the Federal Circuit ______________________ CREATIVE INTEGRATED

N OTE : This disposition is nonprecedential. United States Court of Appeals for the Federal Circuit ______________________ CREATIVE INTEGRATED SYSTEMS, INC., Plaintiff-Appellant, v. NINTENDO OF AMERICA, INC., NINTENDO CO., LTD., MACRONIX

414 views • 20 slides
Lichfield Street Surgery Sycamore House Surgery The Limes Surgery Saddlers Surgery . Relocation

Lichfield Street Surgery Sycamore House Surgery The Limes Surgery Saddlers Surgery . Relocation

Lichfield Street Surgery Sycamore House Surgery The Limes Surgery Saddlers Surgery . Relocation Engagement December 2017-January 2018 From and To Proposed site Our Present Sites Lichfield Street Surgery Sycamore House Surgery The Limes Surgery

899 views • 15 slides
Integrated Circuit Design Project 2 Mid-term Review Presentation Yongfu Li & Yong Lian

Integrated Circuit Design Project 2 Mid-term Review Presentation Yongfu Li & Yong Lian

Introduction to Mixed-Signal Integrated Circuit Design Project 2 Mid-term Review Presentation Yongfu Li & Yong Lian Dept. of Micro/Nano Electronics Shanghai Jiao Tong University Y. Li & Y. Lian Presentation Slide 1 Grading 40% (I)

269 views • 4 slides
Mechanical descaling by high pressure water jet assoc.prof. Michal Pohanka Workshop on Pickling

Mechanical descaling by high pressure water jet assoc.prof. Michal Pohanka Workshop on Pickling

Mechanical descaling by high pressure water jet assoc.prof. Michal Pohanka Workshop on Pickling Solutions Technology 13th of November 2019, Dsseldorf Introduction Brno University of Technology, Czech Republic Hydraulic descaling of

747 views • 30 slides
Nano-Science Activity at Atomic-scale Surface Science Research Center (ASSRC) in Yonsei

Nano-Science Activity at Atomic-scale Surface Science Research Center (ASSRC) in Yonsei

Nano-Science Activity at Atomic-scale Surface Science Research Center (ASSRC) in Yonsei University Presented by H. W. Yeom 2003. 10. 14 Overview of ASSRC Director : Prof. C. N. Whang Established in 1995 Funding - Korean Science and

197 views • 5 slides
San Diego Nanotechnology Infrastructure http://sdni.ucsd.edu Your Site Logo Here 1 San Diego

San Diego Nanotechnology Infrastructure http://sdni.ucsd.edu Your Site Logo Here 1 San Diego

San Diego Nanotechnology Infrastructure http://sdni.ucsd.edu Your Site Logo Here 1 San Diego Nanotechnology Infrastructure 1. SDNI is focused on the areas of NanoBioMedicine, NanoPhotonics , and NanoMagnetism . 2. Support and enable

364 views • 17 slides
LUMA METALL Presentation 1106 v1.0 The future isnt wireless! Fine Wire Products and

LUMA METALL Presentation 1106 v1.0 The future isnt wireless! Fine Wire Products and

LUMA METALL Presentation 1106 v1.0 The future isnt wireless! Fine Wire Products and Precious Metal Plating Technologies Our business idea: With a flexible and service-orientated organization develop, produce and provide global markets

456 views • 11 slides
SynBIGreen Synthe'c Biology Indonesia Go Green Synthe'c Biology

SynBIGreen Synthe'c Biology Indonesia Go Green Synthe'c Biology

SynBIGreen Synthe'c Biology Indonesia Go Green Synthe'c Biology Indonesia Go Green OVERVIEW BACKGROUND WETLAB PLASTIC WASTE MODELING Widely used in

436 views • 31 slides
SEM pollen analysis of Heliophila (Brassicaceae) Sharon Carter, University of Central Florida

SEM pollen analysis of Heliophila (Brassicaceae) Sharon Carter, University of Central Florida

SEM pollen analysis of Heliophila (Brassicaceae) Sharon Carter, University of Central Florida Orlando FL (c_sharon_ucf@knights.ucf.edu) Ihsan Al- Shehbaz, Missouri Botanical Gardens (ihsan.al-shehbaz@mobot.org) Introduction Brassicaceae

481 views • 18 slides
Ad Advan vanced ced Ti Tip Shap p Shape e An Analy alysis sis fo for Tu r Tung ngsten

Ad Advan vanced ced Ti Tip Shap p Shape e An Analy alysis sis fo for Tu r Tung ngsten

Ad Advan vanced ced Ti Tip Shap p Shape e An Analy alysis sis fo for Tu r Tung ngsten sten Mi Microemitt croemitters ers St Stud udent: ent: Ma Mazen n Ad Adel l Ma Mada dana nat t 1 Su Supe pervi rvisor: sor:

241 views • 23 slides
Microstructural I nvestigations of Cathode Barrier Layer Electrolyte I nterface in a SOFC

Microstructural I nvestigations of Cathode Barrier Layer Electrolyte I nterface in a SOFC

Microstructural I nvestigations of Cathode Barrier Layer Electrolyte I nterface in a SOFC Ruth Knibbe, Johan Hjelm, Jason Wang, Mohan Menon CGO Barrier Layer 1) Introduction motivation for investigation 2) Electron Microscopy

380 views • 14 slides

More recommend