Hardware Attacks, Security, and Reverse Engineering
Proceedings Papers
ISTFA2023, ISTFA 2023: Conference Proceedings from the 49th International Symposium for Testing and Failure Analysis, 323-328, November 12–16, 2023,
Antenna-in-Package Assurance with Radio Frequency Fingerprint
Antenna-in-packaging (AiP) enables the next generation of high-performance wireless 5G mmWave communication and beyond by incorporating antenna arrays in small form factors using System in Package (SiP) technology. The trend toward heterogeneous integration and advanced packaging will likely introduce more complexity to the semiconductor supply chain. In addition, there is also the risk of becoming more susceptible to security vulnerabilities associated with advanced packaging. This paper provides an overview of the supply chain vulnerabilities in advanced packaging and heterogeneous integration, followed by the existing security, reliability issues, and assurance of AiP. Apart from discussing existing physical modalities of AiP assurance and vulnerabilities, we propose Radio Frequency Fingerprint (RFF) as a new physical modality for AiP assurance. We also discuss possible future research direction and application of RFF in AiP assurance.
Proceedings Papers
ISTFA2023, ISTFA 2023: Conference Proceedings from the 49th International Symposium for Testing and Failure Analysis, 329-338, November 12–16, 2023,
Layout-Only Hardware Trojans: Attack Vectors and a Non-Golden Model Reverse Engineering-Based Counterstrategy
Globally distributed microelectronic supply chains have disrupted trust in silicon hardware and have drawn academia’s attention toward different scenarios of malicious circuit modifications, i.e., hardware Trojans. This dynamic hardware environment, including open-source approaches and evermore outsourcing, requires constant reassessment of offensive and defensive aspects. Based on an untrusted foundry model, this work assesses the concrete technical realizations of layout-only modifications via design file editing, mask editing, or in-line alterations. Furthermore, the attack possibility on different modules within a system on a chip is qualitatively evaluated. Consequently, a modification is demonstrated on an SRAM-’PUF’ module. To link the attack point-of-view with a defensive measure, we propose a hardware reverse engineering-based countermeasure, which is non-reliant on a golden layout. Through a novel approach relying on inherent polygon properties, potentially occurring modifications are detected via clustering and a statistical evaluation of the intra-cluster distributions. Finally, the approach is demonstrated on samples from 7 nm to 150 nm, for which a modification detection rate between 95% and 100% is reached for all evaluated samples.
Proceedings Papers
ISTFA2023, ISTFA 2023: Conference Proceedings from the 49th International Symposium for Testing and Failure Analysis, 339-345, November 12–16, 2023,
Electrons Vs. Photons: Assessment of Circuit’s Activity Requirements for E-Beam and Optical Probing Attacks
Contactless probing methods through the chip backside have been demonstrated to be powerful attack techniques in the field of electronic security. However, these attacks typically require the adversary to run the circuit under specific conditions, such as enforcing the switching of gates or registers with certain frequencies or repeating measurements over multiple executions to achieve an acceptable signal-to-noise ratio (SNR). Fulfilling such requirements may not always be feasible due to challenges such as low-frequency switching or inaccessibility of the control signals. In this work, we assess these requirements for contactless electron- and photon-based probing attacks by performing extensive experiments. Our findings demonstrate that E-beam probing, in particular, has the potential to outperform optical methods in scenarios involving static or low-frequency circuit activities.
Proceedings Papers
ISTFA2023, ISTFA 2023: Conference Proceedings from the 49th International Symposium for Testing and Failure Analysis, 346-351, November 12–16, 2023,
Electron Beam Probing: The New Sheriff in Town for Security Analyzing of Sub-7nm ICs - Exploring the Advantages of a Post-Photon Emission Technique
The increasing demand for semiconductor chips and the outsourcing of chip fabrication have heightened vulnerability to hardware security threats. While optical probing has been used extensively for semi-invasive/non-invasive attacks, its resolution limits and obsolescence in advanced technologies have necessitated exploring other techniques. Electron-beam probing (EBP) has emerged as a powerful method, offering 20x better spatial resolution than optical probing, and applies to sub-7nm flip-chips and advanced 3D architecture systems. However, the increased resolution of EBP also poses a threat to sensitive information on these advanced chips, calling for developing countermeasures to secure assets. By understanding the capability of EBP, the potential of using EBP to extract sensitive data such as encryption keys, soft IP, neural network parameters, and proprietary algorithms will be discussed. This paper delves into the principles behind EBP, its capabilities, challenges for this technique, and potential applications in failure analysis and potential attacks. It highlights the need for developing effective countermeasures to protect sensitive information on advanced node technologies.
