Skip Nav Destination
Close Modal
Update search
Filter
- Title
- Authors
- Author Affiliations
- Full Text
- Abstract
- Keywords
- DOI
- ISBN
- EISBN
- Issue
- ISSN
- EISSN
- Volume
- References
Filter
- Title
- Authors
- Author Affiliations
- Full Text
- Abstract
- Keywords
- DOI
- ISBN
- EISBN
- Issue
- ISSN
- EISSN
- Volume
- References
Filter
- Title
- Authors
- Author Affiliations
- Full Text
- Abstract
- Keywords
- DOI
- ISBN
- EISBN
- Issue
- ISSN
- EISSN
- Volume
- References
Filter
- Title
- Authors
- Author Affiliations
- Full Text
- Abstract
- Keywords
- DOI
- ISBN
- EISBN
- Issue
- ISSN
- EISSN
- Volume
- References
Filter
- Title
- Authors
- Author Affiliations
- Full Text
- Abstract
- Keywords
- DOI
- ISBN
- EISBN
- Issue
- ISSN
- EISSN
- Volume
- References
Filter
- Title
- Authors
- Author Affiliations
- Full Text
- Abstract
- Keywords
- DOI
- ISBN
- EISBN
- Issue
- ISSN
- EISSN
- Volume
- References
NARROW
Date
Availability
1-10 of 10
Hardware Attacks and Reverse Engineering
Close
Follow your search
Access your saved searches in your account
Would you like to receive an alert when new items match your search?
Sort by
Proceedings Papers
ISTFA2019, ISTFA 2019: Conference Proceedings from the 45th International Symposium for Testing and Failure Analysis, 249-255, November 10–14, 2019,
Abstract
View Paper
PDF
Reverse engineering today is supported by several tools, such as ICWorks, that assist in the processing and extraction of logic elements from high definition layer by layer images of integrated circuits. To the best of our knowledge, they all work under the assumption that the standard cell library used in the design process of the integrated circuit is available. However, in situations where reverse engineering is done on commercial off-the-shelf components, this information is not available thereby, rendering the assumption invalid. Until now, this problem has not been addressed. In this paper, we introduce a novel approach for the extraction of standard cell library using the contact layer from these images. The approach is completely automated and does not require any prior knowledge on the construction or layout of the target semiconductor integrated circuit. The performance of the approach is evaluated on two AES designs with 10,000 cells compiled from standard libraries with 32nm and 90nm node technologies having 350 and 340 standard cells respectively. We were able to successfully extract 94% and 60% of the standard cells from the 32nm and 90nm AES designs using the proposed approach. We also perform a case study using a realworld sample extracted from a smartcard. Finally, we also investigate the various challenges involved in the extraction of standard cells from images and the steps involved in resolving them.
Proceedings Papers
ISTFA2019, ISTFA 2019: Conference Proceedings from the 45th International Symposium for Testing and Failure Analysis, 256-265, November 10–14, 2019,
Abstract
View Paper
PDF
Globalization and complexity of the PCB supply chain has made hardware assurance a challenging task. An automated system to extract the Bill of Materials (BoM) can save time and resources during the authentication process, however, there are numerous imaging modalities and image analysis techniques that can be used to create such a system. In this paper we review different imaging modalities and their pros and cons for automatic PCB inspection. In addition, image analysis techniques commonly used for such images are reviewed in a systematic way to provide a direction for future research in this area. Index Terms —Component Detection, PCB, Authentication, Image Analysis, Machine Learning
Proceedings Papers
ISTFA2018, ISTFA 2018: Conference Proceedings from the 44th International Symposium for Testing and Failure Analysis, 256-265, October 28–November 1, 2018,
Abstract
View Paper
PDF
Hardware Trojans are malicious changes to the design of integrated circuits (ICs) at different stages of the design and fabrication processes. Different approaches have been developed to detect Trojans namely non-destructive (electrical tests like run-time monitoring, functional and structural tests) and destructive (full chip reverse engineering). However, these methods cannot detect all types of Trojans and they suffer from a number of disadvantages such as slow speed of detection and lack of confidence in detecting all types of Trojans. Majority of hardware Trojans implemented in an IC will leave a footprint at the doping (active) layer. In this paper, we introduce a new version of our previously developed “Trojan Scanner” [1] framework for the untrusted foundry threat model, where a trusted GDSII layout (golden layout) is available. Advanced computer vision algorithms in combination with the supervised machine-learning model are used to classify different features of the golden layout and SEM images from an IC under authentication, as a unique descriptor for each type of gates. These descriptors are compared with each other to detect any subtle changes on the active region, which can raise the flag for the existence of a potential hardware Trojan. The descriptors can differentiate variation due to fabrication process, defects, and common SEM image distortions to rule out the possibility of false detection. Our results demonstrate that Trojan Scanner is more reliable than electrical testing and faster than full chip reverse engineering. Trojan Scanner does not rely on the functionality of the circuit rather focuses on the real physical structure to detect malicious changes inserted by the untrusted foundry.
