

## Practical Introduction to Hardware Security

**Lecture 4: Physical Attacks and Tamper Resistance** 

Instructors: Mehdi Tahoori, Dennis Gnad, Jonas Krautter

INSTITUTE OF COMPUTER ENGINEERING (ITEC) – CHAIR FOR DEPENDABLE NANO COMPUTING (CDNC)



## Taxonomy of Attack Classes

#### Non-Invasive Attack

- Lowest cost
- No knowledge of inner workings of target
- No physical tampering

#### Semi-Invasive Attack

- Intermediate cost
- Some knowledge of inner workings of target
- Minimal physical tampering required

#### Invasive Attack

- High cost
- Full picture of inner workings of target
- Best chance of compromising target

#### Classification of Threats

#### Skilled Outsider

- Exploit existing weaknesses
- Minimal equipment sophistication
- Black-box understanding of target system

#### Knowledgeable Insider

- Advanced education and technical expertise
- Moderate equipment sophistication
- Some functional knowledge of target system

#### Funded Organization

- Highest education and technical expertise available
- High equipment sophistication
- High-Complete functional knowledge of target

## Levels of Security

#### Level 1

- Bare minimum required protection
- Minimal defense against glitching and tampering

#### Level 2

- Some tamper proofing
- Some defense against glitch attacks

#### Level 3

- Passive system lock-outs
- Passive tamper proofing

#### Level 4

- Active system lock-outs
- Active tamper detection

## Cost of Breaking Protection

None: \$N/A
Open book to attacker

Low: \$1,000 Security through Obscurity

Med-Low: \$3,000
Regular Microcontroller

Med: \$30,000 Secure Microcontroller

Med-High: \$150,000 ASIC, Secure FPGA, Smartcard

High: \$1,000,000 Secure ASIC

## Design for Security

#### Cost of a security breach

- Loss of customers and reputation
- Fines from government
- Loss of bottom line

#### Value of secured data to attacker

- Commercial value
- Strategic value
- Profitability

#### Cost of security implementations

- Price increase
- Area and complexity increase
- Power consumption increase

## Classification of Physical Attacks

#### **Physical Attacks**

#### Invasive Attacks

- Microprobing
- Reverse Engineering

#### Non-Invasive Attacks

- Side-channel Attacks
- Brute Force Attacks
- Fault Injection Attacks
- Data
   Remanence

#### Semi-Invasive Attacks

- UV Attacks
- Optical Fault Injection
- Advanced Imaging Techniques
- Optical Side-Channel Attacks

#### Non-Invasive Attacks

- Do not require de-capsulation or de-layering of the device, so it is non-destructive
  - Will not leave tamper evidence, so the use cannot be aware of the attack
- Do not require any initial preparation of the device under test
  - They can be done by tapping on a wire or plugging the device in the test chip.
- Easily reproducible, so they are not expensive
- It can take a lot of time to find an attack on any particular device.

19 December 2019

#### Non-Invasive Attacks

#### **Passive**

- Side-Channel Attacks
  - Power Analysis Attacks
  - Timing Attacks
  - Electromagnetic Emission Attacks

#### **Active**

- Brute Force Attacks
- Glitch Attacks
- Under-voltage and over-voltage attacks
- Current Analysis

#### **Invasive Attacks**

#### Expensive to perform

- require expensive equipment, knowledgeable attackers and sometime significant amount of time
- almost unlimited capabilities to extract information from chips and understand their functionality
- leave tamper evidence of the attack or even destroy the device
- getting more demanding as the device complexity increases and the size shrinks (technology scales)
  - + At the same time, the quality of the imaging devices is increasing

#### **Invasive Attacks**

#### Tools

- IC soldering/desoldering station
- simple chemical lab and high-resolution optical microscope
- wire bonding machine, laser cutting system, microprobing station
- oscilloscope, logic analyzer, signal generator
- scanning electron microscope and focused ion beam workstation

