Anti-Counterfeiting Archives - Rambus
At Rambus, we create cutting-edge semiconductor and IP products, providing industry-leading chips and silicon IP to make data faster and safer.

Why Anti-tamper Sensors Matter: Agile Analog and Rambus Deliver Comprehensive Security Solution
https://www.rambus.com/blogs/why-anti-tamper-sensors-matter-agile-analog-and-rambus-deliver-comprehensive-security-solution/
Wed, 15 Oct 2025

If your device processes valuable data, controls a critical function, or connects to a wider network, it’s a target. Attackers don’t just try to break software; they increasingly tamper with hardware physically: probing, injecting faults, or opening enclosures to bypass protections and extract secrets. The consequences range from IP theft and fraud to orchestrated downtime across fleets of connected devices.

Anti-tamper sensors are an essential tool among several defenses used to protect against these security threats. By continuously monitoring for abnormal environmental or electrical conditions, anti-tamper sensors help ensure that when a device is touched, opened, glitched, or zapped, your security stack knows and reacts to protect your system.

The Modern Tamper Landscape

Today’s adversaries use voltage glitching to skip instructions, clock manipulation to desynchronize logic, and electromagnetic fault injection (EMFI) to flip bits at precise moments. They may also use strong magnets or environmental shifts to blind sensors or disrupt measurements, especially in metering and industrial systems.

Why does this matter? Because hardware secrets (keys, certificates) underpin secure boot, encrypted communications, and software trust. Physical compromise of just one device can open a backdoor to a much larger network if unique per-device protections and real-time tamper responses aren’t in place.

The Top Customer Pain Points

From conversations with SoC designers, several recurring challenges emerge:

  1. Evolving attack techniques
    Digital-only countermeasures often miss analog-domain faults like voltage, clock, and EMFI attacks. Teams need diverse, low-latency sensors that can spot subtle, nanosecond-scale anomalies before damage is done.
  2. Integration across process nodes and foundries
    Analog IP is traditionally process specific, making portability painful when supply constraints or costs push a design to another process node or foundry. Re-engineering slows releases and consumes scarce analog engineering talent.
  3. Tuning and false positives and negatives
    Tamper sensors must be sensitive without being noisy. Poor thresholding or inadequate environmental compensation can trigger needless shutdowns, or worse, miss an actual attack. Getting that balance right demands robust IP and good system architecture.
  4. Compliance pressure
    Regulations and certifications (e.g., FIPS 140-3 Level 3 and 4, Common Criteria high assurance levels, SESIP L3, ISO 21434) add requirements for key protection, tamper responses, and secure boot. Meeting them while hitting power, area, and schedule targets is hard.

What a “Good” System Looks Like: Principles of Anti-tamper by Design

A resilient anti-tamper strategy embraces sensor diversity, secure event handling, and automated responses:

  • Multi‑modal sensing (voltage, clock, temperature, magnetic/EMFI) to detect a broad spectrum of physical attacks.
  • Secure response paths anchored in a hardware Root of Trust (RoT)—so detected events can trigger policy-driven actions like key zeroization, boot lockdown, or secure telemetry, even if application code is compromised.
  • Per-device uniqueness (unique keys, secure provisioning) to contain the blast radius if one unit falls into the wrong hands.

This is where Agile Analog and Rambus complement each other.

Agile Analog: Deep Tamper Detection + Prevention in the Analog Domain

Agile Analog’s agileSecure portfolio brings a comprehensive, customizable set of tamper detection IP to protect SoCs on advanced process nodes:

  • agileVGLITCH – Voltage Glitch Detector: Detects nanosecond scale supply anomalies used in instruction skipping and bypass attacks.
  • agileCAM – Clock Attack Monitor: Catches clock frequency shifts, holds, and glitches with programmable thresholds.
  • agileTSENSE_D – Digital Temperature Sensor: Monitors abnormal thermal profiles indicative of physical interference or environmental manipulation.
  • agileEMSensor – EMFI Detector: Detects electromagnetic fault injection, one of the hardest physical attack vectors to counter with digital logic alone.

Beyond tamper detection, Agile Analog’s agileSecure also offers tamper prevention IP—internally biased LDOs, bandgap references, oscillators, power-on reset and power-OK blocks—to isolate and harden critical circuits against external manipulation.

Why customers choose Agile Analog

  • Process portability and time-to-market: Their digitally wrapped, process agnostic, fully verified approach helps teams seamlessly integrate analog IP blocks like digital IP, reducing re-spins across nodes/foundries and speeding SoC schedules.
  • Standards alignment: Deployments are increasingly aligned with FIPS 140‑3 and Common Criteria requirements—critical for regulated markets.
  • Proven on advanced process nodes: Recent deliveries include TSMC N4P engagements with a tier-1 U.S. customer, underscoring maturity on cutting-edge processes.

Rambus: Hardware Root of Trust, Anti-tamper, and QuantumSafe Security

While Agile Analog monitors and hardens the physical attack surface, Rambus provides the secure control plane that decides what to do when tampering is detected.

The CryptoManager Security IP family spans Root of Trust (RoT), Hub, and Core offerings, delivering progressively higher levels of functionality and integration:

  • Hardware RoT with secure boot, secure storage, and policy driven tamper responses—available from compact state machines to programmable secure coprocessors.
  • Quantum‑Safe boot flow and crypto accelerators to protect against future quantum compute threats while meeting today’s performance needs.
  • DPA/FIA countermeasures to resist power analysis and fault injection at the cryptographic core, complementing analog tamper detection located next to critical circuitry.
  • Inline memory encryption and protocol engines (MACsec/IPsec/TLS) to protect data in use and in motion, completing a holistic data‑centric security posture.

With support for FIPS, SESIP, PSA Certified, and ISO 21434, CryptoManager solutions help teams accelerate certification and ship faster into regulated markets like automotive and data centers.

Mapping Pain Points to the Joint Solution

Pain point: Detecting advanced physical attacks (glitch/clock/EMFI)
  • Agile Analog contribution: agileVGLITCH, agileCAM, and agileEMSensor provide low-latency, multimodal detection
  • Rambus contribution: RoT policy engine converts alerts into action (lockdown, zeroize, secure telemetry)
  • Outcome: Higher detection coverage; faster, deterministic response

Pain point: Integration across process nodes and foundries
  • Agile Analog contribution: Digitally wrapped, process-agnostic analog IP eases SoC integration
  • Rambus contribution: Modular RoT/Hub/Core options tailor the security footprint
  • Outcome: Faster time-to-market with fewer re-spins

Pain point: Tuning, false positives, and false negatives
  • Agile Analog contribution: Programmable thresholds; sensor diversity to correlate events
  • Rambus contribution: RoT enforces context-aware policies (e.g., multi-sensor quorum)
  • Outcome: Lower noise, better detection, fewer unnecessary outages

Pain point: Compliance (FIPS, CC, ISO)
  • Agile Analog contribution: Sensors and prevention IP support physical tamper requirements
  • Rambus contribution: Certified CryptoManager stack streamlines audits
  • Outcome: Smoother certification; reduced program risk

Implementation Checklist: Getting It Right the First Time

  1. Threat model by device class. Map likely physical attacks (serviceable vs. sealed units, field vs. factory) and decide which sensors you need (voltage, clock, temp, EMFI) for layered coverage.
  2. Place sensors near assets. Position voltage and clock monitors on relevant domains and route signals securely to the RoT—short paths, shielded where practical.
  3. Calibrate and test. Use built-in programmability to tune thresholds across PVT corners. Run fault injection tests (voltage glitches, clock glitches, EMFI) pre and post silicon to validate coverage and false positive rates.
  4. Provision uniquely, attest continuously. Use unique keys and attestation so that a single device compromise cannot scale to a fleet.
  5. Plan for updates. As attacks evolve, update RoT policies and, where applicable, firmware to refine responses without re-spinning silicon.
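The checklist above leaves the RoT policy itself abstract. As an added example (not code from Agile Analog or Rambus), this Python model shows one way such a policy can be written: per-event severity thresholds, a sliding-window quorum across distinct sensors before the costliest response, and sticky state so a later benign reading cannot undo a decision. Sensor names follow the agileSecure blocks named above; the thresholds, window, and event stream are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List


class Action(Enum):
    NONE = "none"                    # below threshold, nothing to record
    TELEMETRY = "secure_telemetry"   # record the event through the RoT, keep running
    LOCKDOWN = "boot_lockdown"       # refuse secure services until a cold reset
    ZEROIZE = "zeroize_keys"         # erase key material; irreversible


@dataclass(frozen=True)
class Event:
    t_ns: int      # timestamp in nanoseconds from the RoT's trusted counter
    sensor: str    # e.g. "agileVGLITCH", "agileCAM", "agileTSENSE_D", "agileEMSensor"
    severity: int  # 0..3, as reported by the sensor's programmable threshold logic


@dataclass(frozen=True)
class Policy:
    window_ns: int = 1_000_000   # correlation window: events within 1 ms are related (assumed)
    quorum: int = 2              # distinct sensors that must agree before ZEROIZE
    vote_severity: int = 2       # minimum severity for an event to count as a vote
    lockdown_severity: int = 3   # one sensor at this level is enough to LOCKDOWN


class PolicyEngine:
    """Software model of an RoT tamper-response policy (assumed behaviour)."""

    def __init__(self, policy: Policy = Policy()):
        self.policy = policy
        self.votes: List[Event] = []   # recent events strong enough to vote
        self.locked = False
        self.zeroized = False

    def handle(self, ev: Event) -> Action:
        p = self.policy
        # 1. Drop votes that have aged out of the correlation window.
        self.votes = [v for v in self.votes if ev.t_ns - v.t_ns <= p.window_ns]
        if ev.severity >= p.vote_severity:
            self.votes.append(ev)
        # 2. Multi-sensor quorum: independent sensors agreeing within the window is
        #    strong evidence of a real fault-injection attempt rather than noise.
        if len({v.sensor for v in self.votes}) >= p.quorum:
            self.zeroized = True
        # 3. A single very severe reading locks the device down but does not
        #    zeroize on its own, which bounds the cost of a false positive.
        if ev.severity >= p.lockdown_severity:
            self.locked = True
        # 4. Decisions are sticky: report the most severe state reached so far.
        if self.zeroized:
            return Action.ZEROIZE
        if self.locked:
            return Action.LOCKDOWN
        if ev.severity >= 1:
            return Action.TELEMETRY
        return Action.NONE


def run(events: List[Event], policy: Policy = Policy()) -> List[str]:
    """Feed a time-ordered event stream through a fresh engine; return the actions."""
    eng = PolicyEngine(policy)
    return [eng.handle(ev).value for ev in sorted(events, key=lambda e: e.t_ns)]


# Constructed event stream, not captured from any real device.
SAMPLE = [
    Event(0, "agileTSENSE_D", 1),          # mild thermal drift: telemetry only
    Event(500_000, "agileTSENSE_D", 2),    # one sensor voting alone: still no zeroize
    Event(5_000_000, "agileVGLITCH", 2),   # supply glitch 4.5 ms later: old vote expired
    Event(5_000_300, "agileEMSensor", 2),  # EMFI 300 ns after the glitch: quorum reached
    Event(9_000_000, "agileCAM", 0),       # benign reading afterwards: state stays sticky
]

if __name__ == "__main__":
    for ev, act in zip(sorted(SAMPLE, key=lambda e: e.t_ns), run(SAMPLE)):
        print(f"t={ev.t_ns:>10} ns {ev.sensor:<14} sev={ev.severity} -> {act}")
```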

Real‑World Momentum

Agile Analog has announced deliveries of its agileSecure anti-tamper suite—including EMFI sensing—to tier-1 customers on TSMC N4P, reflecting demand for robust analog security IP on advanced process nodes. As well as tamper detection IP, the portfolio also includes tamper prevention IP (LDOs, bandgaps, POR/POK) to harden critical circuits against manipulation. In parallel, Rambus introduced its next-gen CryptoManager Security IP with a three-tier architecture, QuantumSafe boot, and a broad certification roadmap—aimed squarely at data center, AI, automotive, and high assurance SoCs.

The Bottom Line

Anti-tamper sensors are non-negotiable in a world where physical attacks are mainstream. But sensors alone aren’t enough. You need a secure control plane that can decide and act, anchored in hardware, with the independent analysis that certifications bring and countermeasures to withstand both today’s and tomorrow’s threats.

  • Agile Analog delivers highly configurable analog tamper detection and tamper prevention IP — portable across processes, tuned for advanced nodes, and designed to spot the faults attackers rely on.
  • Rambus provides the Root of Trust and cryptographic backbone—with anti-tamper hardening, QuantumSafe readiness, and a proven path to compliance.

Together, they offer a defense in depth blueprint that addresses customer pain points comprehensively: better detection, simpler integration, fewer false positives, and smoother certification. If your roadmap includes secure SoCs for AI, automotive, industrial, or payments, pairing Agile Analog’s agileSecure with Rambus CryptoManager is a pragmatic way to raise the bar.

Anti-tamper protection: How to meet evolving threats
https://www.rambus.com/blogs/anti-tamper-protection/
Thu, 20 May 2021

Scott Best, Technical Director of Anti-Counterfeiting Products at Rambus, recently penned an article for Semiconductor Engineering that details why it is critical to scale anti-tamper protection to meet escalating threats.

What is anti-tamper protection?

As Best notes, anti-tamper tends to be one of the industry’s “catchall phrases” encompassing any countermeasure on a security chip. However, a more precise definition states that anti-tamper protection is any collection of countermeasures which serve to thwart an adversary’s attempt to monitor or affect the correct operation of a chip or a security core within a chip.


Categories of tampering attacks

According to Best, the semiconductor industry should consider a hierarchy of anti-tamper countermeasures that parallels the type, effort, and expense of tampering attacks. Starting at the lowest effort and building up, the categories of attacks the industry should safeguard against include:

  • Non-invasive: Typically passive, the attacker monitors the operation of the chip but does not attempt to modify its normal operation.
  • Semi-invasive: An attacker induces electrical failures within the chip and monitors the resulting effects.
  • Fully-invasive: Often destructive attacks where an attacker bypasses shields and modifies signal connectivity.
  • Reverse engineering: Destructive analysis of the chip aimed at obtaining the non-volatile memory (NVM) contents or recovering netlist algorithms.

“The approach an adversary takes depends on their goals, level of sophistication, and budget,” Best states. “In nearly every case, however, attackers are at the very least attempting to learn the secret keys stored on the chip.”

One of the benefits of analyzing the threat in this hierarchical manner is that it can help with planning the anti-tamper protection and defenses for a chip appropriate to the motivation and funding of the attacker.

“For instance, if a chip is going into a military platform that could fall into the hands of a state-actor adversary, then it should be hardened against the full range of tampering attacks,” he adds.

Non-Invasive Attacks

Non-invasive attacks include protocol/software attacks, side-channel attacks, glitch injection and environmental attacks.

“In protocol and software attacks, the adversary manipulates the normal inputs into the chip to effect insecure behavior. In side-channel attacks, an adversary gleans the keys when they are inadvertently leaked via EM emissions or power supply fluctuations,” Best elaborates. “Differential Power Analysis (DPA) is a prime example of a side-channel attack. [Meanwhile], glitching is a ham-handed noise injection onto a secure chip’s power supply [to] cause an internal bit flip that might put the chip in an unsecured state. [Lastly], environmental attacks attempt to take the chip outside its tolerated range of operation with conditions such as under voltage or freezing temperatures with the same goal of a bit flip leading to a security failure.”

As Best observes, countermeasures for non-invasive attacks are as varied as the attacks themselves. For protocol and software attacks, for example, there are best-known practices when it comes to how a chip accepts inputs that simply must be followed. As for side-channel attacks, in most cases they can be algorithmically prevented.

“For instance, a single linear operation can be split into several operations, each masked by a random value so any leakage looks like random noise. Guarding against glitch attacks can be done with fully-internal circuits that regulate core logic so that it is immune to external power supply noise,” he explains. “Thwarting environmental attacks, one can add sensors and alarms that trigger on out of bounds conditions, and ‘canary’ circuits that fail first and signal secure processes to halt. This prevents a secure computation from completing incorrectly and leaking its key.”

Semi-Invasive Attacks

Semi-invasive attacks, says Best, include overclocking, fault injection (FI) and back side IR emission. Similar to environmental attacks, overclocking pushes a circuit outside its operational envelope to cause a failure in a security process.

“FI is the ‘scalpel’ counterpart to glitching’s ‘sledgehammer.’ An IR laser or EM probe is used to make a very targeted attack. Back side IR emission entails imaging the back side of the chip in the IR spectrum to read out the contents of transistor-based memory such as registers and SRAM,” he adds.

Protecting against this set of semi-invasive attacks builds on the foundation of safeguards already mentioned. More specifically, employing wholly-internal clock generators can be used to protect from overclocking, while algorithmic protections can help prevent FI attacks.

“And since FI IR laser attacks are done through the back of the chip, back side metallization can protect from both FI and back side IR emission attacks, or at least increase their level of effort to that of fully invasive attacks.”

Fully-Invasive Attacks

As Best points out, fully-invasive attacks use repurposed state-of-the-art failure analysis technologies to achieve their adversarial aims. This category of attack includes laser voltage probing (LVP) and focused ion beam (FIB) attacks. LVP, says Best, can be thought of as ‘contactless probing’ with an adversary able to measure any signal, such as those on the data bus connecting non-volatile memory (key storage) and a security processor. FIB can disable alarms, escalate privileges, and induce key leaks by ‘editing’ circuits.

According to Best, fully-invasive attacks are the most difficult to guard against, as it is akin to protecting a circuit from being debugged.

“Back side metallization can help mitigate the effectiveness of LVP. In addition, a high-bitrate random number generator (RNG) can be used to ‘split’ any important data into two ‘shares’ such that an LVP attack against either share would only see random noise. With hybrid packaging techniques, some advanced forms of ‘tamper evident PUFs’ that combine with front and back side metal shields can be used as a FIB countermeasure,” he adds.

Reverse Engineering

Lastly, reverse engineering is a no-holds-barred attack to understand a chip’s design and operation. Indeed, the attacker removes the chip from its package and takes a high-resolution picture of the topmost layer with a scanning electron microscope (SEM).

“The chip’s top layer is then removed via plasma etching or similar process, exposing the underlying layer which is then SEM imaged,” Best explains. “[This] process is repeated until all layers, including the P and N implants that form the transistor structures, have been imaged. The aggregated images are analyzed against known circuits to produce a functional model resulting in a full netlist and a hierarchical RTL of the design.”

Circuit camouflage technology, says Best, complicates the reverse engineering process with the integration of multiple “lookalike cells” into a chip’s design. These cells are either optically indistinguishable from the standard cells used throughout the design, or they may appear like nothing the reverse engineer has ever seen.

“Camouflaged cells can also be enabled to perform logic functions that are different than what would be expected by visual analysis,” he elaborates. “Together, these approaches introduce errors into the reverse-engineering process, resulting in an incorrect netlist recovered from the silicon.”

Conclusion

When it comes to anti-tamper protection, Best emphasizes, it is critical to identify the opponent and include at least one degree of additional countermeasure that is beyond their skill or budget.

“Whether hacker, counterfeiter, or well-funded state actor, their motivation and resources will vary, as will the attack types they can bring to bear. The job of the security designer is to build in enough countermeasures to keep secrets just out of an attacker’s reach. Security experts at companies like Rambus can help designers find that right mix for securing their chips against an environment of escalating risks,” he concludes.

Understanding Anti-Tamper Technology: Part 3
https://www.rambus.com/blogs/understanding-anti-tamper-technology-part-3/
Wed, 12 Aug 2020

In part one of this three-part blog series, we discussed the low-cost attacks that target security chips, such as protocol and software attacks, brute force glitch attacks, as well as environmental attacks. In part two, we took a closer look at attacks executed by more sophisticated adversaries. These include side-channel attacks, clocking attacks, fault injection, and infrared emission analysis. In this blog post, we explore the most sophisticated attacks that can target your security chip, such as laser voltage probing, focused ion beam (FIB) editing, reverse engineering, and NVM extraction.

Since these advanced techniques typically originate from national labs or other state funded actors, your adversary will be using advanced failure analysis equipment to gain a detailed picture of the inner workings of your security chip. It is important to understand that bringing a state-of-the-art 10 billion transistor SoC to market in a leading-edge technology node necessitates the use of leading-edge failure analysis equipment to help debug a chip on its path to mass production. Your adversary will have access to this failure analysis equipment and can repurpose it to gain more insight into what a security chip is doing.


Laser Voltage Probing

Laser voltage probing is conceptually similar to both the fault injection and infrared analysis we described earlier in this three-part blog series.

Figure: Laser Voltage Probing. From: “No Place to Hide: Contactless Probing of Secret Data on FPGAs”, H. Lohrke, Technische Universität Berlin, June 2016, https://eprint.iacr.org/2016/593.pdf

With laser voltage probing, a specific point in a circuit can be measured in a contactless way by zapping that specific node in the circuit with an infrared laser; the attacker then measures the difference in refraction. Even a slight difference in refraction can tell the adversary whether the data is transitioning from one to zero, from zero to one, or not transitioning at all. This is an effective technique for reading out the contents of memory buses, the output of physically unclonable functions (PUFs), the output of embedded non-volatile macros, and even some particularly important nodes inside the security core itself.

Laser voltage probing countermeasures are similar to methods we’ve described previously in this three-part blog series. For example, randomness can be used to split the data into multiple components and offset the time at which those components are traversing on a bus. This makes it difficult for the adversary to precisely time their laser voltage probes to extract the data. Randomness – both spatial and temporal (data) – is the most effective countermeasure for laser voltage probe. Since this method involves infrared lasers injected on a node, the previously described techniques of back side metallization can also be a very effective deterrent to this type of attack.
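The share-splitting countermeasure described here, and in Best’s earlier description of masking a linear operation with random values and splitting data into two ‘shares’, can be shown in software. The following is an added example, not Rambus code: a secret is held as two XOR shares, a linear step (XOR with a constant, then a bit rotation) is carried out share-wise so the secret never exists in the clear, shares are re-randomised between steps, and a single captured share is checked to be statistically independent of the secret. The secret and constants are constructed, and os.urandom stands in for the on-chip high-bitrate RNG.

```python
import os


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split(secret: bytes):
    # Fresh mask per split: os.urandom stands in for the on-chip high-bitrate RNG.
    # share0 is the mask, share1 is the secret hidden under it; neither share
    # alone carries any information about the secret.
    mask = os.urandom(len(secret))
    return mask, xor(secret, mask)


def combine(share0: bytes, share1: bytes) -> bytes:
    return xor(share0, share1)


def refresh(share0: bytes, share1: bytes):
    # Re-randomise both shares without ever reconstituting the secret, so a
    # probe that captures the same wire twice sees two unrelated values.
    r = os.urandom(len(share0))
    return xor(share0, r), xor(share1, r)


def rotl(data: bytes, k: int) -> bytes:
    # Bit rotation of a byte string, viewed as one big-endian integer.
    n = len(data) * 8
    x = int.from_bytes(data, "big")
    k %= n
    x = ((x << k) | (x >> (n - k))) & ((1 << n) - 1)
    return x.to_bytes(len(data), "big")


def reference_step(secret: bytes, const: bytes, k: int) -> bytes:
    # The unprotected linear step: XOR a round constant, then rotate.
    return rotl(xor(secret, const), k)


def masked_step(share0: bytes, share1: bytes, const: bytes, k: int):
    # The same step run share-wise: the rotation is applied to both shares and
    # the constant to just one of them. Because both operations are linear over
    # XOR, recombining afterwards gives exactly reference_step(secret).
    return rotl(xor(share0, const), k), rotl(share1, k)


def single_share_bias(secret: bytes, trials: int = 1000) -> float:
    # What a probe on a single share observes over many operations: the
    # fraction of 1 bits, which stays near 0.5 whatever the secret is.
    ones = 0
    for _ in range(trials):
        _, share1 = split(secret)
        ones += bin(int.from_bytes(share1, "big")).count("1")
    return ones / (trials * len(secret) * 8)


# Constructed sample values (not real key material).
SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")
CONST = bytes(range(16))

if __name__ == "__main__":
    s0, s1 = split(SECRET)
    s0, s1 = refresh(s0, s1)
    out = combine(*masked_step(s0, s1, CONST, 13))
    print("share-wise result matches reference:", out == reference_step(SECRET, CONST, 13))
    print("bias of one share, all-zero secret:", single_share_bias(b"\x00" * 16))
    print("bias of one share, all-one secret: ", single_share_bias(b"\xff" * 16))
```

Non-linear steps (an S-box, an AND gate) need more than this share-wise trick, which is why the masked implementations Best refers to are built into the cryptographic cores rather than bolted on.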

Focused Ion Beam (FIB) Editing

Most companies that have built a chip over the last 30 years probably engaged in some “FIBing.” This is because focused ion beam editing is a very standard debug technique that reaches into the chip to disconnect some signals and reconnect certain logic gates. FIBing is an effective failure analysis tool because it is essentially an additional processing step that can be applied to a chip after fabrication.

Figure: Electric Tampering via Focused Ion Beam (FIB)

It is almost impossible to prevent a chip from being FIB analyzed. This is because FIB is just another processing step that is applied to the chip after it is manufactured. However, this step can be exploited by an adversary to reconnect wires within your chip and deactivate any alarm generated in the chip. In fact, additional pads can be dropped down onto the chip, and the chip can be repackaged by an adversary to grant access to internal nodes that would otherwise never have been exposed externally.

The unfortunate reality is that countermeasures for FIB attacks are very difficult to implement effectively. Our Rambus security team is currently researching the use of tamper-evident physically unclonable functions, or PUFs. This enables the metallization of the chip itself to be fingerprinted when the chip is manufactured. The fingerprint remains a wholly internal portion of a secret key. If an adversary were to FIB into the chip and modify this metallization, the secret key value would inevitably be corrupted, rendering the attack unsuccessful.

Reverse Engineering

Reverse engineering enables an adversary to destructively decompose a chip, layer by layer, taking very precise scanning electron micrographs that enable an attacker to reconstruct the actual logical netlist. Oftentimes this is done to recover proprietary functions that might be realized within the chip, or to recover read-only memory that has been compiled into a standard cell library circuit within the chip.

Figure: Reverse Engineering Attacks

Countermeasures for reverse engineering attacks are fairly well known. The basic concept is to corrupt the automatic reverse engineering process by building lookalike or camouflage gates into the netlist. This way, when an adversary takes very careful pictures of what they believe to be a NAND gate, for example, they will discover that it is not actually a functioning NAND gate (because camouflage technology was used to modify the logical operation of that gate). Although it might look identical to a standard cell gate, it performs a different logical operation. So, when your adversary has finished extracting your 100,000 or one million gate circuit, the netlist they will have is incorrect. Because of the camouflage logic, they have no idea which one of the gates is incorrect. This can greatly delay your adversary’s attempt to recover a proprietary netlist that is hidden on-chip.

Another way of protecting against a reverse engineering attack is a concept known as logic locking. This is similar conceptually to FPGAs which load a bit stream into the circuit – although the circuit does not perform a correct operation until the correct bit stream is loaded. Logic locking is similar, with a large digital signal (perhaps a 256-bit wide signal), loaded to a proprietary function that will not operate correctly until the right signal is applied. This means that if an adversary manages to recover your netlist from the chip, they still need to recover the very small 256-bit file that controls the correct operation of the chip. This method can help mitigate against the more straightforward approaches of reverse engineering attacks.
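To make the logic-locking idea concrete, here is an added Python example (a constructed toy circuit, not a Rambus design) using a common construction: an XOR key gate is inserted on a chosen wire and, where the correct key bit is 1, the resulting inversion is absorbed into the consuming cell’s input polarity, so the locked netlist’s structure alone does not reveal the key. A 3-bit key stands in for the 256-bit signal discussed above; the functions check that only the correct key reproduces the original truth table and that every wrong key is wrong on some input.

```python
import itertools

# Gate-level netlist: wire -> (op, [(source_wire, invert_input), ...]).
# Wires with no gate ("a".."d" and key wires "k0".."k2") are primary inputs.
ORIGINAL = {
    "n1": ("and", [("a", False), ("b", False)]),
    "n2": ("or",  [("c", False), ("d", False)]),
    "y":  ("xor", [("n1", False), ("n2", False)]),
    "z":  ("and", [("n1", False), ("d", True)]),   # AND with one inverted input
}
INPUTS = ("a", "b", "c", "d")
OUTPUTS = ("y", "z")


def evaluate(netlist, assignment, outputs=OUTPUTS):
    """Evaluate the named outputs given primary-input (and key) values."""
    memo = dict(assignment)

    def val(w):
        if w not in memo:
            op, ins = netlist[w]
            bits = [val(src) ^ int(inv) for src, inv in ins]
            memo[w] = int({"and": all(bits), "or": any(bits),
                           "xor": sum(bits) % 2 == 1}[op])
        return memo[w]

    return tuple(val(o) for o in outputs)


def lock(netlist, key, locations):
    """Insert one XOR key gate per (gate_wire, input_index) location.
    With the correct key bit the gate passes the signal through (bit 0) or
    inverts it (bit 1); an inversion is cancelled by flipping the consuming
    input's polarity, so the correct key restores the original function."""
    locked = {w: (op, list(ins)) for w, (op, ins) in netlist.items()}
    for i, (gate, j) in enumerate(locations):
        src, inv = locked[gate][1][j]
        locked[f"lk{i}"] = ("xor", [(src, False), (f"k{i}", False)])
        locked[gate][1][j] = (f"lk{i}", inv ^ bool(key[i]))
    return locked


def key_assignment(key):
    return {f"k{i}": int(bit) for i, bit in enumerate(key)}


def truth_table(netlist, extra=None):
    rows = {}
    for bits in itertools.product((0, 1), repeat=len(INPUTS)):
        assignment = dict(zip(INPUTS, bits))
        assignment.update(extra or {})
        rows[bits] = evaluate(netlist, assignment)
    return rows


def matches_original(locked, key) -> bool:
    """True when the locked netlist under this key equals the original design."""
    return truth_table(locked, key_assignment(key)) == truth_table(ORIGINAL)


def wrong_key_mismatch_rate(locked, key):
    """Fraction of (wrong key, input vector) pairs whose outputs differ from
    the original, and whether every wrong key is wrong on at least one input."""
    ref = truth_table(ORIGINAL)
    wrong = total = 0
    every_key_detected = True
    for cand in itertools.product((0, 1), repeat=len(key)):
        if tuple(cand) == tuple(key):
            continue
        tt = truth_table(locked, key_assignment(cand))
        diff = sum(tt[row] != ref[row] for row in tt)
        every_key_detected &= diff > 0
        wrong += diff
        total += len(tt)
    return wrong / total, every_key_detected


KEY = (1, 0, 1)                                    # toy 3-bit key (constructed)
LOCATIONS = [("n1", 0), ("n2", 0), ("y", 0)]       # wires chosen for key gates
LOCKED = lock(ORIGINAL, KEY, LOCATIONS)

if __name__ == "__main__":
    print("correct key reproduces design:", matches_original(LOCKED, KEY))
    rate, detected = wrong_key_mismatch_rate(LOCKED, KEY)
    print(f"wrong keys: {rate:.0%} of input vectors wrong; every wrong key detectable: {detected}")
```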

NVM Extraction

NVM extraction targets the contents of non-volatile memory. Most of the time, secrets inside of a security chip are hidden in a combination of proprietary netlist and NVM contents. An adversary must therefore recover both to make sense of your secret data. Unfortunately, every embedded non-volatile macro has an attack surface on it, and your adversary will be familiar with that type of macro and what type of attacks can be used against it.

Figure: NVM Macro

For example, if your NVM macro only has a very narrow data bus, a type of power analysis known as template attacks can be used to recover the data. In addition, if your NVM macro allows secret data to be read and written during a manufacturing state, then your adversary will go after the manufacturing state and try to trick a chip that has already been provisioned with secret data into thinking that it is in the manufacturing state where the data can be read out.

There are even more sophisticated attacks that use scanning electron microscopes to sense the contents of any type of charge-based memory, such as EEPROM or embedded flash. Finally, more advanced techniques use the laser voltage probing or FIB attacks we described earlier to monitor the actual data bus of the chip, and perhaps even to take control of the command and address portions of the chip to walk the data out of the chip after it has been repackaged.

Countermeasures for this type of attack include a lot of brute force approaches, such as very wide data buses that are much more difficult to repackage and analyze, as well as the previously described countermeasures for both laser voltage probing and FIB attacks.

Rambus Anti-Tamper Technology

Thus far, we have described a number of anti-tamper countermeasures in our three-part blog series. It should be noted that all of our fixed-function cores, such as AES, SHA, and the Public-Key Accelerators, include algorithmic countermeasures wherever algorithmic countermeasures are effective, such as against power supply analysis and fault injection.

Moreover, our root of trust cores, which are more sophisticated processor-based systems coupled with fixed-function cores, include more countermeasures because the processing elements can control dispatch to, for example, activate ‘first to fail’ logic cores. This ensures these cores are active during execution of the fixed-function cores, and allows secure cryptographic events to be randomly staged to the cores to thwart timing attacks.

Our anti-counterfeiting line of products includes the most countermeasures because these products exist in chip-level form. For these products, we can include some of the more advanced protections against glitch and environmental attacks, and even against more advanced attacks like laser voltage probing and FIB editing of the security chip.

The slide below presents a visual summary of the countermeasures that we have in our security products.

Figure: Secure Silicon Countermeasures

As you can see, the fixed-function cores include algorithmic countermeasures wherever they are appropriate, such as side-channel, glitch injection, and fault injection protection. Our root-of-trust cores have a wider selection of countermeasures that can be included because of the more sophisticated execution environment. In addition, our anti-counterfeiting solution (represented by the ACF column) includes countermeasures for these attacks. Lastly, our standalone camouflage technology is used to protect against netlist recovery and reverse engineering attacks.

Read more in this series:
Understanding Anti-Tamper Technology: Part 1
Understanding Anti-Tamper Technology: Part 2

Understanding Anti-Tamper Technology: Part 2
https://www.rambus.com/blogs/understanding-anti-tamper-technology-part-2/
Wed, 29 Jul 2020

In part one of this three-part blog series, we discussed the low-cost attacks that target security chips, such as protocol and software attacks, brute force glitch attacks, as well as environmental attacks. In this blog post, we explore attacks executed by more sophisticated adversaries. These include side-channel attacks, clocking attacks, fault injection, and infrared emission analysis.

Sophisticated attackers – who might be working at the university level – can research the security model of your chip. Specifically, they can analyze your chip security using techniques such as side-channel attacks, clocking attacks, fault injections, and infrared emission analysis. Let’s take a closer look at these techniques below.


Side-channel Attacks

A side-channel attack describes a scenario where your adversary monitors the environment of your chip while it is performing a secure calculation. Attackers are looking for very small amounts of information leakage that is inevitably emitted from the chip while it is performing a secure calculation.

Figure: Key Elements of a Side-channel Attack

This information leakage could be power supply or electromagnetic noise caused by the circuit performing a secure calculation (the significance of power supply analysis was discovered by Rambus security researchers about 15 years ago). With this type of attack, a trace of a power supply is captured when a chip performs a secure calculation; for example, an encrypt or decrypt operation. An attacker that uses an extremely detailed statistical analysis of the power supply trace can discern parts of the secret key used in the calculation.

Countermeasures for these side-channels can be implemented algorithmically within the cryptographic cores themselves. Interestingly, the degree of protection can be tailored by the user. For example, if a key will only be used 10,000 times before it is refreshed, a core rated to resist 20,000 traces would be sufficient. In other systems, a key is used more than a million, or even 10 million, times. So the degree of power-supply side-channel protection can often be dialed in to match the system and how frequently its keys are used.

Clocking Attacks

Clocking attacks are quite similar to the environmental attacks we previously discussed in part one of our three-part blog series. In this type of attack, an adversary will take control of the clock going into the chip, or the clock being used by the chip, for purposes of performing the secure algorithm and secure computation. As with an environmental attack, every one of these digital circuits within the chip has been designed with a certain expectation of clock frequency and the range of clock frequency, the voltage, as well as the temperature. If an adversary can drive the clock beyond those extremes, aberrant behavior can be induced in the chip. This gives an adversary a foothold into attacking the chip and forcing it to reveal its secret data.

Overclocking countermeasures are quite similar to those used against environmental attacks. For example, ‘first to fail’ circuits are typically effective here, provided they receive the same clock signals as the circuits performing the secure computation. This is a straightforward way to prevent an adversary from overclocking the chip undetected. Another option is to use wholly internal clock generators on the chip. This eliminates the external clock sources that an adversary with reasonably sophisticated signal generators can exploit to take over your chip. If the clock generator itself is fully on chip, it significantly complicates an attacker’s ability to seize control of the clock and attack your chip.

Fault Injection

Fault injection is one of the most dangerous and effective attacks targeting secure chips. The concept of fault injection is similar to glitch injection. However, instead of trying to glitch the entire chip all at once, very precise lasers are aimed at the secure circuits within your chip. Or, precise electromagnetic probes are used to cause single bit flips at specific locations within your chip.

[Figure: Fault Injection]

It should be noted that most of the well-known security algorithms, for example, AES, SHA and Elliptic Curve, are considered secure only if the algorithm completes correctly. If an adversary can cause the algorithm to fail during its normal computation, then portions of the secret key might now be present in some of the output data. With fault injection, your adversary is trying to intentionally cause a cryptographic circuit to fail and harvest the response. A subsequent statistical analysis that examines these incorrect responses can lead the adversary to information about the secrets you were trying to protect.

Typically, countermeasures for fault injection must be implemented algorithmically within the security core. So, there can be a great deal of error detection and redundancy included inside of a cryptographic core to ensure that a single bit flip will not cause the algorithm to proceed incorrectly or go undetected. In addition, there are some chip level countermeasures that can be included, as these types of fault injections are usually executed with spot lasers and infrared lasers that are dialed up to very precise spots and injected through the backside of a chip.

The backside of silicon tends to be transparent to infrared as there is no metallization to absorb any incoming lasers. This allows an adversary to raster a laser across the backside of your chip to find regions of sensitivity that, when tapped with the laser at just the right time, corrupt a secure calculation. At the chip level, there are some backside metallization techniques that can significantly complicate an adversary’s ability to inject laser-focused light into critical portions of your chip when the algorithm is executing.
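The redundancy and "completes correctly" checks described above, as an added example that is not code from this blog or from Rambus. It uses a constructed toy RSA key (p=61, q=53, e=17, d=2753; an assumption for illustration only) signed via the Chinese Remainder Theorem, with a `fault` hook that stands in for a single-bit upset in one half of the computation. The guarded signer computes twice and compares, then verifies its own output with the public exponent before releasing anything; the unguarded signer shows why that matters.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class ToyRsaKey:
    """Constructed toy RSA parameters; far too small for real use."""
    p: int = 61
    q: int = 53
    e: int = 17
    d: int = 2753

    @property
    def n(self) -> int:
        return self.p * self.q


def crt_sign(m: int, key: ToyRsaKey,
             fault: Optional[Callable[[int], int]] = None) -> int:
    """Signature via CRT. `fault` is a simulated bit upset applied to one CRT
    half, standing in for a laser or EM fault; it is a test hook, not a feature."""
    dp = key.d % (key.p - 1)
    dq = key.d % (key.q - 1)
    qinv = pow(key.q, -1, key.p)
    sp = pow(m, dp, key.p)
    sq = pow(m, dq, key.q)
    if fault is not None:
        sp = fault(sp)                       # corrupt the p-half only
    h = (qinv * (sp - sq)) % key.p
    return sq + key.q * h


def sign_unguarded(m: int, key: ToyRsaKey, fault=None) -> int:
    """Releases whatever the core computed, faulty or not."""
    return crt_sign(m, key, fault)


def sign_guarded(m: int, key: ToyRsaKey, fault=None,
                 fault_both: bool = False) -> Optional[int]:
    """Two countermeasures: redundant computation with comparison, and a check
    that the algorithm completed correctly (re-verify with the public exponent)
    before the result leaves the core. `fault_both` models a fault that hits
    both redundant passes identically, which only the verify step catches."""
    first = crt_sign(m, key, fault)
    second = crt_sign(m, key, fault if fault_both else None)
    if first != second:
        return None                          # redundancy mismatch: release nothing
    if pow(first, key.e, key.n) != m % key.n:
        return None                          # output does not verify: release nothing
    return first


def flip_low_bit(x: int) -> int:
    """Simulated single-bit fault."""
    return x ^ 1


if __name__ == "__main__":
    key = ToyRsaKey()
    print("good signature:", sign_guarded(65, key))
    print("faulted, guarded:", sign_guarded(65, key, fault=flip_low_bit))
    print("faulted, unguarded:", sign_unguarded(65, key, fault=flip_low_bit))
```

With the toy key the faulted unguarded output never verifies, which is exactly the "incorrect response" an adversary would harvest; the guarded signer returns nothing in that case.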

Infrared Emission Analysis

Similar to the clocking attacks we described earlier, infrared emission analysis also includes elements of fault injection techniques. Using infrared emission analysis, an adversary can advance a cryptographic computation to the precise point such that a secret key or critical piece of data is sitting in unprotected SRAM somewhere on the chip.

When SRAM circuits hold ones and zeros, they radiate infrared energies in different ways, depending on if the bit is holding a zero or a one. So, if your adversary is capable of walking an algorithm to the exact point where data is insecure, and then has time to collect the infrared data from the chip while the clock is paused, they can read out the data that was sitting unprotected in the SRAM.

[Figure: Infrared Emission Analysis]

Infrared emission analysis countermeasures include a lot of randomization. For example, secret data can be randomly split into different shares and stored in various sections of SRAM. Random offsets during the calculation can prevent an adversary’s ability to synchronize these attacks, which would be required to extract secret data. Since this class of attacks relies on capturing infrared energy from the backside of the silicon (similar to how fault injection inserted infrared energy), back side metallization can be used to thwart an adversary’s ability to analyze your circuits in this way.
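The share-splitting countermeasure in the paragraph above, as an added example that is not code from this blog or from Rambus. It models SRAM as a bytearray (an assumption; filled with random filler rather than zeros so plaintext stands out even less), splits a secret into XOR shares placed at random non-overlapping offsets, and re-randomizes the shares between uses so the same byte pattern never sits in one place for long. The secret is only recombined on demand; a real core would consume it inside a masked computation rather than materializing it.

```python
from __future__ import annotations
import secrets


def split_xor(secret: bytes, k: int) -> list[bytes]:
    """k XOR shares: k-1 uniformly random, the last chosen so all k XOR back to
    the secret. Any k-1 shares are statistically independent of the secret."""
    if k < 2:
        raise ValueError("need at least two shares")
    shares = [secrets.token_bytes(len(secret)) for _ in range(k - 1)]
    last = bytes(secret)
    for sh in shares:
        last = bytes(a ^ b for a, b in zip(last, sh))
    return shares + [last]


def combine_xor(shares: list[bytes]) -> bytes:
    out = bytes(len(shares[0]))
    for sh in shares:
        out = bytes(a ^ b for a, b in zip(out, sh))
    return out


class ShareStore:
    """Simulated SRAM that only ever holds the secret as scattered shares."""

    def __init__(self, sram_size: int = 4096, nshares: int = 3):
        self.sram = bytearray(secrets.token_bytes(sram_size))   # random filler
        self.nshares = nshares
        self.slots: list[tuple[int, int]] = []                 # (offset, length)

    def _random_free_offset(self, length: int) -> int:
        """Pick a random offset that does not overlap an existing share."""
        while True:
            off = secrets.randbelow(len(self.sram) - length + 1)
            if all(off + length <= s or s + l <= off for s, l in self.slots):
                return off

    def store(self, secret: bytes) -> None:
        self.slots = []
        for sh in split_xor(secret, self.nshares):
            off = self._random_free_offset(len(sh))
            self.sram[off:off + len(sh)] = sh
            self.slots.append((off, len(sh)))

    def shares(self) -> list[bytes]:
        return [bytes(self.sram[o:o + l]) for o, l in self.slots]

    def refresh(self) -> None:
        """XOR one fresh mask into two shares: the secret is unchanged but every
        stored pattern is new, so repeated captures of a location do not
        accumulate information about one fixed share."""
        (o1, l), (o2, _) = self.slots[0], self.slots[1]
        mask = secrets.token_bytes(l)
        for off in (o1, o2):
            for i in range(l):
                self.sram[off + i] ^= mask[i]

    def reconstruct(self) -> bytes:
        return combine_xor(self.shares())


if __name__ == "__main__":
    demo_secret = bytes(range(16))          # constructed demo key
    store = ShareStore()
    store.store(demo_secret)
    print("slots:", store.slots)
    print("plaintext present in SRAM:", demo_secret in bytes(store.sram))
    store.refresh()
    print("reconstructs after refresh:", store.reconstruct() == demo_secret)
```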

Understanding Anti-Tamper Technology: Part 1
https://www.rambus.com/blogs/understanding-anti-tamper-technology-part-1/
Wed, 22 Jul 2020 16:50:49 +0000

In the first of this three-part blog series, we define anti-tamper technologies, the low-cost attacks that target security chips, and some of the countermeasures that are effective against them.

It is important to understand that the term “anti-tamper” means many different things to many different people. In this series, we use the term to describe a set of countermeasures that are designed to thwart an adversary’s attempt to monitor and/or affect the correct operations of a security chip. Put simply, anti-tamper is what makes a security chip. A chip that runs cryptographic algorithms and lacks anti-tamper protection is not really a security chip.

It should also be noted that anti-tamper protections can be inherited from one part of the chip to another. This means there are certain countermeasures that can be implemented at the chip level – and used to protect algorithms running in other parts of the chip. Sometimes anti-tamper protection is algorithmic within the circuit itself, or can be more system-wide, making it capable of protecting the entire chip simultaneously.


Adversarial Capabilities

Your adversary’s capabilities include not just their technical sophistication, but how much money and time they have to break into your system. Some of the easier attacks can be executed by just about anyone including high school hackers or individuals testing the security of your system. More sophisticated adversaries can be found at universities and even at some national labs. These adversaries will probe your security with more advanced methods to extract secret information. The most challenging attacks will originate from national labs and state funded actors who have access to the most expensive and sophisticated cryptographic analysis attacks, semi-invasive attacks, and fully invasive attacks to weaken the security of your chip.
[Figure: Taxonomy of Attacks]

It is important to emphasize that a security chip needs to take all countermeasures into account. It does not make sense to protect against only the most sophisticated attacks while leaving yourself exposed to the simplest ones.

In the first of this three-part blog series, we will take a closer look at low-cost attacks. Most adversaries use low-cost attacks to test your security chip to gauge how resistant and well-designed it is. These include protocol and software attacks, brute force glitch attacks, and simple environmental attacks.

Protocol and Software Attacks

Protocol and software attacks target a chip’s protocol and the software that operates within the chip. This category covers a wide spectrum of actions, but in general the adversary tries to use your chip in a way it was not intended. For example, when attacking the protocol, they might issue commands that a normal protocol does not support. They may record an authentic transaction and replay it later to see if inauthentic traffic can trigger authentic behavior. A man-in-the-middle attack is a way of breaking the security between two chips that think they are communicating in secret but are not. Attackers may also attempt to compromise the software environment; there are some very well-known attacks in this domain, such as buffer overflow attacks and malicious software injection.

As such, a silicon designer must assume that the adversary is going to attack the protocol. So, you need to define a small, tight set of valid commands; essentially, you want to make the chip conceptually unfriendly for an adversary to work with. Another technique for mitigating these attacks – especially for a chip in a communications link – is mutual authentication, which ensures that both sides verify each other. As well, a random nonce used in the verification process is a good way to mitigate replay attacks.

In addition, all software that executes inside a secure chip must be treated as suspect, so an immutable hardware layer is the best design practice: it checks even the highest-privileged software executing in the chip to ensure it is executing correctly. Another good design technique is to require that all code running in the chip be cryptographically signed, with permissions assigned based on those signatures. This makes it almost impossible for an adversary to duplicate permissions and execute code at a privilege level they are not authorized to access.
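The three protocol countermeasures from this section (a small fixed command set, mutual authentication, and a random nonce against replay) as one added example; this is not code from the blog or from Rambus. The shared key, command names and message layout are constructed for the demo (a real design would provision a unique per-device key). Both directions of the exchange are shown, and `replay_is_rejected` records a genuine prover response and replays it into a later session to show the fresh nonce defeating it.

```python
import hmac
import hashlib
import secrets

# Constructed demo key shared by verifier and prover (assumption: per-device in practice).
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

# The small, tight set of valid commands; anything else is rejected outright.
VALID_COMMANDS = {"AUTH_CHALLENGE", "AUTH_RESPONSE", "AUTH_CONFIRM"}


def check_command(cmd: str) -> None:
    """Reject any command outside the defined protocol."""
    if cmd not in VALID_COMMANDS:
        raise ValueError(f"unsupported command {cmd!r}")


def tag(key: bytes, role: bytes, *nonces: bytes) -> bytes:
    """HMAC-SHA256 over a role label and the nonces. The role label stops a
    prover tag from being reused as a verifier tag; length prefixes keep the
    field boundaries unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    h.update(role)
    for n in nonces:
        h.update(len(n).to_bytes(2, "big") + n)
    return h.digest()


class Verifier:
    def __init__(self, key: bytes):
        self.key = key
        self.nonce = None

    def challenge(self):
        self.nonce = secrets.token_bytes(16)     # fresh per session: defeats replay
        return "AUTH_CHALLENGE", self.nonce

    def verify(self, cmd, prover_nonce, prover_tag):
        """Return the confirmation message, or None if the prover fails."""
        check_command(cmd)
        if self.nonce is None:
            return None                          # no outstanding challenge
        expected = tag(self.key, b"prover", self.nonce, prover_nonce)
        if not hmac.compare_digest(expected, prover_tag):
            return None
        return "AUTH_CONFIRM", tag(self.key, b"verifier", prover_nonce, self.nonce)


class Prover:
    def __init__(self, key: bytes):
        self.key = key
        self.nonce = None
        self.verifier_nonce = None

    def respond(self, cmd, verifier_nonce):
        check_command(cmd)
        self.verifier_nonce = verifier_nonce
        self.nonce = secrets.token_bytes(16)     # prover's own freshness
        return ("AUTH_RESPONSE", self.nonce,
                tag(self.key, b"prover", verifier_nonce, self.nonce))

    def confirm(self, cmd, verifier_tag) -> bool:
        """Second direction of the mutual authentication."""
        check_command(cmd)
        expected = tag(self.key, b"verifier", self.nonce, self.verifier_nonce)
        return hmac.compare_digest(expected, verifier_tag)


def mutual_auth(verifier: Verifier, prover: Prover) -> bool:
    """Run the three-message exchange; True only if both sides accept."""
    cmd, vn = verifier.challenge()
    cmd, pn, ptag = prover.respond(cmd, vn)
    result = verifier.verify(cmd, pn, ptag)
    if result is None:
        return False
    cmd, vtag = result
    return prover.confirm(cmd, vtag)


def replay_is_rejected() -> bool:
    """Record one genuine prover response and replay it in a later session."""
    verifier, prover = Verifier(DEMO_KEY), Prover(DEMO_KEY)
    cmd, vn = verifier.challenge()
    recorded = prover.respond(cmd, vn)            # an eavesdropper captures this
    if verifier.verify(*recorded) is None:        # genuine session must succeed
        return False
    verifier.challenge()                          # new session, new nonce
    return verifier.verify(*recorded) is None     # replayed response fails


if __name__ == "__main__":
    print("mutual auth:", mutual_auth(Verifier(DEMO_KEY), Prover(DEMO_KEY)))
    print("replay rejected:", replay_is_rejected())
```

A prover holding the wrong key fails at the first verifier check, and a verifier holding the wrong key fails at the prover's confirmation, which is the point of authenticating in both directions.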

Brute Force Glitch Attacks

Glitch injection is a brute force attack where an adversary creates a significant amount of noise in the system or on your chip to cause the chip to behave in an unusual way. This can be done by simply shorting or zapping the chip’s power supply, often just by taking a paperclip and shorting some of the power supplies to ground. It is impossible to predict where any errors might appear in your chip when this is done. However, your adversary is hoping that these glitches or bit flips will appear within a lifecycle control circuit within the chip.
[Figure: Chris Tarnovsky at Blackhat]

Tarnovsky, Chris. (2010, July 28). Semiconductor Security Awareness Today & Yesterday at Blackhat 2010. Retrieved from https://www.youtube.com/watch?v=WXX00tRKOlw

A lifecycle control is how a security chip distinguishes between its insecure manufacturing state and its highly secure in-field state. When a chip boots, when it is first powered up, an adversary will attempt to glitch it, trying to confuse the chip to believe it is ‘waking up’ for the first time in an insecure manufacturing state. In this state, nonvolatile memory contents can be unloaded directly, and scan chains might be re-enabled. Put simply, a maliciously induced insecure manufacturing state makes the chip highly vulnerable to attackers.

The countermeasures for glitch injections are usually chip-level protections. This means the entire chip is protected against glitching, for example, with on-chip regulators that create internal-only voltages used to power up the logic that controls lifecycle controls. Another aspect of glitch attacks on a chip is how they relate to fault injection, which is much more of a surgical attack. In contrast, glitch attacks target the entire chip at once and are considered very heavy handed.

Environmental Attacks

Every chip in a system is designed to operate within a range of voltages and temperatures. An adversary who takes control of a system can raise the voltage, lower the temperature, or do both at once. This forces the chip to operate in an environment it was not designed for. The technique is similar to the glitch attack we described earlier. The intent of an environmental attack is to cause the chip to malfunction when it is booting, so the chip ‘wakes up’ in an insecure manufacturing state rather than a secured in-field state.

[Figure: Environmental Attacks - temperature and voltage]

The countermeasures for these attacks are quite similar to those used to protect against glitch injection attacks. They are usually provided at the chip level by sensors and alarms that monitor the external voltages applied to the chip and its ambient operating temperature. Another countermeasure for environmental attacks is the ‘first to fail’ circuit, which is built with the smallest design margin. After a secure computation completes, you check the output of these ‘first to fail’ circuits to verify that they operated correctly; if they did, the secure circuits, which have more design margin, must also have completed correctly.

Scaling Anti-tamper Countermeasures to Meet a Range of Threats
https://www.rambus.com/blogs/scaling-anti-tamper-countermeasures-to-meet-a-range-of-threats/
Tue, 23 Jun 2020 20:49:13 +0000

In a new webinar, Scott Best, the director of anti-counterfeiting products and technologies in the Security business at Rambus, discusses how the design of anti-tamper protection needs to recognize and scale with rising threats. Adversaries range from high school hackers to well-funded state actors. As such, Scott details how it’s useful to think about anti-tamper countermeasures as a hierarchy of safeguards that parallel the type, effort and expense of attacks.

The categories of tampering attacks include:

  • Non-invasive: usually passive, the attacker monitors the operation of the chip but does not try to modify its normal operation
  • Semi-invasive: an attacker induces electrical failures within the chip and monitors the resulting effects
  • Fully invasive: often destructive attacks where an attacker bypasses shields, modifies signal connectivity, etc.
  • Reverse engineering: destructive analysis of the chip aimed at obtaining the non-volatile memory (NVM) contents or recovering netlist algorithms

One of the values of thinking about the threat in this hierarchical manner is that it aids in planning the anti-tamper defenses for a chip appropriate to the motivation and funding of the attacker. For instance, if a chip is going into a military platform that could fall into the hands of a state-actor adversary, then it should be hardened against the full range of tampering attacks.

Within this context, Scott details eleven categories of tampering attacks ranging from protocol and software attacks to NVM extraction attacks. For each category, he lays out the resources and skills adversaries employ and the countermeasures to counter these attacks. It’s a great road map for chip makers planning the anti-tamper safeguards they need to incorporate into their designs. You can listen to a replay of the full webinar here.

Major Medical Equipment Magazines Highlight Rambus ACF
https://www.rambus.com/blogs/major-medical-equipment-magazines-highlight-rambus-acf/
Wed, 16 Jan 2019 15:59:16 +0000

Anti-counterfeiting (ACF) technology is in greater demand across all industry sectors. It comes at a time when major product brands are being attacked by large, shady but technologically savvy organizations that are out to make big and fast money.

Paul Karazuba, Senior Director, Product Marketing, and Scott Best, Technical Director, for Rambus’ Cryptography Products Division, each wrote an article in major medical equipment publications to call attention to this problem and prescribed the best cures for ACF.

[Figure: Medical Equipment]

Karazuba’s article appeared in MD&DI, while Best’s article is in Medical Design Technology Magazine (Part 1, Part 2). See links to the articles at the bottom of this blog.

Medical equipment is one of the hardest hit sectors, according to these Rambus authors. Karazuba points out that “Counterfeit medical devices and equipment enter the legitimate healthcare supply chain in many instances because buyers are looking at their bottom line and seeking the best price.  This is an open invitation to counterfeiters to hit those lower price points with their fake goods.”

He adds that major concerns focus on patient safety relating to counterfeit medical equipment.  Those non-FDA qualified devices and equipment pose the greatest health risks to medical patients. Here, the spectrum is extensive going from inaccurate diagnosis on to injury and even death.  There’s also the associated potential OEM liability and brand issues that come into the picture.

According to Karazuba and Best, the best route for medical equipment OEMs to take against counterfeiting is to adopt a hardware prover chip solution together with verifier software, a secure manufacturing flow, and a challenge/response protocol between verifier and prover—all in one platform for the medical equipment OEM.

The authors call attention to the problem of differential power analysis (DPA), which gives the adversary carte blanche for counterfeiting operations. However, the Rambus ACF solution generates the response to a challenge in such a way that it is immune from DPA attacks.

“At the secure manufacturing flow stage, the prover chip undergoes specific and controlled steps during the manufacturing process before it goes to the medical equipment OEM for installation,” Best explains.   He adds that this secure manufacturing flow is necessary to prevent theft of an authentic prover chip.  “This is the most cost-effective way for a counterfeiter to deliver compatible to the market,” Best says.

To learn more about Rambus ACF solutions, click here.

Rambus is @ escar Europe 2017
https://www.rambus.com/blogs/rambus-is-escar-europe-2017/
Mon, 06 Nov 2017 16:36:55 +0000

Written by Joe Gullo

As we fast approach escar Europe in Berlin (November 7-8), our Rambus security team is reflecting on the continued and rapid evolution of the automotive space. For example, the trend towards autonomous vehicle adoption is rapidly growing, although mainstream acceptance and implementation will likely take longer to ramp.

While progress on the technical side is moving at a steady cadence, the path towards autonomous vehicles must be traveled carefully due to a range of safety and security concerns from consumers, legislators and major industry players. Addressing these concerns is critical to actualizing the vision of an autonomous automotive future. At Rambus, we believe the industry is taking a number of positive steps to do just that.

These include:

  • Convening conferences to facilitate the sharing of valuable research and findings from the best and brightest minds, including the three annual escar events.
  • Forming industry consortiums – such as FASTR – that develop solutions to challenging security problems.
  • Creating academic, government and industry alliances like Mcity. These alliances foster collaborative environments and encourage the timely development of industry standards to address both near and long-term engineering and security issues.

Specific automotive security issues that are routinely discussed at conferences and beyond include altered over-the-air (OTA) firmware updates, unsecure vehicle-to-vehicle communication, the unauthorized collection of driver or passenger information, seizing control of critical systems such as brakes or accelerators, intercepting vehicle data and tampering with third-party dongles.

In addition to protecting vulnerable automotive systems from malicious attackers, manufacturers are constantly trying to find more effective ways of keeping stolen and counterfeit components out of the vehicle supply chain. Nevertheless, a wide range of grey market devices can still be found powering high-value modules such as in-vehicle infotainment systems and headlights, as well as in critical safety systems including airbag modules, braking modules and powertrain controls.

At Rambus, we are working to help address the above-mentioned security concerns with our partners and customers. As well, we routinely participate in automotive industry events throughout the year with a broad range of businesses, academic institutions and individuals. At escar Europe in Berlin (November 7-8), our team will be showcasing a number of automotive security solutions and engaging with our peers. Please stop by our booth at the Hotel nhow Berlin to say hello and learn more about our automotive product portfolio.

The high price of counterfeit automotive ICs
https://www.rambus.com/blogs/the-high-price-of-counterfeit-automotive-ics/
Wed, 25 Oct 2017 15:51:29 +0000

The use of stolen and counterfeit automotive components has increased significantly in recent years. A wide range of grey market devices can be found powering high-value modules such as in-vehicle infotainment systems and headlights, as well as in critical safety systems including airbag modules, braking modules, and powertrain controls. The deployment of sub-par counterfeit components is likely to negatively impact driver and passenger safety, quickly erode OEM and supplier brand equity, and decrease sales of authentic aftermarket modules.

As ECN’s Paul Pickering notes, counterfeit semiconductor products may be empty packages, packages with the wrong die, or packages without bond wires.

“These are non-functional and easy to spot, but a more insidious approach is to take functioning parts and alter them in ways that are hard to detect,” he explained.

“Examples include new product codes; RoHS markings on noncompliant products; high-performance markings on low-performance products; or automotive- or military-grade designations on commercial-grade parts… Such components may pass initial inspection and sample testing. They may not fail until months or years after they’re installed, leading to an increased incidence of field failures, government-mandated recalls, loss of reputation, and even loss of life.”

Some of the risks associated with counterfeit automotive ICs were highlighted in 2014 when the FBI charged Marc Heera with selling a cloned version of the Hondata s300, a plug-in module for the engine computer that reads data from sensors in Honda cars. According to IEEE Spectrum, the Hondata s300 automatically adjusts the air-fuel mixture, idle speed, and other factors to improve performance. Moreover, the plug-in also allows users to monitor the engine via Bluetooth and make their own adjustments.

“The clones certainly looked like the genuine product, but in fact they contained circuit boards that had likely been built in China, according to designs Heera had obtained through reverse engineering,” Mark M. Tehranipoor, Ujjwal Guin and Swarup Bhunia wrote in an April 2017 IEEE Spectrum article. “Honda warned that cars using the counterfeits exhibited a number of problems, including random limits on engine rpm and, occasionally, failure to start. Devices that connect to an engine control unit (ECU) present particular safety concerns; researchers have demonstrated that, through ECU access, they could hijack a car’s brakes and steering.”

According to Joe Gullo, the senior director for partnerships at Rambus, ensuring the authenticity of automotive systems is absolutely critical to maintaining a safe environment for vehicle drivers and passengers.

“This is precisely why security cores such as Rambus’ CryptoFirewall offers automotive OEMs a commercially-available, proven design to determine vehicle system authenticity,” he told Rambus Press.

More specifically, Rambus’ CryptoFirewall solution for the automotive sector consists of a security chip embedded in a module, along with verifier firmware integrated into the processor on an in-vehicle network.

“The firmware challenges the security chip and, based on the response, determines the authenticity of the module,” he added. “This can be done across any interface protocol, such as CAN or Ethernet, allowing for simple integration into any vehicle architecture.”

When power becomes a problem
https://www.rambus.com/blogs/when-power-becomes-a-problem-2/
Wed, 29 Jul 2015 16:25:25 +0000

Semiconductor Engineering editor in chief Ed Sperling recently reported that the current emphasis on lowering power – in everything from wearable electronics to data centers – is turning into a “perfect storm” for the semiconductor ecosystem.

“In the past, most issues involving power—notably current leakage, physical effects such as electromigration, electrostatic discharge, RC delay and reduced battery life from inefficient designs—were dealt with by large, sophisticated engineering teams at leading-edge process nodes,” Sperling explained.


“When they couldn’t solve those problems the foundries stepped in and adjusted their processes. But with 55nm now considered a mainstream process for the Internet of Things, and most designs now using multiple cores and power domains—sometimes as many as 100 power domains per design—everyone is being forced to grapple with incredibly complex power techniques.”

To make matters worse, says Sperling, the manufacturing side is already dealing with its own power-related problems, which includes shrinking gate oxides between ever-thinner wires, increasing dynamic power density at 16/14nm and beyond, as well as a massive industry effort to create next-generation processes capable of handling increasingly complex designs.

According to Steven Woo, VP of enterprise solutions technology at Rambus, one particular issue that continues to grow in importance is power integrity.

“A good analogy is what happens if you turn on all the water inside a building,” Woo told Semiconductor Engineering. “You lose pressure everywhere. For a chip, if you turn on every subsystem, that’s devastating. You may not have enough voltage to turn on everything, and power integrity goes down.”

Not surprisingly, power-related security concerns may also prompt a reassessment of how future chips and electronics are designed.

“Security requires power to operate, but the flip side is that power is noisy. When you activate circuits you can monitor that noise,” he added. “There’s a growing problem with differential power analysis. What it really comes down to is that you’re trying to give confidence for some period of time, so now you have to determine what is a useful lifetime and how long you’re going to guard it.”

As we’ve previously discussed on Rambus Press, physical electronic systems routinely leak information about the internal process of computing. In practical terms, this means attackers can exploit various side-channel techniques to gather data and extract secret cryptographic keys.

As such, the Rambus Cryptography Research division has designed a range of DPA countermeasures that offer a combination of software, hardware and protocol techniques specifically designed to protect tamper-resistant devices from side-channel attacks. These include leak reduction, incorporating randomness, generating amplitude and temporal noise, as well as executing protocol-level countermeasures.

Interested in learning more about how Rambus is helping to secure SoCs, devices and content? You can read more about our DPA countermeasures here, CryptoFireWall Cores here and CryptoManager platform here.
