OBJECTIVE

In the security industry it is common to assume that security implemented in hardware is in to analysis. In reality the hardware may be the most vulnerable component of a security system. Analyzing hardware requires some additional knowledge about circuits, the engineering and especially the manufacturing. However, the skills required for performing vulnerability and/or risk analysis of the underlying circuit are very similar to vulnerability analysis of software.

This training will provide security professionals the skills necessary for performing the vulnerability analysis of Integrated Circuits (ICs). Students who complete this course will be familiar with all important classes of low-level hardware attacks. Students will have an opportunity to study several real-world examples of devices with different classes of vulnerabilities. Students will then develop analysis strategies for the target devices and will apply these strategies for extracting the data from images of the device.

Topics Covered during the course:

• IC analysis
• Code Extraction
• ROM
• Flash
• Databus
• Focused Ion Beam Edits
• ROM Decryption
• Feature Extraction
• SEM Imaging
• Optical Imaging
• Sample Preparation

INTRODUCTION

• Recommended reading
  • Background on Hardware Security
  • Reverse-engineering mindset
  • History of hardware hacking
  • Smartcard security
• Overview of analysis techniques
• Previous and current threat models
• Common Criteria and certification
• Piracy and monetization scenarios

BACKGROUND: IC REVERSE-ENGINEERING BASICS

• What is a chip?
• CPU architecture basics
• Synthesized logic vs. licensed and/or IP blocks

Assignment 1: Identification of Functional Block

BACKGROUND: THE IC MANUFACTURING PROCESS

• Steps in IC manufacturing
• Lithography and photolithographic masks
• Device layers and their role
• Standard CMOS process
• CMOS Layout
• Packaging Techniques
• ASIC design cycle
• Costs associated with manufacturing

CONSTRAINTS FOR IC ANALYSIS

• Planirization
• Proprietary material makeup
• Black box analysis
• Overall device complexity

DIGITAL CIRCUITS

• Transistors
  • Theory of operation
  • Theory of malfunctions
• Combinatorial logic
• Register Transfer Logic

Assignment 2: Logical Functions

CMOS LAYOUT

• Basic gates
• Complex gates
• Finite State Machines

Assignment 3: Reconstructing the Cell Library

IC FAILURE ANALYSIS

• Deprocessing
  • Wet-Chemical
  • CMP
  • Dry-Chemical (Plasma)
• Imaging
  • Optical
  • SEM
  • Laser scanning
• Invasive tools
  • EZ Laze
  • FIB
  • Microprobing

SECURITY ANALYSIS OF TARGETS

• What to look for and why?
• Countermeasures
  • Sensors
  • Erasing memories
  • Shields
• FIB Bypass of a shield
  • FIB edit of shields
• Introduction to ROM Extraction
  • Optical readout
  • Scripting for ROM reading with FiJi
• Memory architectures
  • Addressing and data multiplexing

Assignment 4: ROM Extraction

SECURITY ANALYSIS OF TARGETS (PART II)

• Strategies for reading out non ROMs
  • EEPROM
  • Flash
  • Fuses
  • OTP
• Microprobing
• Linear Code Extraction

Assignment 5: Dynamic Extraction Techniques

SECURITY ANALYSIS OF TARGETS (PART III)

• Potential countermeasures
• Techniques to manipulate the control flow after startup

Assignment 6: Manipulating the Execution Flow

ADVANCED ANALYSIS TECHNIQUES

• Accessing different memory regions
• Devise a fully-invasive strategy for extracting data

Assignment 7: Focused Ion Beam Circuit edit

POTENTIAL LIMITATIONS

• Amount of probe points
• Capacitance
• Smaller technologies

FUTURE OF IC ANALYSIS

• Automated analysis techniques
• Outsourcing the anlaysis workflow
• IC anlaysis of SoCs
• Device emulation
• IC obsolecense
• Patent Infringement

WHO SHOULD TAKE THIS COURSE

• Integrated Circuit (ICs) and Failure Analysis (FA) engineers
• Engineers involved in securing hardware platforms against attacks
• Researchers who want to understand the nature of many hardware attacks
• Security Team leaders
• Hardware hackers who want to become familiar with attacks on integrated circuits
• Parties involved in hardware Reverse-Engineering and vulnerability analysis
• Software / network security analysts who want to get into IC security evaluation

WHAT STUDENTS SHOULD BRING

• Students can come hands free as workbook and pens will be provided ;-)
• Having a laptop can be useful to follow the course on screen with the PDF version (without assignment solutions that will also be provided at the end of the training).

WHAT STUDENTS WILL BE PROVIDED WITH

• Student will be provided with:
  • workbook with all assignments
  • PDF file of the training with and without assignments solutions

MINIMUM SOFTWARE TO INSTALL

• VMware Player, VMware Workstation, VMware Fusion or Virtualbox.
• Virtual machine images will be distributed at the training along with all the written assignments.

OLIVIER THOMAS

Oliver Thomas studied Electrical Engineering (EE) and subsequently worked for a major semiconductor manufacturer designing analog circuits. Subsequently, Olivier began to work in the field of Integrated Circuit (IC) security as the head of one of the world's leading IC Analysis Labs. The lab primarily focused on securing future generation devices as well as developing countermeasures for current generation devices to combat piracy and counterfeiting. During this time Olivier helped develop many new and novel techniques for semi- and fully-invasive IC analysis. He has an extensive background in all the Failure Analysis techniques and equipment necessary for accessing vulnerable logic on a target device. Combined with his experience as an IC design engineer, Olivier continues to develop techniques for automating the analysis process. These techniques are not only applicable to lower-complexity devices such as smartcards, which are the traditional targets for IC analysis, but they are applicable to modern semiconductor devices with millions of gates, such as modern System-on-Chips (SoCs). Olivier is the author of ARES (Automated Reverse Engineering Software), a software toolchain for the efficient analysis of designs of independent of their logical size. He is the founder and a security consultant at Texplained SARL.