Hardware Security and Trust
Giorgio Di Natale, CNRS
1 License Information
This work is licensed under the Creative Commons BY-NC License
To view a copy of the license, visit: http://creativecommons.org/licenses/by-nc/3.0/legalcode
2 Disclaimer
• We disclaim any warranties or representations as to the accuracy or completeness of this material. • Materials are provided “as is” without warranty of any kind, either express or implied, including without limitation, warranties of merchantability, fitness for a particular purpose, and non-infringement. • Under no circumstances shall we be liable for any loss, damage, liability or expense incurred or suffered which is claimed to have resulted from use of this material.
3 Scenario • Security is all around… – Identification, private communication, electronic signature, access control, electronic purse, digital right management, software protection...
4 Motivation
• Hardware security and trust now play critical roles as computing is intimately integrated into many infrastructures that we depend on
• Hardware Security – dealing with (secret) data in hardware devices • Hardware Trust – dealing with design and manufacturing of devices
5 Outline
• Hardware Security – Side-Channel Attacks – Fault Attacks – Manufacturing Test Issues
• Hardware Trust – Counterfeiting – Hardware Trojan Horses
6 HARDWARE SECURITY
7 Scenario
• How to protect a (digital) secret: – Secure storage of confidential data – Cryptographic capabilities
• Implementation: – Crypto algorithms integrated as hardware devices – E.g., smartcards, crypto-cores, crypto- processors, hardware security module
8 Encryption/Decryption
Encryption K2
Plaintext Ciphering Cipher Deciphering Plaintext text
K1 Decryption
• Algorithms: – Symmetric: K1=K2 – Asymmetric: K1≠K2
9 Advanced Encryption Standard (AES) - 2001
10 AES: Generic HW Implementation
Plain Text
First Opera on
Round Key Generator Round
Round Register
Last Opera on Controller Output Register
Cipher Text 11 Motivation • Crypto-algorithms very strong, but… • New threat: hardware implementation!!
Side Channel Attacks • Power • Electromagnetic • Light • …
Fault Attacks • Laser • Electromagnetic • …
Test Infrastructures 12 Side-Channel Attacks
• Based on information gained from the non-primary interface of the physical implementation of a cryptosystem – Timing information Side – Power consumption Channel – Electromagnetic leaks – Sound
– Light Brute – … Force
13 Simple Power Analysis on RSA Introduction Le TEMPEST Le clavier PS/2 Le RSA Perspectives... Conclusion
Input:Impl´ementation:!X, N, K=(k Exponentiationj-1, …, k1, k0)2! Modulaire Output: !Z = XK mod N! ! Input: X , N, E =(ek 1,...,e1, e0)2 1: !Z = 1;! Output: Z = X E−mod N 2: !for i=j-11: downtoZ := 1; 0 {! 3: ! !Z = Z2: *for Zi =modk 1Ndownto //Square0 ! 3: Z := Z−* Z mod N;–squaring 4: ! !if (ki==1) {! 4: if (ei =1)then 5: ! ! !Z5: = Z Z*:= XZ mod* X modN //MultiplyN;–multiplication! 6: ! !}! 6: end if 7: !}! 7: end for
Key Bits 1 0 1 0 0 0
Operation Square Mutiply Square Square Mutiply Square Square Square
Waveform
Figure 6: Principe de la SEMA sur le RSA. 14
O. Meynard, < [email protected] > GDR SoC-SiP 37/62 Differential Power Analsys
• Differential Power Analysis (DPA) attacks – it requires the knowledge of the algorithm but not its physical implementation – it is cheap and easy to perform • The basic idea is to correlate the power consumed by the device and the encryption data including the key
15 Power Consumption of CMOS
IN Vdd
Idd OUT
(a) Idd IN (b) OUT (a) (b) C Switching Through + Through current current
Current that flows from Vdd to GND when the p- channel transistor and n-channel transistor turn on briefly at the same time during the logic transition 16 Power attack on XOR gate
Vdd OUT = 0
Din Idd
OUT = 1 Din
Idd = 0
= 1 17 Input patterns
• Target node: output of a gate within the circuit • Sequence of input patterns:
– P0, P1, …, Pn
– T1(P0àP1), T2(P1àP2), ..., Tn(Pn-1àPn) • Logic simulation to create two sets: – (PA) transitions that make the target node to commute from 0 to 1 and therefore that make the target gate to consume – (PB) transitions that do not lead the target gate to participate to the power consumed by the circuit
18 DPA: Basic Principle
• We classified the two sets in such a way that the set PA always leads to a component of power
consumption that Average is not present in Vectors belonging to PA the set PB
Average
Vectors belonging to PB
à Power(PA) > Power(PB)
19 DPA: Performing the Attack
• Target node: – output of a gate whose value depends on both the plain text under ciphering (primary inputs) and the secret key • Basic idea: – All the key suppositions – For each key guess, creation of the two sets PA and PB
20 DPA: Target Node
128 128 Input I1 I2 8 8 f
O = f (I1, I2)
21 Data Inputs: T , T , ..., T f O = f (Key, Data) 1 2 12 Key Key: Kx (8 bits)
T1 PA) T T T T T7 1 3 5 6 0 K1 Average PA – PB ≅ 0 T1 PB) T T T T T12 2 4 8 9 1
...
