I think we can begin now, so Dmitry is going to tell you something about the security of the IC backside. Please give him a warm round of applause.

All right. So unfortunately, my coauthors that I've done a lot of this research with couldn't be here, so I get to do this alone, but this wasn't by any means just my work. And so this is nice for people who maybe saw David Oswald's talk today. He kind of did a nice introduction to a lot of the concepts I'll cover today in terms of security. And also anyone who saw the talk by the Infineon guy just now, I'm sure, got a very good overview as well. But that was in German, so I'll be covering a lot of the same stuff, but in English. So just a little bit about me. So I'm a third-year Ph.D. student at TU Berlin in Security in Telecommunications. So one of my main interests is physical attacks. So what's a physical attack against an IC? That's where you actually go in and you do something to the transistors. So not externally connecting an oscilloscope; it's where you completely open up the device, you go in, you put a needle down or something along those lines. And also, we'll learn what exactly all these terms are. So semi- and fully invasive analysis is kind of what we did, which was never done before. And an important thing which I mention in all of my talks is failure analysis, because a lot of people think that, you know, we're applying this to security and no one has ever thought of this before, and, you know, how do people come up with these crazy ideas to do all these things? And it turns out there's a whole industry for this, and the industry is failure analysis. So what failure analysis is, is basically, when you're producing a chip and something goes wrong, you don't know what went wrong. So now you have to sit there and you basically have to reverse engineer your own device, even though you designed it, because you don't know what went wrong. So that's fairly nuts. And so there's my, you know, Twitter. And if you want to contact me by email, and I'm especially proud, it's my homage to Dan that I got such a cool domain name.

So this is just kind of a joke. So people who do electrical engineering and maybe don't know this will appreciate this. So this was an April Fools' joke done by Signetics many years ago, and this shows you, from a conceptual level, some of the main misconceptions that people have when it comes to hardware and, if you apply it to security, one of the main misconceptions when it comes to security. And so the joke is, so this is a datasheet, and what this is is a fully encoded random access write-only memory. So I don't know if people see the contradiction between memory and write-only, but it doesn't make a lot of sense. And actually, nowadays you do have write-only memory, or certain types of write-only memories, or things that are called write-only memory. But this is back in the '70s, and this literally meant something that you write to and you can never get the data out. And so the never-get-the-data-out is kind of expressed in some of the applications, my favorite of which is the first-in, never-out buffer. So your data goes in and it never gets out. And this is, I mean, everyone here is laughing and they see how absurd this is. But when you talk to vendors, when you talk to people doing security or people who try to build secure systems, they assume they write the data onto the secure hardware and there's no way to get it out, because the hardware has encryption, it's encrypting everything. Everything's being executed, you know, on the device, and everything's being processed on the device and never leaves the device in an unencrypted form. And that's all true, but that means that it still gets decrypted on the device. So on the device somewhere, there's an area where you can find this and basically, you know, break the crypto by getting it decrypted, and the device does all the decryption for you. You don't even have to know how it works. And so we'll cover that a couple of times as well.

So here's kind of the outline for today. So I'm going to do some background, and then I'm going to get into IC reverse engineering, and then we'll talk about what the backside of an IC is and why this is important. And finally, we'll get into the more exciting stuff that we did, which was the kind of new research, the semi- and fully invasive stuff. So for that, I have a nice little part of a nice BBC documentary, which is also a nice motivation. And so let's hope the sound works, OK?

(Video clip plays.) ITV's OnDigital had picked one of those competitor systems. It was made by a French company called Canal Plus. Their smart card had never been hacked, and Canal Plus Technologies were so confident in their ability to supply a secure system that they stated very openly that it was unhackable. "The people who were selling us the microprocessor in which we embedded our software were telling us, I'm talking about the largest companies in this world of microprocessors, cannot be broken, your software cannot be extracted." But it could be, and NDS had the resources to do it. Oliver Kömmerling did crack open the Canal Plus card. NDS now possessed the competitor's greatest commercial secrets. "Did people from the team in Haifa, your team, reverse engineer, get a readout, understand the secrets of the Canal Plus encryption system?"

OK, so you get the idea. And so what happens is you extract the software from a smart card and then you can build something like this, which, I mean, I'll mention it also later, we're going to be hanging around, so if anyone wants to see all this kind of stuff, because, I mean, it's impressive to me how simple it is, you can come and talk to me. But so what this is, is it's one of the original pirate cards. So once they extracted the software, they knew how the cryptographic algorithm worked, and now they could go and grab a different microcontroller and make a PCB that basically, you know, fits into a pay TV receiver, and you stick the card in, and now you didn't pay anything, but you have all the channels. So this is what results from it. So again, the thing is, this is what used to be the case for the industry, because now we've kind of shifted, because it used to be that the obfuscation was the fact, was kind of what we talked about before, it was just the data. The fact that there was data on the chip was considered to be a big enough kind of protection mechanism to protect anyone from attacks, because no one would ever be able to extract the software from a chip. And now we know that's not true. So what we'll be kind of getting into is what they do today, which is you implement the cryptographic algorithm in hardware instead, which makes it much more difficult to attack. But if you're more interested in this, there's a nice book on this topic. So people who I talked to call it "the book" because it's pretty accurate and it has all the people who you need to know. And, yeah, I mean, it also covers the story of Tron, which CCC people will surely know, but it's basically how chips actually get hacked. Because a lot of times when you look at academic publications, they talk about side channels and how it takes millions of traces and hours of integration, et cetera. And in the real world, you know, everyone wants to have success the first time and they don't want to tinker with this. So they, you know, get out the bazooka and do what is surely going to work. So, yeah, let's get into that.

