FIB User Group, Washington DC, USA Valery Ray PBS&T FREUD Applications of FIB Invasive FIB Attacks and Countermeasures in Hardware.

Slides:



Advertisements
Similar presentations
Controller Tests Stephen Kaye Controller Test Motivation Testing the controller before the next generation helps to shake out any remaining.
Advertisements

Categories of I/O Devices
Crashworthiness and High Strain Rate Material Testing Test Development for Vehicle Crash Conditions Motivation: The current vehicle design approaches result.
Low Cost Attack on Tamper Resistant Devices Ross Anderson, Markus Kuhn Songpol Manoonpong.
Physical Unclonable Functions and Applications
Data Acquisition Concepts Data Translation, Inc. Basics of Data Acquisition.
MotoHawk Training Model-Based Design of Embedded Systems.
Smart Grid Projects Andrew Bui.
Valery Ray Particle Beam Systems & Technology, Methuen, USA High-Throughput Milling of HAR Vias with Concentrated Gas Delivery.
Valery Ray Particle Beam Systems & Technology, Methuen, USA Fluorocarbon Precursor for High Aspect Ratio Via Milling in Focused.
3D Skeletons Using Graphics Hardware Jonathan Bilodeau Chris Niski.
In Order of Presentation: Ishaan Sandhu DannY Kang Arslan Qaiser Eric Otte Anuar Tazabekov Capacitive Rain Sensor for Automatic Wiper Control.
Cyber Security and Key Management Models Smart Grid Networks The Network System Key Management and Utilization Why Hardware Security Christopher Gorog,
Introduction to Analog-to-Digital Converters
PH4705/ET4305: A/D: Analogue to Digital Conversion
Engineering 1040: Mechanisms & Electric Circuits Fall 2011 Introduction to Embedded Systems.
Introducing the LEO 1400 Series
1 © Unitec New Zealand Embedded Hardware ETEC 6416 Date: - 10 Aug,2011.
Oppenheimer Technologies Rick King Jonathan Creekmore.
Fabrication of Active Matrix (STEM) Detectors
Input technologies All require some form of data acquisition –e.g. Image scanner, Microphone Once acquired, if the signal is not already digital, it will.
1HSSPG Georgia Tech High Speed Image Acquisition System for Focal-Plane-Arrays Doctoral Dissertation Presentation by Youngjoong Joo School of Electrical.
Industrial Automation T Rajendran. Industrial Automation  Control Systems  Process Control  Industrial Control  Computer Integrated Manufacturing.
Copyright AIM INFRAROT-MODULE GmbH AIM AIM INFRAROT-MODULE GmbH Security SVGA Image Sensor VISION 2005, Dr. P. Stifter.
02/24/ th FIB/SEM User Group Meeting, Washington DC Valery Ray Developing FIB GAE Recipes: Practical Application of “Unfinished.
MICROPROCESSOR INPUT/OUTPUT
Test your projects… ….from your PC!. Today’s Presentation Background Problem Statement Objectives Milestones Technical Approach Future Work Achievements;
1 RF Vector Impedance Analyser Josh McIntyre Supervisor: Nasser Asgari.
Damageless Information Hiding Technique using Neural Network Keio University Graduate School of Media and Governance Kensuke Naoe.
Microcontroller Presented by Hasnain Heickal (07), Sabbir Ahmed(08) and Zakia Afroze Abedin(19)
Digitization When data acquisition hardware receives an analog signal it converts it to a voltage. An A/D (analog-to-digital) converter then digitizes.
Smart card security Nora Dabbous Security Technologies Department.
Test and Test Equipment Joshua Lottich CMPE /23/05.
An Unobtrusive Debugging Methodology for Actel AX and RTAX-S FPGAs Jonathan Alexander Applications Consulting Manager Actel Corporation MAPLD 2004.
Intro to Computers Computer Applications. What is a Computer? Initially the term computer referred to an individual whose job it was to perform mathematical.
LEPSI ir e s MIMOSA 13 Minimum Ionising particle Metal Oxyde Semi-conductor Active pixel sensor GSI Meeting, Darmstadt Sébastien HEINI 10/03/2005.
Top Down Manufacturing
Valery Ray Particle Beam Systems & Technology, Methuen, USA High-Throughput Milling of HAR Vias with Concentrated Gas Delivery.
Top Down Method Etch Processes
Michael Lisoski Leblanc Meneses Jason Schaer Bryan Staton.
This material exempt per Department of Commerce license exception TSU Xilinx On-Chip Debug.
Valery Ray Particle Beam Systems & Technology, Methuen, USA CAD – less Blind Navigation in Focused Ion Beam System PBS&T Chris.
High-Intensity Focused Ultrasound Therapy Array May1005 Alex Apel Stephen Rashid Justin Robinson.
Low Power, High-Throughput AD Converters
Digital Data-Acquisition Systems Since the late 1950s, computers have been used to monitor, and in many cases to control, the performance of large process.
16722 Mo: data acquisition150+1 data acquisition.
FINGER PRINT ATTENDANCE MANAGEMENT SYSTEM PROJECT MEMBERS: CH.S.ELLARAO (07765A1004) CHIRANJEEVI.N (06761A1012) CH.HARISH REDDY( 06761A1015) PROJECT GUIDE:
A Key Management Scheme for Distributed Sensor Networks Laurent Eschaenauer and Virgil D. Gligor.
Low Power, High-Throughput AD Converters
HIGH SPEED DATA ACQUISITION SYSTEM RENISH THOMAS EECS /08/2015.
Valery Ray Particle Beam Systems & Technology, Methuen, USA High Aspect Ratio Via Milling Endpoint Phenomena in Focused Ion Beam.
 Introduction.  Block Diagram.  Sensors.  Arduino.  Advantages.  Limitations.  Applications.  Conclusion. Contents.
1 AQA ICT AS Level © Nelson Thornes 2008 Operating Systems What are they and why do we need them?
NAM S.B MDLAB. Electronic Engineering, Kangwon National University 1.
Front Side Circuit Edit: state of the art Circuit editing of first silicon using FIB (focused ion beam) technology has become increasingly more common.
USE-IT 2007, Toulouse France Valery Ray PBS&T FREUD Methods FIB Invasive Attacks and Countermeasures.
Student Name USN NO Guide Name H.O.D Name Name Of The College & Dept.
Low Power, High-Throughput AD Converters
CEng3361 CENG 336 INT. TO EMBEDDED SYSTEMS DEVELOPMENT Spring 2011 Recitation 06.
General Engineering Research Institute
Presented by Kartik Patel
ARDUINO BASED AUTOMATIC TEMPERATURE BASED FAN SPEED CONTROLLER
Mentored by Brian Schuster and Jonathan Ligda
Microcontroller Applications
I/O Organization and Peripherals
I/O Organization and Peripherals
Interfacing Memory Interfacing.
PBS&T What Gas Concentrator Does in Focused Ion Beam System? Applicable to Focused Electron Beam Systems and Broad-Beam Apparatus Valery Ray
Physical Unclonable Functions and Applications
Processing of Endpoint Information from HAR Vias
Presentation transcript:

