Chip design discovery is easier than you think

The inscrutable black surface of a chip does not seem to give much information away much to the observer. But information on what is inside is just waiting to leak out, despite secrecy supposedly being an important competitive weapon in electronics.

This is even the case for design teams that have attempted to lock away software by storing it in embedded non-volatile memory and setting the security fuses so the code cannot be read out. Many companies choose to protect their designs using trade secrets, rather than patents because, with a published patent, the knowledge is guaranteed to be in the open. Why take the risk, when it is often hard to track down infringers because it means having to reverse engineer other vendors' parts? The process of detecting an infringement is not getting any easier because of the cat-and-mouse game being played between engineering teams and reverse-engineering specialists such as Chipworks and Semiconductor Insights. The same ongoing war means trade secrets are not easy to secure when faced with a competitor that has the money or resources to open up the chip. The legal situation around reverse engineering has been complicated by legislation such as the US Digital Millennium Copyright Act (DMCA). This forbids reverse engineering, except for research or interoperability on software. However, in the same country, reverse engineering is not only legal, but is also protected by law in the 1984 Semiconductor Chip Protection Act on the basis that the act prevents direct copying and, to make use of the derived information, a cloner would probably infringe the patents covering the circuitry – assuming that the developer has chosen to go down that route. The steps involved in reverse engineering a chip are straightforward, if intricate, to carry out. According to Randy Torrance, engineering manager at Chipworks, taking the package off a chip is a technique that has not changed much in close to 20 years – use a bath of strong acid and watch the epoxy and polyimide melt away. Delayering takes a lot more skill as you have to be able to shave off nanometre thick layers of metal and dielectric at the bottom of the stack without removing too much and take a high-resolution picture at each stage. In the past ten years, the dielectric and metal chemistries have changed a lot. But one big change – to copper for metal interconnect – has made some aspects of reverse engineering easier. Copper is pretty tough to remove chemically without disrupting the material around it. So chipmakers simply polish off excess metal using an abrasive pad and solvents. This chemical mechanical polishing (CMP) process yields incredibly flat surfaces. So, as long as the delayering process has good depth control – and you have a good idea of the height of each level of interconnect – there is a very good chance of recovering the mask pattern at each layer, assuming you have access to an scanning electron microscope. Around the 130nm generation, features on the surface of the wafer became too small to see clearly using optical microscopes. A set of reverse-engineered mask layers does not tell you a great deal about a circuit, although regular structures such as SRAMs can be identified clearly. The next step is a semi-automated process of understanding how the chip's structures are converted into transistors and metal connections. The result is a big, flat netlist. From there, it is a laborious process of analysing circuit patterns to build up a picture of the virtual components the synthesis tool generated, such as multiplexers and registers. Some of this can be automated. Chipworks, for example, has written a tool that will recognise common circuit elements once they have been identified manually. Once the netlist has been deconstructed into a schematic made up of working virtual components and connections – so that false paths and dummy parts have been eliminated – it becomes possible to simulate its behaviour and work out whether that matches the hardware's real-world operation. Where software is involved, this has to be extracted as well. Mask-programmed read-only memories (ROMs) are pretty straightforward: the ones and zeroes are encoded in the metal patterns. Flash and other electrically programmable memories are much, much tougher to deal with. In principle, there are techniques that can recover data from memory cells by looking at secondary electron emissions as they are read. In practice, this is hard to pull off successfully. The alternative is to convince the chip to give up its secrets. The chip will almost certainly be designed to not provide a path to the outside world from a memory used to store private keys and data. But there is often a side channel: the test circuitry. The fundamental idea of test is to expose as many internal nodes as possible to an external tester. Scan-based testing makes it possible to simply scan out memory contents if the circuitry allows it. Very often, makers of secure chips will test the chip in the assembly plant and then use fuses to disconnect the test-access ports from the memory stores that need protection. Or they may have designed the test regime so that on-chip circuitry will test a memory and simply provide a pass/fail signal to the scan-based tester. However, it might be possible to reconnect test to the sensitive parts. This is where reverse engineers resort to focused ion beam microsurgery to make tiny alterations to the circuitry of a working chip. Using the layout, the engineers use the ion beam to dig down into a working chip and snip some of its wires. If they pick the right ones, encryption keys and supposedly protected software can be read out. Companies want to make it tougher to reverse engineer chips. They want to protect trade secrets or to guard against hacks on the cryptographic infrastructure that lies behind a growing number of internet-based systems. Or they may want to hide their own infringement: something that is becoming more common according to Semiconductor Insights. The net result is an increase in countermeasures. One approach is to embed shield networks in the metal layers, generally used to protect against focused ion beam surgery. If you cut through one of the shield wires by accident, the chip will erase or corrupt the secure code memories when it is next powered up for analysis. For some types of reverse engineering, a hacker does not even have to dig down into the device. Many cryptographic applications use standard protocols – and many of these have to for interoperability reasons. Someone with a knowledge of the algorithm in use can simply monitor a chip's behaviour to uncover the supposedly secret cryptographic keys stored inside. Circuits are leaky things, generating information through heat, stray electrons and the power they consume. Not only that, cryptographic algorithms use a combination of computationally intensive and simple operations in known ways. Because they often run on low-performance, low-power processors, it is possible to see the sequence of operations involved in the exponentiation of the large integers used by many common protocols, simply by looking at device's activity. Cryptographic processors often process the secret exponent one bit at a time. A squaring operation is performed on each bit – what happens next depends on the result. If it is zero, there is no need to multiply it, so the processor does not bother. But if it is a one, the processor will use a relatively power-hungry multiplication. Assuming not much else is going, just the change in current can signal this. Power-saving techniques, such as clock–gated circuitry, make the situation worse. However, the crypto engine may be buried inside a much larger device, making the power signature harder to read. But it is not game over for the hacker. This is where differential power analysis (DPA) comes in. This statistical technique samples the behaviour of the device over a relatively long period of time (see fig 1). By guessing partial keys and applying this information to the sampled data, it is possible to use correlation to show up spikes in the data that indicate a correct guess. Without circuit protection, the technique is devastatingly effective. Image courtesy of Frank Kagan Gürkaynak/ETHZ. A DPA-based attack performed by specialist Cryptography Research on a sample AES implementation that comes with a Side-channel Attack Standard Evaluation Board designed by the Japanese National Institute of Advanced Industrial Science and Technology took just 10,000 individual measurements. Using less than 5ms of actual cryptographic computation time, it took one minute of real time to extract a complete 16byte key. The key to DPA countermeasures is to hide the differences in circuit activity from an observer. For example, leakage reduction – in which the operation sequences are made less dependent on key values or intermediates – helps. Randomising the order in which data is manipulated can also defeat the correlation techniques used in DPA. Fixed time algorithms that have no data-dependent delays will eliminate data-related timing signatures – this repairs some of the damage caused by low-power circuit design, although it may also lead to less efficient power usage. For this reason, chip designers are working on near-threshold crypto engines that save energy by taking advantage of the quadratic dependence of transistor power consumption on supply voltage. In electronics, spies are everywhere. Although some of these techniques may seem as though they only apply to the world of financial transactions and military systems, the readiness of some companies to clone devices and of hackers to break security protocols means more designers will have to deal with the dark underbelly of reverse engineering.