For an embedded system on a circuit board, physical attacks can be launched by
using probes to eavesdrop on inter-component communications. However, for a
system-on-chip, sophisticated microprobing techniques become necessary. The
first step in such attacks is de-packaging. De-packaging involves removal of the
chip package by dissolving the resin covering the silicon using fuming acid. The
next step involves layout reconstruction using a systematic combination of
microscopy and invasive removal of covering layers. During layout
reconstruction, the internals of the chip can be inferred at various granularities.
While higher-level architectural structures within the chip such as data and
address buses, memory and processor boundaries, etc., can be extracted with
little effort, detailed views of lower-level structures such as the instruction
decoder and ALU in a processor, ROM cells, etc., can also be obtained. Finally,
techniques such as manual microprobing or e-beam microscopy are typically
used to observe the values on the buses and interfaces of the components in
a de-packaged chip.
Physical attacks at the chip level are relatively har to use because of
their expensive infrastructure requirements (relative to other attacks).
However, they can be performed once and then used as precursors
to the design of successful non-invasive attacks. For example, layout
reconstruction is needed before performing electromagnetic radiation
monitoring around selected chip areas. Likewise, the knowledge of
ROM contents, such as cryptographic routines and control data, can
provide an attacker with information that can assist in the design of a
suitable non-invasive attack.
using probes to eavesdrop on inter-component communications. However, for a
system-on-chip, sophisticated microprobing techniques become necessary. The
first step in such attacks is de-packaging. De-packaging involves removal of the
chip package by dissolving the resin covering the silicon using fuming acid. The
next step involves layout reconstruction using a systematic combination of
microscopy and invasive removal of covering layers. During layout
reconstruction, the internals of the chip can be inferred at various granularities.
While higher-level architectural structures within the chip such as data and
address buses, memory and processor boundaries, etc., can be extracted with
little effort, detailed views of lower-level structures such as the instruction
decoder and ALU in a processor, ROM cells, etc., can also be obtained. Finally,
techniques such as manual microprobing or e-beam microscopy are typically
used to observe the values on the buses and interfaces of the components in
a de-packaged chip.
Physical attacks at the chip level are relatively har to use because of
their expensive infrastructure requirements (relative to other attacks).
However, they can be performed once and then used as precursors
to the design of successful non-invasive attacks. For example, layout
reconstruction is needed before performing electromagnetic radiation
monitoring around selected chip areas. Likewise, the knowledge of
ROM contents, such as cryptographic routines and control data, can
provide an attacker with information that can assist in the design of a
suitable non-invasive attack.
This comment has been removed by the author.
ReplyDelete