Reverse-engineering ICs can be very capital intensive. Traditionally, this process consists of many steps including depackaging, imaging, rebonding and probing. This becomes increasingly difficult as feature sizes shrink and as chips implement additional countermeasures. This work demonstrates how ICs can be reverse-engineered via backside optical analysis.
Many of today’s techniques for reverse-engineering integrated circuits (ICs) are actually techniques borrowed from the failure analysis community. Traditionally, such methods for reverse-engineering ICs require a substantial amount of experience in operating several expensive pieces of test equipment. Without this knowledge and equipment, it is becoming increasingly difficult for anyone who wants to begin reverse-engineering ICs to get their foot in the door. Moreover, the traditional analysis methods are a very lengthy process consisting of multiple steps including depackaging, imaging, rebonding and probing. As feature sizes continue to shrink and as vendors implement additional defenses and layers of obfuscation, such as active meshes, attackers have to continue to improve on their techniques to keep pace with the vendors.

This work demonstrates how ICs can be reverse-engineered via semi-invasive backside optical analysis. Because it is a form of backside analysis, it completely bypasses any defenses implemented in the upper layers of the IC. The sample preparation process is substantially simplified and can be essentially eliminated for newer ICs. By executing specific code on the chip, important functional groups of the IC can be quickly and easily identified. Moreover, the spatial resolution of the emission images reveals the exact location of critical registers. Since memory accesses also result in characteristic emission patterns, commonly used static variables such as encryption keys can be recovered at runtime. Hardware accelerated implementations no longer have to be probed, since the registers can be read out optically. When combined with invasive frontside methods, this technique can greatly reduce the amount of effort that must go into identifying vulnerable areas of the IC.