#### **Semi-Invasive Attacks**

- Relatively new type of attack, it fills the gap between non-invasive and invasive attacks
- Similar to the invasive attacks, they require depackaging of the device
- The attacker do not need to have expensive tools such as FIB.
- Such attacks are not entirely new
  - E.g., UV light is used to disable security fuses in EPROM for many years

## Semi-Invasive

#### UV Light Attacks

Used to disable security fuses in EPROM and one-time programmable (OTP) microcontrollers

#### Advanced Imaging Techniques

IR Light is used to observe the chip from rear side

Laser scanning techniques are used for hardware security analysis

## Optical Fault Injection

It is used to induce transient fault in a transistor by illuminating it with laser

#### Optical Side-Channel Analysis

Observation of photon emission from the transistor

#### **Invasive Attacks**



## Sample Preparation

It starts with partial or full decapsulation of the chip to expose the chip die

- Decapsulation is the process of the removal of the chip package
  - It can be done easily by anyone who has low level chemistry knowledge
  - Only need to do some practice on a dozen chips

## **Manual Decapsulation**

## Milling a hole on the Chip Package

 In this way the acid will affect only desired area on the chip surface



- Fuming Nitric Acid or mixture of Fuming Nitric Acid and concentrated Sulphuric Acid can be used
- The acid is applied with a pipette to the hole in the chip, it should be preheated to 50-70



- After 10-30
   second, the chip
   is sprayed with
   dry acetone
   several times
- Also, ultrasonic bath can be used to clean the chip die surface



## **Manual Decapsulation**









## **Manual Decapsulation**





#### Decapsulation can be done from the rear side of the chip

- Access to the chip die can be established without using any chemical
- It requires to mill down to the copper plate which can be then removed mechanically

## **Automated Decapsulation**

## For large quantities, automated decapsulation systems can be used.

- Very little skill and experience is required to operate it
- Cost around \$15,000
- Also, they consume ten times more acid than the manual decapsulation, so the disposal of the waste should be done in proper way



## **Example Decapsulation**

- The same partial decapsulation can be applied to smart card
- Not all of them may maintain their electrical integrity
- Generally, smart cards are decapsulated completely





19 December 2019

## **Sample Preparation**

- Deprocessing is the opposite process of the chip fabrication
- It has two main applications:
  - Removing passivation layer to expose metal layers for microprobing attack
  - Gaining access to the deep layers to observe internal structure of the chip
- Three basic deprocessing methods are used:
  - Wet chemical etching
  - Plasma etching, also known as dry etching
  - Mechanical polishing

## Deprocessing

#### Wet Chemical Etching

- Each layer is removed by specific chemicals
- Its downside is its uniformity in all directions
- Each type of material needs certain etchants to be used
- Nitrox wet etchant is one of the most effective etching agents for silicon nitride and silicon dioxide passivation layers which selectively removes the passivation layers of integrated circuits while preserving full device functionality.

## Deprocessing



**Top**: Motorola MC68HC705C9A microcontroller. The metal layer is removed exposing the polysilicon and the doping layers.

**Bottom**: Microchip PIC16F76 microcontroller. The top metal layer is removed exposing the second metal layer.

## **Deprocessing**

#### Plasma Etching

- Uses radicals created from gas inside a special chamber.
- Only the surfaces hit by the ions are removed
- Similarly, each type of material needs certain enchant

# 105 OB 1 11.0 ja 77-148-1401 EEE

#### Mechanical Polishing

- Performed with the use of abrasive materials
- Time-consuming and requires special machines



## Reverse Engineering

- RE is used for understanding the structure of the device and its functioning
- For ASIC, it means locations of all the transistors and interconnections
- All the layers of the chip are removed one by one in reverse order and photographed to determine the internal structure of the chip
- Eventually, by processing obtained information, circuit netlist can be created and used to simulate the device