Proceedings Papers
ISTFA2023, ISTFA 2023: Conference Proceedings from the 49th International Symposium for Testing and Failure Analysis, 352-359, November 12–16, 2023,
Lock-in Thermography for the Localization of Security Hard Blocks on SoC Devices
Localizing security-relevant hard blocks on modern System-on-Chips (SoCs) for physical attacks, such as side-channel analysis and fault attacks, has become increasingly time-consuming due to ever-increasing chip area and complexity. While this development increases the effort and reverse engineering cost, it is not sufficient to withstand resolute attackers. This paper explores the application of camera-based lock-in thermography (LIT), a nondestructive testing method, for identifying and localizing security hard blocks on integrated circuits. We use a synchronous signal to periodically activate security-related functions in the firmware, which causes periodic temperature changes in the activated die areas that we detect and localize via an infra-red camera. Using this method, we demonstrate the precise detection and localization of security-related hard blocks at the die level on a modern SoC.
Proceedings Papers
ISTFA2023, ISTFA 2023: Conference Proceedings from the 49th International Symposium for Testing and Failure Analysis, 360-369, November 12–16, 2023,
LLE: Mitigating IC Piracy and Reverse Engineering by Last Level Edit
Hardware obfuscation is a proactive design-for-trust technique against integrated circuit (IC) supply chain threats, i.e., intellectual property (IP) piracy and overproduction. Many studies have evaluated numerous obfuscation techniques, broadly classified as IC camouflaging, logic locking, and split manufacturing. In split manufacturing, threats introduced by an untrusted foundry are eliminated by manufacturing only the front-end of line (FEOL) layers in the high-end untrusted foundry, and back-end of line (BEOL) layers in the design house’s trusted low-end foundry to hide BEOL connections from the untrusted foundry. However, researchers proposed several attacks based on physical layout design heuristic, network-flow model, and placement-routing proximity to extract missing back-end of line connections. Nevertheless, split manufacturing suffers from yield due to challenges in properly aligning FEOL connections with the BEOL. This paper proposes LLE, which protects ICs from piracy and reverse-engineering by untrusted foundries. In this approach, we perform layout-level obfuscation by creating an intermediate metal layer mesh to obscure the BEOL connections from the FEOL. After fabrication from an untrusted foundry, the mesh can be edited using a focused-ion beam (FIB) editing tool in a trusted facility (e.g., FIB lab) to realize the actual interconnection. Hence, unlike split manufacturing, LLE eliminates the requirement of a separate trusted foundry and establishes trust in the microelectronic supply chain by lowering cost and yield loss. To validate the effectiveness of LLE, we fabricated a test chip in MITLL Low-Power FDSOI CMOS Process. In the silicon test chip, we demonstrate that LLE can prevent IC piracy and reverse engineering with low costs and yield losses in the semiconductor supply chain.
Proceedings Papers
ISTFA2022, ISTFA 2022: Conference Proceedings from the 48th International Symposium for Testing and Failure Analysis, 217-224, October 30–November 3, 2022,
Emerging Nonvolatile Memories—An Assessment of Vulnerability to Probing Attacks
Probing and imaging techniques that are conventionally used for failure analysis pose a major threat to the confidentiality and the integrity of data stored in non-volatile memory (NVM) cells integrated into a silicon chip. These techniques fall under the umbrella of physical attacks, which unlock tremendous capabilities for an attacker trying to access secret information stored in a target NVM. How vulnerable an NVM cell is to these attacks depends on device physics and the operational principles of the memory cell. The wide range of emerging NVM technologies opens new opportunities for attackers. Without significant attention to these emerging threats, confidential data stored in NVMs can get compromised without much effort, given access to advanced failure analysis tools. We aim to show how attackers can use their knowledge of how a memory device works to find out a suitable probing or imaging modality to extract the stored secret.