T1 PA) T T T T T 1 4 6 8 12 0 Kx Average PA – PB = T1 PB) T T T T T 2 3 5 7 9 1
...
T1 T1 PA) T T T T 2 3 8 6 1 0 Average PA – PB ≅ 0 K256
PB) T T T T T T12 1 4 5 9 7 22 DPA: Result
23 Light Emission
Optical detector system
http://www.vvku.eu/cv/efa/background.html
24 Countermeasures
• Goal: removing the correlation between processed data and the physical interface • Methods: – Adding noise (random power consumption, clock jitter, logic masking, random dummy calculations, …) – Making constant the physical interface (dual logic, triple logic, …)
25 Motivation • Crypto-algorithms very strong, but… • New threat: hardware implementation!!
Side Channel Attacks • Power • Electromagnetic • Light • …
Fault Attacks • Laser • Electromagnetic • …
Test Infrastructures 26 Fault Attacks
1 0 1 1 0 0 1 1 … Hypothesis: Injection forces a ‘0’ on a single bit of the secret key
1) COK=E(P)
2) Calculate C’=E(P), Encryption while injecting a fault Input Output
3) If C’ = COK à target bit is ‘0’ else à target bit is ‘1’
27 Differential Fault Attacks
D
Hypothesis: Single-bit fault in byte j
9 9 ! = SubByte ! SubByte ! C SR( j) D SR( j) (M j ) (M j e j)
28 Fault Attacks
29 # !l2 t % # ! % % e 4"D(t) ! n (t) = % % LET(t). dldS S % % 3/2 % ".D(t).t % $ ( ) $ l Fault Attacks S drain I(t) = nS (t)× q × vxd (t)
SEE induced current lower than that collected by a drain junction current diminished to 200µA, whereas PMOS-BIVS, and (b) the current it collects is lower a 6mA current flowed through the Pwell-deep Nwell than the current generating the SEE. junction. These figures are similar to those of the PMOS. Using triple-well CMOS creates more than an 4. Improving BBICS efficiency order of magnitude difference between the lower cur- rent contributing to SEE generation and the higher From the analyses drawn in section 3, we derived current potentially monitored by a BBICS. On basis two solutions to improve BBICS efficiency (4.1 and of these experiments we recommend the use of triple- 4.2). well CMOS to obtain an optimal use of BBICS.
4.1. Use of triple-well CMOS 4.2. Single BBICS architecture Modern CMOS technologies generally offer a triple- We also developed a new BBICS architecture well well option. It consists in embedding the NMOS tran- suited for the monitoring of triple-well CMOS logic: sistors into P-type well (or Pwell) isolated from the the ’single BBICS’ pictured in Fig. 7. It is de- Psubstrate. The Pwell containment is made laterally signed to monitor simultaneously NMOS and PMOS: with Nwell implants and with a deep Nwell implant its NMOS bulk and PMOS bulk inputs are respec- underneath.Information The deep Nwell and Nwell are electri- tively connectedDetectors to the corresponding Pwell and Nwell cally connected, both normally biased at 1.2V. biasing contacts.
