ADVANCED IC REVERSE ENGINEERING TECHNIQUES: IN DEPTH ANALYSIS OF A MODERN SMART CARD. Olivier THOMAS Blackhat USA 2015

Similar documents
Reviving smart card analysis

Local Heating Attacks on Flash Memory Devices. Dr Sergei Skorobogatov

PUF Physical Unclonable Functions

Low- Cost Chip Microprobing

Side Channel Analysis and Embedded Systems Impact and Countermeasures

Smart Card Security How Can We Be So Sure?

Software Hardware Binding with Quiddikey

Data remanence in Flash Memory Devices

CHASE Survey on 6 Most Important Topics in Hardware Security

Broadcasting encryption or systematic #FAIL? Phil

MXMedia CipherStream. Preliminary Assessment. Copyright 2012 Farncombe 1.0. Author: T F

Reverse engineering hardware for software reversers: studying an encrypted external HDD

Parts of a Computer. Preparation. Objectives. Standards. Materials Micron Technology Foundation, Inc. All Rights Reserved

SECURE IMPLEMENTATIONS OF CONTENT PROTECTION (DRM) SCHEMES ON CONSUMER ELECTRONIC DEVICES

MULTIPLE CHOICE FREE RESPONSE QUESTIONS

Digital Systems Based on Principles and Applications of Electrical Engineering/Rizzoni (McGraw Hill

ZigBee Technology Overview

Testing of Digital System-on- Chip (SoC)

Pervasive Computing und. Informationssicherheit

Hardware Trojans Detection Methods Julien FRANCQ

What is a Smart Card?

CryptoFirewall Technology Introduction

Secure egovernment Where convenience meets security.

To design digital counter circuits using JK-Flip-Flop. To implement counter using 74LS193 IC.

Introduction to Digital System Design

A+ Guide to Managing and Maintaining Your PC, 7e. Chapter 1 Introducing Hardware

CHAPTER 11: Flip Flops

Modeling Sequential Elements with Verilog. Prof. Chien-Nan Liu TEL: ext: Sequential Circuit

UNIVERSITY OF CALIFORNIA, DAVIS Department of Electrical and Computer Engineering. EEC180B Lab 7: MISP Processor Design Spring 1995

Module 2. Embedded Processors and Memory. Version 2 EE IIT, Kharagpur 1

NAND Flash FAQ. Eureka Technology. apn5_87. NAND Flash FAQ

Sample Project List. Software Reverse Engineering

Information Security Group (ISG) Core Research Areas. The ISG Smart Card Centre. From Smart Cards to NFC Smart Phone Security

Design Principles for Tamper-Resistant Smartcard Processors

The SA601: The First System-On-Chip for Guitar Effects By Thomas Irrgang, Analog Devices, Inc. & Roger K. Smith, Source Audio LLC

ETEC 2301 Programmable Logic Devices. Chapter 10 Counters. Shawnee State University Department of Industrial and Engineering Technologies

Desktop Publishing 5N0785 Learning Outcome 2 Monaghan Institute Level 5 Module

COMBINATIONAL and SEQUENTIAL LOGIC CIRCUITS Hardware implementation and software design

Chapter 2 Logic Gates and Introduction to Computer Architecture

Horst Görtz Institute for IT-Security

Homework # 2. Solutions. 4.1 What are the differences among sequential access, direct access, and random access?

Chapter 4 Register Transfer and Microoperations. Section 4.1 Register Transfer Language

DVCrypt Conditional Access System

ios Security Decoded Dave Test Classroom and Lab Computing Penn State ITS Feedback -

Hardware Security Modules for Protecting Embedded Systems

Digital Video Broadcasting Conditional Access Architecture

Security in ST : From Company to Products

Programming Logic controllers

ZIMBABWE SCHOOL EXAMINATIONS COUNCIL. COMPUTER STUDIES 7014/01 PAPER 1 Multiple Choice SPECIMEN PAPER

On Security Evaluation Testing

ADVANCED PROCESSOR ARCHITECTURES AND MEMORY ORGANISATION Lesson-17: Memory organisation, and types of memory

Design of a High Speed Communications Link Using Field Programmable Gate Arrays

ES_LPC4357/53/37/33. Errata sheet LPC4357/53/37/33. Document information

Embedded Java & Secure Element for high security in IoT systems

System Security Solutions for the connected world.

