Direct access to the data stored inside semiconductor chips is becoming an important issue. This is not only needed for Failure Analysis by chip manufacturers, but also by developers investigating various failures of their devices in the field. As silicon chips become more complex year on year those failures appear more frequent. Another important area is Forensic Analysis carried out by government agencies. Various cases require scrupulous investigation for the cause of a problem. Not only that, but in some cases the semiconductor device is electrically or even mechanically damaged.
Lets imagine the following challenge which do appear from time to time:
- Information needs to be extracted from on-chip Flash memory in a microcontroller of a data processing block as it contains some sensitive data;
- The task is hardened by existance of the-only-one real sample and limitation in time;
- Although the microcontroller has security protection this can be defeated by resetting the security fuse followed by password guess with power analysis;
- However, the chip I/O was electrically damaged by a voltage surge as a result of an accident, hence, it cannot be easily accessed; still it might be possible to restore I/O or probe the internal data bus;
- But, the chip undergo a mechanical stress and as a result was cracked in half and cannot be powered up; although the Flash memory integrity was not affected, all the essential surrounding support circuit is irreversably damaged; rewiring hundreds of nanometer-scale wires will be extremely expensive and time consuming;
We aim at bringing the solution to that challenge.
In collaboration with Quo Vadis Labs I am managing this project on security analysis of semiconductor memory.
At the University part of the project I supervise a postdoctoral researcher. We are exploring the limits for penetrative and non-penetrative analysis of embedded memory. We are developing new probing techniques to analyse the contents of on-chip semiconductor memory using non-invasive, semi-invasive and invasive methods.
The first paper on one of our new methods will be published at a prestigious Failure Analysis conference in November 2016:
Franck Courbon, Sergei Skorobogatov, Christopher Woods: Direct charge measurement in Floating Gate transistors of Flash EEPROM using Scanning Electron Microscopy. In Proceedings of the 42nd International Symposium for Testing and Failure Analysis (ISTFA), November 2016
The second paper was presented at one of the leading conferences on smartcard security in November 2016:
Franck Courbon, Sergei Skorobogatov, Christopher Woods: Reverse engineering Flash EEPROM memories using Scanning Electron Microscopy. In Proceedings of the 15th Smart Card Research and Advanced Application Conference (CARDIS 2016), Cannes, France, November 2016
The project will run until September 2017 and we are looking for sponsors and collaborators to take the project to the next level - practical implementation for modern fabrication processes.
In the meantime I will keep updating on major events and achievements in that area.
Please stay tuned.
<Sergei.Skorobogatov (at) cl.cam.ac.uk>
last modified 01-09-2017 -- http://www.cl.cam.ac.uk/~sps32/