RedundancyG Vdd ! out_d S D (1.2V) B (gnd) DNwell bias (floating) LVT Gnd Vdd Mp1 HVT out_d reset Mn_reset Mp4 Gnd Validation via Fault Simulation: tLifting Mp_t Vdd HVT N+ N+ P+ N+ Mn1 LVT HVT Gnd Mp3
Nwell Pwell Nwell outb Gnd out PMOS_bulk e . Vdd Tabl 2 ! :;<&5*4&!$+,#5&'),$'#=>#-?/@?AB#+!"#-./011# NMOS_bulk LVT ’0’ => ’1’ ! Deep Nwell ’1’ => ’0’ Q*#+5*1)! Mn3 HVT P−substrate Mp2 Vdd HVT Mn_t outb_d !!!!!!!!!"#$%'!#()*$+,'#*(! !!-,&.'!/#+&.,'#*(!0/1! !! laser Gnd Vdd Mn4 resetb Mp_reset %#$%'! 2#34! 54%'*$/! 6&.'#78494.!! !:/;#%4! -,%'*$! Mn2 HVT Vdd LVT Gnd %<=>! ??>! @@! AB??C! DDB@E! ! ! Figure 8.! R))5%/4!-,)/#!)&$1!6$#!6,5-1!,11,+H)!)*%5-,1*$3! ! C'/3!1'/!*3&51!0,-5/)!,#/!-$,4/4!6$#!?UJ8/)G!1'/!-,)/#! ,11,+H!*)!1#*22/#/4!A*1'!,!4/-,(!$6!INW!+-$+H!&/#*$4!A,*1*32! 6$#!1'/!*3&51!)*23,-)!1$!@/!)1,@-/B!>'/!*--5%*3,1*$3!+$31*35/)! 531*-! 1'/! 3/D1! ,+1*0/! +-$+H! /42/B! E$A/0/#G! ,61/#! 1'/! -,)/#! )A*1+'/)!$66G!*1)!&>>&3$'#"=!0$#"*'+<<&+5!*%%/4*,1/-(!45/!1$! 1'/!,@)$#&1*$3!$6!&'$1$.2/3/#,1/4!+',#2/)B!>'*)!+,5)/)!1'/! 1#,3)*/31! 6,5-1! &5-)/! 1$! @/! A*4/#! 1',3! 1'/! -,)/#! ,11,+H! 45#,1*$3!X"*25#/!YZB!!!!!! ! ! Figure 7.! >'/!%5-1*.-/0/-!-,)/#.*345+/4!6,5-1!)*%5-,1*$3!$+/))! ! >,@-/!I!)5%%,#*K/)!1'/!/D&/#*%/31,-!#/)5-1)B!"$#!/,+'! @/3+'%,#HG!A/!#/&$#1/4!*1)!)*K/!*3!/L5*0,-/31!2,1/)!,34!1'/! 35%@/#! $6! )*%5-,1/4! 0/+1$#)B! >'/! 3/D1! 1A$! +$-5%3)! +$%&,#/! 1'/! /D/+51*$3! 1*%/)! $6! 1'/! 6,5-1! )*%5-,1*$3! @/1A//3! 1'/! %5-1*.-/0/-! ,&$,+'! ,34! 1'/! 65--! E)&*+/! )*%5-,1*$3B! >'/! *3+#/,)/! *3! )&//4! *)! 2*0/3! *3! 1'/! -,)1! +$-5%3B!;1!#,32/)!6#$%!MNND!6$#!1'/!)%,--/)1!+*#+5*1G!5&!1$! %$#/! 1',3! OPND! 6$#! 1'/! @*22/)1! @/3+'%,#HB! ?*3+/! 1'/! /-/+1#*+,-!-/0/-!)*%5-,1*$3!*)!-*%*1/4!1$!,!0/#(!)%,--!&,#1!$6! ! 1'/!+*#+5*1G!1'/!-,#2/#!1'/!+*#+5*1G!1'/!'*2'/#!1'/!@/3/6*1! $6! ! %5-1*.-/0/-!)*%5-,1*$3B! Figure 9.! >*%*32!)+'/%,1*+!4*,2#,%!$6!-,)/#!*3F/+1*$3! 113 Laser Detector • Basic idea: using inverters to detect laser injections 1.2 Vdd 1.0 0.8 ‘1’ ‘0’ 0.6 0.4 0.2 Laser spot = 3.25µm 0 Laser power = 1.0w -10 0 10 20 30 Technology = 90nm ST 1.2 Vdd 1.0 0.8 ‘0’ ‘1’ 0.6 0.4 0.2 0 -10 0 10 20 30 31 Laser Detectors 1.2 1.0 INV0 INV3 S_INVP3 0.8 1 PMOS of 0.6 INV3 0.4 V 0.2 th 0 NMOS of -10 0 10 20 30 INV0 INV0 INV3 S_INVN3 1.2 0 1.0 Vth 0.8 PMOS of INV0 0.6 0.4 0.2 NMOS of 0 INV3 -10 0 10 20 30 32 Proposed Solution … 1 1 … 1 Q 1 … Legend 1 … S_INVP3 S_INVN3 Feng LU, Giorgio DI NATALE, Marie-Lise FLOTTES, Bruno ROUZEYRE, Customized Cell Detector for Laser-Induced-Fault Detection, IEEE IOLTS 2014 33 Error Detection Codes Output code Operation prediction Code calculation = EDC 34 Code Calcula on Operation 1 Op. 1* Code Calcula on = Operation 2 Op. 2* Code Calcula on = Operation 3 Op. 3* Operation N Op. N* Code Calcula on = 35 Which code ? • Linear EDC: parity bits – 1 parity bit for 128 data bits – 1 parity bit for each data byte – 1 parity bit for each state "column" – SubByte non linear 36 Fault Attacks vs Side-Channel Side-Channel Test Attacks Infrastructures Fault Cryptanalysis Attacks 37 Motivation • Crypto-algorithms very strong, but… • New threat: hardware implementation!! Side Channel Attacks • Power • Electromagnetic • Light • … Fault Attacks • Laser • Electromagnetic • … Test Infrastructures 38 Manufacturing Test • Circuit testing is mandatory to guarantee high quality of digital ICs – Increase controllability and observability • On the contrary, security fears testability – Test infrastructure used for attacks 39 Scan-based Design Primary Primary Inputs ...... Outputs Combinational ... Logic ... Observability of all states Scan Enable Scan Out FF FF Controllability ... of all states FF Scan In 40 Scan-chain attack on AES PlainText – 128 bits • AES a – Secure after 10 rounds b • Hypothesis: Secret Key 128 bits SubBytes – Round-register belongs c to