### **Reverse Engineering**

- It is tedious and time-consuming process
- For the smartcards and microcontrollers, both structural and program-code reverse engineering is required.
  - First, security protection should be understood by partial reverse engineering
  - If memory bus encryption was used, the hardware responsible for this should be reverse engineered.
- For the CPLDs and FPGAs, even if the attacker obtained the configuration bitstream, he or she needs to spend a lot of time to simulate it

## Reverse Engineering: Imaging

#### Optical Imaging:

 For reverse engineering the silicon chips down to 0.18 µm feature size, an optical microscope with a digital camera can be used

#### Scanning Electron Microscopy (SEM):

For semiconductor chips fabricated with 0.13 µm or smaller technology, images are created using a SEM which has a resolution better than 10 nm.

## Layer by Layer Imaging



## Reverse Engineering



## **Invasive Attacks: Microprobing**

#### Microprobing

- Could be used for both Confidentiality and Integrity violations
  - eavesdropping on signals inside a chip (Confidentiality violation)
    - can be used for extraction of secret keys and memory contents
  - injection of test signals and observing the reaction (Integrity violation)
- laser cutter can be used to remove passivation and cut metal wires

## **Invasive Attacks: Microprobing**

#### Tools

- The most important tool is microprobing station. It consists of five elements
  - a microscope, stage, device test socket, micromanipulators and probe tips.



## **Invasive Attacks: Microprobing**

## Microprobing is applied to the internal CPU data bus

- Difficult to observe whole data bus all at once
- There are limited number of probes
- Two to four probes are used to observe data signals which are combined as a whole data trace later.

## Microprobing: Laser Cutting

- It is used to remove passivation layer to observe the metal layer
- Laser Cutting Systems consist of:
  - laser head mounted on camera port of a microscope
  - submicron-precision stage to move the sample
- Carefully dosed laser flashes remove patches of the passivation layer with micrometer precision



## Microprobing: Laser Cutting









## Microprobing: FIB Workstation

- The devices fabricated with lower technology node needs more sophisticated tools to establish contacts with the interconnect wires
- FIB stations can be used to create test point, imaging and repairing
- Also, FIB can mill holes and cut the wires



19 December 2019

#### **FIB Workstation**



Figure 68. The process of milling the hole using FIB

A hole that is milled by FIB workstation. You can create really tiny holes on the chip die with FIB



Figure 69. Cutting the wires using FIB

wire cutting with FIB. It can be used for chip modification attacks to disable the security circuitry.

### **FIB Workstation**





Figure 70. Test points created under FIB and optical image of these points

Test points created by FIB.
Without removing any layer, by creating test point over the chip surface, probing attacks can be performed.

An image created by FIB

# **Invasive Attacks: Chip Modification**

- It is used to disable security protection circuitry
  - By cutting one of the internal metal interconnection wires
  - By completely destroying the circuit associated with the security protection using a laser cutter
- For more sophisticated attacks FIB is used
  - Connecting the wire that transmits the security state to either the ground or the supply line.
- Chip modification always requires at least partial reverse engineering of the chip to find the point for possible attack.

# **Invasive Attacks: Chip Modification**





Figure 71. Cutting a single wire in the PIC12C508A microcontroller disables the security. 1000x magnification

Figure 72. Disabling the security in the PIC16F628 microcontroller by destroying the fuse control circuit with a laser cutter. 500× magnification

#### Countermeasures

- Bus Encryption
- Top-layer Sensor Meshes
- ASICs and custom ICs
- Internal Voltage and Clock Frequency Sensors
- Light Sensor

# **Countermeasures: Bus Encryption**

- The bus encryption is used to protect the sensitive information from probing
  - Basically, the memory content is encrypted and then sent to the CPU by data bus
  - Before the data used in CPU, it is decrypted



# Countermeasure: Bus Scrambling

## Typical probing areas

- Memory bus drivers
- Data bus itself where lines are organized in proper CPU bus width
- Bus order is always in order (0..7 or 7..0)



# Countermeasure: Bus Scrambling

- Data bus scrambling is used to confuse attackers
  - Order of the data bus is changed to make it difficult to observe bus signals



