Center for Strategic Assessment and Forecasts

Autonomous non-profit organization

Protecting chips from reverse engineering and unauthorized access
Publication date: 27-03-2019
Reverse engineering of chips has been a headache for manufacturers since the early years of microelectronics. At one time all Soviet electronics were built on it, and today the same is done on a much larger scale in China, and not only there. In fact, reverse engineering is perfectly legal in the United States, the European Union and many other places, for the purpose of (quoting US law) "teaching, analyzing, or evaluating the concepts or techniques embodied in the mask work or circuitry".

The most frequent legal use of reverse engineering is in patent and licensing litigation. Industrial espionage is also common, especially given that circuit designs (analog ones in particular) are often key intellectual property and are rarely patented, so as not to disclose the IP or end up in patent court as the plaintiff. Naturally, developers and manufacturers who need to protect their intellectual property without patenting it try to come up with ways to prevent their products from being copied.

No less (if not more) important than protecting circuits from reverse engineering is the security of the information stored in on-chip memory. That information may be the firmware of an FPGA (again, the developer's intellectual property), or, for example, the PIN of a bank card or the encryption key of a secure flash drive. The more valuable the information we entrust to the devices around us, the more important it is to protect it at every level of the systems that process it, and the hardware level is no exception.

First things first. When talking about protection against reverse engineering and data copying, one must understand that absolutely unbreakable protection does not exist; everything that actually works makes the process so long and/or expensive that it stops being economically feasible.

Many years ago, the job of a reverse engineer or microelectronics pirate was much easier than it is now. Look, for example, at this picture (thanks to BarsMonster for our happy childhood and the good photos): with a basic understanding of the technology, the electrical schematic can be recovered from it in a matter of hours.

Figure 2. Layout of the OPA134PA operational amplifier. Source: zeptobars.com

Here, by the way, is an example of reverse engineering the TL431 chip, done by Ken Shirriff from BarsMonster's photos. And here is the Russian translation. Ken's blog has a lot of cool material if you are into amateur reverse engineering.

And here (caution: heavy traffic!) is a report on the reverse engineering of the Zilog Z80-CTC chip, made in 1979, almost immediately after the chip's release. Today it is a unique historical document, but at the time it was information of huge commercial value, and (judging by the multiple references to military standards) it was probably produced in the process of certifying the chip for special applications.

But we live in 2019, not 1979, and today reverse engineering the complete schematic of a fresh Intel microprocessor would take many months or even years, even with good automation of the process (not to mention that merely imaging a layout made with 14-10-7 nm design rules at acceptable resolution is a very difficult task). Why Intel? Compare the amount of work for reverse engineering or analysis of the amplifier in the picture above with that for the "Baikal-T1" processor, made on a very popular and relatively affordable 28 nm process. Complete reverse engineering of such large products is rarely needed; it is more interesting to look at specific, relatively small blocks. For example, to see whether they infringe your patent, or to compare your solution with competitors' products and try to understand why it is better or worse. Or to find out whether the chip's developers implemented some functionality themselves or borrowed your IP block.

Figure 3. Layout of the "Baikal-T1" processor. Source: zeptobars.com

Here we come to the next important part of the history of reverse engineering. In ancient times an entire chip was developed from start to finish within one company, sometimes even by a very small team or by a lone genius of the Bob Widlar type. Modern microchips are full of IP blocks, and their buying and selling is a huge market, with, of course, its own copyright enforcement, industrial espionage and piracy. So the problem of protection against unauthorized copying can and should be looked at not only from the point of view of the developer of the final product, but also from the point of view of the IP developer, for whom the product developer can also be a pirate.

When the goal of the attack is to obtain data, the attacker is usually uninterested in the internal structure of the chip, and partial reverse engineering is done (if at all) only to find vulnerabilities and exploit them by direct probing and other methods. The developer's task in protecting against such intrusion is to prevent the use of potentially vulnerable points and, if necessary, to destroy sensitive data when an intrusion attempt is detected.

ACTORS

To begin with, let's see who the chip design can be protected from, and by whom. The chain from idea to application involves the following entities, which have different kinds of access to information about the contents of the chip.

  1. The IP block developer. Has all the information: all the necessary files, measurement methods, etc.
  2. The chip developer. In the case of soft IP has the block's Verilog/VHDL code; in the case of hard IP may have either the layout or a black box. If the block has programmable or software parts, has access to them too.
  3. The fab. Has access to the GDSII layout file, but not to the software-dependent part of the chip (for example, the firmware of a PROM).
  4. Packaging and test contractors. Have access to the die as well as to the test methodology and the programming maps of one-time programmable memory. They are rarely deliberately protected against, but they belong on the list, because some of the methods that work against the fab will not work against them.
  5. Competitor/attacker. Has access only to the finished product and user documentation.

In the simplest case, the chip developer (2) wants to be protected from copying by a competitor (5), or wants the chip to be protected against unauthorized reading of its memory. In a slightly more complicated case, the IP developer (1) wants to make sure that the chip developer (2) complies with the license agreement. Yet another case is that the chip developer (2) does not trust the fab (3) and suspects that it may run off counterfeits on the night shift.

I wrote about what IP is in an integrated circuit some time ago, so I will not repeat it in this article. There is also a little there about how IP developers protect their intellectual property. Very briefly: to protect a layout, it is common practice to involve the fab as a third party, so that the buyer of the IP never receives the actual layout; Verilog code is protected using obfuscation techniques similar to those used for any other code.

TOOLS

What tools for circuit analysis exist? The first level is a little acid, to first open the chip package and then remove the layers one by one, plus an ordinary optical microscope with a camera. Working with them is inexpensive, and for the analysis of simple circuits made on not-the-newest technologies that is enough.

For larger circuits there is specialized CAD software that automates, to one degree or another, the recovery of data from the layout, giving the reverse engineer a more convenient interface than just drawing lines in a graphics editor. Automation is also helped by the fact that all modern digital circuits are built from standard-cell libraries, and once the library elements have been reverse engineered, assembling the schematic is a matter of time (or processing power).

The next level, inaccessible to amateurs but present in specialized laboratories, is the scanning electron microscope (SEM). Instead of a beam of light it uses a focused beam of electrons. The resolution of a SEM can reach 1 nm or even better, which is sufficient for analysis of any modern integrated circuit.
The FIB is an analogue of the SEM, only instead of a beam of electrons it uses a beam of heavier ions; FIB stands for Focused Ion Beam. The main difference between a FIB and a SEM is that the FIB can be used not only to analyze the chip but also to modify it: for example, to make cuts (in order to view the chip's cross section or remove a piece) or to deposit material (in order to create a connection where there was none). FIB is widely used by chip developers and manufacturers on test samples, because correcting a mistake with it, although it takes a long time, is still much faster and cheaper than rerunning a pilot batch. For a reverse engineer it is also a unique way to get at those parts of the die which, according to the developer, should not be accessible. Anyone designing a tamper-resistant chip must keep that in mind.


Figure 4. Chip cross section made using FIB. Source: SERESSA-2015 (beware, the PDF at the link is large).


Figure 5. Modification of an IC made using FIB, changing a few connections.

Another indispensable tool for the reverse engineer is a set of lasers. Amateurs have access to powerful lasers that can be used to open chips in plastic packages and reach the die. For professionals, depending on the wavelength, some parts of the chip's structure are transparent to the laser and others opaque. This allows the laser to be used, for example, for precise opening of the passivation and insulation, so that one can conveniently probe a metal line without the risk of shorting it to its neighbors. Other settings allow cutting metal or burning out individual transistors. A third option is to induce current in the transistors of a flip-flop, a cache memory cell or a logic line. The last option is commonly used as an inexpensive imitation of the effect of heavy charged particles, but in principle fault injection into a running chip can also be useful for compromising information. For example, it can be interesting to rewrite some flag in the register file or to slightly nudge the operation of the random number generator.


Figure 6. A laser setup for studying the effects of single-event upsets on a chip. Source: SERESSA-2015.


Figure 7. An example of a laser-obtained map of a chip's sensitivity to single-event upsets and failures. Source: SERESSA-2015.

In advanced reverse engineering laboratories you can find many other interesting tools; for example, a digital signal of up to several tens of MHz can be monitored in real time by placing a small piece of lithium niobate over the corresponding line and illuminating it, again, with a laser.

CASE 1: UNTRUSTED FAB

What reasons could there be not to trust the fab where your dies are made? In an ideal world you would of course never deal with a fab you do not trust, but sometimes commercial considerations force you to take risks. There are two main ways to minimize them:

  1. The so-called split fabrication, or simply production at two fabs. Not in parallel (as is usually done to minimize the risk of shortages in case of unexpected production delays), but with some operations at one fab and the rest at another. This is rather inconvenient for everyone in the process (and certainly not every fab would agree to it), but it forces the untrusted fab to at least reverse engineer the missing part of the chip design and draw the missing masks (which, ideally, should make the game not worth the candle). The main drawback of this approach is that the upper layers of the chip are metallization, which is quite simple to reverse engineer. Split fabrication can, however, be really effective when combined with some technological know-how in the metal layers that the untrusted fab cannot reproduce. For example, if your second fab is able to build nonvolatile memory (MRAM, memristors or something similar) in the upper metallization layers, without which the whole design is meaningless.
  2. If you have no such technological know-how, a simple and reliable way is to make the chip meaningless without subsequent programming. Programmable blocks can be made either from configuration memory or from embedded FPGA blocks (such IP is available on the market). Configuration memory as a means of protection lets you be confident that the fab cannot simply go and make your chip without you. But the configuration memory can be read out, can't it? Yes, but the presence of configuration memory forces the untrusted fab to abandon the simple route of just increasing the production volume and to do the same reverse engineering as all other criminals.

Separately, I note that both methods of protection against untrusted fabs help against unauthorized copying, but do not protect against "backdoors", popular in narrow circles. Moreover, a little further on I will describe how to build such "backdoors" into the layout itself.

CASE 2: MEMORY PROTECTION

Programmable blocks and configuration memory in a chip are an almost indispensable attribute of any modern design, both digital and analog. As design rules shrink, die-to-die variation grows, and digital trimming is the easiest and most reliable way to overcome it. And digital circuits (e.g. microcontrollers) typically store data directly on chip and may have a layered memory structure, the different parts of which have different levels of access and protection. So the idea is logical: first, to use a tool we already have to enhance security and tamper resistance, and second, to think carefully about which type of memory to use.

Programming by metal connections (mask ROM). Usually the presence or absence of a contact between two metal lines, somewhat less often the presence or absence of a transistor between them. The same approach is used in gate arrays (base matrix crystals), which are found not only in ancient defense electronics, as you might think, but also in entirely modern products, for example in auxiliary chips inside Xeon CPUs. In addition, such memory is used to create chip families (mostly microcontrollers), because programming the memory in production by changing one mask is cheaper than programming each produced die individually on the wafer or in the package. Mask ROM is read very easily with a microscope and careful etching; it can be done at home.


Figure 8. Mask ROM programmed by metal interconnects on a counterfeit FTDI FT232RL chip. Source: zeptobars.com

It should also be noted here that the programming can be done not only in the contact layer between metals, but also by the presence or absence of metal (easy to read optically), the presence or absence of doping (easy to read optically) or, for example, the threshold voltage of a transistor, controlled by the doping level (difficult to read optically). So mask ROM is not a lost cause if you really want to hide its contents.

Memory programmed by burning through a jumper (fuse ROM). Allows a single write (including by the user on the finished device) and an unlimited number of reads; it is very simple to manufacture and program and is therefore popular for all sorts of configuration memory and firmware.


Figure 9. The two states of a fuse ROM cell. Source: semiengineering.com

As you can see, a conventional burned-through jumper (fuse) is very easy to see under a microscope, so it simply cannot protect against a decapped die. Besides, a classic fuse is quite large (several square microns) and is therefore unsuitable for large amounts of memory.

Flash memory and other EPROM and EEPROM variants based on the floating-gate transistor.


Figure 10. Write circuit of flash memory. Source: techreport.com

The principle of operation of this type of memory is quite simple: a floating gate sits inside a thick dielectric layer. An electric charge can be placed on this gate by tunneling, by applying a high voltage to it. And as long as the high voltage is not applied, the charge can stay in the floating gate for a very long time.
What about security? The good news is that the state of an EEPROM cell cannot be seen with a microscope. The bad news? There is more than one piece of it.

The first bad news is that EEPROM is erased not only by high voltage but also by ultraviolet radiation (the old-timers will remember chips with quartz windows). If you have examined the layout under a microscope, you may be able to cover all of the memory with an opaque material except those few bits that enable read protection, and after exposure the chip is yours. The moral: if you use EEPROM in your design, cover it with metal. Moreover, it is desirable to use the shield not only against radiation but also to route some important lines into it, so that it cannot be drilled through precisely. However, an ambush lurks here too (the second bad news), because in principle the chip or parts of it can be illuminated from below. This is not easy, since it will most likely require extracting the die from the package and, for example, etching the bottom of the substrate, but it is possible. A similar technique is popular for testing chips for single-event upsets, because the metallization is opaque to UV and laser light while the silicon wafer is almost transparent; the only question is how to focus the beam if a localized effect is needed.

As an alternative, you can arrange the protection on/off bits so that erasing them turns the protection on rather than off.
The third bad news is that there are sensors that can read the electric charge in the floating gate, or what remains of it after an erase. Moreover, to read the memory electrically in the general case the chip need not be powered, so there is no risk of triggering the built-in mechanisms for destroying the information.

MRAM, though relatively rare, also deserves our attention. Like flash, it cannot be read optically. MRAM, of course, cannot be erased by ultraviolet light either, but magnetic field sensors with high enough resolution to strip off the upper metal and read the memory bit by bit do exist. The good news? A potential intruder is unlikely to find them quickly and cheaply. Overall, MRAM is a good alternative to flash from a security point of view, but it is not widely available yet and has only just gone into production on technologies accessible to fabless companies.

The memory best protected from reverse engineering today is antifuse ROM. As the name implies, it is a kind of antipode of the burned-through jumper: it has high resistance in the unprogrammed state and low resistance when programmed. How is this achieved? By breaking down the gate dielectric of a transistor with high voltage. The breakdown area is so small that it is visible neither from above through a microscope nor in a FIB cross section, but it reliably ensures a resistance change of several orders of magnitude, which is sufficient for reliable readout of the memory state in the normal way. Such a memory cell can, however, be read by connecting directly to the gate and source of the storage transistor: an unprogrammed cell behaves like a capacitor, a programmed one like a resistor.


Figure 11. Cross section of an antifuse memory cell. Several possible breakdown regions of the transistor are shown; this may slightly complicate the readout circuit.

Of course, there are other ways to learn the contents of the memory besides visual inspection of the cells. The easiest is to use FIB to connect directly to the corresponding readout lines and apply whatever control signals are needed to read information that is not accessible in the normal way. Read protection can be disabled by physically cutting the lines leading to the corresponding memory bits. How to defend against this? With a properly designed layout of your chip and possibly by embedding some additional functions. Here is an example of how Cypress does it:

It is possible to configure the nvSRAM to provide password protected access. In this configuration, instead of performing the normal power up recall sequence on power up, the part waits for the user to enter a 5-byte password followed by an End Password Entry soft sequence. The End Password Entry soft sequence is a specific seven address read sequence. If you enter the correct password, the part completes the boot up sequence and is ready for the normal nvSRAM operations. If you enter the incorrect password three times or you do not enter the right password within a specified period of time, the part locks up or fills the SRAM memory with random data, as the application requirement may be. The part can be configured to additionally destroy the functionality and cause physical damage to the chip.

It is usually done like this: the memory is covered from above with a grid of ground and power lines, and all signal lines are placed strictly under them. It is necessary to ensure, on the one hand, that the power lines do not duplicate each other (so that cutting any one of them stops part of the chip from working), and on the other hand that each of them feeds quite a lot of memory bits, so that inserting an ammeter into a power line does not allow assessing the memory state from its consumption in read mode (which differs between logic states in most memory types). With such an arrangement of the upper layers of the chip it will be hardest for the attacker to open up part of the metallization in order to connect wherever he wants.

Additional protective lines are included in the ground and power grid, arranged so that a break in any of them (or a short to power or ground) while the chip is powered initiates full erasure of the protected memory (or, as we saw above, physical damage to the chip). Such protective lines placed next to the ground and power lines make the hacker's life much harder, because FIB operations require an appreciable amount of space by the standards of the current process. In addition, because the cut produced by the ion beam has a conical shape, the deeper the layer you want to connect to, the more area you have to clear above it.

But in fact, very often the attacker may not need the exact contents of the memory; it may be enough to reduce the number of options to iterate over by several orders of magnitude. For example, if a memory cell consumes X while reading a logical one and 100*X while reading a logical zero, then reading a byte of memory will have different consumption depending on its contents:

0 — 800*X
1, 2, 4, ..., 64, 128 — 701*X
3, 5, 6, ..., 160, 192 — 602*X
....
255 — 8*X

In total, if we don't touch the memory at all, guessing the password stored in that byte takes up to 256 attempts. But if we know that its read consumption is 701*X, only eight. Convenient, isn't it? The easiest way to do something about this problem is to store the data as a value together with its inverse in the neighboring cell; then the consumption of any amount of memory in read mode will not depend on the stored information. This requires twice as much memory, but we are doing it because security matters, right?
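As an added illustration of this leakage model (example code written for this edit, not code from the original post or from any chip vendor): the Python script below models the per-bit read current from the text (X for a one, 100*X for a zero), groups all 256 byte values by their read current, computes how many candidates an attacker is left with for a constructed 4-byte password after observing each byte's read current, and then repeats the calculation with each byte stored next to its complement. The current figures, the password bytes and the function names are assumptions for the demonstration.

```python
from __future__ import annotations

from math import prod

# Constructed read costs from the text: a cell draws X reading a 1 and 100*X reading a 0.
ONE_COST = 1
ZERO_COST = 100


def bit_count(value: int) -> int:
    """Number of one bits in an 8-bit value."""
    return bin(value & 0xFF).count("1")


def byte_read_current(value: int) -> int:
    """Current (in units of X) drawn while one 8-bit word is read: each bit costs ONE_COST or ZERO_COST."""
    ones = bit_count(value)
    return ones * ONE_COST + (8 - ones) * ZERO_COST


def dual_rail_read_current(value: int) -> int:
    """Same word stored as the value plus its bitwise complement in the neighbouring cell.
    Exactly eight ones and eight zeros are read whatever the value, so the current is constant."""
    return byte_read_current(value) + byte_read_current(value ^ 0xFF)


def candidates(observed: int, model=byte_read_current) -> list[int]:
    """All byte values whose read current matches the observed current."""
    return [v for v in range(256) if model(v) == observed]


def consumption_table(model=byte_read_current) -> dict[int, list[int]]:
    """Group all 256 byte values by read current (the table from the text for the plain model)."""
    table: dict[int, list[int]] = {}
    for v in range(256):
        table.setdefault(model(v), []).append(v)
    return table


def search_space(secret: bytes, model=byte_read_current) -> int:
    """How many passwords remain to try once the attacker has observed each byte's read current."""
    return prod(len(candidates(model(b), model)) for b in secret)


if __name__ == "__main__":
    secret = b"\x01\x03\x0f\xff"  # constructed 4-byte password
    for current, values in sorted(consumption_table().items(), reverse=True):
        print(f"{current:>4}*X : {len(values):3d} values, e.g. {values[:4]}")
    print("plain storage    :", search_space(secret), "candidates instead of", 256 ** len(secret))
    print("value+complement :", search_space(secret, dual_rail_read_current), "candidates")
```

The model captures only the static Hamming-weight leakage the text describes: with the complement stored alongside the value, every word draws 808*X and the candidate set per byte collapses back to all 256 values. It says nothing about timing or about bit transitions on the read bus, which the same dual-rail trick does not automatically hide.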

CASE 3: WITHOUT MEMORY

What if your chip has no configuration memory, or contains only a few bits whose contents are pointless to hide? Why would that be? Because it is much cheaper (not so much from the lower cost of lithography masks as from simpler packaging and testing), and for most simple circuits price is a serious competitive advantage.

By the way, about testing. Wafer-level screening of dies and programming of configuration memory are quite often outsourced, especially by small companies, because startups normally cannot afford the corresponding equipment, and quality still has to be ensured. So if a third-party facility has your test methodology and programs your configuration memory, you had better trust those people completely. Or have additional methods of protection against reverse engineering that are not tied to the configuration memory.

So, what to do if configuration memory is not an option for protection, or if it is not enough?

The main weakness of the optical microscope and the SEM is that they have great difficulty distinguishing the types of silicon doping. That is, the presence of doping is visible, but not its type. Therefore, during layout analysis and schematic extraction, the doping type is recovered from context and from the implied logic circuit (n-channel transistors connected to ground, p-channel to power, and so on). If you draw the layout of your chip so that it does not match the intuitively most likely option, you can thoroughly spoil the reverse engineer's life, especially if you use several different circuits disguised as one and the same. With some skill, it is possible not only to make the analysis of your circuit fail, but also to make a device produced (or at least simulated, though it is more fun if produced) from the recovered layout do certain things, from shorting ground to power to spelling out swear words on all its outputs. Deterministic misbehavior of the stolen design can, by the way, be useful not only for burning the pirates' oscilloscope, but also so that when frustrated users of "your" chips come to you later, you can demonstrate to them that they bought a fake.


Figure 12. Cross sections of three entities indistinguishable under the microscope. Left: a pMOSFET; middle: a short circuit; right: a reverse-biased diode (an open circuit).


Figure 13. Layouts of three digital library cells indistinguishable under the microscope. Left: an inverter; middle: a direct connection of input to output; right: a logical one at the output.

Each of the cells in the picture above looks almost like an ordinary inverter, but may actually be an inverter, a buffer, or a generator of logical zero or logical one. The only thing that gives our "inverter" away is the contacts to the diffusion from the input and output. If we give those up, we get a cell completely indistinguishable from the regular one, in exchange for losing the ability to connect input to output (though two inverters can be used for that). Still, with the possibility of using the same cell either to invert or not to invert a signal, the struggle against the attacker becomes much more interesting, because nothing complicates attempts to make sense of an unfamiliar design more than an extra inverter somewhere in the circuit, or a clock that is enabled or disabled.

But that is not the whole story. A layout built by human hands is usually easy to read. A great example is in the already mentioned blog of Ken Shirriff.


Figure 14. The arithmetic logic unit (ALU) of the Intel 8008 chip. The individual bits are visible.

In the layout of the Intel 8008 ALU, eight identical circuits are perfectly visible, one per bit. Having realized that this is an ALU, you will easily recover its schematic from the layout. If some of its elements are fake, that will complicate your work, but no more than that. And all because the layout fits well into a basic understanding of the interfaces between the component parts. To confuse the attacker so much that he gives up trying to reverse engineer, the layout has to be made unpredictable and non-repeating. The easiest way is not to lay out any blocks by hand, but to generate the entire chip as a whole from the netlist using CAD. Automatic place-and-route, besides the enormous time savings in creating the layout (compared to manual labor), does an excellent job of creating unintuitive placement of elements and sometimes downright insane connections. And the larger the design synthesized as a whole, the harder it is to reverse engineer.

But that is the easiest way. There are more interesting options. For example, use a set of chameleon cells as a set of generators of logical zeros and ones feeding the inputs of a multiplexer, thus implementing an arbitrary logical function. This is, in fact, how the LUT (Look-Up Table) elements of an FPGA work.


Figure 15. Implementation of a three-input LUT. Source.

By placing several such LUTs in different places in the circuit and wiring arbitrary signals to the inputs of the "memory cells", we solve several problems at once:

  1. If our maneuver goes unnoticed, we get to decide how the reverse-engineered circuit will behave. The options are anything, limited only by your imagination.
  2. Using arbitrary signals from other blocks as inputs to the cells generating logical zero and one makes it harder to visually split the design into blocks.
  3. Even if the reverse engineer realizes that we are using such LUTs as protection, he will have to go through a huge number of options to recover the circuit's functionality from the layout, so that even a relatively small number of protected cells can make reverse engineering excessively time-consuming. My favorite is to put the state machine controlling the chip's transitions between operating modes on such LUTs.
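The following Python model is an added example written for this edit, not code from the original post or from any real FPGA or cell library. It builds a three-input LUT as an 8:1 multiplexer whose eight "memory cells" are chameleon cells: each looks like an inverter under the microscope but is actually an inverter, a buffer, a constant 0 or a constant 1, and its input is wired to some unrelated signal. The cell kinds, the signal names and the majority function the LUT implements are constructed for the demonstration. The model shows that the real LUT's function does not depend on the feeder signals at all, that reading every cell as the inverter it resembles yields a different and signal-dependent function, and how many configurations a reverse engineer must consider per LUT.

```python
from __future__ import annotations

from itertools import product

# A chameleon cell looks like an inverter but implements one of four functions of its input.
CELL_KINDS = ("inv", "buf", "zero", "one")


def cell(kind: str, x: int) -> int:
    """Output of one chameleon cell for input bit x."""
    if kind == "inv":
        return x ^ 1
    if kind == "buf":
        return x
    if kind == "zero":
        return 0
    if kind == "one":
        return 1
    raise ValueError(f"unknown cell kind {kind!r}")


def lut3(cells: list[tuple[str, str]], signals: dict[str, int], a: int, b: int, c: int) -> int:
    """3-input LUT: an 8:1 mux addressed by (a, b, c) selects the output of one chameleon cell.
    cells[i] = (kind, feeder), where feeder names the arbitrary signal wired to that cell's input."""
    kind, feeder = cells[(a << 2) | (b << 1) | c]
    return cell(kind, signals[feeder])


def truth_table(cells: list[tuple[str, str]], signals: dict[str, int]) -> tuple[int, ...]:
    """Output of the LUT for all eight input combinations, in address order 000..111."""
    return tuple(lut3(cells, signals, a, b, c) for a, b, c in product((0, 1), repeat=3))


# Constructed: unrelated signals from other blocks that are routed to the cell inputs only
# to blur block boundaries. Their values are arbitrary for this demonstration.
FEEDERS = ("clk", "rst_n", "bus3", "bus7", "ack", "mode", "irq", "scan_en")
SIGNALS = {"clk": 1, "rst_n": 1, "bus3": 0, "bus7": 1, "ack": 0, "mode": 1, "irq": 0, "scan_en": 1}

# The real design: the LUT implements majority(a, b, c) using only constant-generator cells,
# so the feeder signals never influence its output.
REAL_CELLS = [("one" if bin(i).count("1") >= 2 else "zero", FEEDERS[i]) for i in range(8)]


def microscope_guess(cells: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """What the reverse engineer reads from the layout: every cell taken for a plain inverter."""
    return [("inv", feeder) for _, feeder in cells]


def candidate_configs(n_cells: int = 8, n_luts: int = 1) -> int:
    """Configurations to consider if each cell may be any of the four kinds."""
    return (len(CELL_KINDS) ** n_cells) ** n_luts


def distinct_constant_functions() -> int:
    """Distinct 3-input functions reachable with constant cells alone (all 256 of them)."""
    seen = set()
    for kinds in product(("zero", "one"), repeat=8):
        seen.add(truth_table(list(zip(kinds, FEEDERS)), SIGNALS))
    return len(seen)


if __name__ == "__main__":
    flipped = {k: v ^ 1 for k, v in SIGNALS.items()}
    print("real LUT, signals as built   :", truth_table(REAL_CELLS, SIGNALS))
    print("real LUT, all signals flipped:", truth_table(REAL_CELLS, flipped))
    print("naive 'all inverters' reading:", truth_table(microscope_guess(REAL_CELLS), SIGNALS))
    print("configs per LUT:", candidate_configs(), " for three LUTs:", candidate_configs(n_luts=3))
    print("functions reachable with constants only:", distinct_constant_functions())
```

The naive reading is wrong twice over: it produces a function that is not the majority function, and that function changes whenever the unrelated feeder signals change, which is exactly the deterministic misbehavior of a stolen design described earlier. Telling the four cell kinds apart would require identifying the doping type under each gate, which is what the microscope cannot do.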

TEST CIRCUITS

Good engineers love to test their chips comprehensively. And by "comprehensively" I mean something like what is done in the TI DC/DC converter in the figure below. Dozens of small pads, which you can probe before the wafer is cut into individual dies, to check whatever parameters you want on important internal lines, to decide whether the chip is good or not and, if necessary, to find out the cause of problems.

Figure 16. Layout of the Texas Instruments TPS62321. Source: zeptobars.com

Good coverage with test pads is especially important for test runs and prototyping, but for mass production they are often disconnected (by correcting one or two masks, or by blowing fuses) to minimize the impact on the product's behavior. Now, where was I? Test pads are a great help to the attacker, because you not only mark the important points in the design but also provide convenient access to them. A blown fuse is easily restored with FIB, and voilà! Ideally, security requires complete removal of the test pads from the production chip. If that is irrational (say, mass production also requires wafer-level testing), it is at least necessary to make sure that the mechanism disconnecting the test pads cannot be restored: for example, that it is located directly under the pad and drawn so that the gap cannot be conveniently bridged.

About the fact that all modern digital designs have built-in JTAG test access, allowing the state of any flip-flop on the die to be read directly, I don't even want to start. Testability is one of the key characteristics of any design, and this circumstance makes it extremely important to reliably and irreversibly disable all test interfaces before the chip leaves the manufacturer.

Good engineers also like to place test structures for the next revisions on the periphery of the die. These are usually quite important circuits; otherwise why spend time and energy on organizing their testing? "Important circuits, components of your intellectual property and critical to the chip's functioning? Carefully laid out separately from the rest of the design? Thank you very much!" a reverse engineer will tell you for such a royal gift. If you don't want test structures to help the attacker study and copy your design, make sure they don't end up on production dies, or that they are destroyed after wafer testing, when the wafer is cut into dies.

A LITTLE PRACTICE

To demonstrate how this works, here is the example of opening the PIC12C508A microcontroller described in Sergei Skorobogatov's thesis, defended in 2004 at Cambridge. The translation is abridged and rather free:

You need to open the package and locate on the die the protection memory, erasable by ultraviolet radiation. This is done quite easily by following the lines going to the chip's programming pins. Then you cover the main memory with a UV-opaque material, and after five to ten minutes of exposure you will be able to read the memory with an ordinary programmer. Another option: after finding the location of the copy-protection memory, simply cut the metal track leading to it, which on this chip is for some reason far from the other lines, so far that it can be cut not only with a FIB but simply with a needle.


Figure 17. And here is that very unfortunate line. Indeed, it is in the middle of nowhere, unprotected, and can be cut.

CONCLUSION

Of course, it is impossible to cover everything, because both the technology of reverse engineering circuits and the technology of protecting them do not stand still and are constantly improving. Information security is one of the key themes when designing for the Internet of Things, so developers pay a lot of attention to it, and reverse engineers can no longer count on such easy prey as fifteen or twenty years ago. However, you should always remember that a poorly protected system means potential losses, huge losses or even human lives, and protection against unauthorized access and reverse engineering should be part of the system at all levels of its operation, including the hardware.

Source: https://habr.com/ru/post/436998/