the scan chain ShiftRows – Attacker controls test mode d – Deterministic circuit MixColumns – Other FFs belong to the scan e chain Key Generation f ScanIn ScanOut • Attack: Other FFs Register – Accessing the scan chain Round after the first round CipherText – 128 bits 41 Differential Scan Attack Vector 1 • 2 vectors per step a1 • For each vector: – Reset b – Normal mode, Secret Key 1 until first round 128 bits SubBytes c – Test mode, to 1 shift out the ShiftRows response d1 MixColumns e Key 1 Generation f1 Other FFs Register ScanOut ScanIn x 1 Round CipherText – 128 bits 42 Differential Scan Attack Vector 2 • 2 vectors per step a2 • For each vector: – Reset b – Normal mode, Secret Key 2 until first round 128 bits SubBytes c – Test mode, to 2 shift out the ShiftRows response d2 MixColumns e Key 2 Generation f2 x1 f1 Other FFs Register ScanOut ScanIn x 2 Round CipherText – 128 bits 43 Avoiding other FFs • Hypothesis: – Other FFs are independent of the plaintext – Deterministic circuit – After one round, they have always the same value • Solution: XORing the output response Other FFs Register x1 f1 Other FFs Register f x2 2 …00000000000… f1 xor f2 = e1 xor e2 44 Avoiding other FFs • Hypothesis: PlainText – 128 bits a – Other FFs are independent of the plaintext b – Deterministic circuit Secret Key 128 bits SubBytes c – After one round, they have always the same value ShiftRows d MixColumns • Solution: XORing the output response e Key Generation f Register Other FFs Register Round x1 f1 CipherText – 128 bits Other FFs Register f x2 2 …00000000000… f1 xor f2 = e1 xor e2 45 Avoiding the chain • Position of FFs within the scan chain is not known • OutScanChain = array [N] • We need a function such that: • p = f (OutScanChain) • f : array à number 46 Hamming Distance (b1, b1 XOR 1) Constant (a1,a2) k (b1,b2) S S S S b = 226 b = 242 MixColumns 1 1 b1 = 130 b1 = 122 (o1,o2) è HD12 47 Signature Attack Constant (a1,a2) (a1,a2) (a3,a4) (a5,a6) (a7,a8) k S S S S MixColumns (o1,o2) P12 P34 P56 P78 SIGNATURE Parity (o1) XOR Parity (o2) 48 Signature Table • Signature depends on the key guess • Signature table consists of the signature for each key Input Pairs V1 V2 V3 VM (a1, a2) k Guessed Key K1 P11 P12 P13 P1M S S S S K2 P21 P22 P23 P2M K MixColumns 3 P31 P32 P33 P3M Parity (HD) KN PN1 PN2 PN3 PNM Observed difference Signature Goal: have unique signatures! 49 A Real Threat??? iPhone 4 Pinout Apple TV – Access to JTAG XBOX 360 50 Countermeasures • Leave the scan chain unbound (fuses) • Built-In Self-Test • On-chip test comparison • Secure Test Access Mechanism 51 Countermeasures • Leave the scan chain unbound (fuses) • Built-In Self-Test • On-chip test comparison • Secure Test Access Mechanism 52 Built-In Self-Test (BIST) • Motivation: – Avoid scan-based testing – Allow at-speed testing – Reduced ATE cost • But: – Area overhead ? – Fault coverage ? 53 Properties of Crypto-Algorithms • Confusion – making the relationship between the key and the ciphertext as complex and involved as possible • Diffusion – a change in a single bit of the plaintext should result in changing the value of many ciphertext bits 54 Testability • Diffusion vs testability: – every input bit influences many output bits (i.e. every input bit is in the logic cone of many output bits) • the circuit is very observable – the input logic cone of every output contains many inputs • each fault is highly controllable • Therefore these circuits are highly testable by nature no matter the implementations 55 Randomness • Diffusion and confusion de-correlate the output values from the input ones (both at encryption and round levels) • It has been demonstrated that by feeding back the output to the input, the generated output sequence has random properties [ B. Schneier, Applied Cryptography, Second Ed., John Wiley