# **Bus Scrambling**

#### data bus with conventional chip layout



data bus with static scrambling



data bus with chip-specific scrambling



data bus with session-specific scrambling



or portion of a session

### Countermeasures: Sensors

- Different kind of sensors can be used to detect attack attempt
  - Voltage and frequency sensors for glitching attacks
  - Light sensor can be helpful against decapsulation of the device

- Special purpose sensors can be created to detect probing
  - Ring oscillator based detector (Probing Attempt Detector)

## **Sensors: Probing Attempt Detector (PAD)**

- Exploits the fact that probing will change the capacitance in the bus line.
  - Place ring oscillators on the bus lines
  - When the probe touches the one or more bus lines, frequency of the ring oscillator changes
    - Because of the added capacitance
  - PAD observes the bus lines continuously, when they have significant difference, it sets a flag that there is a probing attempt on one of the lines

### **Semi-Invasive Attacks**

Sample Preparation

Decapsulation

**Imaging** 

Backside imaging techniques

Perform the Attacks

UV light attacks

Active photon probing

Optical Fault injection attacks

## Semi-Invasive Attacks: Sample Preparation

- Decapsulation of the chip to prepare it for attacks.
- For the modern chips, backside decapsulation is used
  - There is no need to use chemicals







# **Semi-Invasive Attacks: Imaging**

- Down to 0.8 µm technology, it was possible to identify all the major elements of microcontrollers – ROM, EEPROM, SRAM, CPU
- Difficult to distinguish for newer technologies
- Can be observed with infrared light from rear side
- Backside imaging also is useful to extract the Mask ROM content

# **Semi-Invasive Attacks: Imaging**





Figure 78. Transmitted light setup and image of the MSP430F112 microcontroller. 50x magnification





Figure Combon 2019 optical image and reflected light backside image of the Mask ROM inside MC68HC705 P6A microcontroller built with 1.0 μm technology. 500× magnification

## Reading the Logic State of CMOS Transistors

Red low power laser beams ionize active areas

Power off imaging identifies active areas

Power on imaging distinguishes between closed and

opened transistor channels





| Po | wer on. SRAM content |
|----|----------------------|
| 11 | 00                   |
| 11 | 10                   |
| 11 | 11                   |
| 11 | 11                   |

19 December 2019

## Semi-Invasive: Optical Fault Injection Attacks

 Illumination of a target transistor causes it to conduct, thereby inducing a transient fault

- Such attacks
  - Practical
  - Do not require expensive laser equipment
  - Any individual bit of SRAM in microcontroller can be set or reset

#### Fault injection attacks: Changing SRAM contents



Figure 91. SRAM memory array with maximum magnification (1500×)



Figure 92. Allocation of data bits in SRAM memory array

## Non-volatile memory contents modification

- EPROM, EEPROM and Flash memory cells are even more sensitive to fault injection attacks.
- They can be changed by light
- This attacks can be used to disable security fuses
  - The light should be focused down to the security fuse
- These attacks do not work on modern chips built in smaller sizes

#### References

- Semi-invasive attacks A new approach to hardware security analysis, Sergei P. Skorobogatov
- Physical Attacks and Tamper Resistance Sergei Skorobogatov
- Hardware Engines for Bus Encryption: a Survey of Existing Techniques R. Elbaz, L. Torres, G. Sassatelli, P. Guillemin, C. Anguille and C. Buatois, J. B. Rigaud
- Wet and Dry Etching Avinash P. Nayak Logeeswaran VJ and M. Saif Islam
- Security Failures in Secure Devices, Christopher
   Tarnovsky Black Hat, DC

#### References

- www.flylogic.net/blog
- http://www.siliconzoo.org/
- Smart Card Handbook, by Wolgang Ranki, Wolfgang Effing
- Detection of Probing Attempts in Secure ICs, Salvador Manich, Markus S. Wamser and Georg Sigl