Nanofocused X-Ray Beam To Reprogram Secure Circuits Stphanie Anceau, - - PowerPoint PPT Presentation

Stéphanie Anceau, Pierre Bleuet, Jessy Clédière, Laurent Maingault, Jean-luc Rainard, Rémi Tucoulou

Nanofocused X-Ray Beam To Reprogram Secure Circuits

| 2 CHES | Jessy Clédière | 2017

Let’s speak about X-rays

• Ionizing radiations are often mentioned in literature, but without real

practical results

• Lots of references in failure analysis and space systems literature
• A new method of perturbation?
• We propose using a nanofocused X-ray beam of a synchrotron

| 3 CHES | Jessy Clédière | 2017

…after doing some preliminary tests on more simple equipment How did we get to a synchrotron?

medical equipment material science equipment

| 4 CHES | Jessy Clédière | 2017

With some basic focusing…

ZIF support X-ray die lead exposed area PCB Device Under Test

…a hole in a lead sheet

| 5 CHES | Jessy Clédière | 2017

ATMEGA A fairly old circuit (350 nm) but useful to investigate new attacks

| 6 CHES | Jessy Clédière | 2017

ATMEGA layout

500 µm

logic RAM flash

E E P R O M

| 7 CHES | Jessy Clédière | 2017

ATMEGA + lead sheet and hole we fill flash memory with value 0x55

| 8 CHES | Jessy Clédière | 2017

First faults obtained after 210 seconds of exposure

red: “1” to “0” corruption

| 9 CHES | Jessy Clédière | 2017

40 seconds later…

| 10 CHES | Jessy Clédière | 2017

then 40 more…

| 11 CHES | Jessy Clédière | 2017

and finally

| 12 CHES | Jessy Clédière | 2017

What happened?

floating gate transistor access transistor

| 13 CHES | Jessy Clédière | 2017

Data is stored in the floating gates

charge in the floating gate:

• transistor is blocked
• value 1 is stored

no charge in the floating gate:

• transistor is

conductive

• value 0 is

stored

| 14 CHES | Jessy Clédière | 2017

Access to the floating gates

access transistors

• f the active line

are conductive

| 15 CHES | Jessy Clédière | 2017

X-ray exposure : we discharge the floating gates

| 16 CHES | Jessy Clédière | 2017

Access to the data

| 17 CHES | Jessy Clédière | 2017

X-ray exposure continued : we semi-permanently switch on access transistors

| 18 CHES | Jessy Clédière | 2017

Column errors

| 19 CHES | Jessy Clédière | 2017

Column errors

| 20

• We empty floating gates of carriers

we could modify (1 to 0) flash and EEPROM

• We modify transistors semi-permanently

NMOS are made conductive (and PMOS blocked) it is reversible with a heat treatment (150°C, 1 hour) The last result applied to logic area of the circuit : we could reconfigure circuits : circuit edit

CHES | Jessy Clédière | 2017

Two major effects observed during these first tests

| 21

• These effects are described in the space systems literature and are

very interesting for our activity let’s focus X-rays down to the nano-scale to target a single transistor!

CHES | Jessy Clédière | 2017

Two major effects observed during these first tests (cont’d)

| 22 CHES | Jessy Clédière | 2017

Grenoble, France

Léti ITSEF European Synchrotron Radiation Facility (ESRF)

500 m

| 23 CHES | Jessy Clédière | 2017

Inside the donut

| 24 CHES | Jessy Clédière | 2017

Focusing to the nano scale: 60 nm X-ray spot

ATMEGA at the focal point of X-ray optic f l u

• r

e s c e n c e d e t e c t

• r

X-ray X-ray long focal length optic

| 25 CHES | Jessy Clédière | 2017

Fluorescence image by scanning the IC with the nano-beam

cross-section (SEM view) tungsten via SEM view tungsten fluorescence mapping

| 26 CHES | Jessy Clédière | 2017

Obtained results on ATMEGA

• Fluorescence mapping allows powerful and accurate positioning at

the transistor level

• Flash and EEPROM can be modified (1 to 0) at the bit level : code of

a circuit can be changed (good example in the proceedings)

• Single RAM cells can be semi-permanently stuck at 0 or 1 by

corrupting transistors

• Logic can be modified at the transistor level : circuit edit

this could be used to:

• change the behavior of the circuit
• remove hardware countermeasures…
• No need to open the package of the die

| 27 CHES | Jessy Clédière | 2017

RAM results on ATMEGA

SEM view fluorescence view superposition and results

5 µm

RAM address RAM cell stuck at 1 RAM cell stuck at 0

| 28 CHES | Jessy Clédière | 2017

Obtained results on state of the art technology node

• Fluorescence mapping still allows a powerful and accurate positioning

at the transistor level

• Flash / EEPROM can still be modified (1 to 0) at the bit level (110 nm

and 90 nm NOR flash)

• Single RAM cells can still be stuck at 0 or 1 (45 nm microcontroller)
• Still no need to open the package of the die

| 29 CHES | Jessy Clédière | 2017

Comparison

• Nanofocused X-rays could be compared to laser perturbation or to

Focused Ion Beam (invasive attack, circuit edit)

• Implementation is like a laser setup with no sample preparation

required (package opening, thinning…). But very small spot (60 nm or less): reverse engineering is required!

• Effects are like invasive attacks but totally non invasive!

FIB: modification of metal layers of the circuit X-rays: modification of the transistors of the circuit

| 30 CHES | Jessy Clédière | 2017

The cost of such a thing?

• Cost of a FIB access via service : 400 € / hour
• Cost of ESRF access via industrial channel : 3000 € for 8 hours

| 31 CHES | Jessy Clédière | 2017

Conclusion on nanofocused X-ray

• A new technique to attack circuits and to perform circuit-editing
• “Extreme” resolution with accurate positioning thanks to the use of

fluorescence mapping

• Tool with a difficult access, but not that expensive!
• Experiments are still ongoing.

Leti, technology research institute Commissariat à l’énergie atomique et aux énergies alternatives Minatec Campus | 17 rue des Martyrs | 38054 Grenoble Cedex | France www.leti-cea.com

Thanks