and Sons, 1996 ] • AES/DES better than LFSR (proved by NIST tests) 56 BIST Architecture Plain Text First Opera on Secret Key Round Key Generator Round Internal Register Last Opera on Controller Output Register Cipher Text 57 AES Round Testability Sbox Implementations: - ROM à 256 patterns - Logic à 200 – 220 patterns S1 S2 S3 S4 S5 S6 S7 S8 S9 S10 S11 S12 S13 S14 S15 S16 Faults in ShiftRows, MixColumns, Addkey, and Register MixColumns MixColumns MixColumns MixColumns are also tested by the 200 patterns Fault coverage: 100% always before 2400 clock cycles (several keys, several plaintexts) 58 Countermeasures • Leave the scan chain unbound (fuses) • Built-In Self-Test • On-chip test comparison • Secure Test Access Mechanism 59 On-Chip Test Comparison FUNCTIONAL I/O EXPECTED SCAN IN Sticky RESPONSE Mismatch SCAN Comparator OUT FUNCTIONAL I/O pass/fail SCAN 1 0 1 ENABLE ATE SCAN INs SCAN Input Results Expected OUTs Pa erns Responses SCAN ENABLE Fault/Diagnosis Information ATE Input Expected Pa erns Responses = Fault/Diagnosis Information 60 Countermeasures • Leave the scan chain unbound (fuses) • Built-In Self-Test • On-chip test comparison • Secure Test Access Mechanism 61 Scan Chain Testing #L clock cycles #L clock cycles Shift In (Scan-Enable=1) Shift Out (Scan-Enable=1) Capture (Scan-Enable=0) 62 Scan Chain Testing (delay fault testing with Launch On Capture) #L clock cycles #L clock cycles Shift In (Scan-Enable=1) Shift Out (Scan-Enable=1) Capture (Scan-Enable=0) 63 Secure Test Access Mechanism • How to start a test session – Additional signal – Power on – Authentication • What to do in functional mode – e.g., scrambling, avoiding shift mode, spy Flip Flops • What to do when switching to test mode – e.g., reset FFs • What to do in test mode – e.g., test key instead of actual secret key 64 Control Test Session Enable Power off Test Session Enable Test Mode Test Shift mode Functional Mode key Secret Normal Mode key Normal mode [B. Yang et al., IEEE TRANS. ON CAD, oct. 2006] 65 The smart test controller Test Attack S_in S_in CUT S_en S_en S_out S_out S_en Smart Controller OUT_en [J. Darolt et al., IEEE IOLTS, 2013] 66 Detection of the test mode S_en=1 COUNTER=0 S_en=0 Normal Flushing Stuck-At-Capture Delay-Capture OUT_en = 0 OUT_en = 0 OUT_en = 1 OUT_en = 1 MODE = normal MODE = test MODE = test MODE = test COUNTER = #L COUNTER -- COUNTER=0 S_en=1 COUNTER=0 S_en=0 S_en=0 and Shifting S_en=1 S_en=0 S_en=1 S_en=0 COUNTER>0 OUT_en = 1 MODE = test COUNTER=0 S_en=1 Normal Mode Protection Mode Test Mode (S_out blocked) (S_out blocked) (S_out open) 67 The smart test controller S_in S_in CUT S_en S_en SecretKey S_out S_out normal test KNormal KTest S_en MODE Smart Controller OUT_en 68 HARDWARE TRUST 69 Counterfeiting • Counterfeiting of integrated circuits has become a major challenge – deficiencies in the existing test solutions – lack of low-cost and effective avoidance mechanisms in place • Numbers: – $75 billion lost in 2013 (in semiconductors) – E.g., 186 million fake mobile phones in 2013 Source: http://www.havocscope.com/tag/counterfeit-electronics/ 70 Which is the cause? • Complexity of the electronic systems significantly increased over the past few decades – To reduce production cost, they are mostly fabricated and assembled globally • This globalization has led to an illicit market willing to undercut the competition with counterfeit and fake parts 71 Stories • November 8, 2011, the United States Committee on Armed Services held a hearing on an investigation of counterfeit electronic parts in the defense supply chain • The investigation had revealed alarming facts: materials used to make counterfeit electronic (a.k.a. e-waste) parts are shipped from the United States and other countries http://www.industryweek.com/procurement/ticking-time-bomb-counterfeit-electronic-parts 