FIB User Group, Washington DC, USA Valery Ray PBS&T FREUD Applications of FIB Invasive FIB Attacks and Countermeasures in Hardware Security Devices

10/23/2015 FIB User Group, Washington DC, USA 2 F R E U D Functional Reverse Engineering of Undocumented Devices © Extraction of functional codes, algorithms, data, and keys from secured hardware

10/23/2015 FIB User Group, Washington DC, USA 3 Outline  Targeted Devices and Applications  Workflow of FIB “invasion”, challenges and tricks  Signal extraction and injection  Limitations of FIB instrumentation  Countermeasures against FIB methods

10/23/2015 FIB User Group, Washington DC, USA 4 Typical Targeted Devices: μC in Distributed Security and Encryption Applications

10/23/2015 FIB User Group, Washington DC, USA 5 Typical Targeted Devices: μC in Distributed Security and Encryption Applications

10/23/2015 FIB User Group, Washington DC, USA 6 Workflow of FIB “Invasion”  Navigation on undocumented secure devices  Capturing layout and localizing nodes  Bypassing protective shields  Making contacts, extracting data, injecting signals

10/23/2015 FIB User Group, Washington DC, USA 7 Navigation on Secure Devices  Shields prevent direct navigation with optics  Have to use sacrificial device to localize nodes  Two steps of localization – coarse and precise  Dual positioning: coordinates and local reference Shield images © Christopher Tarnovsky Shield images © Christopher Tarnovsky

10/23/2015 FIB User Group, Washington DC, USA 8 Coarse Localization on Sacrificial Device (s)  Remove shield (wet chemistry or RIE)  Scan device under Optical Microscope, stitch mosaic bitmap, locate nodes, define coordinates  Establish references for coordinate conversion  Convert bitmap coordinates to FIB stage position

10/23/2015 FIB User Group, Washington DC, USA 9 Layout Capture and Node Localization Alignment Reference Targeted Node Stitched mosaic gives bitmap layout of the device for coordinate navigation: X / Y position of pixel is a bitmap coordinate!