So what you kind of have to think of is classes of attacks when you talk about hardware security. And so on the left, you have the least expensive, the most simple attacks, which are noninvasive attacks. That's where you don't open up the device at all. So you connect to it externally, you watch the power consumption, you do something along those lines. And semi-invasive analysis: now you're opening up the package, and now maybe you're trying to hit it with a laser, for example, so using a laser to induce a fault, flip bits, et cetera. And fully invasive is what I explained before, which is the stuff that I always wanted to do: you know, there's a circuit manufactured on this chip, I'm going to go in and change the circuit so that I can get at the data. So noninvasive techniques are stuff like side channel analysis and different types of glitching and fuzzing, et cetera. And so this is actually a project I did together with Thorsten, who's up here in the front row, the Die Datenkrake, which is a nice little FPGA board to play around with. And we'll also mention how you can come and talk to us about that at the end of the talk. But so here you can really do this low cost, so you can do things like, there will be protocol errors, so now if you can talk to the device, you might be able to induce some errors and dump a couple of bytes that way. Or you can play around with the clock or the voltage, et cetera. But so why is this not applicable? I kind of touched on this already. So, I mean, on the one hand, I mean, this is kind of to compare and contrast. On the one hand, you have limited resources versus organizations that are very well equipped. And we kind of saw in the video, right? This was a professional lab from one of the competitors that hacked this chip. So in the real world, it's not always, you know, somebody in their garage, although there is also Chris Tarnovsky, who does all this stuff in his garage, too. But I mean, the point is that in general, you don't have the case where you have limited resources; you have substantial resources. That's kind of misrepresented in academia. And so the thing, like I said before, you want to have a foolproof attack, something you can do with a single trace, so you don't have to... So like for side channel analysis, a lot of times you'll talk about millions of traces. So what do people do to prevent side channel analysis? They have a counter, and the counter usually counts to two to the sixteen minus one. So the count is sixty-five thousand. And then after that, the card erases itself, and you're done. You can't do anything on this card, so you can't talk about doing a million repetitions to extract some sort of key. So again, for high security attacks, you always assume that you have kind of a black box, but it doesn't stay a black box to you. You actually reverse engineer it, and you figure out how the crypto system works, which is also kind of, I found it interesting to me when I saw David's talk, he kind of touched on that as well, that even for their side channel stuff, for certain applications, they really have to understand how the crypto system works as well. So anyway, but the main thing is, you know, there are countermeasures and weird stuff that people do on chips nowadays, and you have that in every, you know, chip that you buy. You know, it is relatively secure, and this is enough to stop noninvasive techniques. But high security kinds of analysis will always be able to circumvent any techniques implemented on the device, because we can actually change the circuit.

So what's IC reverse engineering? So here we can kind of look at it. So, you know, transistors are created at the surface of the silicon wafer. And now on top of that, we have interconnects going around connecting the different circuit nodes, and basically you have passivation around it. So if you look at this picture, the MOSFET is actually, you know, here in the middle, and around it you have passivation. So, sorry, on top of it, you have this metallization. So like I talked about, these are the metal interconnects, and around it you also have this isolation, which kind of provides the chip structure, and it allows you to deposit layers on top of it, et cetera. And so this is also something which a lot of people think, you know, that you look through a microscope and you can see the tracks running all across the chip. But in reality, you know, there's layers and layers of this. It's literally glass that you have to remove first before you can access the chip. So it's not visible to the eye, but it's there. And so, yeah, but just continuing. So the thing is, you now have... so let me zoom out, you know, sorry, next slide. So the thing that you actually end up doing when you're looking at a device is you want to reconstruct the logical function that's actually implemented in the hardware. And to do that, you do what I have here. You image the chip, and so you don't have one layer, you have multiple layers. So usually, like on a modern smart card, you might have five to seven or eight metal layers. If you have something as complex as an Intel CPU, you have something like 15 layers, et cetera. And so you even see the complexity going up. It gets very complicated just because of all the routing you have to do. But the process is always the same. So you image the device, you begin to identify the gates, and you begin to reconstruct the netlist. So the netlist is kind of the logical function that the circuit represents. So that's where you see, like, an AND gate kind of like as a function. And there, if you sit there with a pen and paper, you can say, OK, what if I have a one here and a zero here? What do I get at the output, et cetera, of a very complex, multi-stage circuit? So anyway, but the thing we want to do is, now that we have the netlist, we can see where the data is decrypted, and now we can isolate that logic and we can basically extract the secret data there, because now the chip decrypted the data for us. And so now we can pinpoint that area where it's decrypted and get the data out from there.