72 Stories (2) • The e-waste is sent to cities like Shantou, China, where: – It is disassembled by hand, washed in dirty river water, and dried on the city sidewalk – It is sanded down to remove the existing part number or other markings that indicate its quality or performance – False markings are placed on the parts that lead the average person to believe they are new or high- quality parts 73 Stories (3) 74 The Untrusted Chain Design Time Manufacturing Time Specs Design Fabrication Test IP Tools TechLib Untested Discarded Netlist / Mask Overbuilding IP Theft Theft Life Time Distribution Use Life IC Piracy Recycling Repackaging Refurbishing 75 Counterfeit types: Recycled • Electronic component that is recovered from a system and then modified to be misrepresented as a new component. • Problems: – lower performance – shorter lifetime – damaged component, due to the reclaiming process (removal under very high temperature, aggressive physical removal from boards, washing, sanding, repackaging, etc.) 76 Aging Detectors • Sensor in the chip to capture the usage of the chip in the field – It relies on aging effects of MOSFETs to change a ring oscillator frequency in comparison with the golden one embedded in the chip. • Antifuse-based Technology for Recording Usage Time 77 Counterfeit types: Remarked • Chemically or physically removing the original marking • Goal: – to drive up a component’s price on the open market – to make a dissimilar lot fraudulently appear homogeneous 78 Counterfeit types: Overproduced • Overproduction occurs when foundries sell components outside of contract with the design house • Problems: – loss in profits for the design and IP owner – reliability threats since they are often not subjected to the same rigorous testing as authentic parts 79 Hardware Metering • A set of security protocols that enable the design house to achieve the post- fabrication control of the produced ICs to prevent overproduction – Physically Unclonable Functions – Post-Manufacturing Activation – Adding a Finite-State Machine (FSM) which is initially locked and can be unlocked only with the correct sequence of primary inputs – Logic Encryption 80 Physically Unclonable Functions • Silicon PUFs exploit inherent physical variations (process variations) that exist in modern integrated circuits – variations are uncontrollable and unpredictable, making PUFs suitable for IC identification and authentication • Based on: – Content of SRAMs at power-up – Delay of some networks 81 Logic Encryption Logic Encryption E1 K1 E2 E3 K2 82 Counterfeit types: Defective • A part is considered defective if it produces an incorrect response to post- manufacturing tests • These parts should be destroyed, downgraded, or otherwise properly disposed of • However, if they can be sold on the open markets, either knowingly by an untrusted entity or by a third party who has stolen them Source: http://www.bradreese.com/blog/2-16-2014.htm 83 Counterfeit types: Cloned • A copy of a design, in order to eliminate the large development cost of a part • Methods: – Reverse engineering, – By obtaining IP illegally (also called IP theft) – With unauthorized knowledge transfer from a person with access to the part design 84 Security Evaluation of IC Camouflaging by using VLSI Test Principles Jeyavijayan Rajendran†, Ozgur Sinanoglu‡, and Ramesh Karri† [email protected], [email protected], [email protected] Polytechnic Institute of New York University New York University Abu Dhabi † ‡ Abstract—An Integrated Circuit (IC) can be reverse engineered by However, the layout of camouflaged NAND cell in Figure 1 (c) and imaging its layout and reconstructing the netlist. IC camouflaging is a the layout of camouflaged NOR cell in Figure 1 (d) look identical and layout-level technique that hampers