E-MATA HARI - IES Institut d'Electronique

Post on 10-Aug-2019


E-MATA HARI: Electromagnetic Analysis, Deciphering and Reverse Engineering of Integrated Circuits

Laurent Chusseau, Rachid Omarouayache, Jérémy Raoult, Sylvie Jarrix, Philippe Maurine, Karim Tobich, Alexandre Boyer, Bertrand Vrignon, John Shepherd, Thanh-Ha Le, Maël Berthier, Lionel Rivière, Bruno Robisson, Anne-Lise Ribotta

IES (Montpellier), LIRMM (Montpellier), LAAS-CNRS (Toulouse), Freescale (Toulouse), Safran Morpho (Osny), CEA-LETI (Gardanne), ENSMSE (Gardanne)

Context & Goals

• Context
  – Electronic money transactions
  – Private communications and/or secret data exchange
  – Need for certified secure ICs, both at software and hardware level

• State of the art
  – Cryptographic attacks on circuits are usually carried out by optical injection or by conducted interference injection
  – Electromagnetic attacks have just been proven efficient by some of us

• Goals
  – What can be observed, at best, in an integrated circuit (IC) by EM near-field scan?
  – Why and how does EM fault injection work?
  – What are the practical and theoretical limits of EM threats?

• Requirements
  – Knowledge of crypto circuits at hardware level (LIRMM, CEA, Freescale, Morpho)
  – Knowledge of crypto circuits at software level (Morpho, LIRMM, CEA)
  – Electromagnetic near-field / probes: design and realization (IES, LAAS, Freescale)
  – Skill in logic circuit EMC (LAAS, Freescale, IES)
  – EM attacks (LIRMM, CEA, ENSMSE)

Summary

• Probes: design, fabrication & characterization
  – Optimized new probes
  – Dedicated test chips
  – EM coupling experiments & models
  – mm-wave imagery

• EM attacks on circuits
  – EM platform
  – EM fault injection in AES
  – Bit-set & bit-reset
  – Fault propagation modeling

How does an EM fault occur?

Classical loop probe (diameter 2-5 mm): pulse injection in the probe
→ current induction in the lines
→ local power supply voltage change, or local logic level change
→ fault!

Probe figure of merit: spatial resolution, injection efficiency.

(Figure: loop probe above the chip substrate.)

Magnetic probes are more efficient than electric probes at f ≤ 1 GHz.

Ferrite rod optimized probe

Classical open loop: the resolution limit is ≈ the loop diameter ∅.

Concentrate the magnetic field → better resolution. Many loops with a thicker wire are possible → better efficiency.

Solution: add a ferrite core with a conical shape!

Simulation of ferrite probes

H field vs the distance to the tip d and vs the number of turns N (pulse tR = 3 ns, tW = 100 ns)

(Figure: H field amplitude (A/m) vs axis X (mm) for d = 20 µm, 50 µm, 100 µm and 200 µm, and for 1 turn vs 12 turns; realized and modeled probes; a ≈400 µm width is marked on a 0.5 mm scale, axis 0 to 5 mm.)

Ferrite rod of diameter 2 mm
• Spatial resolution ≈ 400 µm close to the tip
• Spatial resolution does not depend on N

Dedicated chips for probe testing

• Test chip designed with Freescale 0.25 µm SMARTMOS
• Contains various interconnect structures with high frequency on-chip voltage sensors (OCS) to measure local voltage fluctuations induced by the near-field injection
• Mounted in a CQFP64 package with a removable metallic lid

(Figure: Chip#1 3 mm × 4.5 mm and Chip#2 3 mm × 3 mm on a PCB control card. Labelled structures: wide power rails; power rails above power grid and logic blocks; power rails above analog blocks; power rail above logic blocks; OVS; die-to-die bonding between 50 Ω loads; die-to-die bonding between buffers; 50 Ω lines; buses OVS.)

On-chip EM measurements

(Figure: Structure 1, a set of 50 Ω transmission lines terminated by 50 Ω loads and referenced to a bandgap Vref, with line spacings of 0 µm, 0.455 µm, 5.5 µm, 10 µm, 30 µm, 70 µm, 120 µm and 320 µm; on-chip sensors; metal 2 connected to Vref; analog pad connected to Vref.)

Targeted structure: set of 50 Ω transmission lines with variable spacing
• Evaluate coupling between the probe and the lines (injection)
• Evaluate spurious coupling between the lines (injection)

CW injection on 50 Ω transmission lines, f = 1.4 GHz, PRF = 43 dBm
Scan altitude = 400 µm, scan step = 50 µm

• Voltage coupled on Struct1 lines vs probe position
• Distinguish two lines separated by more than 100 µm

(Figure: H-field map over Struct1, ≈ 300 µm wide response.)

Probe-sample model
• Equivalent circuit model extracted from S-parameters
• Coupling accounted for by mutual inductance vs frequency and vs distance

On-chip EM measurements: pulse injection on 50 Ω transmission lines

(Figure: measured (x) vs modeled pulse response.)

Ferrite probe, 5.5 turns, f = 10 MHz, tR = tF ≈ 10 ns, tW = 50 ns, VPP = 10 V

• Excellent behavior agreement
• True input pulse shape (overshoot) not accounted for

60 GHz near-field imagery

Plastics and ceramics are almost transparent to mm-waves
• Inspection of ICs through the package
• Identification of areas of interest for future EM injection

Setup: 60 GHz Gunn diode + isolator + 10 dB coupler + Schottky detector; piezo actuator; 60 GHz WR15 tuner; probe and its reflection.

Packaged IC imaged with an open waveguide: spatial resolution ≈ 1 mm (metalizations between die and connecting pads are visible).

E-probe @ 60 GHz
Resolution limit on a square angle @ h = 5 µm
Spatial resolution 33 µm, i.e. λ/150

Both should be merged… still to come

60 GHz near-field imagery

(Figure: mm-wave image of the die through the package, axes in mm.)

We are able to inspect through the package

Summary

• Probes: design, fabrication & characterization
  – Optimized new probes
  – Dedicated test chips
  – EM coupling experiments & models
  – mm-wave imagery

• EM attacks on circuits
  – EM platform
  – EM fault injection in AES
  – Bit-set & bit-reset
  – Fault propagation modeling

New EM attack platform

• Technical datasheet
  – 3 motorized axes (step size 0.1 µm)
  – Faraday cage isolation
  – Flexible probe support for emitting or receiving probes
  – Modified smartcard reader (accepts current Side Channel Attack)
  – Oscilloscope monitoring and PC controlled

• Suitable for…
  – Mapping in EM listening mode
  – Pulse injection (up to 200 V peak)

Problem of EM attack on secure ICs

1. Enhance EM injection
   → improve spatial resolution
   → improve EM power transfer to IC (figure of merit of the probe, impedance matching)

2. Enhance the capability of EM injection
   → single-bit and multi-bit timing faults have been demonstrated
   → it is not enough for smartcards…

3. Enhance the protection of future ICs and smartcards
   → simulate fault propagation at hardware level
   → help to define countermeasures

Timing faults on AES

AES mapped into an FPGA operating @ 50 MHz & 100 MHz; attack with ferrite probes and positive or negative square pulses

• Positive pulses are more efficient: layout dependent?
• Fault probability depends on clock frequency: timing faults
• Compared to a single loop, ferrite probes are more efficient
  → strong reduction of the pulse intensity needed to produce the fault

EM attack enhanced by probe optimization

Effects of EM injection on secure circuits

(Figure: two D flip-flops, D1/Q1 and D2/Q2, connected through a LOGIC block and clocked by CK and CK1 with a skew δ between them; EM coupling acts on the clock and data nets and on Vdd-Gnd.)

Timing constraint of the register-to-register path, with CK1 the clock edge seen by the first flip-flop and δ the skew:

$$T_{CK} - \delta > T_{CK1 \to Q1} + T_{Q1 \to D2} + T_{SETUP}$$

Moderate intensity: EM coupling perturbs the delays and the skew so that the inequality no longer holds → timing fault.

High intensity: the coupled voltage swings the nets through Vdd/2 (Vdd-Gnd) → inversion → bit-set or bit-reset!

Bit-set and bit-reset on secure circuits

(Figure: register banks DFF 0 to 7, DFF i+8 to i+15 and DFF N-7 to N between Data_IN and Data_OUT; Reset (On = 0) and Set (On = 1); EM injection applied while CLK is stopped.)

Procedure: all bytes set to AA ('10101010'), CLK stopped (timing fault not allowed), EM injection, then read the data in memory.

• Deterministic errors
• EM injection is strongly localized
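One way to post-process the read-back of this experiment, as an added example that is not part of the slides: classify each flipped bit of the 0xAA pattern as a bit-set (0 to 1) or a bit-reset (1 to 0), locate the affected bytes, and check whether repeated injections at one probe position give the same result, which is how the "deterministic" and "strongly localized" observations are established. The memory dumps are constructed sample data.

```python
# Added example (not from the E-MATA HARI slides): classify read-back errors
# from the bit-set / bit-reset experiment. Memory is filled with 0xAA
# (binary 10101010), the clock is stopped so timing faults are excluded, and
# after EM injection the memory is read back. A 0->1 flip is a bit-set,
# a 1->0 flip is a bit-reset. The dumps below are constructed sample data.

PATTERN = 0xAA


def classify_byte(expected, observed):
    """Return (set_mask, reset_mask): bits that went 0->1 and bits that went 1->0."""
    set_mask = observed & ~expected & 0xFF
    reset_mask = expected & ~observed & 0xFF
    return set_mask, reset_mask


def classify_dump(dump, expected=PATTERN):
    """Per-byte fault report for one read-back: {offset: (kind, mask)}."""
    report = {}
    for offset, value in enumerate(dump):
        s, r = classify_byte(expected, value)
        if s and r:
            report[offset] = ("mixed", s | r)
        elif s:
            report[offset] = ("set", s)
        elif r:
            report[offset] = ("reset", r)
    return report


def fault_statistics(dumps, expected=PATTERN):
    """Aggregate repeated injections at one probe position.
    Returns (faulty_offsets, deterministic): the byte offsets touched by any
    injection, and whether every injection produced the same per-byte report."""
    reports = [classify_dump(d, expected) for d in dumps]
    faulty = sorted(set().union(*(r.keys() for r in reports)))
    deterministic = all(r == reports[0] for r in reports)
    return faulty, deterministic


# Constructed read-backs: 16 bytes; the injection sets bit 0 (0xAA -> 0xAB)
# in bytes 8 and 9 only, identically on three repeats (localized, deterministic).
CLEAN = [PATTERN] * 16
FAULTED = CLEAN[:8] + [0xAB, 0xAB] + CLEAN[10:]
REPEATS = [FAULTED, FAULTED, FAULTED]

if __name__ == "__main__":
    print(classify_dump(FAULTED))     # {8: ('set', 1), 9: ('set', 1)}
    print(fault_statistics(REPEATS))  # ([8, 9], True)
```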

EM faults modeling

Embedded fault simulation
– Concept
  • Embedded functionality which is able to interrupt the program execution to modify the context (variables, addresses, registers, program counter, …)
– Results
  • Realized fault models: instruction jump, memory modification
  • Application on software implementation: vulnerabilities identification

Conclusion

We have addressed EM attacks on ICs:
• EM listening of ICs is well-known (not investigated here)
• EM observation of ICs
  – New setup @ 60 GHz proposed
• EM fault injection
  – Dedicated optimized probes (ferrite, multiple loops)
  – In-situ probe characterization owing to dedicated test chips
  – Quantitative model of probe-circuit coupling
  – Timing faults observed on AES, efficiency improved with new probes
  – Bit-set and bit-reset demonstrated on smartcards
  – Embedded EM fault modeling tool

Expected future improvement in countermeasures against EM attacks

Thank you!