Proceedings Papers
SPILL—Security Properties and Machine-Learning Assisted Pre-Silicon Laser Fault Injection Assessment
ISTFA2022, ISTFA 2022: Conference Proceedings from the 48th International Symposium for Testing and Failure Analysis, 225-236, October 30–November 3, 2022,
Laser-based fault injection (LFI) attacks are powerful physical attacks with high precision and controllability. Therefore, attempts have been made in the literature to model and simulate the laser effect in pre-silicon digital designs. However, these efforts can only model the laser effect on small SPICE or TCAD circuits of individual standard cells. This paper proposes security properties and a machine-learning assisted layout signoff framework in verifying the full-chip layout's resiliency against LFI. In the framework, we leveraged the commercial SoC power integrity sign-off tool to inject the Gaussian laser current to any spot in the layout, by considering different layout features such as power distribution network, decoupling capacitor placement, metal geometry, instance switching power, etc. To avoid exhaustive analysis of all layout spots regardless of LFI criticality, we use security properties to drive the assessment and identify critical areas. We then use SPICE simulations and machine learning to develop cell-level laser fault models under different laser-induced transient current intensities. This laser cell library is used during full-chip LFI feasibility analysis for the cells inside laser illumination, enabling precise layout-level design fix for critical cells failing the fault injection threshold. Finally, we show the effectiveness of the proposed framework by analyzing the fully implemented AES design layout.
Proceedings Papers
ISTFA2021, ISTFA 2021: Conference Proceedings from the 47th International Symposium for Testing and Failure Analysis, 154-162, October 31–November 4, 2021,
Quantitative Study of Photoelectric Laser Stimulation for Logic State Imaging in Embedded SRAM
The use of optical techniques for attacking integrated circuits (ICs) is increasingly being reported, particularly the nefarious extraction of data from embedded SRAM. Such attacks can provide access to highly sensitive information such as encryption keys and bypass various security measures. Attackers usually exploit one of several interactions between light and semiconductors to generate logic-state images that reflect data in memory. Thermal laser stimulation (TLS) and laser probing via electro-optical frequency mapping (EOFM) have been reported in the literature, but photoelectric laser stimulation (PLS) gets little attention. Considering the potential advantages of PLS over other techniques (e.g., less power is required to generate current-voltage changes and the effect can be triggered at shorter wavelengths, which can lead to improved spatial resolution), the authors set out to determine if logic state images can be generated from various types of devices with PLS and assess the strengths and limitations for each case. The results of the investigation are presented in this paper.
Proceedings Papers
ISTFA2021, ISTFA 2021: Conference Proceedings from the 47th International Symposium for Testing and Failure Analysis, 163-171, October 31–November 4, 2021,
The Role of Cloud Computing in a Modern Reverse Engineering Workflow at the 5nm Node and Beyond
Modern reverse engineering (RE) workflows involve a growing number of challenges as process nodes drop below 5 nm. As more circuitry is packed into smaller areas, larger quantities of raw data must be collected and processed to help reconstruct the underlying schematics of the circuit under test. This paper examines the role of cloud computing in reverse engineering, explaining how it improves throughput by orders of magnitude for 2D image registration and how it facilitates high-quality image segmentation with the help of machine learning.