So just to give you an idea, just an example, so this is just a simple, it should be a NAND gate, one of the classics. And so you just have the A and B and the output. And in this case, the output's not connected to anything because this was a weird type of gate, but I'm not going to get into that. But the thing is, like, another thing which people underestimate when they think, you know, you do IC stuff and how do you look at chips, and that's unbelievable, you know how much experience is behind it. And the reality is, a lot of people just haven't seen these kinds of images. So what you do, and the human eye is very good for this, is you look at a chip and all of a sudden you see, hey, those look alike, and over here, those look alike on the sides. So what this is, is in the middle you have inverters and on the right and left you have flip-flops. So you don't sit there figuring out, you know, what the logical function is. You, one time, with your eye, recognize that this is a flip-flop. And so you kind of scroll through the device identifying, oh, that's a flip-flop, so let me maybe write that down if I'm doing this on paper, et cetera. And so the only thing that's missing is, this is just the gates. But they're somehow logically connected, so let's take a look at that. And so here's an example. This was some device, and we'll get into what we actually see here. So we have something that starts down here, and then it goes up here and it ends, but it doesn't actually end. It goes down. So now it goes down onto this layer. And so now it goes to the left, and now it goes down one more time. And now, boom, we're in that gate. So this is the input to the inverter. And so now we have the gate, and now we look at the output, because there's only one output, and you can actually see the contact, you can actually see what's going up. It's the dot. So that's either the inputs or the outputs; that's the actual connection to the other metal layers. So now it's going up, obviously, because they can't go down anymore. That's the bottom metal layer. So now it goes up over here. And so now we can see it goes over to the left and up, and boom, we hit the flip-flop. So that was the image we had before. So if you actually reconstructed this, we have some nonvolatile memory, because that's where we started off. We know that the chip has its program stored in nonvolatile memory. And now we start going from there, and then we have an XOR. And then, for whatever reason, we have an inverter, because you can just have inverters sometimes, and it doesn't really affect anything. It just flips a bit, right? And then we have our flip-flop, and then all of a sudden, and I didn't show it here, you'll realize that after that you have the ALU and all these parts, which are actually parts of the core. So just keep that in mind.

So now just to give you a better idea of what it is. So another thing that you do: you don't just start making these images. The first thing you do is you make like an overview of the chip. So here you can already see and get a lot of information about the device. So you can see that you have flash up there, because it's a big nonvolatile memory. You can see the SRAM and EEPROM at the bottom. And then here you have your actual core. And how do I know that that's the core? Well, it's just like when you write, compile something, logic. So if you were to write assembler by hand, you would get something which is much more humanly readable than something that GCC potentially spits out at you, because it will do tons of optimizations that you've never heard of, et cetera. And the same thing is the case here. So you have this gray area which doesn't have any structure to it. And the reason for that is it went through synthesis. It went through something which spit out the most optimized code, I mean, layout, netlist, that it could, and that's what gets placed there. And so in the middle, in the core, you see completely irregular structures, so it's almost, depending on the device, it'll look very gray or something between, you know, black and copper or whatever. So anyway, but the thing to remember is that we have the flash and this data goes into the core. So somewhere between the flash and the core, we can find these wires which I had on the previous slide. So this is the case if you're extracting data from a device which doesn't have encryption. So what if it has encryption? Well, we've kind of discussed this already, that a CPU can't process encrypted data, so the NVM is encrypted, and now this data comes out of the nonvolatile memory and it goes into the core. But before it gets to the core, it has to be decrypted. So now we know that we have a decryption function here somewhere. So now let's go back to this. So in the case where we don't have any encryption function, we would have just nonvolatile memory shooting straight through into our registers. But now we have an extra XOR, which we don't even know what the other input is. And the other input is some sort of encryption function, which we don't even care about, because the data, we know for a fact, will be decrypted on the right side. So that's just to give you an idea of the kind of general workflow.

So you can also automate this process. So this is like Degate for professionals. So this is Olivier Thomas's talk from REcon. And so what he actually did was he did something much more advanced than Degate. And this is literally a chip where it's stitching the images in real time, and he can just scroll around the chip and see all the connections and extract partial or full netlists, et cetera. And so this is kind of like, I mean, you should, I don't want to take anything away from him, because he did a really good talk. He explained a lot of the engineering decisions, because he also started with something like Degate, and why he ended up doing things like this and why this works much better. And it's kind of interesting, even from an IC engineering point of view, to listen to this. But this is kind of the direction that, when people ask me, you know, where do you think attacks are going to be in the future? So now if everyone is making their own, you know, custom hardware, then you have software like this to deobfuscate it for you, because the obfuscation that you did is you converted your algorithm from software to hardware, put it on the device, and you assume that no one will ever be able to extract this. And another thing which I already had a discussion about in the speakers' room that I expect is, with software like this, you can also reconstruct the masks. So now you can go ahead and produce your own copy of this chip if you want to. And so the interesting thing is, let's say somebody in the world was smart enough to build a bitcoin ASIC which was substantially better than all the other bitcoin ASICs. So now somebody in a country which doesn't respect, you know, patent and IP law as much as you do maybe in Germany goes ahead and constructs their own mask set and sends it off to somewhere. And now they get, effectively, the best bitcoin ASIC without spending a year of development on this thing. And now they can produce it for, and save money over going to the manufacturer and having them produce the system. So, I mean, the fact that you can deobfuscate hardware and automate this, it opens up a lot of new areas of research that people haven't really thought about. I mean, the other obvious case: so let's say you have pay TV again. So now you have a smart card which basically does some sort of encryption on it. And so now you go, you deobfuscate this, you extract the cryptographic, you know, the hardware crypto that's implemented on the device, and now you design the pirate card, except now, instead of having a microcontroller, it's an FPGA, because on the FPGA you can now synthesize whatever the hardware function did. Now again, you have piracy everywhere. OK.

