USE-IT 2007, Toulouse France Valery Ray PBS&T FREUD Methods FIB Invasive Attacks and Countermeasures.

1 USE-IT 2007, Toulouse France
Valery Ray, vray@partbeamsystech.com, PBS&T
FREUD Methods
FIB Invasive Attacks and Countermeasures

2 6/13/2016 USE-IT 2007, Toulouse France
F R E U D ® Functional Reverse Engineering of Undocumented Devices ®
Extraction of functionality and data without full reverse-engineering of manufacturing process

3 Outline
• Targeted Devices and Applications
• Workflow of FIB process
• Signal extraction and injection, RC issues
• Limitations of existing FIB technology
• Countermeasures to FIB methods

4 Workflow of “FIB invasion”
• Layout capture and location of nodes
• Navigation and positioning
• Bypassing protective shields, if needed
• Making contacts, injecting and extracting data

5 Layout Capture and Node Location
[Figure labels: Alignment Reference, Data Nodes, Targeted Node]

6 FIB Navigation to Nodes
• Must be done by coordinates – lines are small and shield prevents direct navigation with optics;
• Have to use sacrificial device for locating nodes, two devices for small-linewidth shielded ICs;
• Two steps of localization – coarse and precise;

7 Coarse Navigation on Sacrificial Device(s)
• Scan tiles, stitch bitmap, locate nodes
• Establish coordinate conversion by references
• Convert bitmap coordinates to FIB stage position
• Do laser mark under OM and locate the mark in FIB – obtain FIB coordinates

8 References and Nodes in FIB
Use alignment references for navigation and deprocess nodes to capture position

9 Navigation with Local Alignment
• Accuracy of FIB stage is limited – how to navigate on small-linewidth devices?
• Shield is preventing optical navigation
• Use reference points for coordinate navigation
• Use protective shield as your local reference!

10 Electrically Bypassing Shield
• Bypass protective shield locally
  » Works on analog and digital shields
  » One or two lines may need bypassing per contact
  » Takes 30 to 120 min. of FIB time per contact
• Bypass entire shield
  » Best for analog shields
  » Takes 30 to 120 min. of FIB time per device
  » Requires follow up by non-FIB techniques

11 Shield Disabling
• Disable shield control circuitry
  » Requires detailed analysis of layout
  » Simulate “OK” shield on input of circuitry
  » Simulate “OK” output (no interrupts, alarms, etc.)
• Disable “NOK” actions
  » Requires detailed analysis of layout
  » Cut output of charge pump – disable flash erase!
  » Cut “security interrupt” nodes

12 Making Contacts and Pads
Create HAR vias to connect to the nodes and deposit contact pads for probing
Clean overspray of metal depo

13 Data Extraction
• Connect contact pads to data acquisition equipment by microprobing
• Ensure proper buffering of the connection lines – internal nodes can’t drive 100pF cable
• Use ultra-low capacitance buffers for glitch recovery

14 Signal injection
• Injection of impulses into data bus can alter execution of embedded code
• Basic application: disrupt end of loop command during ATR – data memory could be extracted
• Suitable injection buffers are not available from OEMs of pattern generators – design and build your own!

15 Limitations of existing FIB technology
• Accuracy of navigation
  » Targeting multiple nodes on <150nm devices by coordinates is unreliable – use local reference.
• Aspect ratio of contacts
  » Detection of endpoint on contacts deeper than 20:1 depth/width requires “aftermarket tune-up”
• Linewidth (technology node) limitations
  » Making deep contacts smaller than 150 nm is a high art

16 Countermeasures against FIB
• FIB attacks are a high-cost effort and can be made uneconomical for commercial hacking:
  » Planarize devices and use small linewidth
  » Thick copper metal shields are difficult to cut
  » Use Liquid Crystal Polymer passivation
  » Use leakage-sensitive analog shields and double shield layers
  » Introduce “jitter” to shield position – prevent local referencing for navigation (easy with analog shields)

17 Summary
• FREUD by FIB methods can’t be prevented, but can be made uneconomical (>>100K/device)
• Basic countermeasures are relatively inexpensive in manufacturing – planarize devices, use thick copper plate in addition to active shield
• Advanced countermeasures become viable as cost of IC manufacturing is reduced: active double-shielding, LCP (Liquid Crystal Polymer) passivation

18 USE-IT 2007, Toulouse France www.partbeamsystech.com