EMATA&HARI& - IES Institut d'Electronique fileVref Vref 50 Ω Line 0 µm Vref Vref Line 0.455 µm...
22
E"MATA HARI Electromagne4c Analysis, Deciphering and Reverse Engineering of Integrated Circuits Laurent Chusseau, Rachid Omarouayache, Jérémy Raoult, Sylvie Jarrix, Philippe Maurine, Karim Tobich, Alexandre Boyer, Bertrand Vrignon, John Shepherd, ThanhEHa Le, Maël Berthier, Lionel Rivière, Bruno Robisson, AnneELise RiboIa IES (Montpellier), LIRMM (Montpellier), LAAS4CNRS (Toulouse), Freescale (Toulouse), Safran Morpho (Osny), CEA4LETI (Gardanne), ENSMSE (Gardanne)
-
Upload
hoangtuyen -
Category
Documents
-
view
223 -
download
0
Transcript of EMATA&HARI& - IES Institut d'Electronique fileVref Vref 50 Ω Line 0 µm Vref Vref Line 0.455 µm...
E"MATA&HARI&Electromagne4c&Analysis,&Deciphering&and&Reverse&Engineering&of&Integrated&Circuits&
Laurent(Chusseau,(Rachid(Omarouayache,(Jérémy(Raoult,(Sylvie(Jarrix,(Philippe(Maurine,(Karim(Tobich,(Alexandre(Boyer,(Bertrand(Vrignon,(John(Shepherd,(
ThanhEHa(Le,(Maël(Berthier,(Lionel(Rivière,(Bruno(Robisson,(AnneELise(RiboIa((
IES$(Montpellier),$LIRMM$(Montpellier),$LAAS4CNRS$(Toulouse),$Freescale$(Toulouse),$Safran$Morpho$(Osny),$CEA4LETI$(Gardanne),$ENSMSE$(Gardanne)$
Context&&&Goals&• Context&
– Electronic(money(transacKons(– Private(communicaKons(and/or(secret(data(exchange(– Need(for(cerKfied(secure(IC(both(at(soQware(and(hardware(level(
• State&of&the&art&
– Cryptographic(aIacks(on(circuits(are(usually(managed(by(opKcal(injecKon(or(by(conducted(interference(injecKon((
– ElectromagneKc(aIacks(have(just(been(proven(efficient(by(some(of(us((
• Goals&
– What(can(be(observed,(at(best,(in(an(integrated(circuit((IC)(by(EM(nearEfield(scan?(– Why(and(how(EM(fault(injecKon(works?(– What(are(the(pracKcal(and(theoreKcal(limits(of(EM(threats?(
• Requirements&
– Knowledge(of(crypto(circuits(at(hardware(level((LIRMM,(CEA,(Freescale,(Morpho)(– Knowledge(of(crypto(circuits(at(soQware(level((Morpho,(LIRMM,(CEA)(– ElectromagneKc(nearEfield(/(Probes:(design(and(realizaKon((IES,(LAAS,(Freescale)(– Skill(in(logic(circuit(EMC((LAAS,(Freescale,(IES)(– EM(aIacks((LIRMM,(CEA,(ENSMSE)(
• Probes(:(design,(fabricaKon(&(characterizaKon(– OpKmized(new(probes(– Dedicated(test(chips(– EM(coupling(experiments(&(models(– mmEwave(imagery(
• EM(aIacks(on(circuits(– EM(pla_orm(– EM(fault(injecKon(in(AES(– BitEset(&(bitEreset(– Fault(propagaKon(modeling(
Summary&
Classical loop probe (diameter 2-5 mm) Pulse injection in probe
! Courant induction in lines
! Local power supply voltage change
or Local logic level change
! Fault !
Probe figure of merit - Spatial resolution - Injection efficiency
Substrate
Magnetic probes are more efficient than electric probes @ f≤1 GHz
How&an&EM&fault&occurs&?&
Concentrate(magneKc(field(" beIer(resoluKon(Many(loops(with(a(thicker(wire(is(possible ((" beIer(efficiency(
Classical&open&loop&"&resolu4on&limit&is&≈&loop&∅&
SoluKon(:((add(a(ferrite(core(with(conical(shape!
