5. page 5
Why Anti-Tampering?
[Figure: NVM secure macro block diagram. The NVM Hard Macro (Memory Array, BL-decode/SA, BG/HV CP, WL-decode, ctrl) talks over a proprietary protocol to the Controller and RTL Wrapper, which exposes an APB Slave I/F (APB protocol) to the system. Two attack surfaces are marked: NVM attacks on the array and Interface/Controller attacks.]
◼ NVM arrays are obvious targets for physical attacks
◼ Interface and controller may be attacked to bypass security policies
6. page 6
Types of Physical Attacks
Non-Invasive Attacks (no structural changes → keeps normal function):
• Side-channel analysis
• Malicious SW/FW
• EM fault injection
• External pin monitoring or manipulation
• …
Semi-Invasive Attacks (no destructive changes → keeps normal function):
• Laser fault injection
• Photoemission microscopy
• …
Invasive Attacks (destructive changes → chip function fails):
• TEM/SEM analysis
• Nano probing
• Voltage contrast
• …
Attack strength & cost: low (non-invasive) → high (invasive)
7. page 7
For Example
[Figure: example photographs of a non-invasive attack, a semi-invasive attack and an invasive attack setup]
8. page 8
Non-Invasive Attacks
[Figure: fault injection from external pins, monitoring through external pins, EM fault injection, EM probing]
◼ Physical change on the attack target is not needed
◼ E.g., external pins, EM waves, malicious software, …
◼ Can be performed using standard equipment
◼ Lowest attack strength and cost
9. page 9
Side Channel Attacks
◼ Manipulating input or observing output to exploit a vulnerability of a cryptographic system
[Figure: side-channel observation points around a cryptographic device: power analysis (V, I) on the supply, electromagnetic emission, and the input/output data]
10. page 10
Power Analysis
◼ CMOS logic only consumes power when changing states
◼ Power consumption of a particular operation is input dependent
◼ Measuring power reveals information about chip operations
[Figure: CMOS inverter between VDD and VSS. For an input 0 → 1 and for an input 1 → 0 the two transistors T1 and T2 switch in opposite directions (one OFF→ON, the other ON→OFF); each transition draws a current pulse I from VDD that is visible as ΔV on the supply]
11. page 11
Side-channel attack using power analysis
[Figure: measurement setup with a shunt resistor R in the supply and the voltage V measured across it; attack platform → power traces → find leakage → statistical analysis → key guess]
P. Kocher et al., "Differential power analysis"
◼ Finding correct keys based on leakage information
◼ Significantly lowering the computation complexity (e.g., from 2^256 to 32 × 2^8)
◼ Countermeasures: masking, TI, low-leakage design, analog filtering, …
12. page 12
Electromagnetic Analysis
◼ Electromagnetic (EM) emission from charge transport
◼ EM emission depends on circuit operations
◼ Measuring EM reveals information about chip operations
[Figure: current I in the metal lines M1/M2 above the Si substrate produces an H-field (X/Y plane); the voltage swing +V/−V produces an E-field]
13. page 13
Software-based Physical Attacks
[Figure: Row Hammer attack on DRAM: repeated charge/discharge of a hammered word line (WL) causes leakage into the cells of the affected neighbouring WL, which is read out over the bit line (BL) through the sense amplifier. Data remanence attack on SRAM.]
N. A. Anagnostopoulos et al., "Low-temperature data remanence attacks against intrinsic SRAM PUFs." 2018 21st Euromicro Conference on Digital System Design (DSD). IEEE, 2018.
◼ Using malicious software to trigger exploitable physical changes
– E.g., injecting faults into DRAM by a row hammer attack
◼ Exploiting physical mechanisms to help malicious software bypass security measures
– E.g., using data remanence effects in SRAM to read protected contents
14. page 14
Semi-Invasive Attacks
[Figure: substrate thinned by grinding/drilling; laser fault injection; InGaAs EMMI (emission microscopy)]
◼ Physical changes are needed, e.g., package removal, substrate thinning
◼ Chip can still function normally after physical changes
◼ Usually requires specialized equipment and proficient attackers
◼ Moderate attack strength and cost
15. page 15
Decapsulation
[Figure: photo emission (IR, NIR, …) image of a decapsulated chip]
◼ Removing the chip package or drilling holes into it allows a closer approach to the chip
◼ Photo emission, reflection or photoelectric effects can be measured
16. page 16
Backside Laser Injection
[Figure: laser pulses entering the substrate from the backside generate a photocurrent between VDD and VSS; the resulting faults and supply drop (V↓) are marked]
◼ Laser pulses are injected into the substrate of the chip
◼ Side-channel leakage may be observed (e.g., Seebeck's effect)
◼ Faults may be induced due to photoelectric effects
17. page 17
Invasive Attacks
[Figure: substrate thinned by grinding/drilling and metal delayered; TEM inspection (cross-section), SEM inspection, nano-probing]
◼ Destructive changes are needed, e.g., decapsulation + metal delayering
◼ Chip cannot function normally after sample preparation
◼ Usually requires high-end equipment and expert attackers
◼ Highest attack strength and cost
18. page 18
Chip Delayering
[Figure: delayering sequence: removing upper metal → exposure of gate & contact → exposure of diffusion]
19. page 19
Reverse Engineering
◼ Find the design (layout and schematic) through visual inspection of delayered chips
◼ Expose memory locations that store sensitive data → helps to find the keys using other methods
◼ Metal keys may be exposed through reverse engineering
[Figure: layer-by-layer layout photos → regeneration of the schematic]
20. page 20
Micro-probing (Nano-probing)
[Figure: two probe channels (channel1, channel2) landed on exposed structures, with their readings]
◼ De-cap → De-layer → Probing
– Forcing voltage/current or monitoring
◼ May use FIB (focused ion beam) to open a probing window
21. page 21
Focused Ion Beam (FIB)
◼ De-cap → De-layer → Re-wire using FIB
– Critical information may be sent to unintended locations
[Figure: SoC with CPU, Crypto, NVM and Secure/Non-secure regions, before and after FIB editing; 1 cut + 1 connection reroutes a signal from the secure to the non-secure side → key leak]
22. page 22
Passive Voltage Contrast (PVC) Attacks
◼ Using FIB or SEM to scan through the target metal/semiconductor structure
◼ Secondary electron scattering is affected by charge accumulation
– Positive voltage prevents electron scattering to the detector
◼ Leakage paths may be found in the resulting image
[Figure: FIB/SEM frontside scan and backside scan]
24. page 24
Types of Anti-tampering techniques
Package Level (prevent physical access → tampering makes chips unfunctional):
• Anti-Tamper Seal
• Back-to-back packaging
• …
Chip Level (send alarm flags → system can sense abnormal behaviors):
• Temperature Sensor
• Glitch detector
• Frequency detector
• Active shield
• …
IP Level (mitigate faults and leakage → FI and SCA become ineffective):
• Secure layout
• Fault detection
• Redundancy
• Random insertion
• …
All required to achieve the highest security level
25. page 25
Package Level Anti-Tampering
[Figure: wirebond package after decap & delayer; flip-chip package after decap & grind]
◼ Decapsulating packages allows physical access to the frontside/backside of the chips
◼ Need special packaging techniques as countermeasures
26. page 26
Anti-tamper seal for secure packaging
[Figure: tamper-detection pins A and B bridged by the anti-tamper seal: short circuit → not tampered; after decap the seal is broken, open circuit → tampered]
◼ E.g., anti-tamper tape connected to tamper detection pins
– Tape will be broken if the package is opened
– Tamper event is detected by checking for short/open circuit
27. page 27
Back-to-back packaging
◼ Conventional package techniques, especially flip-chip packages, may be accessed from the backside
◼ Solution: stick the backsides of two chips together
◼ Need to separate the two chips before accessing from the backside
[Figure: backside physical attacks on a conventional flip-chip package vs. a back-to-back package (back/front marked)]
29. page 29
Tamper Detection Circuits
◼ Detecting tampering events using global or distributed detectors
◼ Global Detectors: detecting tamper events that affect most of the circuits
◼ Distributed Detectors: detecting tamper events from localized fault injection or probing
[Figure: SoC with Core and Crypto Engine; global detectors (Voltage Detector, Frequency Detector, Temperature Sensor) and distributed detectors (Voltage Glitch Detector, Clock Glitch Detector) report to the Anti-Tamper Controller in the Hardware Root of Trust]
30. page 30
IP Level Anti-Tampering Techniques
[Figure: conventional crypto design vs. protected crypto design, each shown with input/output, VDD and the current I / ΔV observable on the supply]
◼ Make circuit designs intrinsically resilient to attacks – Security by Design
◼ For Soft IP: implemented in RTL design
◼ For Hard IP: implemented in schematic design and layout
31. page 31
Requirements in Certification Programs
◼ Many electronic products need to obtain security certificates
◼ Different security levels defined in different certification programs
◼ Higher security level requires better resistance against physical attacks
32. page 32
Assessing Attacks and Countermeasures
◼ JIL rating methodology, a commonly used approach
– Joint Interpretation Library – "Application of Attack Potential to Smartcards and Similar Devices"
– Refinement of the methodology in Common Criteria
– Originates from the secure IC industry targeting smart card applications
– Widely adopted in industries requiring high security

Factors                                   | Identification rating | Exploitation rating
Elapsed time                              | < one week (2)        | < one week (4)
Expertise                                 | …                     | …
Knowledge of the TOE                      | …                     | …
Access to TOE                             | …                     | …
Equipment                                 | …                     | …
Open samples / Samples with known secrets | …                     | …
Total Rating = ?? (requirements for the attack method → attack rating)

Range of values | TOE resistant to attackers with potential of
0-15            | No Rating
16-20           | Basic
21-25           | Enhanced Basic
26-30           | Moderate
31 and above    | High
33. page 33
JIL Rating Example
Identification: identify a successful attack method
Exploitation: repeat the identified attack method

Factor                                    | Identification       | Exploitation         | Meaning
Elapsed time                              | < one week (2)       | < one week (4)       | Requires less than 1 week (> 3 days) to perform the attack
Expertise                                 | Expert (5)           | Expert (4)           | The attacker's expertise needed to perform the attack
Knowledge of the TOE                      | Restricted (2)       | Public (0)           | How much information is needed to perform the attack
Access to TOE                             | < 10 samples (0)     | < 10 samples (0)     | How many samples are needed to complete the attack
Equipment                                 | Multiple Bespoke (7) | Multiple Bespoke (8) | Required level of equipment for performing the attack
Open samples / Samples with known secrets | Not Required (0)     | Not Applicable (0)   | Number of open samples needed to perform the attack
Total Rating: 32
Example: attack potential evaluation against reverse engineering
TOE resistant to attackers with potential of: High
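The rating arithmetic from the two slides above, as an added Python example that is not part of the original deck: it encodes only the factor options and points printed on the slides (the full JIL tables define more options per factor), sums the identification and exploitation points, and maps the total to the resistance-level band, refusing unrated factors or options that are not in the table.

```python
"""JIL attack-potential rating: points per factor for Identification and
Exploitation are summed and the total mapped to a TOE resistance level.
Only the rating options printed on the slides are encoded here."""

# {factor: {option: points}} for each phase, values as on the slides.
IDENTIFICATION = {
    "Elapsed time": {"< one week": 2}, "Expertise": {"Expert": 5},
    "Knowledge of the TOE": {"Restricted": 2}, "Access to TOE": {"< 10 samples": 0},
    "Equipment": {"Multiple Bespoke": 7}, "Open samples": {"Not Required": 0},
}
EXPLOITATION = {
    "Elapsed time": {"< one week": 4}, "Expertise": {"Expert": 4},
    "Knowledge of the TOE": {"Public": 0}, "Access to TOE": {"< 10 samples": 0},
    "Equipment": {"Multiple Bespoke": 8}, "Open samples": {"Not Applicable": 0},
}
# Upper bound of each total-rating band (slide table); 31 and above is High.
LEVELS = ((15, "No Rating"), (20, "Basic"), (25, "Enhanced Basic"), (30, "Moderate"))


def resistance_level(total: int) -> str:
    """Map a total rating to the attacker potential the TOE resists."""
    if total < 0:
        raise ValueError("rating cannot be negative")
    return next((level for upper, level in LEVELS if total <= upper), "High")


def rate_attack(ident: dict, exploit: dict) -> tuple[int, str]:
    """Return (total, level). ident/exploit map each factor to its chosen
    option; every factor must be rated in both phases with a tabulated
    option, so an omission or typo raises instead of lowering the score."""
    total = 0
    for table, choice in ((IDENTIFICATION, ident), (EXPLOITATION, exploit)):
        for factor, options in table.items():
            if factor not in choice:
                raise ValueError(f"factor not rated: {factor}")
            if choice[factor] not in options:
                raise ValueError(f"unknown option {choice[factor]!r} for {factor}")
            total += options[choice[factor]]
    return total, resistance_level(total)


# The slide's reverse-engineering example: 2+5+2+0+7+0 + 4+4+0+0+8+0 = 32 -> High.
SLIDE_EXAMPLE_ID = {"Elapsed time": "< one week", "Expertise": "Expert",
                    "Knowledge of the TOE": "Restricted", "Access to TOE": "< 10 samples",
                    "Equipment": "Multiple Bespoke", "Open samples": "Not Required"}
SLIDE_EXAMPLE_EX = {**SLIDE_EXAMPLE_ID, "Knowledge of the TOE": "Public",
                    "Open samples": "Not Applicable"}

if __name__ == "__main__":
    print(rate_attack(SLIDE_EXAMPLE_ID, SLIDE_EXAMPLE_EX))  # (32, 'High')
```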
35. page 35
What is a Root of Trust?
[Figure: SoC with Core Processor, Crypto Coprocessor, DRAM Controller, SRAM, ROM and a Root of Trust block on the Main Bus]
A Root of Trust (RoT) stores and manages the most sensitive digital assets
36. page 36
The Needs of Root of Trust in Silicon
[Figure: Device A and Device B each hold a different unique key that must be securely stored in the hardware and resilient to attacks]
▪ How to ensure this key is unique?
→ Keys need to be securely provisioned
▪ How to ensure this key cannot be stolen?
→ Keys should be kept in a Root-of-Trust
37. page 37
NVM Secure Macro
◼ Need to store keys in the chip
◼ OTP, eFuse, Flash, ROM, …
– Designed as an analog hard macro
– Without standard interface
◼ Need dedicated controller
◼ How to secure the contents?
[Figure: NVM Hard Macro (Memory Array, BL-decode/SA, BG/HV CP, WL-decode, ctrl) connected over a proprietary protocol to the Controller and RTL Wrapper with an APB Slave I/F (APB protocol)]
38. page 38
Requirements for NVM Secure Macro
◼ Usability
– Support standard interface to system bus
– RTL wrapper translates system commands to proprietary control signals
◼ Security
– Secure control flow and access policy management
– Countermeasures against physical attacks
[Figure: SoC with CPU, Crypto Coprocessor and SRAM on the Main Bus; the Root-of-Trust block consists of the RTL wrapper and the Hard Macro, attached over APB]
39. page 39
PUFrt: Hardware Root of Trust
◼ 3rd-party Security Lab certified anti-tampering design
◼ 5-in-1 Secure OTP: OTP + PUF + TRNG + Control logic + Privilege mode
[Figure: PUFrt (PUF, TRNG, OTP) inside the PUF-Realm, serving the Secure Sub-system (Cryptos) over APB 2 and the CPU Core over APB 1]
PUFrt Features / Benefits
Secure Storage
▪ Secure OTP
▪ Anti-physical/electrical attack
Integrated TRNG
▪ Instant ready: 90b in 100us
▪ NIST SP800-90B / 800-22 compliant
Inborn PUF (1Kb)
▪ Saves the costly key injection process
▪ Instant ready without helper data
Anti-Tamper
▪ The design and entropy protect the macro, operation and interface
Dual Interface
▪ Standard APB-s Controller
▪ Privileges to Secure/Non-secure
▪ Customizable to TCM and TileLink
41. page 41
PUFrt Design Diagram
PUFrt consists of:
• APB-Client I/F
• 4*256 UID
• TRNG
• 128*32 Secure OTP
• Anti-Tampering Designs
[Figure: PUFrt block diagram. Hard Macro in GDS: NeoPUF 2K and NeoFuse 4K arrays with X-Decode Driver, Y-Decode/SA, SACTL, CTL Logic, High Voltage Charge Pump and Analog (BG/Jitters). Digital RTL: APB Client on a Wide Bus, Digital (BUS Protect), TRNG/Conditioning, TRNG/PUF Health Check ⑭, Post Masking, Random Insertion READ, Address/Data Shuffler, Access Permission, Interrupt Status, Test Mode Command, Fault Injection Protection.]
42. page 42
PUFrt: Complete Anti-Tampering
TYPES / SECURITY FEATURES
Invasive Attack
1 Intrinsic Physical Security
2 Voltage Contrast Attack Countermeasures
3 Data Address X-Y Scrambler and IO Shuffler using PUF
Semi-Invasive Attack
4 (Optional) Top Metal Shielding
5 Security-oriented IP Layout
6 Active Sense-Amplifier READ Protection
7 Hidden and Obfuscated Data Interface (inside macro)
8 Output Data Fault Detection
Non-Invasive Attack
9 Pin Integrity Protection on Mode and Array Selection
10 Word Lock; Non-Accessible Post-Masking (on OTP)
11 Zeroization and Post-Masking (on PUF)
12 Built-in Secure Repair and Test-mode Lock
13 (Optional) Random Dummy Insertion READ
14 PUF Health Check
15 Fault Injection Prevention (Mode/Address/Post-masking)
16 Unified Write Power to Prevent Electrical Analysis
17 Power Detection - VDD/VDDIO Floating
[Figure: Digital RTL (TRNG/UID/OTP Encryption, Secure Controller, APB Interfacing) and Hard Macro in GDS (ctrl, BL-decode/SA, HV CP, WL-decode, NeoFuse, NeoPUF, ROSC Entropy) joined by a Secure Bus, with anti-tampers in both parts]
▪ Comprehensive IP-level anti-tampering design in Hard Macro and RTL
43. page 43
Threat Model List and Countermeasures
Threat Model Against Design (green/blue for hard macro/digital)
Threat | Countermeasures
SEM, FIB, TEM, optical inspection (OBIC/OBIRCH) | Intrinsic physical security ①
Passive voltage contrast | Sharing poly and OD array ②
Locate address, delayer and nano probing; optical inspection (OBIC/OBIRCH) | Top metal shielding, security-oriented IP layout, inter-metal routing ④⑤⑦; Address/IO scrambler, post-masking, random dummy read ③⑩⑪⑬
Power analysis on SA during read | Active SA protection during reading ⑥
Fault injection on visible IO or mode select | Output Data Fault Detection, Pin Protection, IO-Shuffler, FI prevention ③⑧⑨⑮
Rollback, replay attack and software access | Access Permission and Post-Masking on OTP and PUF ⑩⑪
Secure setting or reserved bit leakage/revision | Secure repair and test-mode protection by lock ⑫
Fault injection or glitch | Output Data Fault Detection, Random dummy read, FI Prevention ⑧⑬⑮
Power analysis on CP or maliciously cut power | Unified operating power and power floating detection ⑯⑰
Skip enrolling PUF | PUF health check and flag check ⑭
Photon emission inspection | Active SA protection during reading ⑥; Address/IO scrambler, post-masking, random dummy read ③⑩⑪⑬
44. page 44
Hard Macro Anti-Tampering Features
[Figure: hard macro block diagram (X-Decode Driver, Y-Decode/SA, Analog (BG/Jitters), NeoPUF 2K, NeoFuse 4K, SACTL, CTL Logic, High Voltage Charge Pump) with the APB/CTR functions in Digital RTL (APB Client, Wide Bus). The numbered security features ①–⑰ listed on the previous slide are placed on the blocks they protect: ①② and ③⑩⑪⑫⑬⑭⑮ at the array/digital boundary, ⑤⑥⑧⑨⑯⑰ on individual blocks; global protection: ④⑤⑦]
45. page 45
Digital Anti-Tampering Features
[Figure: Digital RTL (APB Client, Wide Bus, Digital (BUS Protect)) in front of the Hard Macro (OTP, PUF, Entropy). Hard-macro features ①②④⑤⑥⑦⑯⑰ are marked inside the macro; the digital blocks (TRNG/Conditioning, TRNG/PUF Health Check ⑭, Interrupt Status, Test Mode Command, Post Masking, Random Insertion READ, Address/Data Shuffler, Access Permission, Fault Injection Protection ⑮) carry the digital features ③⑧⑨⑩⑪⑫⑬⑭⑮ of the numbered list on the earlier slide]
47. page 47
Summary
◼ PUFrt is an NVM secure macro that works as a Hardware Root of Trust
◼ An NVM secure macro needs to be resistant to physical attacks
◼ Various physical attacks need to be considered
– Invasive attacks, e.g., TEM, SEM
– Semi-invasive attacks, e.g., laser fault injection
– Non-invasive attacks, e.g., power analysis
◼ Anti-tampering techniques need to be implemented against physical attacks
– Package level, chip level and IP level solutions
◼ PUFrt is equipped with comprehensive anti-tampering designs
– Anti-tampering designs in the hard macro
– Anti-tampering designs in the RTL wrapper