Proceedings Papers
ISTFA2021, ISTFA 2021: Conference Proceedings from the 47th International Symposium for Testing and Failure Analysis, 172-178, October 31–November 4, 2021,
PCB Netlist Obfuscation with Micro Electro Mechanical Systems and Additive Manufacturing Techniques
Semiconductor manufacturing, including the multistep fabrication of ICs and tedious assembly of PCBs, has been outsourced to untrusted regions due to globalization. This invites many problems particularly for PCBs, which are vulnerable to nondestructive methods of attack such as X-ray data collection and surface trace probing. In the case of ICs, high-z materials have proven to be an effective countermeasure to block or scatter X-rays, but PCBs, because of their larger dimensions, are more difficult to fully secure. In this paper, a framework for passively obfuscating the critical connections between components on PCBs is demonstrated. A proof of concept is presented whereby an EDA tool combining the small features of micro electromechanical systems with X-ray simulation and 3D manufacturing processes is used to iteratively optimize a PCB design to thwart reverse engineering and probing attacks.
Proceedings Papers
ISTFA2021, ISTFA 2021: Conference Proceedings from the 47th International Symposium for Testing and Failure Analysis, 179-189, October 31–November 4, 2021,
Proof of Reverse Engineering Barrier: SEM Image Analysis on Covert Gates
IC camouflaging has been proposed as a promising countermeasure against reverse engineering. Camouflaged gates contain multiple functional device structures, but appear as a single layout under microscope imaging, thereby concealing circuit functionality. The recent covert gate camouflaging design comes with a significantly reduced overhead cost, allowing numerous camouflaged gates in circuits which improves resiliency against invasive and semi-invasive attacks. Dummy inputs are used in the design, but SEM imaging analysis has only been performed on simplified contact structures so far. In this study, we fabricated real and dummy contacts in different structures and performed a systematic SEM analysis to investigate contact charging and passive voltage contrast. Machine learning based pattern recognition was also employed to examine the possibility of differentiating real and dummy contacts. Based on our experimental results, we found that the difference between real and dummy contacts is insignificant, which effectively prevents SEM-based reverse engineering.
Proceedings Papers
ISTFA2020, ISTFA 2020: Papers Accepted for the Planned 46th International Symposium for Testing and Failure Analysis, 172-179, November 15–19, 2020,
Color Normalization for Robust Automatic Bill of Materials Generation and Visual Inspection of PCBs
A Bill of Materials (BoM) is the list of all components present on a Printed Circuit Board (PCB). BoMs are useful for multiple forms of failure analysis and hardware assurance. In this paper, we build upon previous work and present an updated framework to automatically extract a BoM from optical images of PCBs in order to keep up to date with technological advancements. This is accomplished by revising the framework to emphasize the role of machine learning and by incorporating domain knowledge of PCB design and hardware Trojans. For accurate machine learning methods, it is critical that the input PCB images are normalized. Hence, we explore the effect of imaging conditions (e.g. camera type, lighting intensity, and lighting color) on component classification, before and after color correction. This is accomplished by collecting PCB images under a variety of imaging conditions and conducting a linear discriminant analysis before and after color checker profile correction, a method commonly used in photography. This paper shows color correction can effectively reduce the intraclass variance of different PCB components, which results in a higher component classification accuracy. This is extremely desirable for machine learning methods, as increased prior knowledge can decrease the number of ground truth images necessary for training. Finally, we detail the future work for data normalization for more accurate automatic BoM extraction. Index Terms – automatic visual inspection; PCB reverse engineering; PCB competitor analysis; hardware assurance; bill of materials
Proceedings Papers
LASRE: A Novel Approach to Large area Accelerated Segmentation for Reverse Engineering on SEM images
ISTFA2020, ISTFA 2020: Papers Accepted for the Planned 46th International Symposium for Testing and Failure Analysis, 180-187, November 15–19, 2020,
In the hardware assurance community, Reverse Engineering (RE) is considered a key tool and asset in ensuring the security and reliability of Integrated Circuits (IC). However, with the introduction of advanced node technologies, the application of RE to ICs is turning into a daunting task. This is amplified by the challenges introduced by the imaging modalities such as the Scanning Electron Microscope (SEM) used in acquiring images of ICs. One such challenge is the lack of understanding of the influence of noise in the imaging modality along with its detrimental effect on the quality of images and the overall time frame required for imaging the IC. In this paper, we characterize some aspects of the noise in the image along with its primary source. Furthermore, we use this understanding to propose a novel texture-based segmentation algorithm for SEM images called LASRE. The proposed approach is unsupervised, model-free, robust to the presence of noise and can be applied to all layers of the IC with consistent results. Finally, the results from a comparison study are reported, and the issues associated with the approach are discussed in detail. The approach consistently achieved over 86% accuracy in segmenting various layers in the IC.