But this is all kind of a background to IC security in general, so let's get into what we actually did. And so we did stuff with the IC backside. So these are attacks that go all the way through the silicon substrate. And actually, I don't have it on me, I think it's in my bag, but I also have the chips that we opened up. So if you come and see me, I can let you look at what they look like. So, yeah, to understand the backside, let's talk about the front side first, because the front side is what was done up until today. And so now front side attacks are becoming unattractive, which is why we were motivated to look at the backside. And the reason for that is you have lots and lots of interconnect layers, like I described before. Like on an Intel chip, you would have no way to do anything to the chip from the front side. There's just too many metal layers. You would spend too much time moving signals out of the way just to interface to the very, you know, transistor level, or to the very low level of the device. And the other thing is you have countermeasures like active shields and meshes. So what manufacturers do now is, let's say you buy a SIM card. So if you buy a SIM card, you'll probably have a not very secure device, because everyone wants their SIM card for free, so no one's willing to pay a lot of money for it. But if you go to a big, you know, smart card vendor and say, I want the most secure card you have, what they'll do is they'll take the SIM card and they'll put another three layers of metal on it and they'll say, you know, now we implemented these crazy protection schemes, these crazy signals that go all the way around. And just imagine you come down with your needle and you'll end up shorting them. And if you try to open them up using a FIB, you'll short them as well, and we can detect this. And so, I mean, technically, there are still ways around it, which Chris demonstrated at Black Hat in 2010, when he kind of showed this on an Infineon chip which had a lot of the countermeasures. But the thing is, it's still a nuisance. So what it looks like: this is kind of the image we had before. But the reality is you have something like this on a modern smart card, and what's completely irrelevant to the actual circuit underneath is this mesh, so these protective layers on top. So, yeah, that's why we want to flip the chip over and go in through the other side. So we'll get into that in a bit. And you can do other stuff as well, so you can actually do sensors. So what you can do is, assuming that the density of what you have on top of the chip is so high, you can assume that no light will ever get through. So if you ever see light underneath this mesh, then you know that somebody opened up the chip. So stuff like that, and this is really stuff that is implemented on lots and lots of devices. And interestingly enough, the smart card industry remains the industry which has the most, you know, secure devices. I mean, I was talking to some of our colleagues and friends, and they say, you know, this is just obscene how paranoid the smart card industry is, because you would think that the value of data stored on some larger device, say on a smartphone processor, is much more interesting.

Anyway, long story short, it actually gets easier too, which is also something people don't want to believe. So there's actually a machine to do backside polishing. So it's called a CMP, a chemical mechanical polisher. And the thing is, it doesn't have chemicals or electronics, so to me, it's completely mechanical. But basically what it does is it does this. So there's some 74-series logic we threw on there, just some chips, for those who don't know what 74-series logic is. And so what's happening is, this machine, you kind of limit the motion that it has in the X and the Y axis, and it kind of spins around and it hits the one limiter and then it wobbles around to the other side and up and down. And so you let this run for a couple of hours with, as was accurately said, some kind of slurry. So you can use, like, diamond-based slurry and stuff like this. And basically, I mean, depending on what you want to do, a lot of times it's enough to actually just get a bit which is manufactured for the packaging that you're going through. But in any case, so you kind of come in and you open up the chip from the back, and that's it. Now you haven't used any of the fuming nitric acid that David showed, and you don't have any of this mess and you don't need a chemical hood and all this. So very, very nice, this backside stuff. But so the thing to remember, though, is that the devices, the actual transistors, we can see they're at the bottom, so we can actually access them directly. Potentially, I mean, depending on the size, this gets a little bit more hairy if you're doing like 45 nanometers. But if you're doing something like a smart card, like 90 nanometers, this shouldn't be a problem. And 180 nanometers gets even easier. And stuff like older smart cards, let's say 240 nanometers, this shouldn't be a problem at all. And so anyway, but the countermeasures? They're not there. There's no countermeasures to protect against backside attacks. And the other funny thing is that if you look at a modern SoC, like something that's in your smartphone, it'll be this gigantic BGA package. So how do they do these BGA packages? What they actually do is they have all the metal deposited on the top and they flip the chip over onto kind of this carrier, and then they have the BGA balls directly underneath. But so now your backside is actually facing up, so it's even easier. You could even, depending on how you do the polishing, you could even take the whole PCB and just polish down the chip, just the one that you need, and now you would gain access to it. But the thing which kind of, which to me says or explains why people never looked into this, is this, which is a to-scale image of what you actually have. So the thickness of the substrate is actually several times the thickness of all of the active devices and the wiring, et cetera. And so, you know, people would say, you're telling me, instead of removing 10 micrometers of this chip, I have to remove 300? You know, how does that make it any easier? But the reality is you don't risk damaging anything if you go through the other side. You can safely thin most chips to something like 10 micrometers or even less without affecting anything on the chip, other than it'll get a little bit more warm, potentially, because the substrate's actually really useful for transporting heat away.

So what this all looks like is this, and I remembered, because Colin always tells me I should include these images, I remembered to include them this time. So what it looks like is something like this. So what we did here is, this is the chip which was polished. This is actually the backside. So the label, the text on the chip, is on the other side. So the chip's actually mounted upside down in this custom PCB, which we made with our wonderful LPKF ProtoMat milling machine. They should send us more parts for free, because we go through a lot; that machine is actually pretty expensive to run. I mean, they know where the money is. It's like the Gillette model on steroids. So, anyway, but so that's what it is. So it's a custom board and the chip's mounted upside down, so you can kind of see it from the side even better. So you can actually see the silicon in there. I was thinking about holding, like, some drawing on the other side, because you can see the reflection, right, so it could have, like, a face or something. But I didn't do it. But so that's what you need to know. So now we take the chip, we polish the backside, and now we're at 30 micrometers of thickness, and now the fun ensues.

