© 2012 - 2019 Trustworks GmbH. All rights reserved. Privacy Policy

Contact us

E-mail:


PGP Key-Id:

PGP Fingerprint: 

Imprint:

office -at- trustworks.at

989a04a6 (get key)

9BCB 782D 6E3A 5FAB C11C

3754 FD5F B9E1 989A 04A6

Trustworks GmbH
Rienoesslgasse 14/17
1040 Vienna, Austria

Commercial Court Vienna, Registration: FN 511775 k

Physical Microchip Security

Today, many microchips such as programmable controllers, Field Programmable Gate Arrays (FPGAs) or Application Specific Integrated Circuits (ASICs) are utilized to hold security critical data such as firmware, user credentials, cryptographic key material or proprietary algorithms.

With our Hardware Security Lab, we can evaluate many physical attacks on integrated circuits. This includes both the evaluation of resistance against common physical attacks as well as the use of physical methods to extract netlist information, firmware and data to conduct independent embedded security audits.

Physical Methods

With non-invasive methods, the chip package is not opened. Utilizing test and measurement lab equipment as well as in-house developments, we can evaluate microchip targets against Side Channel Attacks, Fault Injection Attacks as well as programming and communication interface security flaws

With semi-invasive methods, the chip package is opened (decapsulation) and the isolation layer (passivation) stays intact. Since the surface of the chip is visible now, optical analysis becomes feasible. While at this point semi-invasive attacks such as laser fault injection could be conducted, we currently do not offer semi-invasive attack evaluation due to our focus on fully invasive methods.
 

With fully-invasive methods, the passivation layer of the chip does not stay intact. The chip can either be deprocessed (destructive process) to analyze the chip layers and the contained logic or it can be carefully modified (e.g. using FIB circuit edits) to allow electrical probing or to modify security relevant behavior.

Our Analysis Techniques and Capabilities
  • Testing of communication and programming interfaces (e.g. JTAG, SPI, I2C, USB, UART)

  • Side Channel Attack Evaluation (SPA, CPA, Timing Analysis)

  • Fault Injection Attack Evaluation (Clock and Voltage Glitching)

  • Chip Decapsulation

  • Bond analysis

  • High resolution imaging using optical (confocal/DIC) and electron (SEM/FIB) microscopy

  • Material analysis using Energy-Dispersive X-ray spectroscopy (EDX)

  • Voltage contrast imaging

  • Chip deprocessing (CMP, Plasma, selective wet-etch)

  • Selective contrasting and chip preparation

  • Netlist extraction and analysis

  • Test Mode Security Analysis

  • Intellectual Property and Technology Analysis

  • ROM extraction

  • FIB circuit edits

  • Microprobing

  • Thermosonic wedge and ball bonding

  • Basic failure analysis

Service Overview
  • Fake Device Identification

  • Intellectual Property (IP) Analysis

  • Forensic Analysis

  • Failure Analysis

  • Reverse Engineering (e.g., for backdoor analysis)

  • IC Decapsulation and High Resolution Imaging

  • Firmware and Logic/Netlist Extraction

  • ROM Code Security Audit

  • Side Channel and Fault Injection Evaluation

  • Physical Attack Evaluation

  • Interface Security Audit

We can offer a vast amount of services in that area. If your specific application is not listed, don't hesitate to ask us. 

We are looking forward to your challenges!

Want to know more ?

Side Channel Attack Evaluation

Side Channel Attacks exploit the implementations of (cryptographic) algorithms in hard- or software. When performing a side channel attack, some observable behavior of the implementation such as the timing, the current consumption or the EM emission is used to obtain additional information that allows the attacker to decode cipher text, calculate the cryptographic keys or obtain details of the executed instructions and data within the system.

In timing attacks, typically the time between the request and the response is observed. If it is data dependent (e.g., in a bad password check implementation), the timing information can be utilized to break the security of the implementation.

Similarly, in power analysis attacks, the current consumption of the target is measured over the time. If the current consumption is data dependent, it can often be used to determine secret information such as cryptographic keys or passwords. In contrast to Simple Power Analysis (SPA), Correlation Power Analysis (CPA) is a much stronger analysis method that relies on the statistical correlation. Besides determining the correctness of a candidate within a power model, the correlation function can be conveniently used for a number of other tasks such as trace alignment and data usage testing during analysis. We have developed our own testing tools to conduct automated evaluations within a target-in-the-loop configuration involving a custom probe configuration with automated triggering (FPGA based), measurement readout and time synchronized target communication.

Fault Injection Attack Evaluation

During Fault Injection (FI) attacks, a typically temporary fault is intentionally injected into the target. For instance, this could be an out of specification clock pulse (clock glitching) or a short change of the supply voltage (voltage glitching).  Depending on the target and the type of fault injection, executed instructions can often be modified and memory reads may return wrong or a different amount of data. An attacker can thus carefully utilize these faults to bypass security checks such as firmware signature verification and bootloader or communication protocol authentication. As a result, firmware may be extracted from protected devices and unsigned code might be injected.

At Trustworks, we have developed proprietary fault injection testing technologies allowing us to evaluate a wide range of non-invasive fault injection attacks. Our current fault injection technologies can inject <10ns faults with both positive and negative voltages and a peak pulsed current of up to 10A.

