Founder and Security Consultant at Texplained SARL.
The undercover world of Reverse-Engineering based Integrated Circuit attacks
Invasive attacks are more than two decades old, and the accepted Integrated Circuit attack classification seems to have been built around the invasive criterion. Non- and semi-invasive attacks represent the vast majority of the research related to IC security, in a context where hardware vulnerabilities have become a hot topic with attacks such as Spectre and Meltdown. In that context, it is legitimate to consider the security of an Integrated Circuit at the silicon level, as transistors are the first functional layer and therefore the initial root of trust. Invasive attacks are still described as being expensive, time-consuming and requiring multi-disciplinary expertise. Those considerations, among others, have kept them far from the public domain. On the other hand, invasive attacks have been considered the most powerful attacks since their first appearance in the pay-TV domain and are still widely used by pirates and counterfeiters. Integrated Circuit Reverse-Engineering has been introduced into the invasive attack workflow more recently. This technique seems not to have significantly reached the public domain, while pirate groups have been using dedicated tools for more than a decade. One should now consider that pirates can not only dump embedded software but also recover hardware functions. This improves their attack capabilities but also raises questions about hardware trojan introduction during the IC manufacturing process or patent violation. This talk aims at demonstrating the capabilities of Reverse-Engineering based invasive attacks and their impact on various known attacks. It will show how vulnerabilities can be found in an automated way, while some new techniques can be created by taking advantage of a better understanding of the IC, even in a black-box scenario.
Finally, it will discuss the complexity, cost and resources involved in those techniques, as proper evaluation will be key for Reverse-Engineering based techniques to reach the public domain, allowing for more targeted countermeasure design, faster overall security assessment and benchmarking, increased forensic capabilities, etc.
Olivier Thomas studied Electrical Engineering (EE) and subsequently worked for a major semiconductor manufacturer designing analog circuits. Olivier then began to work in the field of Integrated Circuit (IC) security as the head of one of the world's leading IC Analysis Labs. The lab primarily focused on securing future-generation devices as well as developing countermeasures for current-generation devices to combat piracy and counterfeiting. During this time Olivier helped develop many new and novel techniques for semi- and fully-invasive IC analysis. He has an extensive background in all the Failure Analysis techniques and equipment necessary for accessing vulnerable logic on a target device. Combined with his experience as an IC design engineer, Olivier continues to develop techniques for automating the analysis process. These techniques are not only applicable to lower-complexity devices such as smart cards, which are the traditional targets for IC analysis, but also to modern semiconductor devices with millions of gates, such as modern System-on-Chips (SoCs). Olivier is the author of ARES (Automated Reverse Engineering Software), a software toolchain for the efficient analysis of designs independent of their logical size. He is the founder and a security consultant at Texplained SARL.