So the first thing that we did a couple of years ago was this. So a lot of people have never heard of this. So people who have seen my talk obviously know about this. But what this actually is, is that you take an infrared camera and you let it watch your chip as it executes data, and you get something like this. You can actually see the photons that transistors emit, because with a certain very low probability, a transistor that switches emits photons. But now, if you sit there with your camera and you repeat this operation many times, then you can actually get an image like this. And so what this is, is in the middle you can see where memory actually... this is happening in SRAM, and up top is the actual address. So now I'm going to let this run. So now you can see the layout of different addresses on the device. And not only that, but you can find data-dependent parts of the circuit too, and how to... I'll let you figure out how we know this is data-dependent. So at the beginning, when we were starting to do this research, this is what I expected to happen, you know, like from the very beginning, and then it took us like a year to find an area of the chip where you could actually see the data bus like this. And that's what it is. So this is actually a region of the chip where the data bus comes in and it's addressing the SRAM. So what you see is, on the bottom right, you see the lower address bits, et cetera, or, sorry, this is the data bus, but it's kind of shared, so depending on kind of how much logic it has to go through, depending on how many stages, because of how it's structured, I mean, some people who write HDL will understand where I'm coming from, you need bigger transistors because it goes through more logic, et cetera. And so that kind of explains what you see there. And so, yeah, but the thing is that you still have the limitations that you have with a lot of these noninvasive techniques. So you need millions and millions and millions of integrations. So to get a good image, you need something like, you need the loop to execute, so you need the transistor... So the fact that you see a transistor approximately once every 10000 times the transistor switches means that you need millions of switches before you can see something as nice as this. But you can also apply this to other stuff as well. So here is a chip that had an AES on it, and so I couldn't find the other image when I was clicking my slides together. But actually, when you look in this very corner, this region, everything within that box would completely disappear if the AES wasn't running. And now, if the hardware AES was running, you would see this blob in the corner, and this is very nice. So we never kind of verified this, but I'm sure this is the AES, because you could see that with other peripherals as well. But so now the thing that you have to think about is, if light can get out through the silicon substrate, because it's transparent to infrared light, that means infrared light can also get in, which is where we get this. So what you can do is actually use lasers as well. So what this actually is, is instead of taking the image from the front of the chip, what you do is you open it up, and you don't even have to thin it afterwards. You just have to remove the package. And so you take a laser scann
ing microscope. So in our case, we have one of the industry standards Hamamatsu famous. But this is actually I mean, I know that. So the research that I've been presenting up until now was done with our Optical Technologies Research Group and those guys like for them to build one of these. It's like a month's work. So anybody, any university group that builds optics stuff like when they figure out that this is interesting to people doing security, they're shocked because this is so, so it's such an easy task for them. But basically, you get a very good resolution because you're actually scanning the laser. So you get even though you don't have the resolution that you know. So even though you're using something like a one micrometer laser, you get a very nice you get a better resolution than you would expect because you're actually scanning the laser and the overlaps, you can kind of compute it out, et cetera. But so you can get a nice image just like this is the chip and you can kind of already see what's on it without you. So this is on a on a something like a SIM card or a smart card package. This is literally taking a scalpel and just removing the ground plane, which is which is the middle contact. So you open it up, you have your backside exposed. You put it under the famous and you can already see what kind of chip it is. You can even read if I don't have it in this image or actually, yeah, do I think in one of the corners in the bottom right one or in the bottom left one, you actually see at M. and what revision this is, et cetera. So this is also very nice. But the coolest thing that we did using using this is thermal stimulation. So what we actually did for this attack was we basically dropped. So what we do is we browned out the device, so we supply it. I believe the supply voltage we took it down from like 1.8 on on on the Infineon ship was also in a second and we dropped it to point six, which is enough where the data remains in the memory because it's no
t enough to lose the data, but it's not enough to execute anything either. And so now the chip is stuck in this zombie state and if you look very closely. So what we can do now is we can scan with the laser. And so now the chip's not executing, there's no switching and we can measure the current with a very precise current amplifier. And so we can get using that technique is an image like this. If you look very closely into the image, you can see what the data is within the SRM. So now what you're doing is you're browning out the device. The device is basically stuck in a zombie state, like I said, and now you're scanning across the device and based on the laser coming in, you're affecting kind of the leakage currents that are remnant on the device. And depending on whether there is a one or a zero there, you'll get a different kind of response in your image and that's what you can see there. So the nice thing was people always say you. Oh, that's great, but you know, who cares about this because, you know, on a on a real smart card, the memory will be encrypted, but so on the media, which Karsten did quite a bit of research on and present in Black Hat, et cetera. You actually have SRM to store the keys that encrypt the SRM, so that's not a good solution. So you can kind of see that you can begin to read them out there. Although we didn't really take this to the to the final stages. But the other thing is there's there's other things being proposed. There's also a big like if you get into hardware, research and academia. One of the big things now is pops and the most popular kind of puff. So puff is a physically and clonmel function, and that means that you figure out some way to have your device generate you unique response. So the easiest way to do this is you take an SRM and each SRM will have a different response. So you just read, you give it, you power it up, and it won't just give you back ones either one or either zero. It'll give you back some random, you k