Proceedings Papers
ISTFA2018, ISTFA 2018: Conference Proceedings from the 44th International Symposium for Testing and Failure Analysis, 266-271, October 28–November 1, 2018,
Abstract
View Paper
PDF
This paper compares the three major semi-invasive optical approaches, Photon Emission (PE), Thermal Laser Stimulation (TLS) and Electro-Optical Frequency Mapping (EOFM) for contactless static random access memory (SRAM) content read-out on a commercial microcontroller. Advantages and disadvantages of these techniques are evaluated by applying those techniques on a 1 KB SRAM in an MSP430 microcontroller. It is demonstrated that successful read out depends strongly on the core voltage parameters for each technique. For PE, better SNR and shorter integration time are to be achieved by using the highest nominal core voltage. In TLS measurements, the core voltage needs to be externally applied via a current amplifier with a bias voltage slightly above nominal. EOFM can use nominal core voltages again; however, a modulation needs to be applied. The amplitude of the modulated supply voltage signal has a strong effect on the quality of the signal. Semi-invasive read out of the memory content is necessary in order to remotely understand the organization of memory, which finds applications in hardware and software security evaluation, reverse engineering, defect localization, failure analysis, chip testing and debugging.
Proceedings Papers
ISTFA2018, ISTFA 2018: Conference Proceedings from the 44th International Symposium for Testing and Failure Analysis, 272-279, October 28–November 1, 2018,
Abstract
View Paper
PDF
Reverse engineering typically requires expensive equipment, skilled technicians, time, a cross section of the component to be sliced out, and a dedicated reconstruction software. In this paper, we present a low-cost alternative, combining fast frontside sample preparation, electron microscopy imaging, similar standard cell recognition, as well as within and between die Standard Cell Statistical Analysis (SCSA). We develop the process to access the transistor’s drain/source area; image the full surface; develop a robust pattern recognition tool and analyze the standard cell size, local / global location and occurrences number. We present the inner workings of each step and results on 45–65nm FCBGA devices enabling to locate specific areas (core registers, hardware accelerator, and so on) within a die, and find similarities between dies. We particularly point out the importance of such design information extraction for local fault injection and hardware assurance. The primary goal is to analyze how much integrated circuit design information can be retrieved with minimal costs and without outsourcing.
Proceedings Papers
ISTFA2018, ISTFA 2018: Conference Proceedings from the 44th International Symposium for Testing and Failure Analysis, 280-289, October 28–November 1, 2018,
Abstract
View Paper
PDF
Optical probing from the backside of an integrated circuit (IC) is a powerful failure analysis technique but raises serious security concerns when in the hands of attackers. For instance, attacks using laser voltage probing (LVP) allow direct reading of sensitive information being stored and/or processed in the IC. Although a few sensor-based countermeasures against backside optical probing attacks have been proposed, the overheads (fabrication cost and/or area) are considerable. In this paper, we introduce nanopyramid structures that mitigate optical probing attacks by scrambling the measurements reflected by a laser pulse. Nanopyramid structure is applied to selected areas inside an IC that requires protection against optical probing attacks. The fabrication of nanopyramids is CMOS compatible and well established for photovoltaic applications. We design the nanopyramid structure in ICs, develop the LVP attacking model, and perform optical simulations to analyze the impact of nanopyramids on LVP. According to the simulation results, the nanopyramid can disturb the optical measurements enough to make LVP attacks practically infeasible. In addition, our nanopyramid countermeasure has no area overheads and works in a passive mode without consuming any energy.
