Date: 14th Oct – Monday
Time: 14:00-14:30
Location: Ballroom A
Introduction to Failure Analysis Tools for IC Reverse Engineering and Editing for Fun and Profit
For many people, 0 and 1 are just imaginary values, but they actually have a physical interpretation. Whether it is charge in a capacitor, a trapped electron, or an electrical potential, these values can be read directly despite extensive software security measures. Although IC manufacturers want to prevent us from looking into circuits by adding passive or active shields, a silicon chip is not a black box, and understanding the block level and then the transistor level is essential for security assessment. Once we understand how a circuit works, we can listen to specific signals and collect data. We can further change data to our advantage and bypass security checks, or even change security keys by modifying values or by rerouting the circuit logic.
All major chip manufacturers invest a huge amount of money into reverse engineering laboratories. These labs are especially important in the development and early production stages, where they help eradicate defects early and achieve high-yield production later on. While searching for such failures, manufacturers have to reverse engineer their own chips in order to find a failure and fix the process, so that it won't happen the next time. For that purpose, there is a whole industry you may never have heard of, called "Failure Analysis". It is full of high-resolution, high-sensitivity and highly priced equipment, specially built for reverse engineering and defect localization, so why not use it for security analysis? We can start by looking into a device by X-ray, use dangerous chemicals, lasers, or CNC machines to open it, use high-resolution optical microscopes to analyze the structures, or even look through the silicon directly at the transistor level. High-sensitivity IR cameras can show operating circuitry, and by removing metal layers we can reverse engineer the circuit and localize our point of interest. The Focused Ion Beam (FIB), for example, is an essential tool that offers not only a micro-milling option: by precise deposition or removal of conductive and non-conductive materials, we can cut and reroute traces, create test pads, or even edit the circuit from the backside. Using nanoprobes and SEM, we can then take measurements, visualize various structures, and trace signals.
Not every piece of equipment needs to cost hundreds of thousands of dollars; we can achieve a lot with just simple equipment and by applying some skill. By understanding the physics fundamentals and the operation of some professional tools, it is possible to recreate their functionality on a much smaller budget. The wide second-hand market and advanced consumer electronics offer many possibilities. Infrared backside imaging can give great insight into the structure without removing the top metal layers. For example, many commercially available cameras offer good enough performance in detecting IR light, which can be produced by cheap LEDs. By performing camera modifications, it is also possible to detect the low-level infrared light emitted by current flowing through a transistor, visualizing activity and the changing states of running circuits.
IC delayering shows inner structures and interconnections, and allows a whole design to be recreated. There are two approaches to delayering: chemical and mechanical. Chemical delayering involves a wide variety of very aggressive chemicals like HF, and the repeatability of the results is not great for laboratory use. Mechanical delayering is more precise and safer; however, it is time consuming and edge rounding cannot be fully avoided. As usual, it can be done with a high-precision polishing machine with laser alignment, or with fine sandpaper, bare hands and some skill. IC structures seem complicated and overwhelming, but an example of simple redrawing can show structures like AND, NAND, OR, NOR or an inverter, and reverse engineering becomes much easier. By understanding the low-level layout, important traces can be identified and accessed from the upper layers, contacted by FIB and compromised by injecting false signals.
Failure Analysis is a whole industry which makes use of a wide variety of physical phenomena, sample preparation techniques, observation techniques and circuit editing tools to reverse engineer an IC. These tools and techniques are becoming cheaper and more accessible, and thus chip analysis, reverse engineering and hardware hacking are becoming easier.
Tomas Drab, Hardware Security Researcher, Dark Matter LLC