Practical Partial Hardware Reverse Engineering Analysis by Courbon, Franck
Practical partial hardware reverse engineering analysis
For local fault injection and authenticity verification
Franck Courbon
Abstract Reverse engineering typically requires expen-
sive equipment, skilled technicians, time, a cross section
of the component to be sliced out, and a dedicated re-
construction software. In this paper, we present a low-
cost alternative, combining fast frontside sample prepa-
ration, electron microscopy imaging, error-free standard
cell recognition, as well as within and between-die Stan-
dard Cell Statistical Analysis (SCSA). Step-by-step, we
depict the process to access the transistor’s drain/source
area; to acquire the full area of a single chip layer; to
adapt pattern recognition for standard cells and to an-
alyze the standard cell width, local / global location
and occurrences number. The inner workings of each
step are accompanied by results on 45-65nm FCBGA
devices, making it possible to locate specific areas (e.g. registers,
hardware accelerator). We particularly point out the
importance of such design information extraction for
local fault injection and hardware assurance. The pri-
mary goal is to analyze how much design information
of a complex integrated circuit can be retrieved with
minimal costs and without outsourcing.
Keywords Standard cell · partial reverse engi-
neering · pattern recognition · statistical analysis ·
countermeasures
Introduction
Hardware-based vulnerabilities of Integrated Circuits
(ICs) running security applications allow an attacker to
retrieve sensitive data or bypass security mechanisms.
Department of Computer Science and Technology
William Gates building, 15 JJ Thomson Avenue
University of Cambridge, CB30FD Cambridge, UK
Tel.: +44 1223 763837
E-mail: franck.courbon@cl.cam.ac.uk
Table 1 Hardware Reverse Engineering techniques comparison.
RE technique    Cost/Time/Exp.    Applied on
Standard [1]    ++                Full volume possible
FIB/SEM [5]     +++               Hundreds µm3
Xray [4]        ++++              Few dozens µm3
Drain/Source    –                 Full single layer surface
Reverse engineering [1], a specific kind of attack, is seen
as an expensive approach compared to side-channel or
even fault attack approaches. However, products in-
clude more and more countermeasures regarding side-
channel and fault attacks at the development stage,
thus reducing such attack schemes. On the other hand,
reverse engineering, due to time and cost constraints,
is not typically considered a standard solution. Indeed,
typical reverse engineering involves perfectly accessing
each layer of a circuit, acquiring images and processing
them. It requires skills, expertise, expensive equipment,
high precision and time [2]. Reverse engineering is uti-
lized for circuit integrity verification or IP infringement
detection, and can be performed by analytical laborato-
ries. X-ray based reverse engineering (non destructive)
is widely under investigation, but currently requires
highly sophisticated equipment and has only been ap-
plied to a very small subset (some µm3) of an IC [3] [4].
While some interesting FIB/SEM techniques [5] have so
far been applied to parts of a circuit, they are quite de-
manding in terms of knowledge, time and equipment,
as illustrated in Table 1. There are also ongoing multi-
electron beam source and X-ray detector investigations
to allow local X-ray analysis without synchrotron [6].
To counteract the difficulty of the standard reverse
engineering process, we propose to retrieve sensitive in-
formation of a component (e.g., registers location, and
hardware accelerator) by only analyzing where the tran-
sistors’ drain/source are located. Having such informa-
tion is enough to reduce the area of interest for a sub-
sequent localized attack (e.g., electromagnetic or laser
attack); check the authenticity of the circuit (e.g., hard-
ware trojan detection); or understand the underlying
hardware layer after a side-channel technique such as
photon-emission analysis.
Our goal is not to reverse engineer a complete chip
but instead to gain partial design information for
particular purposes. These purposes lie in the detection
of malicious circuit modification, but also in combined
attacks, where such a technique would decrease the number
of samples and the attack time needed. Thus, a complete
attack could be applied thanks to extracted spatial
information combined with temporal information extracted
by a standard side-channel (e.g. power). Also, extracted
spatial information can be analyzed once chip
sub-functions have been roughly localized with a more
global technique.
Most of the drawbacks of hardware reverse engineer-
ing disappear (cost, time, manual corrective action),
and we retrieve the standard cells function or a specific
group of standard cells by location (absolute, and cell-
to-cell), occurrences number, and width/shape analysis,
which we refer to as Standard Cell Statistical Analysis
(SCSA). The methodology herein is depicted from sam-
ple acquisition to a few recognition examples.
Utilizing such an approach, locating specific cells
can be done regardless of the device technology node
and package. For instance, it can reduce attack rating
for the identification and exploitation phase, and can be
used in conjunction with laser fault attacks [8] to by-
pass security mechanisms [7]. Multi-spot (bypass/fault
capability) and high power (through the substrate capa-
bility) platforms are commercially available, increasing
security threat (redundancy and software check can be
defeated). While technology node approaches 7nm, the
size of the implemented transistor/single standard cell
is larger, and laser energy (pulse duration/power) can
be reduced enough to only perturb a single standard
cell below the peak of the Gaussian shape beam.
In the past, Nohl [9] reversed a ciphering circuit
made of 400 NAND Gate Equivalent (GE) from optical
images using normalized cross correlation. Also, Cour-
bon [10] retrieved the location of a single type of stan-
dard cell (a flip-flop cell) on a 0.5mm2 area device man-
ufactured in a 130nm process. To the best of our knowl-
edge, we are the first to develop, and explain step by
step, a low cost full area (single layer) standard cells ex-
traction methodology on a 45nm device (Mgates), while
analyzing IC design requirements, methodology limits
and countermeasures. The aforementioned methodology
takes its sample preparation roots in the failure
analysis world, and its image processing roots in the cell
(biology) analysis world.
The paper is organized as follows: we start by talk-
ing about IC design and geometries, before introducing
the multi-field steps to localize standard cells in Sec-
tion 1. Then, we introduce the device under investiga-
tion in Section 2, and put into practice the methodology
in Section 3. Finally, we investigate partial reverse
engineering applications in Section 4, and present ways
to extend this work in Section 5.
1 From integrated circuit design to standard
cell physical extraction
1.1 IC design
An IC designer uses a certain number of off-the-shelf
macros (IP royalty fees apply) combined with a cer-
tain number of standard cells (from a chosen Process
Design Kit (PDK)); a ratio that primarily depends on
project cost and design (i.e., timing) constraints. For
instance, ARM cores hard macros are widely present
at the moment in embedded devices, such as mobile
phones and smart cards. There are similarities between
products, as standard cells and hard-macros are re-used
across a large variety of devices. Herein, we analyze
standard cells and hard macros XY localizations. In the
era of specialization (i.e., dedicated ASIC for machine
learning/server) and open source hardware (based on
the RISC-V Instruction Set Architecture (ISA)),
investigating hardware implementation is paramount.
1.2 IC geometries
Integrated circuit area (length and width expressed in
mm) is wider compared to the thickness of each metal
layer (few hundreds nm), hence the planarity problem
when delayering. Adding to the high density of tran-
sistors per mm2, this leads to long imaging time. The
smallest feature (for non-advanced processes) is generally
the transistor gate width, corresponding to the tech-
nology node. A transistor controls how much current
flows through from source to drain, depending on the
voltage applied on the gate. Such capability is used to
obtain various boolean functions (or to create a cur-
rent amplifier). Drain and source are created by local
doping (Boron, Phosphorus) of the semiconductor sub-
strate which is Silicon based. From bottom to top, fol-
lowing the substrate, we find poly-silicon that forms
the transistors’ gates (separated by a dielectric SiO2
down to 32nm, then replaced by Hafnium-based (higher
permittivity) dielectric). Typically, a first Metal layer
is then used to interconnect transistors, thus forming
standard cells (NAND, OR, FLIP-FLOP). Then, non
basic functions, such as a 32-bit counter, are formed by
interconnecting multiple standard cells together, while
power/clock are routed in top Metal layers. Metal lay-
ers are separated by a dielectric (SiO2 (glass)), and vias
allow vertical connections between the subsequent lay-
ers.
1.3 Sample preparation
ICs running secure applications come in various for-
mats – Smart Card, System-on-Chip (SoC), Package-
on-Package (PoP) (the die thickness being 130µm for
smart cards and PoPs due to fitting requirements). However,
we reckon that it is possible to extract the die of
any circuit at almost no cost: a combination of sharp
cutting tools, acids (i.e., HNO3), hot plates and
protective equipment [11]. Once the die is extracted, it is
possible to easily reach the transistors’ active region us-
ing HF acid. This has very interesting features in terms
of cost, full area application, speed, and required skills,
while the technique allows several samples to be pre-
pared at once. There is no need of cross-sectioning, and
the technique is independent of the technology node. In
this paper, we show how easily one can reach such layer
of a circuit, manufactured with a 45nm process and
packaged in a Flip-Chip Ball Grid Array (FCBGA).
1.4 Sample imaging
Scanning Electron Microscopy (SEM) is a standard for
imaging deep sub-micron integrated circuits as optical
microscopy has a smaller depth of focus and is limited
by light diffraction (coating techniques can limit the
impact of the latter but require an extra step and thus
an extra variable). Detector type, aperture size, probe current,
accelerating voltage, magnification, scanning speed and
image resolution can be easily tuned. Despite being less
prone to contrast changes compared to optical microscopy,
it is worth ensuring that the prepared integrated
circuit remains as flat as possible after attaching
it with carbon tape, given the large area to be acquired.
The SEM only gives a grayscale intensity for
each pixel (a certain secondary or backscattered elec-
trons detector count), and the image is thus saved in
a single channel format (saving memory space). There
are many parameters to set (mainly accelerating volt-
age, probe current and time per pixel), impacting ac-
quisition time and signal-to-noise ratio. Here, we partic-
ularly point out practical features and considerations,
pros and cons of SEM imaging with respect to our ap-
plication.
1.5 Images alignment
Newer SEMs include proprietary tools (e.g., ZEISS AT-
LAS, FEI MAPS) dedicated to large-area acquisition;
it is thus easy to scan a specified area with a specific
magnification, image rotation, time per pixel (dwell),
and image overlap and then have the tool performing
the alignment task. Another option (if a SEM without
large-area acquisition dedicated software is used) is to
directly use SEM APIs to write an acquisition recipe,
and use offline tools for alignment. Herein, we demon-
strate the use of an offline artefact-free alignment tool.
1.6 Pattern recognition
There has been an attempt to automate or semi-automate
integrated circuit reverse engineering in the open source
community, Degate [12]. This software is quite interest-
ing as the user can load images and directly process
them. However, we found some limitations in terms of
pattern recognition rate, timing performance, adjust-
ing grid lines or loading large images. While we also
implement a normalized cross-correlation function [13]
as a kernel to recognize patterns, we specifically create
a lighter custom tool dedicated to single layer analysis,
fast and robust with respect to possible SEM images
(sample preparation and foundry). We propose an al-
gorithm taking into account the possible artefacts aris-
ing from previous methodology steps. A single missing
pattern could ruin our statistics, and therefore we en-
sure that no false recognition is obtained with standard
pattern recognition algorithms. We are thus able to au-
tomatically collect labelled data (error-free) and create
a standard cell (single layer) library. This library can be
used as it is or be the starting point for multi-sample
analysis using machine learning techniques to speed up
analysis.
1.7 Statistical analysis
At the layer of interest, various repetitive shapes are
visualized. They correspond to basic functions such as
INV, AND, OR, MUX, DEC, half adder, DFF, latch,
and so on. Having only drain and source remaining on
our images, we cannot directly retrieve the function
of a standard cell (as poly and M1 layers are miss-
ing). Whatever the device type, the number of these
base functions is very low (few tens only). Addition-
ally, base functions are split [14] into different instances
as the number of inputs, the presence of signal such
as reset/clock, the drive strength, and different voltage
domains (for a SoC) differ. Those instances are each
optimally designed depending on speed, power, area re-
quirements and foundry capabilities. The chip designer
uses such instances from the design kit to implement
all his/her functions (or directly use other IPs), result-
ing in a chip with about 200kGE (Gate Equivalent) for
a smart card digital logic, versus a SoC with several
tens/hundreds of millions of standard cell occurrences for
the logic only. In this paper, the goal is to give a first
approach to recognizing cells based on absolute/relative
location, number of occurrences, width and shape of
pattern within a single chip and between chips.
2 Device under investigation
The circuit used for demonstration in this paper is a
9.3*10.4mm SoC manufactured in a 45nm technology
node and packaged in a FCBGA, the standard for re-
ducing size and increasing speed of a device compared
to wire bonding. Within this case study, the main part
of interest, the digital logic, is expected to include sev-
eral millions of standard cells. For information, the typ-
ical layer stack (starting from bottom to top) of such
devices is the following:
– Silicon substrate (650-850µm)
– Doped areas (transistors’ drain and source)
– Poly-Silicon (transistors’ gate)
– Stack of 7+ Metal layers and dielectrics (ascending
about 0.2 to 0.9µm)
3 Step by step practical implementation
3.1 Frontside sample preparation
Under a fume cupboard, we first heat up the complete
device on a 400°C (command) hot plate for a few minutes.
Placing a sharp knife under the die, we subsequently
detach the die from its package. At this stage,
the die comes with Copper balls – we use the same sharp
knife to scratch the surface to remove all of them. We
perform this until we reach the Polyimide layer (Kapton).
Due to the hardness of the Kapton material, we do
not scratch the layers below. We can perform some SEM
imaging at this stage to visualize the top metal layer
(Fig. 1).
Fig. 1 At polyimide layer optical & SEM image at 600X.
If this layer is satisfactory for your reverse engi-
neering application (chip identification, integrity ver-
ification), a quick manual polishing (not done in either
Fig. 1 images) removes Copper residues, while backscat-
tered electrons SEM imaging prevents the visualization
of surface scratches (SEM image in Fig. 1).
The Kapton film (polyimide) is now the top layer;
it is detached, and dielectric/metal layers are etched
away using a 50% Hydrofluoric acid (HF) bath (less
than 10min). After the metal layers have been removed,
only drain and source implants remain. Samples are
first rinsed with acetone, before an ultrasonic bath with
deionized water only is used. This perfectly cleans the
die surface in less than 10 minutes. Last but not least,
a nitrogen gun is used to avoid any water residues. The
sample is, at this stage, ready for imaging. One can
note the possibility to obtain the technology node (from
45nm) with a high magnification SEM image, Fig. 2.
Fig. 2 At drain/source layer: optical & SEM image at 63kX
To sum up the whole sample preparation process, its
main benefits are its speed (less than 40 minutes), cost
per sample (few $), whole sample surface application
(about 100 mm2), technology node independence (45-
65-90-130nm in this paper), effectiveness (100% success
rate) and accessibility (no required skills).
3.2 Frontside image acquisition
Regarding imaging of the sub-polyimide surface, IC
features are quite large at the top metal layers. However,
using an optical microscope requires a nicely polished
surface. Also, the lack of imaging depth of field
is problematic for large areas. In fact, SEM remains
the most interesting tool for direct imaging (without
required signal processing), and this layer needs far fewer
scans due to the top layer geometries. Unless a shield
is present, the top metal layer can thus be directly im-
aged.
In this work, we perform SEM image acquisition at
the source/drain layer. We choose a Horizontal Field
Width (200µm) for this sample covering the standard
cell fixed height (across the device) by 29 pixels. This
choice gives enough pixels to then correctly characterize
an inverter (the standard cell with the smallest width).
The accelerating voltage is set low to improve image
resolution (5keV). The scanning speed choice is based
on a signal-to-noise ratio (SNR) trade-off. This trade-off
depends on the subsequent image processing capabili-
ties. We use a standard 3072*2048 image resolution and
a 1µs dwell time (time per pixel) without multiple image
integration. Our overnight scan is an 87*52 image
matrix (about 4,500 images), requiring 8.5 hours of
automatic acquisition. With our practical approach, we
noted the following observations:
– Astigmatism can be set at the center of the device.
– Three focus points (for interpolation) can be taken
at 3 chip sides.
– Contrast/luminosity is a tricky parameter, different
secondary electrons re-emission rates (no coating,
not uniform in SEM chamber) can be problematic.
Multi-chip acquisition is possible (weekend acquisition
for instance), including the possibility to set focus
points for each integrated circuit. The only drawback
is the impossibility to set a certain contrast/brightness
per chip (against SEM chamber artefact/samples different
electron emission rates), Fig. 3.
Also, using a multi-beam SEM (up to 91 simultane-
ous beams) would have decreased the acquisition time
to less than 10 minutes. We used a proprietary SEM
manufacturer software (additional) to acquire the full
area that added a 10% overlay between each image. It
individually saves images, but also provides a globally
aligned image.
3.3 Image alignment
The proprietary SEM tool provides a reconstructed whole
chip image (142k*159k pixels). Artefacts are present
at the images’ junctions (example given with top image
on Fig. 4), which negatively impact the subsequent
methodology step (pattern recognition).
Fig. 3 Left: Multi-chip acquisition, right: logic area select
Fig. 4 Alignment example: SEM manufacturer tool (top)
and offline non proprietary technique (bottom)
As images are also individually saved, we thus move
to an offline alternative for alignment. The same set of
images has been aligned with this second approach (ex-
ample image with bottom image on Fig. 4). We are able
to align all images together, making compatible large
image acquisition and pattern recognition. It only takes
several minutes, and is completely automated (matrix
dimension detection, overlap calculation). Image alignment
is still an area of research (mainly for speed concerns)
but 2D image alignment problems were resolved
some time ago in other fields, such as biology, where
electron microscopy is also used, or standard optical
acquisition.
3.4 Image processing
3.4.1 Standard Cell Statistical Analysis flow
Pattern recognition is then performed on the obtained
images. It is specifically tuned for our task. After
automatically checking for preparation/imaging artefacts,
patterns are found on the chip along power lines
and ranked by size. Standard correlation techniques
with multiple iteration loops (with decreasing correlation
coefficient) are used to avoid false detection.
Information about pattern location, size and occurrences
is saved. Then, co-location information combined with
computer architecture and technology/tool specific
constraints allows hypotheses to be made on the retrieved
standard cells. The main aim is to ensure that no false
positives are obtained with the tool, which on one side
gives false-positive-free data for statistical purposes and
on the other yields a dictionary of error-free patterns.
3.4.2 Enhanced pattern recognition robustness via
artefacts correction
It is important to understand what could go wrong in
the previous preparation steps, in order to adapt the
pattern recognition tool accordingly:
– If any Tungsten remains on the surface, it will be
adjacent to a NMOS/PMOS area, and therefore only
affects the background of the image. Such an artefact
can thus be easily spotted (based on edge detection).
– Large stains can be present on a circuit (non cleanroom
environment), but can be detected as nothing
should be located over the substrate polarization
contact (or, in other words, no crossing element
between two transistors of the same type).
– Part of a shape can be missing (over etching, as seen
in Figure 5); therefore the tool checks the presence
of NMOS and PMOS components (we cannot have
one without the other). If missing, an analysis of
the specified area is performed and some filtering
enables the retrieval of the original missing shape
(as it would still leave a trace in the Silicon).
3.4.3 Enhanced statistical analysis via design rule
The following features, derived from computer architecture
standards, need to be taken into account to ensure
pattern recognition efficiency and reduce timing
impact:
– A small pattern can be part of a larger pattern. One
approach is to recognize larger patterns first.
– Patterns are present along power rails; therefore,
possible rotations of the pattern are limited. For in-
stance, the PMOS side (usually larger than NMOS)
will be located on the positive rail side. Also, the
highest correlation points will only be located at
the same extremity of the patterns.
– The image of the complete layer has quite a large
footprint, e.g., this 10*10mm die results in a 22.7GB image
(even if grayscale encoded on only 8 bits (1 Byte)).
We need a clever manipulation of the image (RAM
constraint).
– The logic only can be acquired (or another part can
be acquired with less resolution; SEMs do not pro-
vide this function yet).
– While substrate polarization contacts may not be
present in all circuits, background can always be re-
trieved by analysing intensity values across the pat-
tern height. For instance, a pattern is found at a
location if the intensity (gradient) is not continu-
ous (a change of intensity is found between NMOS
drain/source and Si. and then between Si. and PMOS
drain/source).
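
One way to read the recognition flow of Section 3.4.1 together with the largest-pattern-first rule above, as an added sketch that is not the author's tool. The two ASCII patterns, the single synthetic cell row, the 0.99/0.95/0.90 thresholds and the choice to exhaust all thresholds for one pattern before moving to the next are assumptions made for illustration.

```python
import math

def to_pixels(rows, active=200, substrate=20):
    """ASCII sketch ('#' = drain/source implant, '.' = substrate) to grey levels."""
    return [[active if ch == "#" else substrate for ch in row] for row in rows]

# Constructed patterns (not real cell layouts): PMOS strip on top, NMOS below.
# The first four columns of "wide" are identical to "narrow" on purpose.
TEMPLATES = {
    "narrow": to_pixels([".##.", ".##.", ".##.", "....", ".##.", ".##."]),
    "wide": to_pixels([".##.####..", ".##.####..", ".##.####..",
                       "..........", ".##..###..", ".##..###.."]),
}

def build_row(order):
    """Concatenate patterns left to right into one standard-cell row."""
    height = len(TEMPLATES["narrow"])
    return [sum((TEMPLATES[name][y] for name in order), []) for y in range(height)]

# Constructed test image: columns 0-3, 4-13, 14-17, 18-27, 28-31.
IMAGE = build_row(["narrow", "wide", "narrow", "wide", "narrow"])
# Simulated over-etching: the second wide cell loses two implant pixels.
IMAGE[0][24] = 20
IMAGE[4][25] = 20

def ncc(image, tpl, col):
    """Normalized cross-correlation between tpl and the window starting at col."""
    h, w = len(tpl), len(tpl[0])
    win = [image[y][col + x] for y in range(h) for x in range(w)]
    ref = [v for row in tpl for v in row]
    mw, mr = sum(win) / len(win), sum(ref) / len(ref)
    num = sum((a - mw) * (b - mr) for a, b in zip(win, ref))
    den = math.sqrt(sum((a - mw) ** 2 for a in win) * sum((b - mr) ** 2 for b in ref))
    return num / den if den else 0.0  # a flat window carries no pattern

def find_cells(image, templates, thresholds=(0.99, 0.95, 0.90), largest_first=True):
    """Match patterns along one row; accepted hits claim their columns."""
    width = len(image[0])
    claimed = [False] * width
    hits = []
    order = sorted(templates, key=lambda n: len(templates[n][0]), reverse=largest_first)
    for name in order:
        tpl = templates[name]
        w = len(tpl[0])
        for thr in thresholds:  # decreasing correlation coefficient
            scored = sorted(((ncc(image, tpl, c), c) for c in range(width - w + 1)
                             if not any(claimed[c:c + w])), reverse=True)
            for score, c in scored:  # best candidates first
                if score < thr:
                    break
                if any(claimed[c:c + w]):
                    continue  # overlaps a hit accepted earlier in this round
                claimed[c:c + w] = [True] * w
                hits.append({"pattern": name, "col": c,
                             "threshold": thr, "ncc": round(score, 3)})
    return sorted(hits, key=lambda h: h["col"])

if __name__ == "__main__":
    for hit in find_cells(IMAGE, TEMPLATES):
        print(hit)
    # Trying the small pattern first claims the left part of every wide cell.
    print(find_cells(IMAGE, TEMPLATES, largest_first=False))
```

Run with `largest_first=False`, the narrow pattern is found five times and the wide one never, which is the sub-pattern error the first design rule guards against.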
Fig. 5 shows a typical case where a standard cell
with a different current drive strength (fan-out) (com-
pared to the selected standard cell) has not been recog-
nized. There are also two standard cells with a partly
missing transistor side that are recognized. We expect
this behaviour with the aforementioned parameters. We
want to be independent of possible within-cells imaging
fluctuations or missing substrate polarization contacts.
Fig. 5 A close up on a pattern recognition example.
Combining the number of occurrences (local or full
area) of a pattern, their global position, their relative
position to each other and their shape, it is possible to
classify patterns and make a strong hypothesis on their
function. Typically, assumptions can be first made on
the pattern width - pattern 1 and 3 are made of 4 to 8
transistors while pattern 2 is made of 20+ transistors.
The main difficulties are to recognize the full standard
cell and not a subset of it, and slight differences be-
tween gates due to the presence of an extra input (e.g.
reset/clock/signal) or a different fan-out (larger current
to drive) as highlighted on Fig. 6.
Fig. 6 Differences over similar 20+ transistors standard
cells.
3.5 Single chip information extraction
In this section, we apply the methodology flow on a
subset of the fully scanned IC. The image is 11840*7536
pixels, which corresponds to 0.40% (1/250) of the IC
(analog + digital + memory parts). The original SEM
image is fully covered with standard cells (and memory
blocks). From each initial pattern size and appearance,
we can derive the hypothetical number of transistors and
the number of inputs/outputs. Using standard image
processing, each pattern is associated with a certain
number of occurrences (Fig. 7) and co-location information
regarding other patterns. The second image output
highlights the presence of occurrences of a given FF/latch
design in a restricted location. Globally, one can make
hypotheses on a shape’s function based on:
– The area analysis (e.g., a flip-flop is usually the
largest element).
– The number of transistors (e.g., a NAND cell has 4
transistors).
– Localization (e.g., a group of gates next to the mem-
ory could be used for deciphering).
– Co-localization (e.g., two groups of cells often linked)
– Occurrences (e.g., 32 spatially close occurrences for
a specific 32 bits register or counter (analyzing the
shape too), or 64 spatially close occurrences for a
XOR based ciphering circuit).
– Global number of occurrences in the chip.
Subsequently, an area with possible XOR gates, large
quantities of possible NAND gates and possible DFF
gates may be the hint for a crypto coprocessor location
(e.g. DES). The presence of standard cells with ’rare’
occurrences in a limited area may indicate the presence
of a crypto coprocessor too. Post pattern recognition, it is
possible to display occurrences of patterns that appear
everywhere before moving to an empty area to visualize
recognized patterns.
For some circuits such as the processor under investigation,
motherboard manufacturers require information
on the processor; a datasheet is thus made public.
Using the latter, one can thus assume a certain number
of 8/16/32 bits registers or a certain function being in a
certain area (based on registers description and ballout
definition respectively) or a certain number of expected
core registers or specific function registers (each FF
will be next to the other, timing constraint) present in a
certain voltage domain (possible thick pwell). For some
circuits, it is a complete black box approach despite
knowing the general architecture of the device (e.g.,
ARM based) or accessing public documents (e.g., public
parts of certification results). Unfortunately, the
complexity of the circuit does not permit further
statistics on the chip.
Fig. 7 Single round recognition of respective pattern (top
left to bottom right)
In the following, we discuss how practical it is to
use standard cell statistical analysis outputs (text, file
or graph format) for the two main aspects of this paper:
precise laser fault attacks and hardware trojan detec-
tion.
4 Single cell localization direct applications
4.1 Spatial information for laser setup
Despite the main sample of the study being a 45nm
technology node SoC, we note that a single standard
cell (several µm2) can be perturbed at once. Indeed,
the laser beam has a Gaussian shape, a spot diame-
ter of a µm and an easily controllable energy (duration
by power) reaching the area of interest [16]. This sin-
gle layer reverse engineering will help to place the laser
spot at the area we are interested in. Symmetrically
we can first launch a laser fault attack to then ana-
lyze the situation using the underlying hardware struc-
ture. However, if a secure device is attacked this way,
detectors might detect the intrusion leading to extra
consideration to be taken for the attack (e.g., remove
power before sensitive data erase). One can also think
about the potential of such an approach together with
photon counting techniques (specifically without timing
capabilities, e.g., only a CCD camera is used).
4.2 Spatial information for integrity checking
Another use case is a fabless chip designer/manufacturer
(or anyone with a design reference) that would like to
analyze the integrity of its components at wafer reception.
The success rate of such a technique is only dependent
on the sample preparation/pattern recognition
process as there is no triggering element. The Standard
Cell Statistical Analysis can be applied on a defective
device coming from a lot (or a defective die taken from
a wafer) so as not to affect cost and yield. The correlation is
made by comparing the list of standard cells physically
extracted using our methodology and a design output
file. Specifically, this could be done with the Design
Exchange Format (DEF) file, where each gate instance is
listed with its XY position. A DEF file does not include
proprietary inner standard cell information, which
hypothetically makes it more compliant.
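
The DEF comparison described above, as an added example that is not the author's code: it parses the COMPONENTS section of a DEF file and checks a list of physically extracted patterns against it. The instance and macro names, the per-macro widths, the tolerances and the detection list are constructed for illustration, and the detections are assumed to be already registered to the DEF origin in µm (lower-left corner of each pattern).

```python
import re

# Constructed DEF excerpt; coordinates are in database units (1000 per micron).
DEF_TEXT = """\
VERSION 5.8 ;
DESIGN demo ;
UNITS DISTANCE MICRONS 1000 ;
COMPONENTS 7 ;
- u_reg0 DFFX1 + PLACED ( 0 0 ) N ;
- u_reg1 DFFX1 + PLACED ( 4000 0 ) N ;
- u_inv0 INVX1 + PLACED ( 8000 0 ) N ;
- u_nand0 NAND2X1 + PLACED ( 0 1400 ) FS ;
- u_inv1 INVX1 + PLACED ( 2000 1400 ) FS ;
- u_xor0 XOR2X1 + PLACED ( 5000 1400 ) FS ;
- u_spare FILL1 + UNPLACED ;
END COMPONENTS
END DESIGN
"""

# Hypothetical cell widths in microns (in practice taken from the cell library).
MACRO_WIDTH_UM = {"DFFX1": 4.0, "INVX1": 0.6, "NAND2X1": 1.0, "XOR2X1": 1.6}

# Constructed output of the pattern recognition step: (x_um, y_um, width_um).
DETECTIONS = [
    (0.02, 0.01, 4.0),
    (4.03, 0.00, 3.98),
    (8.00, 0.02, 0.6),
    (0.00, 1.41, 1.0),
    (2.01, 1.40, 1.0),   # sits where an INVX1 is expected, but is too wide
    (9.50, 1.40, 1.0),   # no design instance at this location
]

def parse_def_components(text):
    """Return {instance: (macro, x_um, y_um)} for every placed component."""
    units = int(re.search(r"UNITS\s+DISTANCE\s+MICRONS\s+(\d+)", text).group(1))
    section = re.search(r"^COMPONENTS\s+\d+\s*;(.*?)^END\s+COMPONENTS",
                        text, re.S | re.M).group(1)
    placed = {}
    for stmt in section.split(";"):
        head = re.match(r"\s*-\s+(\S+)\s+(\S+)", stmt)
        loc = re.search(r"\+\s+(?:PLACED|FIXED|COVER)\s+\(\s*(-?\d+)\s+(-?\d+)\s*\)", stmt)
        if head and loc:  # unplaced components carry no XY position
            placed[head.group(1)] = (head.group(2),
                                     int(loc.group(1)) / units,
                                     int(loc.group(2)) / units)
    return placed

def compare(placed, widths_um, detections, pos_tol=0.15, width_tol=0.1):
    """Match each detection to the nearest unused design instance."""
    unmatched = dict(placed)
    report = {"extra": [], "width_mismatch": [], "missing": []}
    for x, y, w in detections:
        near = [(abs(x - px) + abs(y - py), inst)
                for inst, (_, px, py) in unmatched.items()
                if abs(x - px) <= pos_tol and abs(y - py) <= pos_tol]
        if not near:
            report["extra"].append((x, y, w))  # on silicon, not in the design
            continue
        inst = min(near)[1]
        macro = unmatched.pop(inst)[0]
        if abs(w - widths_um[macro]) > width_tol:
            report["width_mismatch"].append((inst, macro, w))
    report["missing"] = sorted(unmatched)  # in the design, not found on silicon
    return report

if __name__ == "__main__":
    print(compare(parse_def_components(DEF_TEXT), MACRO_WIDTH_UM, DETECTIONS))
```

Because a recognition miss shows up as a "missing" instance in the same way a removed cell would, the error-free recognition requirement of Section 3.4 is what makes such a report meaningful.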
4.3 Extending Scanning Electron Microscopy use
To complete investigations done at FPGA level [17], it
is thus interesting today to look for low cost approaches
enabling to retrieve such layers over the complete area
of a circuit. It can start with a frontside wet etching
adaptation (change in HF formula for instance) to a
backside information extraction with combined polishing/wet
etching methods. Various imaging parameters
(laser/ebeam) can actually be set to obtain interesting
beam/matter interaction. In Fig. 8, we show in practice
that it is possible to look through a thinned Si. substrate
using backscattered electrons.
Fig. 8 Backside imaging of a 45nm SoC active region
through a thin remaining Si. layer using secondary (left) and
backscattered detectors (right)
In Fig. 9, we show in practice the capability to visualize
various layers of a component prepared from the backside.
The preparation is a mix of polishing (standard polishing)
and wet etching (Choline hydroxide) resulting
in a fast and low cost technique. Long wet etching is also a
possibility if edges are kept intact (protection needed).
The sample preparation can also be modified to reveal
dopant level or type (e.g., KOH).
Part of our approach and obtained data can be used
as a starting point for machine learning based (convolu-
tional neural networks) fast pattern recognition, as our
data is labelled with no false positives. In this paper, we
choose a frontside destructive approach. It would be ob-
viously more interesting to perform standard cells anal-
ysis from the backside of the device in a non-invasive
way. Laser Scanning Microscopy has been used in the
past and would be an interesting method to compare
with (thinning required, setup, cells distinction (fan-out)).
Fig. 9 0.35 µm circuit imaging using a backscattered electrons
(BSE) detector
5 Perspectives and Opening
5.1 Chip to chip analysis, different process analysis
So far, we have depicted the different steps of standard
cell statistical analysis with a few examples on a 45nm
chip. The low-cost and quick data extraction makes it
possible to perform reverse engineering at a different
scale than previously seen in the literature. The idea is
to compare multi-chip analyses to extract design
information, from new function implementation to
countermeasure analysis. The best approach would be to
begin with smaller and better-known integrated circuits
(fewer standard cells, more design information available,
single core, single voltage, physically accessible chip
on board). Fig. 10 displays 65nm devices, earlier
versions of the main product (45nm) used in this article.
The general idea is to be able to retrieve direct
information from an already analyzed integrated circuit.
Fig. 10 Two different generations of a similar 65nm SoC at
active
5.2 Machine learning framework
Machine learning is ideally used for prediction and
requires some training data. It particularly makes sense
to use it in domains where time is the main criterion
(speech recognition). The first concern is to be able to
reach the same level of detection while drastically
reducing the recognition processing time. Shapes
retrieved with the standard correlation technique are
used as an error-free dictionary to build up the machine
learning model. It would be interesting to evaluate such
a framework in terms of error rate but also for denoising
microscopy images. The latter could resolve low
resolution images and further reduce methodology time
(scanning). It would be interesting to propose and share
a SEM image benchmark or an online tool where test images
can be loaded and analyzed according to a specifically
trained model.
5.3 Countermeasures
The main interest of partial reverse engineering is its
possible application to multiple circuits, thus giving
more data to compare, even in a black box approach, to
assess countermeasures or extract design information.
When designing a circuit for secure applications,
countermeasures against reverse engineering first
appeared in the set of required features, before fault
attack countermeasures. Proprietary countermeasures exist
at the active/poly/via/metal1 layers to hide the
functionality of a component, from non-through vias to
dummy cells and programmable logic using local oxide
breakdown [18]; they are used by the pay-TV,
telecommunications and smart card industries [19]. Most
countermeasure techniques are based on principles such as
logic locking [20] and netlist/physical obfuscation
(doping, dummy via/cell, oxide breakdown, electric
charge) [21].
The idea behind our technique is to analyze how the
distribution of standard cells contributes to design
information extraction (and to authenticity verification
too). In future work, it will be interesting to
characterise IC camouflaging protection with our tool for
multiple reasons. IC camouflaging is typically not
applied on the entire die. Also, it would be interesting
to combine in practice the aforementioned statistics and
local attacks. The Common Criteria (CC) attack
classification would be affected if fewer samples, less
expertise and less time are required.
Last but not least, after applying our methodol-
ogy on different components, we actually found a single
sample (90nm, smart card industry) that is quite dif-
ferent, having regular patterns (Fig. 11). We found out
that this device is metal only programmable [22]. This
would be a countermeasure by design to drain/source
based reverse engineering; it would, however, be inter-
esting to characterize design capability (low power, high
gate density) and robustness against other types of at-
tacks (e.g., side channel).
Fig. 11 Similar product (90nm, 130nm) from two different
IC manufacturers.
Conclusion
An alternative to high cost reverse engineering is
presented and applied on a commercial 45nm SoC. This is a
first step towards automatic partial design information
extraction. The methodology includes die extraction from
any package, drain/source layer access and SEM imaging,
pattern recognition and a new approach called Standard
Cell Statistical Analysis (SCSA). We particularly
characterize each step of the methodology and point out
the low cost and time resources needed to start partial
reverse engineering investigations. Single layer reverse
engineering mainly addresses combined attacks (such as EM
observation/perturbation and laser fault attacks) and the
detection of malicious hardware modifications.
References
1. Torrance Randy and James Dick, The state-of-the-art in
IC reverse engineering, CHES 2009.
2. Advanced IC reverse engineering techniques: in depth
analysis of a modern smart card, Blackhat 2015.
3. Bill Harrod, Rapid Analysis of Various Emerging Nano-
electronics (RAVEN), 2016.
4. Mirko Holler and Manuel Guizar-Sicairos and Esther H.
R. Tsai and Roberto Dinapoli and Elisabeth Müller and
Oliver Bunk and Jörg Raabe and Gabriel Aeppli,
High-resolution non-destructive three-dimensional imaging
of integrated circuits, Nature volume 543, pages 402-406,
2017.
5. E.L. Principe and Navid Asadizanjani and Domenic Forte
and Mark Tehranipoor and Robert Chivas and Michael Di-
Battista and Scott Silverman and Mike Marsh and Nicolas
Piche and John Mastovich, Steps Toward Automated De-
processing of Integrated Circuits, ISTFA 2017.
6. Nanoscale X-Ray Tomosynthesis for Rapid Assessment of
IC Dice, Richard Lanza, AIDA-2020 Meeting, 2018
7. A. Vasselle and H. Thiebeauld and Q. Maouhoub and A.
Morisset and S. Ermeneux, Laser-Induced Fault Injection
on Smartphone Bypassing the Secure Boot, FDTC 2017.
8. C. Champeix and N. Borrel and J. M. Dutertre and B.
Robisson and M. Lisart and A. Sarafianos, SEU sensitivity
and modeling using pico-second pulsed laser stimulation of
a D Flip-Flop in 40 nm CMOS technology, 2015 IEEE In-
ternational Symposium on Defect and Fault Tolerance in
VLSI and Nanotechnology Systems (DFTS).
9. Nohl, Karsten and Evans, David and Starbug and
Plötz, Henryk, Reverse-engineering a cryptographic RFID
tag, Usenix 2008.
10. Franck Courbon and Philippe Loubet-Moundi and
Jacques J. A. Fournier and Assia Tria, Increasing the ef-
ficiency of laser fault injections using fast gate level re-
verse engineering, International Symposium on Hardware-
Oriented Security and Trust, HOST 2014.
11. Friedrich Beck, Integrated Circuit Failure Analysis: A
Guide to Preparation Techniques, 1998.
12. Martin Schobert, http://www.degate.org/, 2009.
13. Lewis JP, Fast normalized cross-correlation, 1995.
14. Faraday Technology Corporation, 90 nm Logic SP-RVT
(Low-K) Process.
15. Nima Hatami, Yann Gavet and Johan Debayle, Classi-
fication of Time-Series Images Using Deep Convolutional
Neural Networks, 2017.
16. Franck Courbon and Philippe Loubet-Moundi and
Jacques Fournier and Assia Tria, Adjusting laser injections
for fully controlled faults, 2014.
17. Jeyavijayan Rajendran, Michael Sam, Ramesh Karri,
Security Analysis of Integrated Circuit Camouflaging,
CCS 2013.
18. Ron Cocchi, Camouflage circuitry and programmable
cells to secure semiconductor designs during manufactur-
ing, 2015 National Aerospace and Electronics Conference
(NAECON).
19. Inside Secure accelerates strategy in Silicon IP business
with SypherMedia acquisition, 7th November 2017.
20. Muhammad Yasin, Ozgur Sinanoglu, Evolution of logic
locking, VLSI-SoC 2017.
21. R. S. Chakraborty and S. Bhunia, HARPOON: An
Obfuscation-Based SoC Design Methodology for Hardware
Protection
22. https://www.baysand.com/technology/mcsc-
foundation-technology