Proceedings Papers
ISTFA2018, ISTFA 2018: Conference Proceedings from the 44th International Symposium for Testing and Failure Analysis, 290-294, October 28–November 1, 2018,
Abstract
View Paper
PDF
In the last decades, the supply chain of printed circuit boards (PCBs) becomes distributed with growing complexity of PCB designs and the economic trend of outsourcing the PCB manufacturing. This makes the PCBs more vulnerable to security attacks, such as tampering, snooping, and electromagnetic (EM) attacks. Because of the large feature size of PCBs (compared to integrated circuits), it is challenging to protect the PCBs from those attacks or proof the suspected attacks. For the same reason, PCBs are vulnerable to non-invasive reverse engineering by X-ray tomography as well. In this paper, we propose a novel silicon carbide (SiC) coating technique to provide passive protection for PCBs from in-field tampering, snooping and EM attacks. In addition, capacitive sensors are designed based on the SiC coating, offering active defense against those attacks. The coating and sensors can be implemented on PCBs in cost-efficient ways and the area overheads are minimized. The insulating coating also allows an extra tungsten-based painting to be applied to prevent the X-ray reverse engineering.
Proceedings Papers
ISTFA2017, ISTFA 2017: Conference Proceedings from the 43rd International Symposium for Testing and Failure Analysis, 279-284, November 5–9, 2017,
Abstract
View Paper
PDF
Modern integrated circuits (ICs) are in permanent risk of hardware attacks on sensitive data. But, proper and affordable protection of the IC backside against Focused Ion Beam (FIB) and optical fault injection attacks is missing. In this work, we investigate a patent [1] that uses p-n junctions as light emitters (forward bias) and detectors. We improved the backside detection mechanism presented in the patent by developing a test structure and adding an optically active layer on the backside as protective element to detect an attacked backside with electrical signals in the IC. The angle dependent reflection provided by the layer acts as the protective function. We demonstrate how the light emission and detection concept is quantitatively working and how the active layer produces a backside layer integrity related signal in the IC which can act as attack indicator. We also show that, due to the weak light emission intensity of silicon and the high excitation current, influences such as multi-angle reflection and stray current are reducing the angle-dependent effect on the signal and have to be taken into account in practical use.
Proceedings Papers
ISTFA2017, ISTFA 2017: Conference Proceedings from the 43rd International Symposium for Testing and Failure Analysis, 285-298, November 5–9, 2017,
Abstract
View Paper
PDF
This paper discusses the development of an extensible programmatic workflow that leverages evolving technologies in 2D/3D imaging, distributed instrument control, image processing, and automated mechanical/chemical deprocessing technology. Initial studies involve automated backside mechanical ultra-thinning of 65nm node IC processor chips in combination with SEM imaging and X-ray tomography. Areas as large as 800μm x 800μm were deprocessed using gas-assisted plasma FIB delayering. Ongoing work involves enhancing the workflow with “intelligent automation” by bridging FIB-SEM instrument control and near real-time data analysis to establish a computationally guided microscopy suite.
Proceedings Papers
ISTFA2017, ISTFA 2017: Conference Proceedings from the 43rd International Symposium for Testing and Failure Analysis, 299-302, November 5–9, 2017,
Abstract
View Paper
PDF
This paper proposes a compact and robust topology descriptor for the automated identification of logic gates during the reverse engineering of full integrated circuits (ICs). This gate signature proves to be very insensitive to technology scaling, device sizing or layout extraction accuracy. Based on this new descriptor, an automated gate identification tool named Gate-X is implemented on top of commercial IC design tools. The speed tests for a practical 100k-gate digital IC example show that the complete sea of gates can be identified in a few hours.