imaging-based reverse engineering hence their functionality cannot be unambiguously extracted [6]–[9]. by using, in one embodiment, functionally different standard cells that look alike. Reverse engineering will fail if the functionality of a Figure 2 shows how camouflaging protects an IC design against camouflaged gate cannot be correctly resolved. We adapt VLSI testing image processing-based reverse engineering. A designer camouflages principles of justification and sensitization to quantify the ability of a certain gates in the design. For example, the NAND gate, G7, in the reverse engineer to unambiguously resolve the functionality of look-alike left hand side netlist in Figure 2 is camouflaged. The design with camouflaged gates. We evaluate the security of look-alike NAND/NOR standard cells based IC camouflaging of the controllers in OpenSPARC camouflaged gates is then manufactured at a foundry. The manu- T1 microprocessor. factured IC is sold in the market. A reverse engineer depackages, delayers, images, and extracts the netlist. The correct functionality I. INTRODUCTION of the camouflaged gates in this extracted netlist are unknown. In A. Reverse engineering of Integrated Circuits (ICs) the right hand side netlist in Figure 2, the correct functionality of Reverse engineering of an IC involves (i) identifying the device G7 is unknown. The reverse engineer may arbitrarily assign one of technology used [1], (ii) extracting its gate-level netlist [2], and/or the possible functions that can be implemented by the camouflaged (iii) inferring the implemented functionality. Several techniques and standard cell used (NAND or NOR in this paper). tools have been developed to reverse engineer an IC. To thwart reverse engineering of an IC, one should not be able On one hand, an IC is reverse engineered to collect competitive to identify the functionality of the camouflaged gates. We use VLSI intelligence, to verify a design, to check for commercial piracy, and test principles – justification and sensitization – to quantify a reverse to determine patent infringements [3], [4]. On the other hand, reverse engineer’s ability to resolve the functionality of a camouflaged gate. engineering can be misused to steal and/or pirate a design, to identify II. REVERSE ENGINEERING A CAMOUFLAGED IC the device technology and illegally fabricate similar devices, and to A. VLSI test principles extract the gate-level netlist of a competitor’s intellectual property (IP) and use it in one’s own IC or illegally sell it as an IP. Reverse The following two principles from VLSI testing [10] can be engineering was listed as a serious threat to semiconductor industry adapted to resolve the functionality of camouflaged gates. [5]. Proactive solutions such as IC camouflaging [6] are needed to Justification: The output of a gate can be justified to a known value prevent reverse engineering. by controlling one or more of its inputs. For example, the output of an AND gate can be justified to ‘0’ by setting one of its inputs to B. IC camouflaging to thwart reverse engineering ‘0.’ Camouflaging is a layout-level technique that hampers image Sensitization: A net can be sensitized to an output by setting all the processing-based extractionIC Camouflage of the gate-level netlist. In one embodi- side inputs of each gate in between to the non-controlling value of ment of camouflaging, the layouts of standard cells are designed to the gate. This way the value on the net is bijectively mapped to the •lookStandard-cells alike, resulting in incorrect are extractionre-designed of the netlist. not The to layout value on the output. of NAND cell in Figure 1 (a) and the layout of NOR cell in Figure B. Capabilities of a reverse engineer 1 (b)disclose look different their and identity hence their functionality can be extracted. Consider an entity with the following capabilities: 1) It has tools to reverse engineer an IC, i.e., the setup to delayer an IC, an optical microscope or SEM to image the layers, and image processing software [3], [4]. 