Sergei Skorobogatov

Optical Fault Induction Attacks

We describe a new class of attacks on secure microcontrollers and smartcards. Illumination of a target transistor causes it to conduct, thereby inducing a transient fault. Such attacks are practical; they do not even require expensive laser equipment. We have carried them out using a flashgun bought second-hand from a camera store for

Breakthrough silicon scanning discovers backdoor in military chip

30 and with an

On a new way to read data from memory

8 laser pointer. As an illustration of the power of this attack, we developed techniques to set or reset any individual bit of SRAM in a microcontroller. Unless suitable countermeasures are taken, optical probing may also be used to induce errors in cryptographic computations or protocols, and to disrupt the processors control flow. It thus provides a powerful extension of existing glitching and fault analysis techniques. This vulnerability may pose a big problem for the industry, similar to those resulting from probing attacks in the mid-1990s and power analysis attacks in the late 1990s.We have therefore developed a technology to block these attacks. We use self-timed dual-rail circuit design techniques whereby a logical 1 or 0 is not encoded by a high or low voltage on a single line, but by (HL) or (LH) on a pair of lines. The combination (HH) signals an alarm, which will typically reset the processor. Circuits can be designed so that single-transistor failures do not lead to security failure. This technology may also make power analysis attacks very much harder too.

Optically enhanced position-locked power analysis

This paper is a short summary of the first real world detection of a backdoor in a military grade FPGA. Using an innovative patented technique we were able to detect and analyse in the first documented case of its kind, a backdoor inserted into the Actel/Microsemi ProASIC3 chips for accessing FPGA configuration. The backdoor was found amongst additional JTAG functionality and exists on the silicon itself, it was not present in any firmware loaded onto the chip. Using Pipeline Emission Analysis (PEA), our pioneered technique, we were able to extract the secret key to activate the backdoor, as well as other security keys such as the AES and the Passkey. This way an attacker can extract all the configuration data from the chip, reprogram crypto and access keys, modify low-level silicon features, access unencrypted configuration bitstream or permanently damage the device. Clearly this means the device is wide open to intellectual property (IP) theft, fraud, re-programming as well as reverse engineering of the design which allows the introduction of a new backdoor or Trojan. Most concerning, it is not possible to patch the backdoor in chips already deployed, meaning those using this family of chips have to accept the fact they can be easily compromised or will have to be physically replaced after a redesign of the silicon itself.

Optical Fault Masking Attacks

This paper explains a new family of techniques to extract data from semiconductor memory, without using the read-out circuitry provided for the purpose. What these techniques have in common is the use of semi-invasive probing methods to induce measurable changes in the analogue characteristics of the memory cells of interest. The basic idea is that when a memory cell, or read-out amplifier, is scanned appropriately with a laser, the resulting increase in leakage current depends on its state; the same happens when we induce an eddy current in a cell. These perturbations can be carried out at a level that does not modify the stored value, but still enables it to be read out. Our techniques build on it number of recent advances in semi-invasive attack techniques, low temperature data remanence, electromagnetic analysis and eddy current induction. They can be used against a wide range of memory structures, from registers through RAM to FLASH. We have demonstrated their practicality by reading out DES keys stored in RAM without using the normal read-out circuits. This suggests that vendors of products such as smartcards and secure microcontrollers should review their memory encryption, access control and other storage security issues with care.

Using Optical Emission Analysis for Estimating Contribution to Power Analysis

This paper introduces a refinement of the power-analysis attack on integrated circuits. By using a laser to illuminate a specific area on the chip surface, the current through an individual transistor can be made visible in the circuit’s power trace. The photovoltaic effect converts light into a current that flows through a closed transistor. This way, the contribution of a single transistor to the overall supply current can be modulated by light. Compared to normal power-analysis attacks, the semi-invasive position-locking technique presented here gives attackers not only access to Hamming weights, but to individual bits of processed data. This technique is demonstrated on the SRAM array of a PIC16F84 microcontroller and reveals both which memory locations are being accessed, as well as their contents.

Local heating attacks on Flash memory devices

This paper introduces some new types of optical fault attacks called fault masking attacks. These attacks are aimed at disrupting of the normal memory operation through preventing changes of the memory contents. The technique was demonstrated on an EEPROM and Flash memory inside PIC microcontrollers. Then it was improved with a backside approach and tested on a PIC and MSP430microcontrollers. These attacks can be used for the partial reverse engineering of semiconductor chips by spotting the areas of activity in reprogrammable non-volatile memory. This can assist in data analysis and other types of fault injection attacks later, thereby saving the time otherwise required for exhaustive search. Practical limits for optical fault masking attacks in terms of sample preparation, operating conditions and chip technology are discussed, together with possible countermeasures.

Flash memory 'bumping' attacks

This paper shows that optical emissions from an operating chip have a good correlation with power traces and can therefore be used to estimate the contribution of different areas within the chip. I present a low-cost approach using inexpensive CCD cameras. The technique was used to recover data stored in SRAM, EEPROM and Flash of a 0.9 µm microcontroller. The result of a backside approach in analysing a 0.13 µm chip is also presented. Practical limits for this analysis in terms of sample preparation, operating conditions and chip technology are also discussed. Optical emission analysis can be used for partial reverse engineering of the chip structure by spotting the active areas. This can assist in carrying out optical fault injection attacks later, thereby saving the time otherwise required for exhaustive search.

Physical Attacks and Tamper Resistance

This paper shows how lasers can be used to implement modification attacks on EEPROM and Flash memory devices. This was achieved with inexpensive laser-diode module mounted on a microscope. By locally heating up a memory cell inside a memory array, the contents of the memory can be altered. As a result, the security of a semiconductor chip can be compromised. Even if changing each individual bit is not possible due to the small size of a memory cell, cryptographic keys can still be recovered with brute force attacks. This paper also discusses the limits for the safe use of lasers in semi-invasive attacks without damaging the device under test

Reverse Engineering Flash EEPROM Memories Using Scanning Electron Microscopy

This paper introduces a new class of optical fault injection attacks called bumping attacks. These attacks are aimed at data extraction from secure embedded memory, which usually stores critical parts of algorithms, sensitive data and cryptographic keys. As a security measure, read-back access to the memory is not implemented leaving only authentication and verification options for integrity check. Verification is usually performed on relatively large blocks of data, making brute force searching infeasible. This paper evaluates memory verification and AES authentication schemes used in secure microcontrollers and a highly secure FPGA. By attacking the security in three steps, the search space can be reduced from infeasible > 2100 to affordable ≈ 215 guesses per block of data. This progress was achieved by finding a way to preset certain bits in the data path to a known state using optical bumping. Research into positioning and timing dependency showed that Flash memory bumping attacks are relatively easy to carry out.