Backside optical analysis hardware/software running on ICs presented at REcon 2012

by Dmitry Nedospasov

Tags: Hardware Reverse Engineering

Summary: Reverse-engineering ICs can be very capital intensive. Traditionally, this process consists of many steps, including depackaging, imaging, rebonding and probing. It becomes increasingly difficult as feature sizes shrink and as chips implement additional countermeasures. This work demonstrates how ICs can be reverse-engineered via backside optical analysis.

Many of today’s techniques for reverse-engineering integrated circuits (ICs) are actually borrowed from the failure analysis community. Traditionally, such methods require substantial experience in operating several expensive pieces of test equipment. Without this knowledge and equipment, it is becoming increasingly difficult for anyone who wants to begin reverse-engineering ICs to get their foot in the door. Moreover, the traditional analysis methods form a very lengthy process consisting of multiple steps, including depackaging, imaging, rebonding and probing. As feature sizes continue to shrink and as vendors implement additional defenses and layers of obfuscation, such as active meshes, attackers have to keep improving their techniques to keep pace with the vendors.

This work demonstrates how ICs can be reverse-engineered via semi-invasive backside optical analysis. Because it is a form of backside analysis, it completely bypasses any defenses implemented in the upper layers of the IC. The sample preparation process is substantially simplified and can be essentially eliminated for newer ICs. By executing specific code on the chip, important functional groups of the IC can be quickly and easily identified. Moreover, the spatial resolution of the emission images reveals the exact location of critical registers. Since memory accesses also result in characteristic emission patterns, commonly used static variables, such as encryption keys, can be recovered at runtime. Hardware-accelerated implementations no longer have to be probed, since their registers can be read out optically. When combined with invasive frontside methods, this technique can greatly reduce the effort that must go into identifying vulnerable areas of the IC.