2) It can differentiate between a camouflaged standard cell and a regular standard cell from the images of different layers. The images of regular and camouflaged standard cells are publicly available [6]. Camouflaged Camouflaged 3) It knows the list of functions that a camouflaged cell can NAND(a) NOR(b) (c) (d) NAND NOR implement. In this paper, a camouflaged cell can implement Fig. 1: Standard cell layout of regular 2-input (a) NAND and (b) NOR either a NAND or a NOR function. gates. The metal layers are different and hence it is easy to differentiate them by just looking at the top metal layer. Layouts of look-alike 85C. Reverse engineering a camouflaged IC camouflaged cells of 2-input (c) NAND and (b) NOR gates. The metal The objective of reverse engineering an IC is to unambiguously layers are identical and hence it is difficult to differentiate them by just determine the functionality of all camouflaged gates, and in turn looking at the top metal layer. extract the correct gate-level netlist using the following steps: Split Manufacturing • Front End Of Line (FEOL) layers (transistor and lower metal layers) are fabricated in an untrusted foundry • Back End Of Line (BEOL) in a trusted low-end fab • It is considered secure against reverse engineering as it hides the BEOL connections from an attacker in the FEOL foundry 86 Counterfeit types: Tampered • Components modified in order to cause damage or make unauthorized alterations • Examples: – time bombs that stop the circuit functionality at a critical moment – Backdoors that give access to critical system functionality or leak secret information 87 Hardware Trojan Horses • A Hardware Trojan Horse is a malicious modification of an integrated circuit – Performed at any design and/or manufacturing step • A real threat? – Few real cases – A big fear!! 88 Trojan at Manufacturing Time BAKE Baking a chip for 24 hours after fabrication could shorten its life span from 15 years to a scant 6 months NICK THE WIRE A notch in a few interconnects would be almost impossible to detect but would cause eventual mechanical failure as the wire became overloaded. ADD OR RECONNECT WIRING During the layout process, new ADD EXTRA TRANSISTORS circuit traces and wiring can be Adding just 1000 extra transistors added to the circuit. A skilled during either the design or the engineer familiar with the chip’s fabrication process could create a blueprints could reconnect the kill switch or a trapdoor. Extra wires that connect transistors, transistors could enable access adding gates and hooking them for a hidden code that shuts off up using a process called circuit all or part of the chip. editing. Source: IEEE Spectrum 89 Hardware Trojan Horses: Solutions • Detection: – Test methods – Side-Channel (power, EM, timing) – Destructive methods (reverse engineering) • Prevention: – Split Manufacturing – Logic Encryption 90 Summary Overproduction Recycling Cloning Trojans HW Metering Y Y y IC Camouflage Y y Aging Detectors Y PUFs y Y Split Manufacturing Y Y Y Test methods y Y Side-Channel Y Reverse Engineering As mean Y Ujjwal Guin · Daniel DiMase · Mohammad Tehranipoor, Counterfeit Integrated Circuits: Detection, Avoidance, and the Challenges Ahead, J Electron Test (2014) 30:9–23 DOI 10.1007/s10836-013-5430-8 91 Evolution of IC Supply Chain IP Tools TechLib Models Fab Specs Design Mask Fab Interface Wafers Wafer Package Package Deploy Test Test Can we trust the specifications??? 92 Advertisement • TRUDEVICE – COST Action IC1204 – Summer School: Lisbon, 14th-18th July – http://www.trudevice.com 93 Thank you!! 94