10/23/2015 FIB User Group, Washington DC, USA 10 References and Nodes in FIB Use alignment references for coarse coordinate navigation on sacrificial device Then remove dielectric and capture precise position of node

10/23/2015 FIB User Group, Washington DC, USA 11 Navigation with Local Alignment  Accuracy of FIB stage is limited – how to navigate on small-linewidth devices?  Use coordinates for coarse navigation  Use protective shield as your local reference!  Try to make contacts in between shield lines, if impossible then bypass the shield

10/23/2015 FIB User Group, Washington DC, USA 12 Bypassing Shield  Bypass entire shield » Best for analog shields, works for some digital » Takes 30 to 60 min. of FIB time per device » Often need follow-up by non-FIB techniques » Shield can be removed to speed up further work  Bypass protective shield locally » Works on analog and digital shields » On <200nm devices 2 – 3 shield lines may need bypassing to clear space for each contact » Takes 30 to 120 min. of FIB time per bypass

10/23/2015 FIB User Group, Washington DC, USA 13 Disabling Shield  Disable shield control circuitry » Requires detailed analysis of layout » Simulate “OK” shield on input of test circuitry » Cut output of charge pump – disable flash erase! » Cut “security interrupt” outputs, tie to “1” or “0”

10/23/2015 FIB User Group, Washington DC, USA 14 Making “Large” Contacts: Direct Line Probing FIB Image of bus opening © Christopher Tarnovsky On devices with spacious layout and line-width ≥ 350nm direct probing of internal nodes may be possible. On devices with spacious layout and line-width ≥ 350nm direct probing of internal nodes may be possible.

10/23/2015 FIB User Group, Washington DC, USA 15 Straight Sputter Basic GAE Making Small Contacts: High Aspect Ratio Milling Optimized GAE

10/23/2015 FIB User Group, Washington DC, USA 16 Making Small Contacts: High Aspect Ratio Milling Throughput Dose nC Time min. Contact, μm All contacts are 5μm deep

10/23/2015 FIB User Group, Washington DC, USA 17 Making Small Contacts: High Aspect Ratio Endpointing by Image Integrated Endpoint Filtered Endpoint x2 S/N Improvement Integration Window Spatial Filtering Filter Area

10/23/2015 FIB User Group, Washington DC, USA 18 Making Small Contacts: High Aspect Ratio Endpointing by Image Integration Window Spatial Filtering Filter Area

10/23/2015 FIB User Group, Washington DC, USA fA p-p noise Image Endpoint “Aftermarket” Sample Current Endpoint Making Small Contacts: High Aspect Ratio Endpointing by Current

10/23/2015 FIB User Group, Washington DC, USA 20 Making Small Contacts: High Aspect Ratio Deposition

10/23/2015 FIB User Group, Washington DC, USA 21 Making Contacts and Pads HAR vias connecting to the nodes Clean overspray of metal depo Contact pads for probing

10/23/2015 FIB User Group, Washington DC, USA 22 Data Extraction  Connect to data acquisition equipment by microprobing  Ensure proper buffering, internal nodes were not designed to drive 100pF cable  Use ultra-low capacitance buffers for glitch recovery and jittered clock reconstruction

10/23/2015 FIB User Group, Washington DC, USA 23 Filter, Align, and Convert to HEX Code

10/23/2015 FIB User Group, Washington DC, USA 24 Disassemble, decompile, and make yourself at home Disassemble, decompile, and make yourself at home

10/23/2015 FIB User Group, Washington DC, USA 25 Signal injection  Injection of impulses into data bus can alter execution of embedded code  Basic application: disruption of “End Of Loop” command in Answer To Reset (ATR) function of smartcard microcontrollers may cause extraction of data memory  Basic application: disruption of “End Of Loop” command in Answer To Reset (ATR) function of smartcard microcontrollers may cause extraction of data memory  Suitable injection buffers are not available from OEMs of pattern generators or otherwise, must DIY

10/23/2015 FIB User Group, Washington DC, USA 26 Limitations of existing FIB technology  Accuracy of navigation » Targeting nodes by only the coordinates on devices with linewidth < 200nm is unreliable on most FIBs  Aspect ratio of contacts » Endpoint of milling on contacts with 20:1 depth/width may require “aftermarket” upgrades  Linewidth (technology node) limitations » Making multiple deep contacts smaller then 250 nm is esoteric art, takes very dedicated operator…

10/23/2015 FIB User Group, Washington DC, USA 27 Countermeasures against FIB  FIB attacks can be made uneconomical for casual FIB access: » Planarise devices and use small linewidth technology » Thick copper plane combined with active shields is difficult to cut » Use Liquid Crystal Polymer for encapsulation – hard to remove » Use combination of analog and digital shields: bypass is difficult » Introduce “position jitter” to shield layer on lithography step to prevent local referencing for navigation » Orient straight shield lines at 45 degrees angle to the layout

10/23/2015 FIB User Group, Washington DC, USA 28 Summary  FREUD by FIB methods can’t be prevented, but can be made too expensive for casual access  Basic countermeasures are relatively simple in manufacturing – planarisation of devices, more sophisticated active shields  Advanced countermeasures become viable as cost of IC manufacturing is reduced: active double-shielding, LCP encapsulation, 45 degrees shield-to-layout orientation and shield position “jittering”

FIB User Group, Washington DC, USA

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.