Ferrite&rod&op4mized&probe&
H(field(vs(the(distance(to(the(Kp(d(and(vs(number(of(turns(N$(Pulse(tR=3(ns,(tW=100(ns)(
&
H(fie
ld(amplitu
de((A
/m)(
H(fie
ld(amplitu
de((A
/m)(
Axis(X((mm)(Axis(X((mm)(
d(=(20(µm(d(=(50(µm(d(=(100(µm(d(=(200(µm(
0.5(mm(
12(turns(1(turn(
400(µm(
400(µm(
0.5(mm(
0( 1( 2( 3( 4( 5mm(
Realized&
Modeled&
Ferrite(rod(of(diameter(2(mm(• (SpaKal(resoluKon(≈400µm(close(to(the(Kp(• (SpaKal(resoluKon(does(not(depend(on(N$
Simula4on&of&ferrite&probes&
# Test(chip(designed(with(Freescale(0.25(µm(SMARTMOS(
# Contains(various(interconnect(structures(with(high(frequency(on"chip&voltage&sensors&(OCS)&to(measure(local(voltage(fluctuaKons(induced(by(the(nearEfield(injecKon(
# Mounted(in(CQFP64(package(with(a(removable(metallic(lid((
Wide(power(rails(
Power(rails(above(power(grid(and(logic(blocks(
Power(rails(above(analog(blocks(
Power(rail(above(logic(blocks(
OVS(
DieEtoEdie(bonding(between((50Ω(loads(
DieEtoEdie(bonding((between(buffers(
50Ω(lines(
Buses(OVS(
Chip#1&3mmx4.5m
m&
Chip#2&3mmx3mm&
PCB&control&card&
Dedicated&chips&for&probe&tes4ng&
Vref
Vref
50 Ω Line 0 µm
Vref Vref
Line 0.455 µm
Metal 2 connected to VrefOn-chip sensors
Analog pad connected to Vref
Line 5.5 µm
Line 10 µm
50 Ω
50 Ω50 Ω
Vref
Vref
Vref
Vref
Vref
Vref
50 Ω
50 Ω
50 Ω
50 Ω
50 Ω
50 Ω
Line30µm
Vref Vref50 Ω 50 Ω
Line70µm
Vref Vref50 Ω 50 Ω
Line120µm
Vref Vref50 Ω 50 Ω
Line320µm
Bandgap Vref
On"chip&EM&measurements&
Targeted structure: set of 50Ω transmission lines with variable spacing • Evaluate coupling between the
probe and the lines (injection) • Evaluate spurious coupling
between the lines (injection)
Structure 1
CW injection on 50Ω transmission lines f=1.4(GHz,(PRF(=(43(dBm(
Scan(alKtude(=(400(µm,(Scan(step(=(50(µm(
# Voltage(coupled(on(Struct1(lines(vs(probe(posiKon((
# DisKnguish(two(lines(separated(by(more(than(100(µm(
!
≈ 300 µm
H
Struct1
Probe-sample model • Equivalent circuit model
extracted from S-parameters • Coupling accounted by
mutual inductance vs $ frequency $ distance
On"chip&EM&measurements&Pulse injection on 50Ω transmission lines
×××××××××××××××××××××××××××××××××××××××××××××××××××××××××××××
×××××××××××××××××
××××××××××××××××××
××××××××××××××××××××××
×××××××××
××××××××××××××××××××××××××××××××××××××××××××××× ××××
××××××××××××
×××××××××××××�� �� �� ��� ��� �����
-���
-���
���
���
Ferrite probe, 5.5 turns, f=10MHz, tR=tF≈10ns, tW=50ns, VPP=10V
• Excellent behavior agreement • True input pulse shape (overshoot) not accounted for
x x x x Measure Model
60&GHz&near"field&imagery&
Plas4cs&and&ceramics&are&almost&transparent&to&mm"wave&$ InspecKon(of(ICs(through(the(package($ IdenKficaKon(of(area(of(interest(for(future(EM(
injecKon(
60 GHz Gunn diode + isolator + 10 dB coupler + Schottky detector
Piezo actuator
Probe and its reflection
60GHz WR15 tuner
MetalizaKons(between(die(and(connecKng(pads(
Package&IC&imaged&with&open&waveguide&&"&spaKal(resoluKon(≈1(mm(
E"probe&@&60&GHz&
Resolu4on&limit&on&a&square&angle&@&h=5µm&
Spa4al&resolu4on&33&µm&i.e.&λ/150&
Both&should&be&merged…&s4ll&to&come&
mm(mm(
60&GHz&near"field&imagery&
die
We&are&able&to&inspect&through&the&package&
� � � � �
�
�
� � � � � �
���� ���� ���� ���� ���� ������
