8 research outputs found

    Cost effective techniques for chip delayering and in-situ depackaging

    Invasive or semi-invasive attacks require, by their nature, the removal of metal layers or at least the de-capsulation of the chip package. For many people who are not expert in these sample preparation techniques, simply gaining access to the die surface and observing the chip structure after metal layer removal are the first obstacles to conducting an attack. In another direction, the development of embedded secure devices, sometimes with very dense and complex assembly processes, adds a new difficulty for an attacker seeking physical access to the silicon without intensive use of advanced soldering capabilities. This paper deals with those two challenges: the first is to provide an in-situ depackaging solution with limited resources, and the second consists in finding the minimum mandatory tools required to perform chip delayering before metal layer imaging or reverse engineering.

    Static Fault Attacks on Hardware DES Registers

    In the late nineties, Eli Biham and Adi Shamir published the first paper on Differential Fault Analysis of symmetric key algorithms. More specifically, they introduced a fault model where a key bit located in non-volatile memory is forced to 0/1 with a fault injection. In their scenario the fault was permanent, and could lead the attacker to full key recovery with low complexity. In this paper, another fault model is considered: forcing a key bit to 0/1 in the register of a hardware block implementing the Data Encryption Standard. Due to the specific location of the fault, the key modification is not permanent over the life of the embedded device, and this makes it possible to apply a powerful safe-error-like attack. This paper reports a practical validation of the fault model on two actual circuits, and discusses limitations and efficient countermeasures against this threat.

    Remote Side-Channel Attacks on Heterogeneous SoC

    Thanks to their performance and flexibility, FPGAs are increasingly adopted for hardware acceleration on various platforms such as systems on chip and cloud datacenters. Their use for commercial and industrial purposes raises concern about potential hardware security threats. By getting access to the FPGA fabric, an attacker could implement malicious logic to perform remote hardware attacks. Recently, several papers demonstrated that an FPGA can be used to eavesdrop on or disturb the activity of resources located within and outside the chip. In a complex SoC that contains a processor and an FPGA within the same die, we experimentally demonstrate that FPGA-based voltage sensors can eavesdrop on computations running on the CPU and that advanced side-channel attacks can be conducted remotely to retrieve the secret key of a symmetric crypto-algorithm.

    Memory address scrambling revealed using fault attacks

    Today's trend in the smart card industry is to move from ROM+EEPROM chips to Flash-only products. Recent publications have illustrated the vulnerability of Floating Gate memories to UV and heat radiation. In this paper, we explain how, using low-cost means, such a vulnerability can be used to modify specific data within an EEPROM memory even in the presence of a given type of counter-measure. Using simple means, we devise a fault injection tool that consistently causes predictable modifications of the targeted memories' contents by flipping '1's to '0's. By mastering the location of those modifications, we illustrate how we can reverse-engineer a simple address scrambling mechanism in a white-box analysis of a given EEPROM. Such an approach can be used to test the security of Floating Gate memories used in security devices like smart cards. We also explain how to prevent such attacks and propose some counter-measures that can be implemented either at the hardware level by chip designers or at the software level in the Operating System interacting with those memories.

    Increasing the efficiency of laser fault injections using fast gate level reverse engineering

    Laser fault injections have been evolving rapidly with the advent of more precise, sophisticated and cost-efficient sources, optics and control circuits. In this paper, we show a methodology to improve test coverage and to speed up analysis based on laser fault injections by targeting only the standard cells of interest. We describe how to identify interesting spatial positions through the use of some chemicals along with automated Scanning Electron Microscope image acquisition, alignment and processing. Using this information, fault injections with a high success rate have been obtained against a hardware-implemented AES module using a laser beam. With such tools and methodology, we show that attacks become much faster.

    Combining image processing and laser fault injections for characterizing a hardware AES

    Nowadays, the security level of secure integrated circuits makes simple attacks less efficient. The combination of invasive approaches and fault attacks can be seen as more and more pertinent for retrieving secrets from integrated circuits. This article includes a practical methodology and its application. We first describe how to retrieve the physical areas of interest for the attack. Then, we perform a deep fault injection characterization of the area found. For the former, a methodology based on circuit preparation, Scanning Electron Microscopy (SEM) acquisitions, image registration and processing is given, allowing a controlled and localized laser fault attack to be performed with a state-of-the-art injection platform. The laser fault injection presented here allows the attacker to perform a "bit-set", a "bit-reset" or a full register "reset". Controlling the value stored in a flip-flop is critical for security. To illustrate this methodology, an encryption algorithm is targeted. We see that efficient methods that take advantage of the comparison between faulty and correct ciphertexts, such as Differential Fault Analysis (DFA) or "Safe Error", are particularly relevant with the proposed methodology. The overall methodology can efficiently be used to speed up an attack and to improve test coverage.

    SEMBA: a SEM Based Acquisition technique for fast invasive Hardware Trojan detection

    In this paper, we present how SEMBA, a fast invasive technique for white-team Hardware Trojan detection, has been used to differentiate between a maliciously infected integrated circuit and a genuine one. Our methodology is based on the observation of the component's hardware structure and includes the use of wet etching, Scanning Electron Microscopy and Multiple Image Alignment. Once the Integrated Circuit's image has been fully reconstructed, image processing allows the presence of the Hardware Trojan (HT) to be detected. SEMBA is a fully automated approach with a 100% success rate, detecting any 'transistor-size' HT and requiring 'affordable' resources and time.