Proceedings Papers
ISTFA2020, ISTFA 2020: Papers Accepted for the Planned 46th International Symposium for Testing and Failure Analysis, 188-197, November 15–19, 2020,
An Overview of 3D X-Ray Reconstruction Algorithms for PCB Inspection
Printed Circuit Boards (PCBs) play a critical role in everyday electronic systems, therefore the quality and assurance of the functionality for these systems is a topic of great interest to the government and industry. PCB manufacturing has been largely outsourced to cut manufacturing costs in comparison with the designing and testing of PCBs which still retains a large presence domestically. This offshoring of manufacturing has created a surge in the supply chain vulnerability for potential adversaries to garner access and attack a device via a malicious modification. Current hardware assurance and verification methods are based on electrical and optical tests. These tests are limited in the detection of malicious hardware modifications, otherwise known as Hardware Trojans. For PCB manufacturing there has been an increase in the use of automated X-ray inspection. These inspections can validate a PCB’s functionality during production. Such inspections mitigate process errors in real time but are unable to perform high-resolution characterization on multi-layer fully assembled PCBs. In this paper, several X-ray reconstruction methods, ranging from proprietary to open-source, are compared. The high-fidelity, commercial NRecon software for SkyScan 2211 Multi-scale X-ray micro-Tomography system is compared to various methods from the ASTRA Toolbox. The latter is an open-source, transparent approach to reconstruction via analytical and iterative methods. The toolbox is based on C++ and MEX file functions with MATLAB and Python wrappers for analysis of PCB samples. In addition, the differences in required imaging parameters and the resultant artifacts generated by planar PCBs are compared to the imaging of cylindrical biological samples. Finally, recommendations are made for improving the ASTRA Toolbox reconstruction results and guidance is given on the appropriate scenarios for each algorithm in the context of hardware assurance for PCBs.
Proceedings Papers
ISTFA2020, ISTFA 2020: Papers Accepted for the Planned 46th International Symposium for Testing and Failure Analysis, 157-171, November 15–19, 2020,
Automated Via Detection for PCB Reverse Engineering
Reverse engineering (RE) is the only foolproof method of establishing trust and assurance in hardware. This is especially important in today's climate, where new threats are arising daily. A Printed Circuit Board (PCB) serves at the heart of virtually all electronic systems and, for that reason, is a precious target amongst attackers. Therefore, it is increasingly necessary to validate and verify these hardware boards both accurately and efficiently. When discussing PCBs, the current state-of-the-art is non-destructive RE through X-ray Computed Tomography (CT); however, it remains a predominantly manual process. Our work in this paper aims at paving the way for future developments in the automation of PCB RE by presenting automatic detection of vias, a key component to every PCB design. We provide a via detection framework that utilizes the Hough circle transform for the initial detection, and is followed by an iterative false removal process developed specifically for detecting vias. We discuss the challenges of detecting vias, our proposed solution, and lastly, evaluate our methodology not only from an accuracy perspective but the insights gained through iteratively removing false-positive circles as well. We also compare our proposed methodology to an off-the-shelf implementation with minimal adjustments of Mask R-CNN, a fast object detection algorithm that, although it is not optimized for our application, is a reasonable deep learning model to measure our work against. The Mask R-CNN we utilize is a network pretrained on MS COCO followed by fine tuning/training on prepared PCB via images. Finally, we evaluate our results on two datasets, one PCB designed in house and another commercial PCB, and achieve peak results of 0.886, 0.936, 0.973, for intersection over union (IoU), Dice Coefficient, and Structural Similarity Index. These results vastly outperform our tuned implementation of Mask R-CNN.