Stéphanie Anceau, Pierre Bleuet, Jessy Clédière, Laurent Maingault, Jean-luc Rainard, Rémi Tucoulou
Nanofocused X-Ray Beam To Reprogram Secure Circuits
CHES | Jessy Clédière | 2017
Let’s speak about X-rays
• Ionizing radiation is often mentioned in the literature, but without real practical results
• Lots of references in the failure analysis and space systems literature
• A new method of perturbation?
• We propose using a nanofocused X-ray beam of a synchrotron
How did we get to a synchrotron?
…after doing some preliminary tests on simpler equipment
Figure labels: medical equipment, material science equipment
With some basic focusing…
…a hole in a lead sheet
Figure labels: ZIF support, X-ray, die, lead, exposed area, PCB, Device Under Test
ATMEGA
A fairly old circuit (350 nm) but useful to investigate new attacks
ATMEGA layout
Figure labels: 500 µm, logic, RAM, flash, EEPROM
ATMEGA + lead sheet and hole
We fill the flash memory with the value 0x55
First faults obtained after 210 seconds of exposure
red: “1” to “0” corruption
40 seconds later…
then 40 more…
and finally
What happened?
Figure labels: floating gate transistor, access transistor
Data is stored in the floating gates:
• charge in the floating gate: transistor is blocked, value 1 is stored
• no charge in the floating gate: transistor is conductive, value 0 is stored
Access to the floating gates
The access transistors of the active line are conductive
X-ray exposure: we discharge the floating gates
Access to the data
X-ray exposure continued: we semi-permanently switch on the access transistors
Column errors
Two major effects observed during these first tests
• We empty the floating gates of carriers: we could modify (1 to 0) flash and EEPROM
• We modify transistors semi-permanently: NMOS are made conductive (and PMOS blocked); it is reversible with a heat treatment (150°C, 1 hour)
The last result applied to the logic area of the circuit: we could reconfigure circuits (circuit edit)
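As an added illustration (not from the slides or the authors' work), a simplified Python model of the two-transistor cell described above: discharging a floating gate turns a stored 1 into a 0, while an access transistor left semi-permanently on lets its cell pull the whole bit line down, which is what appears as a column error in a 0x55-filled dump. The array geometry, dose thresholds and sensing rule are assumptions of the model, and the classify helper is a triage aid for reading such a dump, not a measurement from the paper.

```python
"""Simplified model of the two-transistor cell from the slides (added teaching
example, not the authors' code). Assumed: an access transistor in series with a
floating-gate transistor; a read drives one row's access transistors and senses
each column (bit line); any conducting cell pulls its bit line to 0."""
from dataclasses import dataclass
ROWS, COLS = 4, 8  # toy array: 4 bytes, column c holds bit (7 - c)

@dataclass
class Cell:
    charged: bool           # charge in the floating gate: blocked, stores 1
    stuck_on: bool = False  # access transistor semi-permanently conductive

class FlashArray:
    def __init__(self, fill):
        # Fill every row with the same byte (the slides use 0x55).
        self.cells = [[Cell(charged=bool((fill >> (7 - c)) & 1))
                       for c in range(COLS)] for _ in range(ROWS)]

    def read_row(self, row):
        """A cell conducts if its access transistor is on (selected row OR stuck)
        and its floating gate is empty; one such cell pulls the bit line down,
        so a stuck cell corrupts the column for every row that is read."""
        byte = 0
        for c in range(COLS):
            pulled_down = any((r == row or self.cells[r][c].stuck_on)
                              and not self.cells[r][c].charged
                              for r in range(ROWS))
            byte = (byte << 1) | (0 if pulled_down else 1)
        return byte

    def dump(self):
        return [self.read_row(r) for r in range(ROWS)]

    def expose(self, row, col, dose):
        """Assumed dose model: dose 1 discharges the floating gate (1 -> 0),
        dose 2 additionally leaves the access transistor switched on."""
        cell = self.cells[row][col]
        if dose >= 1:
            cell.charged = False
        if dose >= 2:
            cell.stuck_on = True

def classify(expected, observed):
    """Triage a dump against the fill pattern: (row, col) of every 1 -> 0 flip,
    plus the columns where all rows flipped (stuck access transistor signature)."""
    flips = [(r, 7 - b) for r, (e, o) in enumerate(zip(expected, observed))
             for b in range(8) if (e >> b) & 1 and not (o >> b) & 1]
    cols = [c for c in range(COLS) if all((r, c) in flips for r in range(ROWS))]
    return flips, cols
```

Note that a stuck cell in a column whose fill bit is already 0 is invisible to this check, which is why the slides' red "1 to 0" marking only shows half the columns of a 0x55 pattern.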
Two major effects observed during these first tests (cont’d)
• These effects are described in the space systems literature and are very interesting for our activity
• Let’s focus X-rays down to the nano-scale to target a single transistor!
Grenoble, France
Map labels: Léti ITSEF, European Synchrotron Radiation Facility (ESRF), 500 m
Inside the donut
Focusing to the nano scale: 60 nm X-ray spot
Figure labels: ATMEGA at the focal point of the X-ray optic, fluorescence detector, X-ray, long focal length optic
Fluorescence image by scanning the IC with the nano-beam
Figure labels: cross-section (SEM view), tungsten via, SEM view, tungsten fluorescence mapping
Obtained results on ATMEGA
• Fluorescence mapping allows powerful and accurate positioning at the transistor level
• Flash and EEPROM can be modified (1 to 0) at the bit level: the code of a circuit can be changed (good example in the proceedings)
• Single RAM cells can be semi-permanently stuck at 0 or 1 by corrupting transistors
• Logic can be modified at the transistor level: circuit edit. This could be used to:
  • change the behavior of the circuit
  • remove hardware countermeasures…
• No need to open the package of the die
RAM results on ATMEGA
Figure labels: SEM view, fluorescence view, superposition and results, 5 µm, RAM address, RAM cell stuck at 1, RAM cell stuck at 0
Obtained results on state of the art technology node
• Fluorescence mapping still allows a powerful and accurate positioning at the transistor level
• Flash / EEPROM can still be modified (1 to 0) at the bit level (110 nm and 90 nm NOR flash)
• Single RAM cells can still be stuck at 0 or 1 (45 nm microcontroller)
• Still no need to open the package of the die
Comparison
• Nanofocused X-rays could be compared to laser perturbation or to Focused Ion Beam (invasive attack, circuit edit)
• Implementation is like a laser setup with no sample preparation required (package opening, thinning…), but the spot is very small (60 nm or less): reverse engineering is required!
• Effects are like those of invasive attacks, but totally non-invasive!
  • FIB: modification of the metal layers of the circuit
  • X-rays: modification of the transistors of the circuit
The cost of such a thing?
• Cost of a FIB access via service : 400 € / hour
• Cost of ESRF access via industrial channel : 3000 € for 8 hours
Conclusion on nanofocused X-ray
• A new technique to attack circuits and to perform circuit-editing
• “Extreme” resolution with accurate positioning thanks to the use of fluorescence mapping
• Tool with a difficult access, but not that expensive!
• Experiments are still ongoing.
Leti, technology research institute | Commissariat à l’énergie atomique et aux énergies alternatives | Minatec Campus | 17 rue des Martyrs | 38054 Grenoble Cedex | France | www.leti-cea.com
Thanks