Semi-Invasive Attacks

Sergei P. Skorobogatov
sps32 (at)

A secure microcontroller or smartcard should be built in such way that as little secret information as possible can be extracted when it is used. Another goal is to keep the secret information intact during the operation, so an attacker will not be able to change the secret key to a known value or otherwise interact with the encryption/decryption algorithm.

At present all attack technologies are divided into two main categories - non-invasive and invasive attacks [1][2][3].

Non-invasive attacks include playing around with the supply voltage and clock signal. Under-voltage and over-voltage attacks can be used to disable protection circuits or force processors to do the wrong operations. Power and clock transients can also be used to affect the decoding and execution of individual instructions. By varying the parameters, the CPU can be made to execute a number of completely different wrong instructions. Sometimes it can be fairly simple to conduct a systematic search. Another possible attack is power analysis, in which we measure the fluctuations in the current consumed by the device. The various instructions cause different levels of activity in the instruction decoder and arithmetic units; they can often be quite clearly distinguished, and parts of algorithms can be reconstructed.

Non-invasive attacks can be particularly dangerous for two reasons. Firstly, the owner of the compromised device might not notice that the secret keys have been stolen, so it is unlikely that the compromised keys will be revoked before they are abused. Secondly, non-invasive attacks often scale well, as the necessary equipment can usually be reproduced and updated at low cost. The main problem with implementation of such attacks is the requirement for detailed knowledge of both the processor and software.

Invasive attacks start with the removal of the chip package. Once the chip is opened, it is possible to perform probing or modification attacks. The most important tool for invasive attacks is a microprobing workstation. We have to remove at least part of the passivation layer before probes can establish contact. This could be done by etching, drilling or by a laser cutter. Another approach to understand how particular chip works is to reverse engineer it. The first step is to create a map of a new processor. It could be done by using an optical microscope with a CCD camera to produce high-resolution photographs of the chip surface. The attacker has to be familiar with CMOS VLSI design techniques and microcontroller architectures, but the necessary knowledge is easily available from numerous textbooks. Deeper layers can only be recognized in a second series of photographs after the metal layers have been stripped off, which can be achieved by etching the chip. More sophisticated tools like focused ion beam (FIB) workstations can be used to perform attacks. FIB workstations simplify manual probing of deep metal and polysilicon lines; they also can be used for modification of the chip structure by creating new interconnect lines and even new transistors.

All invasive attacks are quite complicated. They require hours or weeks in a specialized laboratory and, in the process, they destroy the package. In addition invasive attacks require highly qualified specialists and a proper budget.

There is thus a large gap between these two types of attack. Therefore we decided to define and introduce a new type of attack, called semi-invasive attacks. Like invasive attacks they require depackaging the chip in order to get access to the chip surface. However the passivation layer of the chip remains virgin, as semi-invasive methods do not require depassivation or creating contacts to the internal lines. This is because microprobing is not used for this attack technology.

Semi-invasive attacks could be performed using such tools as UV light, X-rays and other sources of ionizing radiation, lasers and electromagnetic fields. They can be used individually or in conjunction with each other.

Comparing with non-invasive attacks, semi-invasive attacks are harder to implement as they require depackaging of the chip. However, very much less expensive equipment is needed than for invasive attacks. And these attacks can be performed in a reasonably short time.


[1] Ross J. Anderson, Markus G. Kuhn, "Tamper Resistance - a Cautionary Note", The Second USENIX Workshop on Electronic Commerce, Oakland, California, November 18-21, 1996
[2] Ross J. Anderson, Markus G. Kuhn, "Low Cost Attacks on Tamper Resistant Devices", in M.Lomas et al. (ed.), Security Protocols, 5th International Workshop, Paris, France, April 7-9, 1997
[3] Oliver Kommerling, Markus G. Kuhn, "Design Principles for Tamper-Resistant Smartcard Processors", USENIX Workshop on Smartcard Technology, Chicago, Illinois, USA, May 10-11, 1999

created 20-10-2001 -- last modified 22-10-2001 --