Research project: Direct-From-Memory (DFM) extraction using invasive analysis, fault injection and side-channel information


Extraction of memory contents from embedded ROM, SRAM, EEPROM, Flash and FRAM using innovative technologies

Direct access to the data stored inside semiconductor chips is becoming an important issue. It is needed not only for Failure Analysis by chip manufacturers, but also by developers investigating various failures of their devices in the field. As silicon chips become more complex year on year, such failures appear more frequently. Another important area is Forensic Analysis carried out by government agencies: various cases require scrupulous investigation of the cause of a problem, and in some of them the semiconductor device is electrically or even mechanically damaged.

Let's imagine the following challenge, which does appear from time to time:
- Information needs to be extracted from the on-chip Flash memory of a microcontroller in a data processing block, as it contains some sensitive data;
- The task is made harder by the existence of only one real sample and by a limited amount of time;
- Although the microcontroller has security protection, this can be defeated by resetting the security fuse, followed by password guessing with power analysis;
- However, the chip I/O was electrically damaged by a voltage surge as a result of an accident, hence it cannot be easily accessed; still, it might be possible to restore the I/O or to probe the internal data bus;
- But the chip underwent mechanical stress and as a result was cracked in half and cannot be powered up; although the Flash memory integrity was not affected, all the essential surrounding support circuitry is irreversibly damaged, and rewiring hundreds of nanometre-scale wires would be extremely expensive and time consuming.

We aim to bring a solution to that challenge.
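The third bullet of the scenario above mentions password guessing with power analysis. The following is an added illustrative model, not code from this project, showing why such guessing is feasible: a bootloader that compares the password one byte at a time and aborts on the first mismatch leaks, through the number of comparison bursts visible in its power trace, how many leading bytes were correct. The secret value, the sample counts and the leakage model are constructed for the simulation and are assumptions, not measurements of any real device.

```python
from __future__ import annotations

import random

PASSWORD_LEN = 4
SECRET = bytes.fromhex("5a3c9e17")   # constructed secret for the simulation (assumption)
SAMPLES_PER_COMPARE = 8              # assumed cycles spent per byte comparison
BASELINE = 0.2                       # assumed idle current level in the simulated trace


def leaky_compare(candidate: bytes, secret: bytes, rng: random.Random) -> tuple[bool, list[float]]:
    """Victim side: byte-wise password check that aborts on the first mismatch.

    Returns (accepted, trace). The trace is a list of simulated power samples:
    an idle preamble, one burst per byte actually compared, then idle again.
    Burst amplitude follows a Hamming-distance leakage model plus noise; the
    burst *count* is what the early-abort loop leaks to an observer.
    """
    trace = [BASELINE + rng.gauss(0, 0.02) for _ in range(4)]
    accepted = len(candidate) == len(secret)
    for c, s in zip(candidate, secret):
        hd = bin(c ^ s).count("1")
        trace.extend(1.0 + 0.05 * hd + rng.gauss(0, 0.02) for _ in range(SAMPLES_PER_COMPARE))
        if c != s:
            accepted = False
            break                     # early exit: fewer bursts in the trace
    trace.extend(BASELINE + rng.gauss(0, 0.02) for _ in range(4))
    return accepted, trace


def count_compare_bursts(trace: list[float], threshold: float = 0.6) -> int:
    """Attacker side: count comparison bursts by thresholding the trace."""
    active = sum(1 for v in trace if v > threshold)
    return active // SAMPLES_PER_COMPARE


def recover_password(oracle, length: int) -> tuple[bytes, int]:
    """Recover the password one byte at a time from the burst count.

    With the first `pos` bytes already known, a wrong guess at position `pos`
    produces exactly pos+1 bursts; the right guess lets the check proceed to
    the next byte (pos+2 bursts) or be accepted outright on the last byte.
    Cost is at most 256 * length queries instead of 256 ** length.
    """
    known = bytearray()
    queries = 0
    for pos in range(length):
        found = None
        for guess in range(256):
            candidate = bytes(known) + bytes([guess]) + bytes(length - pos - 1)
            accepted, trace = oracle(candidate)
            queries += 1
            if accepted:
                return candidate, queries
            if count_compare_bursts(trace) > pos + 1:
                found = guess
                break
        if found is None:
            raise RuntimeError(f"no guess advanced past byte {pos}")
        known.append(found)
    return bytes(known), queries


def make_oracle(secret: bytes = SECRET, seed: int = 1):
    """Wrap the victim check as a query oracle with its own noise source."""
    rng = random.Random(seed)
    return lambda cand: leaky_compare(cand, secret, rng)


def demo() -> tuple[bytes, int]:
    return recover_password(make_oracle(), PASSWORD_LEN)


if __name__ == "__main__":
    pw, n = demo()
    print(f"recovered {pw.hex()} after {n} queries")
```

The fix on the firmware side is a constant-time comparison that always walks the full password length and accumulates the result, so that the trace neither shortens nor changes shape with the number of correct leading bytes; the simulation above reproduces only the early-exit behaviour that makes byte-by-byte guessing work.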

This project is running in collaboration with industrial companies and semiconductor manufacturers. It is aimed at the security analysis of embedded semiconductor memory, in particular Flash and EEPROM. The ultimate goals are to assist chip manufacturers in selecting the most secure building blocks for embedded memory and to develop more robust memory cells in the long run.

Recent achievements include successful extraction from embedded Flash memory fabricated with 0.5-micron, 0.35-micron, 0.25-micron, 180nm, 150nm, 130nm, 110nm, 90nm, 65nm, 55nm, 45nm, 40nm and 28nm processes. Successful extraction from NAND Flash memory was achieved down to the 19nm process.

Pictures of the real devices and images of their embedded Flash areas will appear soon.

Selected publications:
Sergei Skorobogatov: Hardware Security: Present challenges and Future directions. TL@NTU Workshop on IC Hardware Analysis, 20th July 2018, Singapore
Sergei Skorobogatov: Combining Hardware Security, Failure Analysis and Forensic Analysis for the benefit of all. Invited talk at ISTFA 2017, Pasadena, USA, November 2017
Sergei Skorobogatov: Challenging real-world targets: from iPhone to insulin pump. Keynote talk at Hardware Security Conference and Training (Hardwear.IO 2017), Hague, Netherlands, September 2017
Sergei Skorobogatov: Deep dip teardown of tubeless insulin pump. arXiv:1709.06026, September 2017
Franck Courbon, Sergei Skorobogatov, Christopher Woods: Direct charge measurement in Floating Gate transistors of Flash EEPROM using Scanning Electron Microscopy. In Proceedings of the 42nd International Symposium for Testing and Failure Analysis (ISTFA), November 2016
Franck Courbon, Sergei Skorobogatov, Christopher Woods: Reverse engineering Flash EEPROM memories using Scanning Electron Microscopy. In Proceedings of the 15th Smart Card Research and Advanced Application Conference (CARDIS 2016), Cannes, France, November 2016

In the meantime I will keep posting updates on major events and achievements in that area.

Please stay tuned.



Sergei Skorobogatov <Sergei.Skorobogatov (at) cl.cam.ac.uk>
last modified 09-05-2022 -- http://www.cl.cam.ac.uk/~sps32/