now, data that'll be it won't be random. It'll be it'll have data which differs from every other chip, but it'll be the same every time you power it on this device and power it back up. It's like a unique fingerprint. And so now you can see that you this is really stupid to use Ethereum as well, because this is a really effective technique for for reading it up. But anyway, but then we got into kind of fully invasive stuffs, stuff that we did. And so now we want to actually go through and actually touch, you know, modify the circuitry. So we kind of just the first thing that we did was we continued with this topic of puffs. And so now we said we wanted to clone a physically on colonial function. So we read it, we could read it out and we knew what the data was that was stored in it. And so now we wanted to take a second instance of the device and basically turn it from this to to the next one and actually see a kind of screwed up these slides. But I'll get I'll get into that in a second. I have the wrong. But actually, let me just comment on that since this unexcited. So actually in this in this one of our attacks and this year or the first issue of CT for 2014, it mentions us, which is this is ironically exactly what claimants and I wear and when we're working on the film. So it actually describes a lot of the things that I'll be talking about. So if you're if you're curious, definitely take a look at that. But so again, getting back to the SRM, we knew what the SRM was. So we could we could do a couple of things there. So what we would do is we would take a second SRM area and we would prevent it from ever storing the value that we didn't want it to store. So we would program it to only be able to store zero or only be able to store one. And so that's the top image. So you can actually see the holes are actually going down to to the actual context. And so the transistor is completely gone there or at least the gate the gates no longer contacted, even if some of th
e data is left. And so the but it turned out, you know, since we work with. So all of this work was done in collaboration with our semiconductor devices, guys. They said, You know, this is way too simple. We can do it even better because we had a bunch of research previously on trimming transistors. So now the bottom image, what we did was you thin the transistor, and it turns out that if you thin a transistor, it becomes faster. So now you can set the value that you want to be at startup. And so now, as opposed to the first image where it basically became a ram. The second image, it still behaves like an SRM, but we can basically program. It's it's startup behavior. So that was that was really nice. And these are actual images from our focused ion beam workstation, which I should actually also mention what this is. So I think a lot of people are familiar with with what a semi or a scanning electron microscope. This is like a SEM, except it's ions. So no, OK. But so what it actually means is that if you have a Ironsi, have a lot more mass. And what you can do is you can put chemicals into into the vacuum chamber where you actually have your device. And so now you can basically stimulate a reaction to happen with nanometer precision. So now you deposit a guess that etches the way the silicon substrate, for example. And so now you go over it with your ion beam and you say only please only this, you know, two by two. Or let's say something more realistic. Let's say only this 10 by 10 nanometers square on. Please only react here and then this is what a fib lets you do. So this is what how you manipulate devices. I mean, this is how the most advanced the text works. And the thing that I should also mention here is, again, this is something which is done when chips are produced. So when they do an initial generation of of some chips, they'll run into tons and tons of issues. So they'll have stuff that doesn't work. And instead of creating a completely new design and a com
pletely new chip, they have different ways and they've developed different ways over the years to. You basically do like a hot fix. So do like a fix to see if it fixes all the other issues or without, you know, maybe they can kill two birds with one stone before they have to produce a new chip, etc. anyway. But so this is kind of this is kind of the simple case, right? We're just going, you know, shooting, we're thinning the chip. We're just completely removing the transistors that we don't want because we know what an SRM is. S films always have almost identical layouts independent of which device use, et cetera. And so now now, but we actually want to do is we want to probe it and we want to extract some, some data and we want to do some other stuff too. So this is what we did kind of here and again. So we send it to 25 micrometers and then what we do is so let's say we want to attack some signal, which is, let's say, over here. So what this looks like is we send it and this is all approximately to scale. So after we send it, we might leave, you know, 25, 50 micrometers or something like that. And so now after that, we take the fib and now we make what's called a flip trench. And so now we make a trench approximately like so and so now we have a hole basically going up to where our transistors are. And now we again, we wanted to target the wire in the middle. So now we have to remove just in that area, we have to just remove stuff there. And so we do that and then we deposit some, some metal. So now you see that it's kind of exposed. That signal is exposed to the outside world and now we can come in with a probing needle. And this is also approximately to scale. This is a one micrometer probing needle that you can't see with your eye, but you can install, you know, orders of magnitude bigger than the actual transistors there. So that kind of the the the steps that we went through was we had to figure out a way to to navigate through the chip. So on the left is a i
s an optical image of the device that we I mean, these are actually images of the crystal. And this is actually so I will use this opportunity to dimension if anyone's ever had to work on this is a training that you should all go and check out. It's I know Carson did it when Chris couldn't do it and Bunny did it with with Carson, as well as a sort of awesome training where you actually get to put some probes down on a device, etc. and you get to get your hands dirty and you get an idea of how all this stuff works. But so now we don't have an image like this and we can't just look through a microscope and see what's going on. But what we can do in our fab is the substrates then. So now we can use an infrared camera, which you can get for the fib to approximately orient ourselves. So this is this is actually. So these are identical regions. So something over there, which looks like that an optical image, you know, perfectly crisp looks completely blurred over here. But just based on the spacing, you can still figure out where it is. And this was just a second example. So now we find where we want to go and we start making the trenches, which is exactly what we have here. And so the wire that we're actually targeting is is this was as far as I remember this, I think this is metal three. So this was not. So this is, you know, the transistors, the transistors go up to metal one. Then there's a metal two and metal three. There is something connecting between two gates. And this is where we're targeting them. So we're going all the way from, you know, basically effectively going through three layers of the device to to to probe it. And so now we actually deposited some metal, which is which is you can see the conductor. That's the kind of blob on the or is the bar coming out? And the interesting thing is, you know, when I showed this to Chris, he said, that's the dirtiest fib I've ever seen in my life. And he's he's he's he's right. But the thing was, we screwed up. So the