��
��
�
�
�������
• Probes(:(design,(fabricaKon(&(characterizaKon(– OpKmized(new(probes(– Dedicated(test(chips(– EM(coupling(experiments(&(models(– mmEwave(imagery(
• EM(aIacks(on(circuits(– EM(pla_orm(– EM(fault(injecKon(in(AES(– BitEset(&(bitEreset(– Fault(propagaKon(modeling(
Summary&
• Technical(datasheet(– 3(motorized(axes((stepsize(0.1(µm)(– Faraday(cage(isolaKon(– Flexible(probe(support(for(emirng(
or(receiving(probes(– Modified(smartcard(reader((accept(
current(Side(Channel(AIack)(– Oscilloscope(monitoring(and(PC(
controlled(
• Suitable(for…(– Mapping(in(EM(listening(mode(– Pulse(injecKon((up(to(200V(peak)(
New&EM&acack&pladorm&
Problem&of&EM&acack&on&secure&ICs&
1. Enhance EM injection $ improve spatial resolution $ improve EM power transfer to IC
2. Enhance the capability of EM injection $ single-bit and multi-bit timing faults have been
demonstrated $ it is not enough for smartcards…
3. Enhance the protection of future ICs and smartcards $ simulate fault propagation at hardware level $ help to define countermeasures
Figure of merit of the probe Impedance matching
Timing&faults&on&AES&
AES&mapped&into&FPGA&opera4ng&@&50MHz&&&100MHz&Acack&with&ferrite&probes&and&posi4ve&or&nega4ve&square&pulses&
$ PosiKve(pulses(are(more(efficient("(layout(dependent(?($ Fault(probability(depends(on(clock(frequency("(Kming(faults($ Compared(to(single(loop,(ferrite(probes(are(more(efficient((
� strong(reducKon(of(pulse(intensity(needed(to(produce(the(fault(&EM&acack&enhanced&by&probe&op4miza4on&
SETUP2CK TTD2][Q1Q1][CK1 −−<>−+>− δ
Vdd"Gnd&
Vdd/2&
Effects&of&EM&injec4on&on&secure&circuits&
D1(
CK(
Q1(LOGIC&
Skew&δ&&
Data( D2( Q2(
Vdd&
Gnd&
CK1(
EM&coupling&
EM&coupling&
Moderate&intensity&
D1(
CK(
Q1(LOGIC&
Skew&δ&&
Data( D2( Q2(
Vdd&
Gnd&
CK1(
EM&coupling&
EM&coupling&
Effects&of&EM&injec4on&on&secure&circuits&
Vdd"Gnd&
Bit"set&or&bit"reset&!&
Inversion(
High&intensity&
DFF&0&to&7&
DFF&N"&7&to&N&
DFF&i+8&to&i+15&
Reset (On = 0)
Set (On = 1)
CLK
All bytes set to AA (‘10101010’) Read data in memory
CLK
CLK stopped ! Timing fault not allowed
EM Injection
Data_IN Data_OUT
Effects&of&EM&injec4on&on&secure&circuits&
$ Deterministic errors $ EM injection is strongly localized
Bit"set&and&bit"reset&on&secure&circuits&
(Embedded&fault&simula4on&&
– concept(• Embbeded(funcKonality(which(is(
able(to(interrupt(the(program(execuKon(to(modify(the(context((variables,(addresses,(registers,(program(counter,….)((
– Results(
• Realized(Fault(Models:(InstrucKon(jump,(memory(modificaKon(
• ApplicaKon(on(soQware(implementaKon(:(VulnerabiliKes(idenKcaKon(
EM&faults&modeling&
We(have(addressed(EM(aIacks(on(ICs:(($ EM(listening(of(ICs(is(wellEknown((not(invesKgated(here)($ EM(observaKon(of(ICs(
# New(setup(@(60GHz(proposed($ EM(fault(injecKon(
# Dedicated(opKmized(probes((ferrite,(mulKple(loops)(# In4situ(probe(characterizaKon(owing(to(dedicated(testchips(# QuanKtaKve(model(of(probeEcircuit(coupling(# Timing(faults(observed(on(AES,(efficiency(improved(with(new(probes(# BitEset(and(bitEreset(demonstrated(on(smartcards(# Embedded(EM(fault(modeling(tool(
Expected(future(improvement(in(countermeasures(against(EM(aIacks(
Conclusion&
Thank(you(!(