Gage Applied Technologies

Physical Attacks on Tamper Resistance: Progress and Lessons

Chapter 2 Basic Structure of Computers. Jin-Fu Li Department of Electrical Engineering National Central University Jungli, Taiwan

Supporting Document Mandatory Technical Document. Application of Attack Potential to Smartcards. March Version 2.7 Revision 1 CCDB

NIST Mobile Forensics Workshop and Webcast. Mobile Device Forensics: A Z

Lab Experiment 1: The LPC 2148 Education Board

Experiment # 9. Clock generator circuits & Counters. Eng. Waleed Y. Mousa

Advances in Smartcard Security

What is a System on a Chip?

W.A.R.N. Passive Biometric ID Card Solution

Handout 17. by Dr Sheikh Sharif Iqbal. Memory Unit and Read Only Memories

Writing Assignment #2 due Today (5:00pm) - Post on your CSC101 webpage - Ask if you have questions! Lab #2 Today. Quiz #1 Tomorrow (Lectures 1-7)

Attacks on Pay-TV Access Control Systems. Markus G. Kuhn Computer Laboratory

Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars

W a d i a D i g i t a l

On a New Way to Read Data from Memory

Test Driven Development of Embedded Systems Using Existing Software Test Infrastructure

PFP Technology White Paper

ontroller LSI with Built-in High- Performance Graphic Functions for Automotive Applications

Dashlane Security Whitepaper

Electronics Merit Badge Class 3. 1/30/2014 Electronics Merit Badge Class 3 1

Management Challenge. Managing Hardware Assets. Central Processing Unit. What is a Computer System?

Digitale Signalverarbeitung mit FPGA (DSF) Soft Core Prozessor NIOS II Stand Mai Jens Onno Krah

An On-chip Security Monitoring Solution For System Clock For Low Cost Devices

M68EVB908QL4 Development Board for Motorola MC68HC908QL4

Monitoring Conditional Access Systems

Ingar Fredriksen AVR Applications Manager. Tromsø August 12, 2005

Today. Important From Last Time. Old Joke. Computer Security. Embedded Security. Trusted Computing Base

EE 42/100 Lecture 24: Latches and Flip Flops. Rev B 4/21/2010 (2:04 PM) Prof. Ali M. Niknejad

Decimal Number (base 10) Binary Number (base 2)

Nanoscale Resolution Options for Optical Localization Techniques. C. Boit TU Berlin Chair of Semiconductor Devices

LLRF. Digital RF Stabilization System

Lecture 1. Introduction to Embedded Computer Systems

Chapter 7 Information System Security and Control

Lecture-3 MEMORY: Development of Memory:

The Changing Threat Surface in. Embedded Computing. Riley Repko. Vice President, Global Cyber Security Strategy

EXERCISES OF FUNDAMENTALS OF COMPUTER TECHNOLOGY UNIT 5. MEMORY SYSTEM

MICROPROCESSOR AND MICROCOMPUTER BASICS

Design Verification & Testing Design for Testability and Scan

Secure Embedded Systems eine Voraussetzung für Cyber Physical Systems und das Internet der Dinge

The Value of Physical Memory for Incident Response

Multiple Choice Questions(Computer)

Transcription:

ADVANCED IC REVERSE ENGINEERING TECHNIQUES: IN DEPTH ANALYSIS OF A MODERN SMART CARD Olivier THOMAS <olivier@texplained.com> Blackhat USA 2015

About Texplained Texplained [Technology Explained] refers to the skill of making sense out of any IC in a black box situation Invasive attacks Invasive attacks are left out of evaluation and certification mainly because of the extensive resources needed Whereas Invasive attacks are a major threat as: Piracy and counterfeiting have merged Hackers groups are getting professional Texplained focuses on performing invasive analysis using the technologies developed in house to perform complicated analysis in a short amount of time Expertise in Texplained comes from 10 years of active R&D experience for an independent security research laboratory focused on demanding pay-tv security 2

Overview Approach Results Background Conclusion 3

Overview Background 4

Background Secure Microcontrollers This talk will focus on secure microcontrollers. A secure microcontroller is an Integrated Circuit (IC) with an integrated CPU, program memory and storage for sensitive data. Secure microcontrollers are available in different form-factors: Smartcards, biometric passports and ID cards SMD packages for TPMs, usd, UMMC Members of a particular product family will share device characteristics. 5

