Training
OBJECTIVE
In the security industry it is common to assume that security implemented in hardware is in to analysis. In reality the hardware may be the most vulnerable component of a security system. Analyzing hardware requires some additional knowledge about circuits, the engineering and especially the manufacturing. However, the skills required for performing vulnerability and/or risk analysis of the underlying circuit are very similar to vulnerability analysis of software.
This training will provide security professionals the skills necessary for performing the vulnerability analysis of Integrated Circuits (ICs). Students who complete this course will be familiar with all important classes of low-level hardware attacks. Students will have an opportunity to study several real-world examples of devices with different classes of vulnerabilities. Students will then develop analysis strategies for the target devices and will apply these strategies for extracting the data from images of the device.
Topics Covered during the course:
- IC analysis
- Code Extraction
- ROM
- Flash
- Databus
- Focused Ion Beam Edits
- ROM Decryption
- Feature Extraction
- SEM Imaging
- Optical Imaging
- Sample Preparation
INTRODUCTION
- Recommended reading
- Background on Hardware Security
- Reverse-engineering mindset
- History of hardware hacking
- Smartcard security
- Overview of analysis techniques
- Previous and current threat models
- Common Criteria and certification
- Piracy and monetization scenarios
BACKGROUND: IC REVERSE-ENGINEERING BASICS
- What is a chip?
- CPU architecture basics
- Synthesized logic vs. licensed and/or IP blocks
Assignment 1: Identification of Functional Block
BACKGROUND: THE IC MANUFACTURING PROCESS
- Steps in IC manufacturing
- Lithography and photolithographic masks
- Device layers and their role
- Standard CMOS process
- CMOS Layout
- Packaging Techniques
- ASIC design cycle
- Costs associated with manufacturing
CONSTRAINTS FOR IC ANALYSIS
- Planirization
- Proprietary material makeup
- Black box analysis
- Overall device complexity
DIGITAL CIRCUITS
- Transistors
- Theory of operation
- Theory of malfunctions
- Combinatorial logic
- Register Transfer Logic
Assignment 2: Logical Functions
CMOS LAYOUT
- Basic gates
- Complex gates
- Finite State Machines
Assignment 3: Reconstructing the Cell Library
IC FAILURE ANALYSIS
- Deprocessing
- Wet-Chemical
- CMP
- Dry-Chemical (Plasma)
- Imaging
- Optical
- SEM
- Laser scanning
- Invasive tools
- EZ Laze
- FIB
- Microprobing
SECURITY ANALYSIS OF TARGETS
- What to look for and why?
- Countermeasures
- Sensors
- Erasing memories
- Shields
- FIB Bypass of a shield
- FIB edit of shields
- Introduction to ROM Extraction
- Optical readout
- Scripting for ROM reading with FiJi
- Memory architectures
- Addressing and data multiplexing
Assignment 4: ROM Extraction
SECURITY ANALYSIS OF TARGETS (PART II)
- Strategies for reading out non ROMs
- EEPROM
- Flash
- Fuses
- OTP
- Microprobing
- Linear Code Extraction
Assignment 5: Dynamic Extraction Techniques
SECURITY ANALYSIS OF TARGETS (PART III)
- Potential countermeasures
- Techniques to manipulate the control flow after startup
Assignment 6: Manipulating the Execution Flow
ADVANCED ANALYSIS TECHNIQUES
- Accessing different memory regions
- Devise a fully-invasive strategy for extracting data
Assignment 7: Focused Ion Beam Circuit edit
POTENTIAL LIMITATIONS
- Amount of probe points
- Capacitance
- Smaller technologies
FUTURE OF IC ANALYSIS
- Automated analysis techniques
- Outsourcing the anlaysis workflow
- IC anlaysis of SoCs
- Device emulation
- IC obsolecense
- Patent Infringement
WHO SHOULD TAKE THIS COURSE
- Integrated Circuit (ICs) and Failure Analysis (FA) engineers
- Engineers involved in securing hardware platforms against attacks
- Researchers who want to understand the nature of many hardware attacks
- Security Team leaders
- Hardware hackers who want to become familiar with attacks on integrated circuits
- Parties involved in hardware Reverse-Engineering and vulnerability analysis
- Software / network security analysts who want to get into IC security evaluation
WHAT STUDENTS SHOULD BRING
- Students can come hands free as workbook and pens will be provided ;-)
- Having a laptop can be useful to follow the course on screen with the PDF version (without assignment solutions that will also be provided at the end of the training).
WHAT STUDENTS WILL BE PROVIDED WITH
- Student will be provided with:
- workbook with all assignments
- PDF file of the training with and without assignments solutions
OLIVIER THOMAS
Oliver THOMAS studied Electrical Engineering (EE) and subsequently worked for a major semiconductor manufacturer designing analog circuits. Subsequently, Olivier began to work in the field of Integrated Circuit (IC) security as the head of one of the world's leading IC Analysis Labs. The lab primarily focused on securing future generation devices as well as developing countermeasures for current generation devices to combat piracy and counterfeiting. During this time Olivier helped develop many new and novel techniques for semi- and fully-invasive IC analysis. He has an extensive background in all the Failure Analysis techniques and equipment necessary for accessing vulnerable logic on a target device. Combined with his experience as an IC design engineer, Olivier continues to develop techniques for automating the analysis process. These techniques are not only applicable to lower-complexity devices such as smartcards, which are the traditional targets for IC analysis, but they are applicable to modern semiconductor devices with millions of gates, such as modern System-on-Chips (SoCs). Olivier is the author of ARES (Automated Reverse Engineering Software), a software toolchain for the efficient analysis of designs of independent of their logical size. He is the founder and a security consultant at Texplained SARL.