Fake Device Identification

Authentic Atmel ATMega8 Chip

Fake ATMega8 Chip ("Mandela")

Fake microchips can lead to tremendous functional, security and safety issues. While some of the implemented functions are similar to authentic chips, others might be implemented incorrectly or are not available in the first place. Considering the large production volumes of today's embedded products, a late discovery of fake devices can have a serious business impact.

In typical cases, the markings on the outside of the chip package are hard to distinguish. Even device data reported over programming interfaces such as JTAG is typically indistinguishable between genuine and fake devices. At Trustworks, we have the technology to conduct fake device identification tests ranging from chip marking, packaging and communication analysis to chip depackaging and deep silicon analysis.

High Resolution Microchip Imaging

For up to Gigapixel resolution imaging, we have developed a custom automation supported hard- and software toolchain for our following microscopes:

  • Fei FIB 200 Focused Ion Beam Workstation

  • Aspex Scanning Electron Microscope

  • Custom K2 IND/Nikon based reflected white-light confocal Microscope (Nipkow type disc)

  • Nikon Optiphot DIC Microscope (BF and DF)

  • Leitz Ergolux Microscope

  • Cascade Microtech RHM-06 Probe Station

Our toolchain includes stage automation, live imaging, automated image acquisition, imaging plane based auto focusing and high precision image stitching. Our in-house stitching software has been specifically designed for microchip image stitching to support subsequent automated circuit analysis. Depending on the imaging requirements, we can determine which microscope to use and leverage sample preparation techniques such as sputter coating, precision polishing, plasma etching and cleaning or ultrasonic cleaning.

Netlist Extraction and Analysis

We have developed key technologies to analyze microchip logic implementations. Applications include security and forensic analysis, process analysis as well as intellectual property (IP) analysis. Our technologies include:

  • High resolution chip imaging using our automation supported hard- and software toolchain

  • Device decapsulation either for live or for destructive analysis

  • Device deprocessing relying on a combination of wet- and dry-etch as well as CMP techniques

  • Automation supported image analysis for netlist extraction including signal and logic gate analysis

  • Graphical and block based netlist simulation

  • Graphical netlist reverse engineering to obtain high level functional blocks from low level logic gates

During analysis, we typically remove the silicon die from the package. Using our deprocessing methods, we can carefully strip off chip layers from the top most metal down to the polysilicon layer. Using high resolution Scanning Electron Microscopy (SEM) with our automated toolchain, images are created for each chip layer. The images are subsequently processed with our netlist extraction toolchain to obtain the netlist. The netlist can then be simulated and further analyzed to obtain a high level logic representation of security relevant regions-of-interest (ROI).

ROM Extraction and Firmware Analysis

While programmable (micro-) controllers typically store their firmware code within non-volatile memory technologies such as Flash and EEPROM memories, ASICs (Application Specific Integrated Circuits) often rely on non-programmable (e.g. Mask ROM) or one time programmable OTP memories. Their security critical firmware thus resides within ROM memories. To analyze these ASIC devices with regard to potential security weaknesses, we have developed ROM extraction technologies allowing us to extract the firmware from these devices as well. Especially for known embedded architectures such as AVR, 8051, PIC or ARM, contained firmware can thus be analyzed using our conventional embedded security testing techniques.

In general, our ROM firmware extraction techniques leverage the same techniques we utilize for netlist extraction. For firmware extraction from ROM images, we have developed a ROM extraction software tool that can directly output the firmware image. For proprietary CPU architectures, ROM extraction can be combined with netlist extraction and anaylsis.

If you have an ASIC controller that should undergo a security audit to identify potential security vulnerabilities, don't hesitate to contact us for an ASIC firmware security audit.

FIB Circuit Edits

A Focused Ion Beam (FIB) workstation works in a similar way to a Scanning Electron Microscope (SEM). However instead of low-mass electrons, it utilizes accelerated Gallium ions with a much higher mass. The effect is that with low beam currents, the instrument can be utilized for imaging while with higher beam currents milling (and thus IC device modification) becomes feasible. With the addition of process gases (GIS systems), selective milling as well as the deposition of both insulators and metals are possible. Our FIB thus provides us with the following basic capabilities:

  • Imaging

  • Milling

  • Selective material removal (e.g. removal of passivation/ILD)

  • Deposition of new circuit traces and pads (W and Pt)

  • Deposition of SiO2 as insulator

Leveraging information obtained through our advanced microchip analysis capabilities, we can thus actively modify microchips. Applications include:

  • Failure analysis and patches ("FIB edit")

  • Dynamic firmware extraction

  • Addition of probing pads for microprobing

  • Selective device deprocessing (especially for smaller fabrication technologies)

Especially with the addition of probing pads and selective device modifications, we can conduct fully dynamic circuit tests. These are supported by our following tools:

  • Cascade Microtech RHM-06 probe station

  • Hybond Wedge Bonder

  • Kulicke & Soffa Ball Bonder

  • Standard electronic testing tools (oscilloscope, logic analyzer, signal generator)

  • Electronic development boards (e.g., various FPGA, SoC and MCU development boards)