Background Evaluation When it comes to invasive attacks, one can argue that the attack is time and ressource consuming. BUT equipment can be rented and / or service labs can provide support There is no clearly defined process to study one IC in a reasonable time Invasive Attacks are under evaluated 6

Background Pay Tv Pay Tv has been the first market to suffer from heavy piracy Satellite Broadcaster Customer Smartcard 7

Background Pay Tv The problem A clone of a PayTV subscriber card will have the same level of access as the genuine subscriber card. Pirates can buy a single subscription with access to all the paid content and then produce copies of this card. Pirate Card ca. 1995 8

Evolution Pay Tv actors always pushed to get the best security possible at a time ~1995 No shield No scrambling Unencrypted ~2000 Passive shield Bus scrambling Encrypted ~2005 Internal Oscillator Active shield Bus scrambling Encrypted Attack Sensors Hardware redundancy Custom hardware function 9

Threat globalisation Piracy is not the only threat anymore Supply chain security is of concern for fabless manufacturers (backdoors) IP theft could be a critical issue Counterfeiting has become a bigger market Mass selling products are the new targets Consumables (Ink cartridges for printers, ) Accessories (game console controllers, ) Internet Of Things will create a global security need 10

Overview Approach 11

Approach Research Project about new analysis methods - work in progress Time and ressource limited project (one person - one month). The Target : State Of The Art Secure Smart Card shield (mesh) memory encryption internal oscillator... Analysis methods professional deprocessing high resolution imagery (Scanning Electron Microscope) Labless analysis through custom tools 12

Process Choices IC Material Mixed deprocessing Secure IC SEM imagery Assisted 13

DeProcessing Card Material Mixed deprocessing Chip is Aluminium based This means : Lines are made of Aluminium Vias are made of Tungsten Therefore, it is possible to : remove lines keep the vias 14

Imagery Secure IC SEM imagery Optical pictures are not usable SEM brings high resolution Optical Picture SEM Picture 15

Imagery Secure IC SEM imagery 5 layers have been imaged (4 interconnect layers + active layer 1500 pictures per layer Metal 4 Poly Metal 1 Metal 2 Metal 3 16

Analysis Secure IC Assisted SEM pictures are distorted Issue for correlating and stitching large scans Issue for aligning layers Tracing signal inside the core is mandatory for secure ICs Thousands of gates to reverse and link together 17

Analysis CHIP PICTURES FEATURE EXTRACTION ANALYSIS Extract lines, vias and standard cells Correlate images and features together Stitch images and features together align layers together DISPLAY 18

Feature Extraction Feature extraction Source Picture Extracted Lines and Vias 19

Feature Extraction Feature extraction Metal 1 Poly Extracted Standard Cells 20

Overview Results 21

Results 2 blocs of RAM ROM Flash Analog blocs Core Backside Picture 22

Results Core will be analyzed Lines and Vias are extracted Extracted Interconnect 23

Results Standard Cell Library is reconstructed NAND Gate Extracted Standard Cells 24

Reading The Flash Flash is easy to spot : Charge pump used to erase it relies on big capacitors Charge pump can be disabled to prevent a flash erase in case of security interrupt. Flash Memory 25

Reading The Flash Flash output buffers are directly visible from the backside Output lines get separated in 2 groups that travel along the flash to the core. Flash Output Buffer Flash Memory 26

Reading The Flash Only one of the flash output could be traced to the core. Position of the other output is approximative. Flash output going inside the core 27

Reading The Flash Tracing the known flash output leads to 2 multiplexers. Flash output x MUX MUX Flash output going inside the core 28

Reading The Flash Tracing the selection signal of the multiplexer shows that the bus must be multiplexed. Selection Flash output x MUX MUX MUX MUX Traced signals and their connected standard cells 29

Reading The Flash Tracing back from the multiplexers confirms the position of the other flash outputs. It also shows that bytes can be handled in different orders (endianness ) Flash output b10 Flash output b00 Flash output b11 Flash output b01 MUX MUX MUX MUX Selection 6 flash outputs 30

Reading The Flash Next step is finding the Instruction Register 2 data paths. Flash Outputs MUX?? FF MUX ARES net tracing visualization. MUX FF 31