first time we shorted out two of the wires when we were doing this in a fib. But the nice thing about the fibers, if you screw up and you short two wires, you can disconnect them with a different gas and then connect to the wires using a different gas where you're depositing metal. And so now we fix the chip, and now we can. We can come down and probe the chip as we wanted to before, which looks like. So approximately. So there I mean, claimants also built a probing amplifier, which which did its job. I mean, he even used some space simulations to to see how well it'll it'll behave. But I mean, in reality, you could do this a lot more quick and dirty. So anyway, but the getting back just kind of as a summary so the CPU can work on the encrypted data. So now we isolate a signal where the data has been decrypted for us, and that's where we put our needles down and extract the encrypted data. And yeah, I mean, that's pretty much all there needs to be said. So the the kind of an interesting thing that we thought of next was something which was covered pretty well and in the console hacking talk yesterday, which was how do you do in like modern days? How do you do crypto? So a lot of times what they do is they have fuzes, which they do to program. I mean, they use one time programable fuzes to program a key into the associate. And so what we see here is an area on an 80 mega microcontroller because then we could easily play around with the fuzes and set them and clear them, etc.. And so now this is an area where we have the fuzes. And you can actually see if the Fuze is set or not, because those those dots in the in both rows. So here you have eight fuzes. And so now you can see if the Fuze is set or not. And the reason for that is how the image that you get on the fib. These are actually secondary electrons. So these are electrons that could reflect that off the device and come back and basically into your imaging system. And so here, because of the fact that you have
a Fuze and you have a floating gate, the electrical field, et cetera, is different and there's some sort of charge there. And so now you get a different contrast. So you get a different amount of electrons coming back at you and you can see this. And so I remember when we were sitting there, you know, so now we can set and clear the Fuze the brute force way, which is either connected with wire or disconnected by disconnecting the wire. And I remember when we were sitting there with, you know, Starbuck and claimants. And as soon as as soon as we were somebody, I think Starbuck was sitting there just testing every argued. And as soon as as soon as we, you know, set it, you know, check if you are doing, what are the fuzes set to? And then, you know, it's like instead of it being f f, it's all of a sudden it's, you know, seven f four or whatever. And then I just remember, you know, we're jumping up and down and high fiving. You know, you're so happy. But the nice thing is with these contrasting images that you you can actually also see, you can actually also see how you're removing the gate, which is what you see here. So you can see that you can see it. And the contrast is also representative of the voltage that you have where you're looking at it. So if you see on the left and the right, the dots are actually the contacts going up until up to the metal layers of the floating it. So as we remove the floating gate, you'll see that the voltage changes. So we've actually changed the value stored in the Fuze because all of a sudden the right side isn't the same voltage level as the left side, it changes in its color. So that was kind of nice to see, too. But anyway, so kind of the summary is, you know, advanced. A lot of these are kind of claims that we hear a lot of times and a lot of claims that you hear from from, especially if you send in academic papers that reviewers send back to you. So like, you know, we have advanced packaging, you know, invasive analysis, you kno
w, this is all never going to happen. And the truth is like, I showed you, we don't even need chemicals anymore to open up these chips. So now you have a backside polishing machine and you put your chip in there and you let it polish away and you get a very nice result. And after that, you only need AFib. You don't need all of these disgusting chemicals that nowadays at universities who don't want to get sued by, you know, health insurance companies are very hard to get to. So anyway, but then the other claim is, you know, attackers must first reverse engineer a device to attack it. And so this is only this is not, you know, applicable to the real world because who's going to reverse engineer a device? And and although that may be true, that most of the cases and almost all the cases, the attacker is not going to reverse engineer the full integrated circuit he's going to. He doesn't even have to reverse engineering that much. I showed you what the what the processes are finding the areas where the decryption is. It's not it's not even reverse engineering, it's just following the lines anyway. And so the reverse engineering modernizes is impossible. They're way too complex. And in reality, you saw that, you know, the gates, they appear again and again. So like a cell library on a chip, nowadays, it might have something like 60 or 70 different types of gates. So fine you spend two weeks studying all the gates and now you have all the gates on that device, you know, all of them. So now you can say X or inverter flip flop, you know, this type of flip flop, that type of up, et cetera, you you just know them, and you can literally recognize them all with your eye when you're sitting in front of the the basically the images. So, yeah, the other thing is, you know, data and VM is encrypted. So who cares? And we saw, you know, if it's encrypted, it has to get decrypted for the chip to be able to do anything sensible with it. And the last one, which was my personal favorite,
