Breaking and entering through the silicon

As the surplus market for failure-analysis equipment continues to grow, the cost of performing invasive IC analysis continues to fall. Hardware vendors in high-security applications rely on security by obscurity to implement layers of protection on their devices, yet high-security applications must assume that the attacker is skilled, well-equipped and well-funded. Modern security ICs are designed to make readout of decrypted data, and changes to the security configuration of the device, infeasible; countermeasures such as active meshes and attack sensors thwart many state-of-the-art attacks from the front side. Because of the perceived difficulty and the lack of publicly known attacks, the IC backside has largely been ignored by the security community. However, the backside is currently the weakest link in modern ICs: no device currently on the market is protected against fully-invasive attacks through the IC backside, and such attacks circumvent all known countermeasures used in modern implementations. In this work, we demonstrate the first two practical fully-invasive attacks against the IC backside. Our first attack is fully-invasive backside microprobing; using it, we were able to capture decrypted data directly from the data bus of the target IC's CPU core. We also present a fully-invasive backside circuit edit; with this attack, we were able to set the security and configuration fuses of the device to arbitrary values.
