Latest Posts from Scott Best
https://www.rambus.com/author/scottbest/
At Rambus, we create cutting-edge semiconductor and IP products, providing industry-leading chips and silicon IP to make data faster and safer.
Fri, 17 Oct 2025 18:20:12 +0000

Security Challenges in a World of AI Everywhere
https://go.rambus.com/security-challenges-in-a-world-of-ai-everywhere
Sat, 05 Oct 2024 22:10:11 +0000

In this webinar, Scott Best, Senior Director of Anti-Tamper Technology at Rambus, explores the security challenges associated with AI chips and their growing deployment at the edge.

Ask the Experts: Securing AI
https://www.rambus.com/ask-the-experts-securing-ai/
Thu, 11 Jul 2024 22:39:56 +0000

In this episode of Ask the Experts, we discuss AI security with Scott Best, senior director of security products at Rambus.

Topics discussed include: 

  • The challenges associated with securing AI
  • How hardware-level security is key for data privacy and data authenticity
  • The security impact of quantum computing
  • Rambus security IP solutions for AI silicon
Understanding Anti-Tamper Technology: Part 3
https://www.rambus.com/blogs/understanding-anti-tamper-technology-part-3/
Wed, 12 Aug 2020 17:52:32 +0000

In part one of this three-part blog series, we discussed the low-cost attacks that target security chips, such as protocol and software attacks, brute force glitch attacks, and environmental attacks. In part two, we took a closer look at attacks executed by more sophisticated adversaries: side-channel attacks, clocking attacks, fault injection, and infrared emission analysis. In this blog post, we explore the most sophisticated attacks that can target your security chip, such as laser voltage probing, focused ion beam (FIB) editing, reverse engineering, and NVM extraction.

Since these advanced techniques typically originate from national labs or other state-funded actors, your adversary will be using advanced failure analysis equipment to gain a detailed picture of the inner workings of your security chip. It is important to understand that bringing a state-of-the-art 10 billion transistor SoC to market in a leading-edge technology node necessitates the use of leading-edge failure analysis equipment to help debug a chip on its path to mass production. Your adversary will have access to this failure analysis equipment and can repurpose it to gain more insight into what a security chip is doing.

Laser Voltage Probing

Laser voltage probing is conceptually similar to both the fault injection and infrared analysis we described earlier in this three-part blog series.

[Figure: Laser Voltage Probing] From: “No Place to Hide: Contactless Probing of Secret Data on FPGAs”, H. Lohrke, Technische Universität Berlin, June 2016, https://eprint.iacr.org/2016/593.pdf

With laser voltage probing, a specific point in a circuit can be measured in a contactless way by zapping that specific node in the circuit with an infrared laser. An attacker can subsequently measure the difference in refraction. Even a slight difference in refraction can alert the adversary as to whether the data is transitioning from a one to a zero, from a zero to a one, or not transitioning at all. This is an effective technique for reading out the contents of memory buses, the output of physically unclonable functions (PUFs), the output of embedded non-volatile macros, and even some particularly important nodes inside the security core itself.

Laser voltage probing countermeasures are similar to methods we’ve described previously in this three-part blog series. For example, randomness can be used to split the data into multiple components and offset the times at which those components traverse a bus. This makes it difficult for the adversary to precisely time their laser voltage probes to extract the data. Randomness – both spatial and temporal (data) – is the most effective countermeasure for laser voltage probing. Since this method involves infrared lasers injected on a node, the previously described technique of back side metallization can also be a very effective deterrent to this type of attack.

Focused Ion Beam (FIB) Editing

Most companies that have built a chip over the last 30 years probably engaged in some “FIBing.” This is because focused ion beam editing is a very standard debug technique that reaches into the chip to disconnect some signals and reconnect certain logic gates. FIBing is an effective failure analysis tool because it is essentially an additional processing step that can be applied to a chip after fabrication.

[Figure: Electric Tampering via Focused Ion Beam (FIB)]

It is almost impossible to prevent a chip from being FIB analyzed. This is because FIB is just another processing step that is applied to the chip after it is manufactured. However, this step can be exploited by an adversary to reconnect wires within your chip and deactivate any alarm generated in the chip. In fact, additional pads can be dropped down onto the chip, and the chip can be repackaged by an adversary to grant access to internal nodes that would not otherwise have been exposed externally.

The unfortunate reality is that countermeasures for FIB attacks are very difficult to implement effectively. Our Rambus security team is currently researching the use of tamper-evident physically unclonable functions, or PUFs. This will enable the metallization of the chip itself to be fingerprinted when the chip is manufactured. The fingerprint remains a wholly internal portion of a secret key. If an adversary were to FIB into the chip and modify this metallization, the secret key value would inevitably be corrupted, rendering the attack unsuccessful.

Reverse Engineering

Reverse engineering enables an adversary to destructively decompose a chip, layer by layer, taking very precise scanning electron micrographs that enable the attacker to reconstruct the actual logical netlist. Oftentimes this is done to recover proprietary functions that might be realized within the chip, or to recover read-only memory that has been compiled into a standard cell library circuit within the chip.

[Figure: Reverse Engineering Attacks]

Countermeasures for reverse engineering attacks are fairly well known. The basic concept is to corrupt the automatic reverse engineering process by building lookalike or camouflage gates into the netlist. This way, when an adversary takes very careful pictures of what they believe to be a NAND gate, for example, they will discover that it is not actually a functioning NAND gate (because camouflage technology was used to modify the logical operation of that gate). Although it might look identical to a standard cell gate, it performs a different logical operation. So, when your adversary has finished extracting your 100,000 or one million gate circuit, the netlist they will have is incorrect. Because of the camouflage logic, they have no idea which of the gates are incorrect. This can greatly delay your adversary’s attempt to recover a proprietary netlist that is hidden on-chip.

Another way of protecting against a reverse engineering attack is a concept known as logic locking. Conceptually, this is similar to an FPGA, which loads a bit stream into the circuit and does not perform the correct operation until the correct bit stream is loaded. With logic locking, a large digital signal (perhaps 256 bits wide) is applied to a proprietary function that will not operate correctly until the right signal is present. This means that if an adversary manages to recover your netlist from the chip, they still need to recover the very small 256-bit file that controls the correct operation of the chip. This method can help mitigate the more straightforward reverse engineering attacks.
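As an added illustration of logic locking (example code written for this page, not a Rambus design or product), the toy below builds a gate-level 4-bit adder, inserts XOR/XNOR key gates on eight internal wires, and checks that the circuit adds correctly only under the correct key; the 8-bit key, the choice of locked wires and the key value are assumptions standing in for the 256-bit signal described above.

```python
"""Toy logic-locking demo: a 4-bit ripple-carry adder netlist that only adds
correctly when the right key is applied. Constructed example, not a Rambus
design; the 8-bit key stands in for the ~256-bit signal the post mentions."""
from itertools import product

# A gate is (type, output wire, input wires). Primary inputs a0..a3, b0..b3;
# outputs s0..s3 (sum) and c4 (carry out). Gates are kept in topological order.
OPS = {
    "AND": lambda x, y: x & y,
    "OR": lambda x, y: x | y,
    "XOR": lambda x, y: x ^ y,
    "XNOR": lambda x, y: 1 - (x ^ y),
}

def ripple_adder_netlist():
    gates, carry = [], None
    for i in range(4):
        a, b = f"a{i}", f"b{i}"
        if carry is None:  # half adder for bit 0
            gates += [("XOR", f"s{i}", (a, b)), ("AND", f"c{i+1}", (a, b))]
        else:              # full adder for bits 1..3
            gates += [("XOR", f"p{i}", (a, b)),
                      ("XOR", f"s{i}", (f"p{i}", carry)),
                      ("AND", f"g{i}", (a, b)),
                      ("AND", f"h{i}", (f"p{i}", carry)),
                      ("OR", f"c{i+1}", (f"g{i}", f"h{i}"))]
        carry = f"c{i+1}"
    return gates

def evaluate(gates, inputs):
    """Simulate the netlist on a dict of wire values; returns all wires."""
    wires = dict(inputs)
    for typ, out, ins in gates:
        wires[out] = OPS[typ](*(wires[w] for w in ins))
    return wires

def lock(gates, key_bits, wires_to_lock):
    """Insert one key gate per key bit on the named internal wires. With the
    correct bit, XOR (k=0) or XNOR (k=1) passes the wire through unchanged;
    a wrong bit inverts it. This toy leaves the XOR/XNOR choice visible in the
    netlist; real logic locking re-synthesizes around the key gates so the
    recovered netlist does not reveal the key polarity."""
    locked = []
    for typ, out, ins in gates:
        if out in wires_to_lock:
            j = wires_to_lock.index(out)
            locked.append((typ, out + "_raw", ins))
            locked.append(("XOR" if key_bits[j] == 0 else "XNOR", out,
                           (out + "_raw", f"k{j}")))
        else:
            locked.append((typ, out, ins))
    return locked

def mismatches(locked, key_bits, reference):
    """Count the 8-bit input vectors on which the locked circuit, driven with
    key_bits, disagrees with the unlocked reference adder."""
    key = {f"k{j}": bit for j, bit in enumerate(key_bits)}
    bad = 0
    for bits in product((0, 1), repeat=8):
        inputs = {f"a{i}": bits[i] for i in range(4)}
        inputs.update({f"b{i}": bits[4 + i] for i in range(4)})
        want = evaluate(reference, inputs)
        got = evaluate(locked, {**inputs, **key})
        if any(got[w] != want[w] for w in ("s0", "s1", "s2", "s3", "c4")):
            bad += 1
    return bad

LOCKED_WIRES = ["p1", "g1", "h1", "c1", "p2", "g2", "h2", "c2"]
CORRECT_KEY = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed key value

def demo():
    """Returns (mismatches with the correct key, mismatches for each
    single-bit key error). Expect 0 and eight non-zero counts."""
    ref = ripple_adder_netlist()
    locked = lock(ref, CORRECT_KEY, LOCKED_WIRES)
    flips = [mismatches(locked, [b ^ (j == i) for j, b in enumerate(CORRECT_KEY)], ref)
             for i in range(len(CORRECT_KEY))]
    return mismatches(locked, CORRECT_KEY, ref), flips

if __name__ == "__main__":
    print(demo())
```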

NVM Extraction

NVM extraction targets the contents of non-volatile memory. Most of the time, secrets inside of a security chip are hidden in a combination of proprietary netlist and NVM contents. An adversary must therefore recover both to make sense of your secret data. Unfortunately, every embedded non-volatile macro has an attack surface on it, and your adversary will be familiar with that type of macro and what type of attacks can be used against it.

[Figure: NVM Macro]

For example, if your NVM macro only has a very narrow data bus, a type of power analysis known as template attacks can be used to recover the data. In addition, if your NVM macro allows secret data to be read and written during a manufacturing state, then your adversary will go after the manufacturing state and try to trick a chip that has already been provisioned with secret data into thinking that it is in the manufacturing state where the data can be read out.

There are even more sophisticated attacks that use scanning electron microscopes to sense the contents of any type of charge-based memory, such as EEPROM or embedded flash. Finally, more advanced techniques use the laser voltage probing or FIB attacks we described earlier to monitor the actual data bus of the chip, and perhaps even to take control of the command and address portions of the chip to walk the data out of the chip after it has been repackaged.

Countermeasures for this type of attack include a lot of brute force approaches, such as very wide data buses that are much more difficult to repackage and analyze, as well as the previously described countermeasures for both laser voltage probing and FIB attacks.

Rambus Anti-Tamper Technology

Thus far, we have described a number of anti-tamper countermeasures in our three-part blog series. It should be noted that all of our fixed function cores, such as AES, SHA and the Public-Key Accelerators, include algorithmic countermeasures wherever such countermeasures are effective, for example against power supply analysis and fault injection.

Moreover, our root of trust cores, which are more sophisticated processor-based systems coupled with fixed function cores, include more countermeasures because there are dispatches that can be controlled by the processing elements to, for example, activate ‘first to fail’ logic cores. This ensures these cores are active during execution of the fixed function cores – and makes sure they can randomly stage secure cryptographic events to the cores to thwart timing attacks.

Our anti-counterfeiting line of products includes the most countermeasures because these products exist in chip-level form. For these products, we can include some of the more advanced protections against glitch and environmental attacks, and even against some more advanced attacks like laser voltage probing and FIB editing of the security chip.

The slide below presents a visual summary of the countermeasures that we have in our security products.

[Figure: Secure Silicon Countermeasures]

As you can see, the fixed function cores include algorithmic countermeasures wherever they are appropriate, such as side-channel, glitch injection and fault injection protection. Our root-of-trust cores have a wider selection of countermeasures that can be included because of the more sophisticated execution environment. In addition, our anti-counterfeiting solution (represented by the ACF column) includes countermeasures for these attacks. Lastly, our standalone camouflage technology is used to protect against netlist recovery and reverse engineering attacks.

Read more in this series:
Understanding Anti-Tamper Technology: Part 1
Understanding Anti-Tamper Technology: Part 2

Watch Anti-Tampering Technologies

Understanding Anti-Tamper Technology: Part 2
https://www.rambus.com/blogs/understanding-anti-tamper-technology-part-2/
Wed, 29 Jul 2020 18:38:25 +0000

In part one of this three-part blog series, we discussed the low-cost attacks that target security chips, such as protocol and software attacks, brute force glitch attacks, and environmental attacks. In this blog post, we explore attacks executed by more sophisticated adversaries. These include side-channel attacks, clocking attacks, fault injection, and infrared emission analysis.

Sophisticated attackers – who might be working at the university level – can research the security model of your chip. Specifically, they can analyze your chip security using techniques such as side-channel attacks, clocking attacks, fault injections, and infrared emission analysis. Let’s take a closer look at these techniques below.

Side-channel Attacks

A side-channel attack describes a scenario where your adversary monitors the environment of your chip while it is performing a secure calculation. Attackers are looking for very small amounts of information leakage that is inevitably emitted from the chip while it is performing a secure calculation.

[Figure: Key Elements of a Side-channel Attack]

This information leakage could be power supply or electromagnetic noise caused by the circuit performing a secure calculation (the significance of power supply analysis was discovered by Rambus security researchers about 15 years ago). With this type of attack, a trace of a power supply is captured when a chip performs a secure calculation; for example, an encrypt or decrypt operation. An attacker that uses an extremely detailed statistical analysis of the power supply trace can discern parts of the secret key used in the calculation.

Countermeasures for these types of side-channels can be executed algorithmically within the cryptographic cores themselves. Interestingly, the degree of protection can be customized by the user. Meaning, if a key is only going to be used 10,000 times before it is refreshed, a core that resists 20,000 traces would be sufficient. In other instances, a key is used more than a million times or even 10 million times. So, the degree of power supply side-channel protection can sometimes be dialed in to accommodate the system and how often the keys are being used.

Clocking Attacks

Clocking attacks are quite similar to the environmental attacks we previously discussed in part one of our three-part blog series. In this type of attack, an adversary will take control of the clock going into the chip, or the clock being used by the chip, for purposes of performing the secure algorithm and secure computation. As with an environmental attack, every one of these digital circuits within the chip has been designed with a certain expectation of clock frequency and the range of clock frequency, the voltage, as well as the temperature. If an adversary can drive the clock beyond those extremes, aberrant behavior can be induced in the chip. This gives an adversary a foothold into attacking the chip and forcing it to reveal its secret data.

Overclocking countermeasures are quite similar to those used to protect against environmental attacks. For example, the ‘first to fail’ circuits are typically effective here, provided they receive the same clock signals as the circuits performing the secure computation. This can be a straightforward method of preventing an adversary from overclocking the chip in some undetectable manner. Another way this can be prevented is to have wholly internal clock generators on a chip. This eliminates external clock sources, which an adversary with relatively sophisticated signal generators can exploit to take over your chip. If the clock generator itself is fully on chip, it significantly complicates the ability of an attacker to seize control of the clock and attack your chip.

Fault Injection

Fault injection is one of the most dangerous and effective attacks targeting secure chips. The concept of fault injection is similar to glitch injection. However, instead of trying to glitch the entire chip all at once, very precise lasers are aimed at the secure circuits within your chip. Or, precise electromagnetic probes are used to cause single bit flips at specific locations within your chip.

[Figure: Fault Injection]

It should be noted that most of the well-known security algorithms, for example, AES, SHA and Elliptic Curve, are considered secure only if the algorithm completes correctly. If an adversary can cause the algorithm to fail during its normal computation, then portions of the secret key might now be present in some of the output data. With fault injection, your adversary is trying to intentionally cause a cryptographic circuit to fail and harvest the response. A subsequent statistical analysis that examines these incorrect responses can lead the adversary to information about the secrets you were trying to protect.

Typically, countermeasures for fault injection must be implemented algorithmically within the security core. So, there can be a great deal of error detection and redundancy included inside of a cryptographic core to ensure that a single bit flip will not cause the algorithm to proceed incorrectly or go undetected. In addition, there are some chip level countermeasures that can be included, as these types of fault injections are usually executed with spot lasers and infrared lasers that are dialed up to very precise spots and injected through the backside of a chip.

The backside of silicon tends to be transparent to infrared as there is no metallization to absorb any incoming lasers. This allows an adversary to raster a laser across the backside of your chip to find regions of sensitivity that, when tapped with the laser at just the right time, corrupt a secure calculation. At the chip level, there are some backside metallization techniques that can significantly complicate an adversary’s ability to inject laser-focused light into critical portions of your chip when the algorithm is executing.

Infrared Emission Analysis

Similar to the clocking attacks we described earlier, infrared emission analysis also includes elements of fault injection techniques. Using infrared emission analysis, an adversary can advance a cryptographic computation to the precise point such that a secret key or critical piece of data is sitting in unprotected SRAM somewhere on the chip.

When SRAM circuits hold ones and zeros, they radiate infrared energies in different ways, depending on if the bit is holding a zero or a one. So, if your adversary is capable of walking an algorithm to the exact point where data is insecure, and then has time to collect the infrared data from the chip while the clock is paused, they can read out the data that was sitting unprotected in the SRAM.

[Figure: Infrared Emission Analysis]

Infrared emission analysis countermeasures include a lot of randomization. For example, secret data can be randomly split into different shares and stored in various sections of SRAM. Random offsets during the calculation can prevent an adversary’s ability to synchronize these attacks, which would be required to extract secret data. Since this class of attacks relies on capturing infrared energy from the backside of the silicon (similar to how fault injection inserted infrared energy), back side metallization can be used to thwart an adversary’s ability to analyze your circuits in this way.

Read more in this series:
Understanding Anti-Tamper Technology: Part 1
Understanding Anti-Tamper Technology: Part 3

Watch Anti-Tampering Technologies

Understanding Anti-Tamper Technology: Part 1
https://www.rambus.com/blogs/understanding-anti-tamper-technology-part-1/
Wed, 22 Jul 2020 16:50:49 +0000

In the first of this three-part blog series, we define anti-tamper technologies, the low-cost attacks that target security chips, and some of the countermeasures that are effective against them.

It is important to understand that the term “anti-tamper” means many different things to many different people. In this series, we use the term to describe a set of countermeasures that are designed to thwart an adversary’s attempt to monitor and/or affect the correct operations of a security chip. Put simply, anti-tamper is what makes a security chip. A chip that runs cryptographic algorithms and lacks anti-tamper protection is not really a security chip.

It should also be noted that anti-tamper protections can be inherited from one part of the chip to another. This means there are certain countermeasures that can be implemented at the chip level – and used to protect algorithms running in other parts of the chip. Sometimes anti-tamper protection is algorithmic within the circuit itself, or can be more system-wide, making it capable of protecting the entire chip simultaneously.

Adversarial Capabilities

Your adversary’s capabilities include not just their technical sophistication, but how much money and time they have to break into your system. Some of the easier attacks can be executed by just about anyone including high school hackers or individuals testing the security of your system. More sophisticated adversaries can be found at universities and even at some national labs. These adversaries will probe your security with more advanced methods to extract secret information. The most challenging attacks will originate from national labs and state funded actors who have access to the most expensive and sophisticated cryptographic analysis attacks, semi-invasive attacks, and fully invasive attacks to weaken the security of your chip.
[Figure: Taxonomy of Attacks]

It is important to emphasize that a security chip needs to take all countermeasures into account. It does not make sense to protect against only the most sophisticated attacks while leaving yourself exposed to the simplest ones.

In the first of this three-part blog series, we will take a closer look at low-cost attacks. Most adversaries use low-cost attacks to test your security chip to gauge how resistant and well-designed it is. These include protocol and software attacks, brute force glitch attacks, and simple environmental attacks.

Protocol and Software Attacks

Protocol and software attacks target a chip’s protocol and the software that operates within the chip. This category covers a wide spectrum of actions your adversary will attempt, but in general, what they will try to do is use your chip in a way it was not intended. For example, if the adversary is going to attack the protocol, they might try to issue commands that are not supported by the normal protocol. They may record an actual, authentic transaction and try to replay it in the future to see if they can cause authentic behavior from inauthentic traffic. A man-in-the-middle attack, for example, is a way of breaking the security between two chips that think they are communicating in secret but are not. Attackers may also attempt to compromise the software environment. There are some very well-known attacks in this domain, such as buffer overflow attacks, as well as malicious software injection.

As such, as a silicon designer you must assume that your adversary is going to attack your protocol. So, you need to define a small, tight set of valid commands. Essentially, you want to make it conceptually unfriendly for an adversary to work with. Another technique for mitigating these attacks, especially for a chip in a communications link, is mutual authentication. This ensures that both sides are verifying each other. As well, a random nonce used in the verification process is a good way to mitigate replay attacks.
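The three protocol countermeasures above (a small command set, mutual authentication, and a random nonce against replay), worked through as an added example that is not Rambus's protocol or code; the HMAC-SHA256 message formats, the pre-shared key and the two-command set are assumptions made for the demo.

```python
"""Mutual challenge-response authentication with fresh nonces and a tight
command allow-list. Constructed example of the countermeasures the post
recommends, not Rambus's protocol: the message formats, the pre-shared HMAC
key and the two-command set are assumptions made for the demo."""
import hashlib
import hmac
import secrets

KEY = bytes(range(32))                         # constructed pre-shared key
COMMANDS = {0x01: "GET_STATUS", 0x02: "SIGN"}  # small, tight set of valid commands
MAC_LEN = 16

def mac(key, *parts):
    """Domain-separated HMAC-SHA256 tag over the concatenated parts."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:MAC_LEN]

class Chip:
    """Responder: proves itself to the host, then verifies the host back."""
    def __init__(self, key):
        self.key, self.n_host, self.n_chip, self.authed = key, None, None, False

    def challenge(self, n_host):
        # fresh chip nonce per session; any earlier authentication is voided
        self.n_host, self.n_chip, self.authed = n_host, secrets.token_bytes(16), False
        return self.n_chip, mac(self.key, b"chip", n_host, self.n_chip)

    def finish(self, host_tag):
        # the host's proof must cover OUR fresh nonce, so a tag recorded from
        # an earlier session cannot be replayed into this one
        expect = mac(self.key, b"host", self.n_chip, self.n_host)
        self.authed = hmac.compare_digest(expect, host_tag)
        return self.authed

    def execute(self, opcode, tag):
        if not self.authed or opcode not in COMMANDS:
            return None                        # unknown opcode: reject outright
        expect = mac(self.key, b"cmd", self.n_host, self.n_chip, bytes([opcode]))
        return COMMANDS[opcode] if hmac.compare_digest(expect, tag) else None

class Host:
    """Initiator: challenges the chip, verifies it, then proves itself."""
    def __init__(self, key):
        self.key, self.n_host, self.n_chip = key, None, None

    def start(self):
        self.n_host = secrets.token_bytes(16)
        return self.n_host

    def verify_chip(self, n_chip, chip_tag):
        ok = hmac.compare_digest(mac(self.key, b"chip", self.n_host, n_chip), chip_tag)
        self.n_chip = n_chip if ok else None
        return ok

    def prove(self):
        return mac(self.key, b"host", self.n_chip, self.n_host)

    def command(self, opcode):
        return opcode, mac(self.key, b"cmd", self.n_host, self.n_chip, bytes([opcode]))

def run_session(host, chip):
    """Full handshake; True only if both sides verified each other."""
    n_h = host.start()
    n_c, chip_tag = chip.challenge(n_h)
    return host.verify_chip(n_c, chip_tag) and chip.finish(host.prove())

def replay_is_rejected():
    """Record one session's host proof, then replay it into a new session."""
    host, chip = Host(KEY), Chip(KEY)
    run_session(host, chip)
    recorded = host.prove()                    # captured transcript (constructed)
    chip.challenge(secrets.token_bytes(16))    # new session, new chip nonce
    return chip.finish(recorded) is False

def unknown_command_is_rejected():
    """A valid command goes through; an opcode outside the set does not."""
    host, chip = Host(KEY), Chip(KEY)
    run_session(host, chip)
    return (chip.execute(*host.command(0x7F)) is None
            and chip.execute(*host.command(0x01)) == "GET_STATUS")
```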

In addition, all software that executes inside a secure chip must be treated as suspect, so an immutable hardware layer is the best design practice. Specifically, that hardware layer checks the highest-privilege software to ensure that even the highest-privileged software executing in the chip is executing correctly. Another good design technique is that all code running in the chip must be cryptographically signed, with permissions assigned based on signatures. This makes it almost impossible for an adversary to duplicate permissions and execute code at a level of authentication that they are not authorized to access.

Brute Force Glitch Attacks

Glitch injection is a brute force attack where an adversary creates a significant amount of noise in the system or on your chip to cause the chip to behave in an unusual way. This can be done by simply shorting or zapping the chip’s power supply, often just by taking a paperclip and shorting some of the power supplies to ground. It is impossible to predict where any errors might appear in your chip when this is done. However, your adversary is hoping that these glitches or bit flips will appear within a lifecycle control circuit within the chip.
[Figure: Chris Tarnovsky at Blackhat]

Tarnovsky, Chris. (2010, July 28). Semiconductor Security Awareness Today & Yesterday at Blackhat 2010. Retrieved from https://www.youtube.com/watch?v=WXX00tRKOlw

A lifecycle control is how a security chip distinguishes between its insecure manufacturing state and its highly secure in-field state. When a chip boots, when it is first powered up, an adversary will attempt to glitch it, trying to confuse the chip to believe it is ‘waking up’ for the first time in an insecure manufacturing state. In this state, nonvolatile memory contents can be unloaded directly, and scan chains might be re-enabled. Put simply, a maliciously induced insecure manufacturing state makes the chip highly vulnerable to attackers.

The countermeasures for glitch injections are usually chip-level protections. This means the entire chip is protected against glitching, for example, with on-chip regulators that create internal-only voltages used to power up the logic that controls lifecycle controls. Another aspect of glitch attacks on a chip is how they relate to fault injection, which is much more of a surgical attack. In contrast, glitch attacks target the entire chip at once and are considered very heavy handed.

Environmental Attacks

Every chip in a system is designed to operate within a range of voltages and temperatures. An adversary who takes control of a system can raise the voltage, lower the temperature, or do both at once. This forces the chip to operate in an environment it was not designed for. This technique is similar to the glitch attack we described earlier. The intent of an environmental attack is to cause the chip to malfunction when it is booting, so the chip will ‘wake up’ in an insecure manufacturing state, rather than a secured in-field state.

[Figure: Environmental Attacks - temperature and voltage]

The countermeasures for these attacks are quite similar to those used to protect against glitch injection attacks. Such countermeasures are usually provided at the chip level by various sensors and alarms that monitor the external voltages applied to the chip, as well as the ambient operating temperature of the chip. Another countermeasure for an environmental attack can be found in ‘first to fail’ circuits, which are built with the smallest design margin. After a secure computation is complete, you can check the output of these ‘first to fail’ circuits to verify that they operated correctly. If they did, the secure circuits, which have more design margin, have also completed correctly.

Read more in this series:
Understanding Anti-Tamper Technology: Part 2
Understanding Anti-Tamper Technology: Part 3

Watch Anti-Tampering Technologies