is devices will stop working if you do any kind of backside attacks on them. And the truth is, I can say, with 100 percent of certainty, we've removed 99 percent of the device and it still works fine without, you know, literally 99 percent of the thickness of the backside we removed and the device still works. So that's not true at all. So just a couple of acknowledgments, you know, Chris Oliver Starbuck, who is a who's who really got me motivated. So starving back in the day and this kind of gets into because I'm going to do questions after this number one question that I get, especially when people come in and talk to me like offline, is how do I get into this? And Starbucks said. Learn HDL, and he's right. The best way to get into this is learn HDL and try to try to implement, you know, your own soft core processors and start writing this because you'll get into the mentality that the engineers have designed these chips. And it's not rocket science, it's quantum physics. But it's no I'm kidding, of course, because from a logical point of view, it's much it's much simpler than that even. So yeah, and the other two people I'd like to sincerely thank or my colleagues claimants who did all of the kind of invasive crazy stuff, and Alex who was basically there as she on all the optics stuff that we used for our experiments. So questions, oh, and I should before I'll use this as all usurped this as a small opportunity to say whoever wants to talk to me and see all of the lovely devices that I have with me or wants to potentially buy this lovely device called the Don Crocker can come and find us in the hack center. So we're kind of in the bottom and to the left and one of the alleys. And you can find us there. You can look. I took a picture for the Don Crocker Twitter account if you want to find it there, but I guess I don't know how much time I have for questions. Yeah, OK, thank you very much for this interesting talk. So we we still have a couple of minutes for questi
ons, so if you have a question, just get up and get in front of one of the mics. Do we have a question from the internet? Yeah, form is asking what the usual amount of destroyed chips is. You need to get the information you're looking for typically. So I mean, that really depends. If you're so the answer is kind of complicated, right? So in terms of usually when you're studying, so I can I can name a number that I know from Chris. When Chris was attacking the Infineon 66 six before he had his first success, he destroyed something like 80 chips. So he spent 80 times, you know, on the average, you know, for six hours of work before he succeeded. But this is a really secure device. So if you're attacking something simpler than this, you won't go through as many chips. And the other thing is, once you've done this for for so let's say so in general, you'll you'll see, you know, this chip might not only be used on one device, it might be used in lots of devices. So once you have the layout, once you know what the chip looks like, you don't have to repeat this again. So you have to. I mean, you you know what the layout is. So at that point, it's one chip, one success. So but kind of this this practicing and education stage is less trivial. You need a you need to understand how the chip works to reverse engineer, etc. So there are engineering needs a couple of devices. OK, then, Mike, three, please. This is a really interesting talk. Thanks. The intel are Angie doping problem that you may have seen earlier today. Yeah. Do you think that through any applications to backside scanning to try to detect so you don't even have some? I mean, anyway, so this this was an interesting, interesting paper, and a lot of the claims in there are valid and I would agree with especially everything that they say in terms of, you know, inducing additional psi channel leakage that I completely agree with. But the thing is, there are ways to detect this, you know, and the industry has faced thi
s problem too, because sometimes you produce a chip and for whatever reason, the transistor is not working. And it's because, you know, you have some creep of your of whatever doping theory depositing over into the next well. And so what you can do is what's done with ROMs. So you basically use you use other chemicals and you basically doped them again to make them stand out in an a scanning electron microscope image. But you wouldn't do this through the back side. What you would do is completely declare the device. We're completely removing all the metal and just be left with your your basically your wells and then you would basically color them, you know, stain them so that you can see them in a SEM image. This would be this would be one way to verify this. But of course, the claim is true that you know, how realistic is it for Intel to do this after they have some production going? You know, can they do this every week and they do this every month? Can they do this every time they they produce something? I would say a company like Intel? Yes, but when you get into low cost smart cards, I would agree that you might have better success in hiding something there. Thank you. OK, then microphone number two, please. Hi. Thank you for the talk. I've actually a detailed question about the Asaram readout with the infrared laser. I was wondering if that actually worked with the standard amplifier that came with the famous and whether you needed to probe the device for that or if that worked on the external leads? No. So we were just looking at the supply voltage, so it wasn't using the it was literally measuring the current through the supply voltage of the device. And this was I mean, this was again working on smart cards and working on microcontrollers. So even did it on a hundred and thirty nanometer MSP for 30, and this worked great there. And but the other question, I think it works with the famous model, with the famous amplifier, the standard one. But ours was broke
n, so we used a different one. And so that's actually another thing for people who don't work with failure analysis equipment. It's it's like a matter of you sitting there and praying that your equipment works on whichever day you want to use it. Because I mean, like for some of the people, I'll tell this story because people will appreciate. I just remember when we were doing these Fitbits, we lost the X and the Y stage we're in. No, sorry. Yeah, yeah, the X and the Y stage on the fib. So afterwards we were using nanometer screws, so one of us was standing there and actually moving the fib stage across the chip. But the thing is, once you approximately get it, you can still scan with a beam. That's not mechanical. You just have to approximately get to that area. But I mean, we would still have crazy stuff like sit there with a screwdriver, tapping on the relays until they until they let go, so the stage can go a little bit, etc. So it's horrible, you know? Anyway, I see the kind of people ask us, how how well do these attacks scale? And I say we attacked. We more than successfully attacked 10 year old or five year old chips with the 10 year old fib. So now if we got a new fib today, we could attack newer chips as well. But I mean, your question was kind of the laser scanning, but failure analysis equipment is a nightmare. OK, then maybe one short question from the internet do you have one trick users can? Wouldn't asynchronous processor design render the analysis a lot more difficult? To the point, it's practically impossible. So I'm not sure what they mean from an asynchronous processor design. I mean, you have a lot of I mean, I would say I don't know how that would affect anything. I mean, in terms of obfuscation, yes, but I mean, the the kinds of attacks that we were presenting were understanding what the the, you know, the actual algorithm is or being able to reproduce the device, produce a clone of it, etc. So I'm not I'm not entirely sure if the person was h
ere I could ask for. OK, then our time is up. The people at the mikes can grip Dimitri after the talk and ask him, so give him a warm round of applause again. Thank you.