Why is it so hard to make secure chips? Marc Witteman GLSVLSI, May 18, 2016


What’s new in internet?

Traditional internet
• connects people with machines
• shares data that people create

IoT (Internet of Things)
• connects machines to machines
• shares data that machines create

What is the Internet of Things?

[Figure: IoT overview. Source: Vivante]

Is IoT security important?

• Remote car hijack
• Identity theft
• Medical device disturbance
• Premium content theft

Information Security?

What to protect? (the primary targets for attackers)
• Confidentiality
• Integrity
• Availability

How to protect?
• Cryptography
• Access control

Are IoT devices sensitive to attacks?

• Fast growing market with new, inexperienced entrants
• Operate in an uncontrolled (hostile) environment
• Pressure on time-to-market and cost

IoT example

[Figure: a typical IoT device: SoC (System on Chip), power management, communication]

Security is all about the chip

[Figure: chip aspects: memory, interfaces, CPU, test logic, geometry/layout, speed, security features]

How does an attacker get access?

Find the key, or break the lock.

How do attackers work?

Chip Attacks: Invasive, Logical, Side Channel, Fault

Invasive attack steps

1. Prepare: get sample ready
2. Analyze: optical inspection
3. Modify: FIB
4. Extract: standard interface or probe

Depackaging

[Figures: depackaging; sand]

Cross-section of a chip

[Figure: chip cross-section, labelled: bulk silicon, P-doped area, N-doped area, poly-silicon, via (plugs), metal wires M1 to M5, passivation layer]

[Figure: a die’s metal side]

Delayering

• Chemical delayering
• Polishing
• Plasma etching

Imaging by optical microscope (front side)

• Visible light (390 to 700 nm)
• Maximum resolution: ~0.29 µm (at 550 nm)
• Computer controlled XYZ table + camera

Imaging by optical microscope (back side)

• Infrared light (700 nm to 1100 nm)
• Maximum resolution: ~0.63 µm
• Helps to identify functional blocks

Imaging by Scanning Electron Microscope (SEM)

• Much higher resolution
• The oxide layer between metal layers is not transparent (for electrons)
• Computer controlled XYZ stage + imaging

Image stitching

Ok, I have the chip layout, now what?

Low-level HW reverse engineering

Reverse engineering reconstructs the functional layout, and then focuses on specific targets:

• Hardcoded secrets
• ROM containing executable code
• Fuses and OTP
• CPU and registers
• Security sensors
• Crypto engines

How to reverse engineer a billion gates?

• Chips use a library of less than 1K standard cells
• Automated cell recognition is possible and available in tools
• Use templates to automatically match standard cells
• Support for via and metal wire detection/tracing
• VHDL / Verilog export

Modify

A Focused Ion Beam (FIB) can do chip edits:

• Restore test state (fuse repair): enable arbitrary memory read
• Disable security features: short-cut shields
• Export data bus: enable data dump

[Figure: Focused Ion Beam]

Extract data

[Figures: re-bonding; probing]

Chip Attacks: Invasive, Logical, Side Channel, Fault

Logical attacks

Why do we need logical attacks? Physical attacks provide access, but may not reveal secrets yet.

• Reconnected a test function: need to run test routines to extract data
• Exported data lines: need to reverse engineer the code dump to find secrets

JTAG

A standardized test interface that uses a chain of cells to set / capture internal states. Controlled by 5 external connections:

• TDI  Test Data In
• TDO  Test Data Out
• TCK  Test Clock
• TMS  Test Mode Select
• TRST Test Reset

Code analysis

[Figure: memory image layout: boot loader, packed loader, packed main application, key block]

Further software attacks on chips

External analysis
• Run extracted code in a debug environment
• De-compilation: source code level analysis

Internal analysis
• Fuzzing
• Penetration testing
• Malicious code injection

Chip Attacks: Invasive, Logical, Side Channel, Fault

Side Channel Analysis

A side channel is an unintended communication channel that can reveal secret information. Examples:

• Light
• Sound
• Heat
• Time
• Power consumption
• Electro-magnetic radiation

XBOX 360 timing issue

The XBOX 360 has a secure boot chain: a 16-byte keyed hash value is computed over the bootloader. The comparison is done per byte, which enables a timing attack.

[Figure: bootloader -> compute hash -> compare hash; Nok -> report failure, Ok -> run bootloader]

XBOX 360 timing attack procedure

Brute forcing 16*128 = 2048 values takes about 2 hrs.

[Flowchart: init hash in memory; init hash byte counter; store rogue bootloader; reset XBOX; observe failure; register time; increase hash byte; reset XBOX; observe failure; later? (No: back to increase hash byte; Yes: increase byte counter); final? (No: back to increase hash byte; Yes: success!)]
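To make the per-byte comparison concrete, here is an added example (not from the slides and not Riscure's code) in C: an early-exit comparison of the kind described for the XBOX 360 beside a constant-time version, with a counter of byte comparisons standing in for the time an observer would measure. The expected hash value is a constructed placeholder, not a real Xbox value. Against candidates that match for a growing number of leading bytes, the early-exit compare's work grows with the matching prefix, which is exactly the signal the procedure above sweeps for; the constant-time compare always does the same amount of work, so the sweep finds nothing.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HASH_LEN 16

/* Constructed "expected" hash: a placeholder for the example, not a real Xbox value. */
static const uint8_t EXPECTED_HASH[HASH_LEN] = {
    0x3a, 0x7f, 0x12, 0xc4, 0x55, 0x9e, 0x01, 0xb8,
    0x6d, 0x20, 0xf3, 0x84, 0x4c, 0xd9, 0x77, 0x0e
};

/* Leaky compare: stops at the first mismatch, like the per-byte check on the slide.
 * Returns 1 on match, 0 otherwise. *work receives the number of byte comparisons
 * performed, which stands in for the elapsed time an observer would see. */
int compare_leaky(const uint8_t *a, const uint8_t *b, size_t len, size_t *work) {
    size_t i;
    *work = 0;
    for (i = 0; i < len; i++) {
        (*work)++;
        if (a[i] != b[i]) return 0;
    }
    return 1;
}

/* Constant-time compare: touches every byte and accumulates differences with OR,
 * so the work (and time) does not depend on where the first mismatch is. */
int compare_ct(const uint8_t *a, const uint8_t *b, size_t len, size_t *work) {
    uint8_t diff = 0;
    size_t i;
    *work = 0;
    for (i = 0; i < len; i++) {
        (*work)++;
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* One observation from the sweep on the slide: a candidate whose first `prefix`
 * bytes are correct and whose next byte is wrong. Returns the work the chosen
 * comparator reports, so the caller can see whether it depends on `prefix`. */
size_t observe(int (*cmp)(const uint8_t *, const uint8_t *, size_t, size_t *),
               size_t prefix) {
    uint8_t candidate[HASH_LEN];
    size_t work;
    memset(candidate, 0, sizeof candidate);
    memcpy(candidate, EXPECTED_HASH, prefix);
    if (prefix < HASH_LEN) candidate[prefix] = (uint8_t)(EXPECTED_HASH[prefix] ^ 0xff);
    cmp(candidate, EXPECTED_HASH, HASH_LEN, &work);
    return work;
}

/* Both comparators must still accept the correct value. */
int self_check(void) {
    size_t w1, w2;
    return compare_leaky(EXPECTED_HASH, EXPECTED_HASH, HASH_LEN, &w1)
        && compare_ct(EXPECTED_HASH, EXPECTED_HASH, HASH_LEN, &w2);
}

int main(void) {
    size_t p;
    for (p = 0; p <= HASH_LEN; p++)
        printf("prefix %2zu: leaky work=%2zu  constant-time work=%2zu\n",
               p, observe(compare_leaky, p), observe(compare_ct, p));
    return 0;
}
```

The leaky comparator's work column reads 1, 2, 3, ... up to 16 as the matching prefix grows, which is the "later?" signal in the flowchart; the constant-time column is 16 on every row. Real firmware should use a comparison like `compare_ct` (or its platform's constant-time memcmp) for any secret-dependent check.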

Timing attack with Infectus board

[Figure; source: http://beta.ivancover.com]

Side Channel Analysis of Crypto

RSA is the most popular algorithm for signing data. Algorithm for S = M^d mod N, with exponent bits d_i (i = t down to 0, most significant bit first):

    S := 1
    for i from t down to 0 do:
        S := S * S mod N
        if d_i = 1 then S := S * M mod N
    return S

What do we see when we measure the radiation emanated by a chip running this process?

Electro-magnetic analysis of RSA

[Figure: EM trace; key bits revealed by the variation of the interval between dips: 1 0 1 0 1 0 0 1 0]
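An added example (mine, not the slides' or Riscure's code) in C that runs the square-and-multiply loop above on toy parameters and records the sequence of squarings and multiplications, which is the model behind the EM trace on the slide: a multiply follows a squaring only when the exponent bit is 1, so the spacing of the operations spells out the key. The parameters N = 3233, d = 413 and M = 2790 are the textbook RSA example values, chosen so everything fits in 32-bit arithmetic. The block also includes a square-and-multiply-always variant whose operation sequence does not depend on the key, and a check that compares the traces for two exponents of the same length to tell a leaking implementation from a regular one.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Modular multiply on small operands; N < 2^32 so the product fits in 64 bits.
 * (Toy sizes for illustration; a real RSA modulus is thousands of bits.) */
static uint32_t mulmod(uint32_t a, uint32_t b, uint32_t n) {
    return (uint32_t)(((uint64_t)a * b) % n);
}

/* Square-and-multiply as on the slide, exponent bits from bit t down to 0.
 * Every operation is appended to `trace`: 'S' for a square, 'M' for a multiply.
 * The trace models what the EM probe sees. `trace` needs 2*(t+1)+1 bytes. */
uint32_t modexp_leaky(uint32_t m, uint32_t d, uint32_t n, int t, char *trace) {
    uint32_t s = 1;
    size_t k = 0;
    int i;
    for (i = t; i >= 0; i--) {
        s = mulmod(s, s, n);
        trace[k++] = 'S';
        if ((d >> i) & 1) {          /* multiply only for a 1 bit: this is the leak */
            s = mulmod(s, m, n);
            trace[k++] = 'M';
        }
    }
    trace[k] = '\0';
    return s;
}

/* Square-and-multiply-always: the multiply runs for every bit and its result is
 * kept only when the bit is 1, so the operation sequence is the same for every
 * exponent. A common first countermeasure against this SPA/EM leak; it does not
 * by itself address fault or safe-error attacks. */
uint32_t modexp_regular(uint32_t m, uint32_t d, uint32_t n, int t, char *trace) {
    uint32_t s = 1;
    size_t k = 0;
    int i;
    for (i = t; i >= 0; i--) {
        uint32_t sq = mulmod(s, s, n);
        uint32_t mult;
        trace[k++] = 'S';
        mult = mulmod(sq, m, n);
        trace[k++] = 'M';
        s = ((d >> i) & 1) ? mult : sq;   /* select; both operations appear in the trace */
    }
    trace[k] = '\0';
    return s;
}

/* What "key bits revealed" on the slide means: read the exponent back from a leaky
 * trace. An 'S' followed by 'M' is a 1 bit; an 'S' followed by another 'S' (or by
 * the end of the trace) is a 0 bit. */
uint32_t bits_from_trace(const char *trace) {
    uint32_t d = 0;
    size_t i, len = strlen(trace);
    for (i = 0; i < len; i++) {
        if (trace[i] != 'S') continue;
        d <<= 1;
        if (i + 1 < len && trace[i + 1] == 'M') d |= 1;
    }
    return d;
}

typedef uint32_t (*modexp_fn)(uint32_t, uint32_t, uint32_t, int, char *);

/* Textbook RSA values: n = 3233, e = 17, d = 413, m = 65 encrypts to 2790. */
uint32_t decrypt_with(modexp_fn impl) {
    char trace[64];
    return impl(2790, 413, 3233, 8, trace);   /* 413 = 0b110011101, 9 bits, t = 8 */
}

uint32_t recovered_exponent(void) {
    char trace[64];
    modexp_leaky(2790, 413, 3233, 8, trace);
    return bits_from_trace(trace);
}

/* Developer-side check: does the trace depend on the key? Runs the implementation
 * with two different 9-bit exponents and returns 1 if the traces are identical. */
int trace_is_key_independent(modexp_fn impl) {
    char t1[64], t2[64];
    impl(2790, 413, 3233, 8, t1);   /* 0b110011101 */
    impl(2790, 341, 3233, 8, t2);   /* 0b101010101 */
    return strcmp(t1, t2) == 0;
}

int main(void) {
    char trace[64];
    printf("leaky:   result %u, trace %s\n", modexp_leaky(2790, 413, 3233, 8, trace), trace);
    printf("         exponent read back from trace: %u\n", bits_from_trace(trace));
    printf("regular: result %u, trace %s\n", modexp_regular(2790, 413, 3233, 8, trace), trace);
    return 0;
}
```

The leaky trace for d = 413 is `SMSMSSSMSMSMSSM`, from which `bits_from_trace` returns 413; the regular variant produces `SMSMSMSMSMSMSMSMSM` for every 9-bit exponent, which is the property `trace_is_key_independent` tests for. The same trace-comparison idea is the basis of leakage assessment on real hardware, where the operation log is replaced by measured EM or power traces.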

Chip Attacks: Invasive, Logical, Side Channel, Fault

Fault Attacks

Change the behavior of a device by manipulating the environmental conditions:

• Clock
• Power
• EM
• Laser

[Figure: threshold of the read value; a power dip at the moment of reading a memory cell]

Voltage glitching setup

[Figure: glitch parameters; command -> trigger -> glitch -> response]

EM glitching / Laser glitching

[Figures]

Exploiting faults

A successful fault can:

• Override decisions: escalate privileges
• Dump data: get secrets from memory
• Corrupt crypto: get secrets by output analysis

Skip branch (1) / Skip branch (2)

Dump

    char* bufferAddress = bufferBegin;
    while (bufferAddress != bufferEnd) {   /* exits only on exact equality */
        send( * bufferAddress );
        bufferAddress++;
    }

Single glitch leads to full memory dump
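As an added example, not part of the deck, here is the dump loop above inside a small C simulation with a one-shot fault model: the loop test at one chosen iteration is forced to "continue", standing in for a glitch that skips a branch. The vulnerable loop is the slide's; the hardened variant is the usual countermeasure pattern (a bounded comparison instead of `!=`, the bound re-checked right before the sensitive action, and the loop counter verified after the loop), written here as an assumption about good practice rather than any product's code. The simulated memory layout and the 0xAA marker for secret bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MEM_SIZE   64   /* constructed simulated memory */
#define PUBLIC_LEN 16   /* bytes the dump command is allowed to return */

static uint8_t memory[MEM_SIZE];
static uint8_t sent[MEM_SIZE];
static size_t  sent_count;

/* Fill simulated memory: readable data first, then bytes standing in for secrets. */
static void init_sim(void) {
    size_t i;
    for (i = 0; i < MEM_SIZE; i++)
        memory[i] = (i < PUBLIC_LEN) ? (uint8_t)i : 0xAA;
    sent_count = 0;
}

static void send_byte(uint8_t b) {
    if (sent_count < MEM_SIZE) sent[sent_count++] = b;
}

/* Fault model: the loop test evaluated at `iteration == glitch_at` is forced to
 * "keep going", imitating one glitch that skips a conditional branch. -1 = no fault. */
static int forced_continue(int iteration, int glitch_at) {
    return iteration == glitch_at;
}

/* The slide's loop: it exits only on exact equality, so once the pointer has been
 * pushed past the end it never matches again. Returns the number of bytes sent. */
size_t dump_vulnerable(size_t len, int glitch_at) {
    uint8_t *p, *end;
    int iter = 0;
    init_sim();
    p = memory;
    end = memory + len;
    /* Bounded by the physical end of memory only so the simulation terminates;
     * real hardware would keep reading until it crashed. */
    while (p < memory + MEM_SIZE) {
        int exit_now = (p == end);
        if (forced_continue(iter, glitch_at)) exit_now = 0;   /* the glitched test */
        if (exit_now) break;
        send_byte(*p);
        p++;
        iter++;
    }
    return sent_count;
}

/* Hardened loop: bounded comparison, the bound re-checked before each send, and the
 * counter verified after the loop. Returns the count, or (size_t)-1 when a fault
 * is detected (the caller should then abort, not report success). */
size_t dump_hardened(size_t len, int glitch_at) {
    size_t i = 0;
    int iter = 0;
    init_sim();
    while (1) {
        int exit_now = !(i < len);
        if (forced_continue(iter, glitch_at)) exit_now = 0;   /* the glitched test */
        if (exit_now) break;
        if (!(i < len)) return (size_t)-1;   /* redundant check catches the skipped test */
        send_byte(memory[i]);
        i++;
        iter++;
    }
    if (i != len || sent_count != len) return (size_t)-1;   /* loop-counter verification */
    return sent_count;
}

int main(void) {
    printf("vulnerable, no glitch:      %zu bytes\n", dump_vulnerable(PUBLIC_LEN, -1));
    printf("vulnerable, glitch at exit: %zu bytes\n", dump_vulnerable(PUBLIC_LEN, PUBLIC_LEN));
    printf("hardened, no glitch:        %zu bytes\n", dump_hardened(PUBLIC_LEN, -1));
    printf("hardened, glitch at exit:   %s\n",
           dump_hardened(PUBLIC_LEN, PUBLIC_LEN) == (size_t)-1 ? "fault detected" : "no detection");
    return 0;
}
```

With the fault placed on the exit test, the vulnerable loop sends all 64 bytes of simulated memory, secrets included, while the hardened loop stops at 16 and flags the inconsistency. A glitch on any earlier iteration has no effect on either loop, which is why a single well-timed fault is enough for the slide's full dump.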

So, why is it so hard to make secure chips?

• Developers need to cover all bases, but attackers need only one bug
• Security flaws are not ‘automatically’ found and fixed

So, is there any hope?

• Secure labs to the rescue!

Takeaways

• Security is a cat and mouse game
• Testing helps identifying and mitigating risk
• Interaction between development and evaluation drives industry best practices
• Vendors that actively seek security feedback learn faster!

Riscure North America

550 Kearny St., Suite 330

San Francisco, CA 94108

USA

Phone: +1 650 646 99 79

[email protected]

Riscure B.V.

Frontier Building, Delftechpark 49

2628 XJ Delft

The Netherlands

Phone: +31 15 251 40 90

www.riscure.com

Contact: Marc Witteman, [email protected]

Riscure is hiring! visit www.riscure.com/careers