Reading The Flash Flash Outputs First group of Flip-Flops found. MUX It could be the Instruction Register?? FF Following bloc would be the Instruction Decoder then. MUX MUX FF Group bits inside the presumed Instruction Decoder Compare with the instruction set Instruction Registers Match between the 2 : IR found Flash bus schematic 32

Attack Strategy For Reading The Flash Instruction register is made of Flip-Flops that have 2 interesting signals: clk / read signal that can be used to synchronize data as some clk cycles may be suppressed by embedded counter-measures Enable signal that disconnect the input from the Flip-Flop. Redundancy can be obtained by probing 2 data lines at a time (one needle will stay on its line for all the acquisition). 4 needles Linear Code Extraction 33

Comparison with old ICs Linear Code Extraction is still a valid attack scenario. Old chips had no protection against it. The target hides its bus logic inside a dense core This obfuscation does not help when the attacker can fully reverse the core. External Flash Buffers 34

Attack Strategy For Reading The Flash Performing the attack can be tricky depending on : shield technology Position of the interesting nets inside the chip (frontside or backside edit) Planarization Having all features extracted, a gds2 file has been created. It can be loaded in the FIB for assisted navigation. GDS2 active layer example Core GDS2 for FIB NAVIGATION 35

Reading The ROM Getting the «raw» bits is feasible. Is the ROM encrypted? Dopant etch Bits before wet chemical dopant etch Bits revealed by etching 36

Reading The ROM ROM Outputs ROM data bus goes to an encryption bloc Having Muxes and Flip-Flops on the same path may indicate that decryption operation can take several clk cycles. This path has not been completely reversed ROM can be read after studying the encryption without any Focused Ion Beam edit. MUX ROM Data Path FF 37

2 Blocs of RAM RAM 1 RAM 2 Both RAM are encrypted RAM and ROM are on the same clk domain FF FF Shared RAM with the crypto accelerator? MUX RAMs Data Path 38

Overview Conclusion 39

Timing : generation benchmark The first Linear Code Extractions did not require expensive equipments such as FIB and SEM. The main memory was not scrambled neither encrypted. Buffers were easily accessible. Extracting such a chip would require very little effort nowadays. Unprotected Bus 40

Timing : generation benchmark To avoid easy access to the logic, multiplexers and buffers have been hidden inside the core. Scrambling 8 bits processor 32 bits FLASH output going to the core Manual Tracing 41

Timing : generation benchmark Step by step 32 ROM Outputs Lines have to be traced inside the core The core contains a multiplexer for the 32-bit lines Identify the 8 output bits of the multiplexers 32:8 MUX 8 Instruction Registers Manual Tracing inside the core 42

Timing : generation benchmark Step by step 3 paths can be followed 2 of them can not be exploited 43

Timing : generation benchmark Step by step Multiplexers were hidden Data was not encrypted Finding the correct spot took some time : ~ 2 months. 44

Timing : generation benchmark Flash Outputs New methodology is already successful Time of this particular study is short Deprocessing and imagery can be performed in less than 2 weeks. Interconnects are extracted and the result checked in another 2 weeks. The tools used for that study were in a mode used when picture quality is low or when feature extraction has not been verified. Standard Cell Library has been extracted while tracing signals, leading to 22.000 extracted instances inside the core. Tracing RAM, ROM and Flash to the Instruction Register and verifying its location with an overview of the Instruction decoder took 1,5 week. MUX MUX MUX Instruction Registers?? FF FF Flash bus schematic 45

Conclusion The target IC has the characteristics of a secure chip. Shield Internal Oscillator Memory encryption Obfuscation of the different parts inside a single core Linear Code Extraction would be the best method to read the main memory ROM could be read by a deep Hardware Reverse Engineering 46

Conclusion Time necessary to perform the study was 2 weeks of feature extraction related work and an extra week and a half to find where and how to perform a Linear Code Extraction. This methods speeds up the regular process by a significant factor. It also opens doors for semi-invasive attacks where the position of important standard cells could be used to narrow down one study. Hardware custom implementation are questionable. 47

CONTACT Olivier Thomas Chief Executive Officer +33 6 64 80 06 87 olivier@texplained.com Clarisse Ginet Head of Business Development +33 6 35 54 12 04 clarisse@texplained.com www.texplained.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information