Nanofocused X-Ray Beam To Reprogram Secure Circuits Stéphanie Anceau, Pierre Bleuet, Jessy Clédière, Laurent Maingault, Jean-luc Rainard, Rémi Tucoulou
Let’s speak about X-rays • Ionizing radiations are often mentioned in literature, but without real practical results • Lots of references in failure analysis and space systems literature • A new method of perturbation? • We propose using a nanofocused X-ray beam of a synchrotron CHES | Jessy Clédière | 2017 | 2
How did we get to a synchrotron? …after doing some preliminary tests on more simple equipment medical equipment material science equipment CHES | Jessy Clédière | 2017 | 3
With some basic focusing… …a hole in a lead sheet X-ray exposed area die lead Device Under Test PCB ZIF support CHES | Jessy Clédière | 2017 | 4
ATMEGA A fairly old circuit (350 nm) but useful to investigate new attacks CHES | Jessy Clédière | 2017 | 5
ATMEGA layout E E P flash R O M RAM logic 500 µm CHES | Jessy Clédière | 2017 | 6
ATMEGA + lead sheet and hole we fill flash memory with value 0x 55 CHES | Jessy Clédière | 2017 | 7
First faults obtained after 210 seconds of exposure red: “1” to “0” corruption CHES | Jessy Clédière | 2017 | 8
40 seconds later… CHES | Jessy Clédière | 2017 | 9
then 40 more… CHES | Jessy Clédière | 2017 | 10
and finally CHES | Jessy Clédière | 2017 | 11
| 12 CHES | Jessy Clédière | 2017 floating gate transistor transistor access What happened?
charge in the Data is stored in the floating gates floating gate: transistor is blocked value 1 is stored no charge in the floating gate: transistor is conductive value 0 is stored CHES | Jessy Clédière | 2017 | 13
Access to the floating gates access transistors of the active line are conductive CHES | Jessy Clédière | 2017 | 14
| 15 CHES | Jessy Clédière | 2017 X-ray exposure : we discharge the floating gates
| 16 CHES | Jessy Clédière | 2017 Access to the data
X-ray exposure continued : we semi-permanently switch on access transistors CHES | Jessy Clédière | 2017 | 17
| 18 CHES | Jessy Clédière | 2017 Column errors
| 19 CHES | Jessy Clédière | 2017 Column errors
Two major effects observed during these first tests • We empty floating gates of carriers we could modify (1 to 0) flash and EEPROM • We modify transistors semi-permanently NMOS are made conductive (and PMOS blocked) it is reversible with a heat treatment (150°C, 1 hour) The last result applied to logic area of the circuit : we could reconfigure circuits : circuit edit CHES | Jessy Clédière | 2017 | 20
Two major effects observed during these first tests (cont’d) • These effects are described in the space systems literature and are very interesting for our activity let’s focus X-rays down to the nano-scale to target a single transistor! CHES | Jessy Clédière | 2017 | 21
Grenoble, France European Synchrotron Radiation Facility Léti ITSEF (ESRF) 500 m CHES | Jessy Clédière | 2017 | 22
Inside the donut CHES | Jessy Clédière | 2017 | 23
Focusing to the nano scale: 60 nm X-ray spot long focal length optic f l u o r e s c e n c e d e t e c t o r X-ray X-ray ATMEGA at the focal point of X-ray optic CHES | Jessy Clédière | 2017 | 24
Fluorescence image by scanning the IC with the nano-beam tungsten fluorescence mapping cross-section (SEM view) tungsten via SEM view CHES | Jessy Clédière | 2017 | 25
Obtained results on ATMEGA • Fluorescence mapping allows powerful and accurate positioning at the transistor level • Flash and EEPROM can be modified (1 to 0) at the bit level : code of a circuit can be changed (good example in the proceedings) • Single RAM cells can be semi-permanently stuck at 0 or 1 by corrupting transistors • Logic can be modified at the transistor level : circuit edit this could be used to: • change the behavior of the circuit • remove hardware countermeasures… • No need to open the package of the die CHES | Jessy Clédière | 2017 | 26
RAM results on ATMEGA superposition RAM SEM view fluorescence view and results address RAM cell stuck at 0 RAM cell stuck at 1 5 µm CHES | Jessy Clédière | 2017 | 27
Obtained results on state of the art technology node • Fluorescence mapping still allows a powerful and accurate positioning at the transistor level • Flash / EEPROM can still be modified (1 to 0) at the bit level (110 nm and 90 nm NOR flash) • Single RAM cells can still be stuck at 0 or 1 (45 nm microcontroller) • Still no need to open the package of the die CHES | Jessy Clédière | 2017 | 28
Comparison • Nanofocused X-rays could be compared to laser perturbation or to F ocused I on B eam (invasive attack, circuit edit) • Implementation is like a laser setup with no sample preparation required (package opening, thinning…). But very small spot (60 nm or less): reverse engineering is required! • Effects are like invasive attacks but totally non invasive! FIB: modification of metal layers of the circuit X-rays: modification of the transistors of the circuit CHES | Jessy Clédière | 2017 | 29
The cost of such a thing? • Cost of a FIB access via service : 400 € / hour • Cost of ESRF access via industrial channel : 3000 € for 8 hours CHES | Jessy Clédière | 2017 | 30
Conclusion on nanofocused X-ray • A new technique to attack circuits and to perform circuit-editing • “Extreme” resolution with accurate positioning thanks to the use of fluorescence mapping • Tool with a difficult access, but not that expensive ! • Experiments are still ongoing. CHES | Jessy Clédière | 2017 | 31
Thanks Leti, technology research institute Commissariat à l’énergie atomique et aux énergies alternatives Minatec Campus | 17 rue des Martyrs | 38054 Grenoble Cedex | France www.leti-cea.com
Recommend
More recommend
