Gunter Ollmann, Microsoft
As reverse engineering tools and hacking techniques have improved over the years, software engineers have been forced to bury their secrets deeper down the stack – securing keys and intellectual property first in software, then drivers, on to custom firmware and microcode, and eventually as etchings on the very silicon itself.
For the hackers involved, the skills and tooling needed to extract and monetize these secrets come with ever-increasing hurdles and cost. Yet, seemingly as a corollary to Moore’s Law, each year the cost of the tooling drops by half while access (and desire) doubles. Today, with access to multi-million-dollar semiconductor labs that can be rented for as little as $200 per hour, skilled adversaries can physically extract the most prized secrets directly from the integrated circuits (ICs).
Understanding your adversary lies at the crux of every defensive strategy. This session reviews the current generation of tools and techniques used by professional hacking entities to extract the magic numbers, proprietary algorithms, and WORN (Write Once, Read Never) secrets from the chips themselves.
As a generation of bug hunters begins to use such tools to extract the microcode and etched algorithms from the ICs, we’re about to face new classes of bugs and vulnerabilities – lying in (possibly) ancient code – that probably can’t be “patched”. How will we secure secrets going forward?
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunting
4. History of Reverse Engineering
“Secrets” originally embedded in software
• Obfuscation battles
• Anti-debugger technologies
• Just-in-time decryption
Decompilers & debuggers
• Kept pace and overcame techniques
• Easy access to tools & training
Barrier/cost to attack very low
Move “secrets” to firmware
• Raise barrier to entry/hack
• Require physical access to device (maybe)
• Closer tie-in to hardware functions
Firmware extraction
• Firmware updates online
• Static analysis of firmware
• Growing pool of (free) tools
Some Advantages:
• Physical barriers (in addition to any software/coding barriers)
• Requires different toolset for hacking
• Tools more expensive (than software)
Some Disadvantages:
• Locked in to hardware development cycles
• Higher cost of updating (if able)
5. Hardware Hacking
• Initially all about communications monitoring
• Protocol decoding and/or emulation
• Attack the interfaces first
• If it’s accessible, try it
• If it’s not accessible, dismantle a little and try it
• Smartcard, Serial, JTAG, USB, I2C, Ethernet, etc.
• Broad toolbag
• Software tools,
• Oscilloscopes,
• Logic analyzers,
• Probes and sniffers…
11. Getting smaller – 10nm
• Qualcomm Snapdragon 835 has a die size of 72.3 mm²
• Samsung Galaxy S8
• 10nm at the gate level
• Dual shallow trench isolation (STI) and extra processing necessary to enable a dummy poly single diffusion break (SDB).
13. How RE used to be done
• Optical imaging
• Tape together the photos
• Crawl around on the floor
14. Blame MAME
• Multiple Arcade Machine Emulator
• Project to preserve decades of “vintage” gaming software history
• Recovery of game ROMs from original circuit boards and chips
• Reverse engineering the boards/ROMs
• Code extraction from Mask ROM
• The CAPS0ff project
• http://caps0ff.blogspot.com/
16. Physical Barriers to IC Reversing
• Escalating battle between engineer and reverser
• Variety of techniques grows yearly:
• Change metals between layers to defeat acids
• Doping of silicon to prevent x-rays and infra-red
• Photo-sensitive fuses
• Active meshes covering “secrets”
• Obfuscation and false trails
• Make things smaller…
17. Semiconductor RE Methodology
• It all begins with “studying” the chip
• Secret extraction is usually performed in “5 easy steps”:
• Decapsulation
• Delayering
• Imaging
• Image analysis
• Data extraction
18. Material removal methods (Method / Pro / Con)
Chemical – Wet
• Pro: High etch rates (sulfuric or nitric acid); great when the die is small compared to the package
• Con: Doesn’t work on ceramic packages; acids damage frame/bond wires; curved/isotropic etch
Chemical – Dry
• Pro: Can remove any material; good selectivity over etch zones
• Con: Slow for ceramic; contamination affects evenness of etch
Mechanical – Grinding and Polishing
• Pro: Even removal; easy to use
• Con: Bad for selectivity over etch zones
Mechanical – Milling
• Pro: Remove material in a specific area; three-axis material removal
• Con: Accuracy dependent upon tool (and CNC skills)
Thermal Shock
• Pro: Fast and inexpensive; easy to perform
• Con: High risk of die damage; bad for selectivity over zones
Nanoscale Fabrication – High Current FIB
• Pro: High accuracy in material removal (nm); good selectivity over etch zones
• Con: Expensive and requires experience; slow milling rate (30 µm³/s)
Nanoscale Fabrication – Plasma FIB
• Pro: High accuracy in material removal (nm); fast & good selectivity over etch zones
• Con: Expensive and requires experience
Laser Ablation – Laser
• Pro: Accurate material removal (µm); faster milling rate (500+ over Plasma FIB)
• Con: Expensive and requires experience
30. Backside Analysis Imaging
• Increased use of metallized layers
• Capable of blocking microscopes in key areas
• Added complexity in the delayering process
• Pure silicon is transparent to near-infrared
• Backside analysis of the chip
• Getting more difficult
• Dopants added to the substrate can alter the electronic characteristics of the wafer
Source: “Biased, Backside Failure Analysis Techniques for Small Plastic Packages” - Steve Brockett and Ting Xiong
32. 3D X-Ray Microscopes
• New generation of IC analysis tools
• X-Ray rendering of 3D structures at 70 nm
• Non-destructive and can be used on fully intact IC packages
38. Micro Probing
• Probing individual conductors and devices
• Selectively inject and measure the effects of real-time currents and voltages on individual semiconductor devices under varying conditions
• Locate and identify specific weaknesses that will allow data to be extracted
39. Micro Probing
• Requirements vary per chip
• Specialized buffers and drive circuits
• Customized per chip / optimized per chip line
• Avoid chip security mechanisms or altering behavior
• Probing needles often < 0.1 microns
• Reducing voltages and slowing down the chip
• Study capacitance dynamics
• Purpose-built logic analysis systems
• Study proprietary chip languages
40. Glitching
• Applying unexpected or non-standard inputs to certain transistors in the chip
• Can be made to execute a number of unexpected or wrong instructions
• Systematic process to identify and label areas of the integrated circuit and to identify weaknesses
• Process includes:
• Electrical, mechanical or specific light frequencies
• A combination of strategically placed needles used to induce cascading electrical glitches
• Manipulation of ground lines and higher voltages
42. Simulation Software
• IC image layers are aligned and vectorized
• 3D CAD software used to map vias, label memory/code areas, etc.
• Seasoned extraction engineer analyzes the drawing
• Annotate the components, wires, and devices
• New generation of circuit virtualization
• Perform glitching and “patching”
50. What’s possible?
Imaging techniques capable of:
• Reading bits at the metal level (e.g. Mask ROM)
• Reading bits at the silicon level (e.g. storage memory)
• Reading gate arrays to evaluate etched algorithms
• Virtualized simulation of chip functions
Probing techniques capable of:
• Extracting stored code and memory dumps from any part of the IC
• Bypassing and usurping any physical block of functionality (e.g. random number generation, crypto engines, etc.)
• Regulating power (and bits) to any part of the chip, algorithm, or “code”
51. “Non-destructive” Access
• Imaging process is traditionally destructive
• Changing with newer x-ray and microwave-based technologies
• Better virtualization of vectorized images = destruction doesn’t matter
• Imaging is a means to an end
• Key/skill lies in finding optimal routes to data/code “in situ”
• Processes of placing vias, laying tracks, probe sequencing, etc. can be automated and repeated for copies of the same chip
• Once a chip has been “hacked”, repeated data manipulation is often very quick and easy
52. Attacks Against Mass Produced Devices
High-margin devices:
• Economics focused on customer retention
• Example: “Genuine XXXXX Toner Cartridges”
• Includes chips for authenticating compatibility policies
Attacker must:
• Extract protocols, functionality, and algorithms
• Extract keys and sensitive parameters
• Commercialize an attack
Defenses:
• Use device-specific keys and revoke/update when compromised
• Use sophisticated crypto algorithms
• Software-encrypted algorithm stored in memory that erases the chip’s memory
• Optical sensors that erase the chip’s memory
53. Backdoors
• Extracted secrets/code of target chip
• FPGA to replicate functionality
• Replicate package
• Modification of code:
• Extra keys/secrets added
• Change/deprecate crypto functions
• Replace random number generator
• Hunting for backdoors in chip images?
• Needle in haystack, but auto-labeling and virtualization are increasing success
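One of the backdoor variants above is a replaced random number generator. A defense that can live in firmware is a run-time health test on the raw noise source, so a source that is stuck or skewed is caught before its output feeds key generation. The block below is an added example and not code from the talk: a Python model of the repetition count test and the adaptive proportion test from NIST SP 800-90B section 4.4, with cutoffs computed exactly from the binomial distribution rather than read from the standard's tables, failing when a count reaches its cutoff. The sample streams, the assumed min-entropy of 8 bits per byte-valued sample, and the 512-sample window are constructed for the illustration; in a product the min-entropy figure comes from an entropy assessment of the actual source.

```python
"""Run-time health tests for a hardware noise source, modelled on the repetition
count test (RCT) and adaptive proportion test (APT) of NIST SP 800-90B, 4.4.
Added example, not code from the talk.  Cutoffs are computed here; a test
fails when the observed count reaches its cutoff, giving a false-alarm
probability of roughly alpha = 2**-20 per test."""
import math
import random

ALPHA_LOG2 = 20  # alpha = 2**-20, the false-alarm probability used by SP 800-90B


def rct_cutoff(h: float) -> int:
    """RCT cutoff C = 1 + ceil(-log2(alpha) / H) for assessed min-entropy H bits/sample."""
    return 1 + math.ceil(ALPHA_LOG2 / h)


def apt_cutoff(window: int, h: int) -> int:
    """Smallest c with P(Binomial(window, 2**-h) <= c) >= 1 - alpha, in exact
    integer arithmetic (h must be a whole number of bits)."""
    q = 2 ** h                                  # the most likely symbol has probability 1/q
    scale = q ** window                         # common denominator of the binomial pmf
    threshold = scale - (scale >> ALPHA_LOG2)   # scale * (1 - alpha), exact since q is a power of 2
    cumulative = 0
    for c in range(window + 1):
        cumulative += math.comb(window, c) * (q - 1) ** (window - c)
        if cumulative >= threshold:
            return c
    return window


class HealthMonitor:
    """Feeds samples through both tests; feed() returns a failure reason or None."""

    def __init__(self, h: int, window: int = 512):
        self.rct_c = rct_cutoff(h)
        self.apt_c = apt_cutoff(window, h)
        self.window = window
        self.last = None          # RCT state: previous sample and current run length
        self.run = 0
        self.apt_ref = None       # APT state: reference sample, its count, samples seen in window
        self.apt_count = 0
        self.apt_seen = 0

    def feed(self, sample: int):
        # RCT: a run of identical samples reaching the cutoff indicates a stuck source.
        if sample == self.last:
            self.run += 1
        else:
            self.last, self.run = sample, 1
        if self.run >= self.rct_c:
            return f"RCT: {self.run} identical samples (cutoff {self.rct_c})"
        # APT: the first sample of each window is counted across the window; too many
        # occurrences mean the source is biased toward that value.
        if self.apt_seen == 0:
            self.apt_ref, self.apt_count = sample, 0
        self.apt_seen += 1
        if sample == self.apt_ref:
            self.apt_count += 1
        if self.apt_count >= self.apt_c:
            return f"APT: {self.apt_count} of {self.apt_seen} samples equal {self.apt_ref} (cutoff {self.apt_c})"
        if self.apt_seen == self.window:
            self.apt_seen = 0
        return None


def check_stream(samples, h: int = 8, window: int = 512):
    """Return the first failure reason, or None if the whole stream passes."""
    mon = HealthMonitor(h, window)
    for s in samples:
        reason = mon.feed(s)
        if reason:
            return reason
    return None


# Constructed byte-valued sample streams (H assumed to be 8 bits/sample for the good source).
_rng_good = random.Random(2017)
GOOD_STREAM = [_rng_good.randrange(256) for _ in range(2048)]
STUCK_STREAM = [0x5A] * 64                                   # output frozen at a single value
_rng_bias = random.Random(99)
BIASED_STREAM = [0 if i % 3 == 0 else _rng_bias.randrange(256) for i in range(1024)]  # one value every third sample

if __name__ == "__main__":
    for name, stream in (("good", GOOD_STREAM), ("stuck", STUCK_STREAM), ("biased", BIASED_STREAM)):
        print(f"{name}: {check_stream(stream) or 'pass'}")
```

For byte samples at 8 bits of min-entropy the RCT cutoff is 4, so the frozen stream is rejected on its fourth sample, while the biased stream is caught by the APT well inside the first window. The tests only see a degraded source, not a subverted one that still looks statistically fine; they are a detection layer for the “replace the RNG” case, not a proof of entropy.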
54. Defending against Chip RE
• Attackers often probe and exploit component interfaces
• Design with the assumption that interfaces and intermediate data are insecure
• Design uniformity is useful for obfuscation of interfaces
• Electrical uniformity is useful for limiting side-channel attacks
• Resistive grids are of limited use against probing
• Not sufficient to secure software components from software attacks and hardware components from hardware attacks
• Symbiosis of software and hardware stored code/secrets
• Don’t assume that data disappears when powered off
• Electron decay slowed by reducing temperature
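The first defense on slide 52 (device-specific keys with revocation) and the side-channel point on slide 54 together, as an added example that is not from the talk: a consumable-authentication sketch in Python in which the host derives each cartridge’s key from a master key and the cartridge id, so that a key extracted from one chip authenticates only as that chip, and revoking that id shuts the clone out. Everything here is assumed for illustration: the master key value, the `consumable-auth-key-v1` label, the `cart-0001`/`cart-0002` ids, and the placement of the master key on the verifier side (a secure element or HSM in the host), which is what the scheme depends on.

```python
"""Device-specific key diversification with revocation, for authenticating a
consumable (the 'genuine cartridge' case).  Added example, not code from the
talk.  Assumes the verifier (host) keeps the master key in a secure element or
HSM and each consumable carries only its own derived key, so extracting one
chip's key yields neither the master key nor any other device's key."""
import hashlib
import hmac
import secrets

# Constructed master key for the example; in a product this lives only on the verifier side.
MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
KEY_LABEL = b"consumable-auth-key-v1"  # assumed domain-separation label


def derive_device_key(master_key: bytes, device_id: bytes) -> bytes:
    """HMAC-SHA256 as a one-way KDF: key_i = HMAC(master, label || id).
    A device holding key_i cannot recover master or key_j for j != i."""
    return hmac.new(master_key, KEY_LABEL + device_id, hashlib.sha256).digest()


class Consumable:
    """The chip on the cartridge: holds its id and its own diversified key."""

    def __init__(self, device_id: bytes, device_key: bytes):
        self.device_id = device_id
        self._key = device_key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Verifier:
    """The host: re-derives the expected key per device and keeps a revocation list."""

    def __init__(self, master_key: bytes):
        self._master = master_key
        self.revoked = set()

    def revoke(self, device_id: bytes) -> None:
        self.revoked.add(device_id)

    def authenticate(self, device: Consumable) -> bool:
        if device.device_id in self.revoked:
            return False
        challenge = secrets.token_bytes(16)          # fresh per run, so responses cannot be replayed
        expected_key = derive_device_key(self._master, device.device_id)
        expected = hmac.new(expected_key, challenge, hashlib.sha256).digest()
        # Constant-time comparison: the response check must not leak through timing,
        # the software counterpart of the slide's "electrical uniformity" against side channels.
        return hmac.compare_digest(expected, device.respond(challenge))


def provision(master_key: bytes, device_id: bytes) -> Consumable:
    """Factory step: derive the device key and burn only that key into the chip."""
    return Consumable(device_id, derive_device_key(master_key, device_id))


def scenario() -> dict:
    """Genuine devices pass; a clone built from device A's extracted key passes only as A,
    cannot impersonate B, and is locked out once A's id is revoked."""
    verifier = Verifier(MASTER_KEY)
    a = provision(MASTER_KEY, b"cart-0001")
    b = provision(MASTER_KEY, b"cart-0002")
    extracted_key_of_a = a._key                     # what a silicon-level attack on chip A yields
    clone_as_a = Consumable(b"cart-0001", extracted_key_of_a)
    clone_as_b = Consumable(b"cart-0002", extracted_key_of_a)   # wrong key for id B
    results = {
        "genuine_a": verifier.authenticate(a),
        "genuine_b": verifier.authenticate(b),
        "clone_as_a_before_revocation": verifier.authenticate(clone_as_a),
        "clone_as_b": verifier.authenticate(clone_as_b),
    }
    verifier.revoke(b"cart-0001")
    results["clone_as_a_after_revocation"] = verifier.authenticate(clone_as_a)
    results["genuine_b_still_valid"] = verifier.authenticate(b)
    return results


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The limit of this symmetric scheme is that whoever holds the master key (the host) becomes the high-value target, so the host’s own resistance to extraction matters; if the host is fielded in volume, a per-device asymmetric credential (a certificate chained to the vendor, with the private key generated on the chip) keeps any fleet-wide secret out of every device an attacker can buy.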
55. The Threat Going Forward
• Barrier for entry is high, but dropping quickly
• SIM, FIB, probe station, etc.
• $500k+ for starters
• Renting equipment $300+/hour
• IC code is immobile
• Very little (historically) has been security audited – and is generally poor
• Stored procedures and code bases now open to review/assessment
• Extraction of cell-phone Java engines, container security, and proprietary code bases “downloaded”, and exploitable vulnerabilities are being found
• Unpatchable critical vulnerabilities
• Black eye for vendor… or costly product recall?
“The state-of-the-art in semiconductor reverse engineering”: https://www.researchgate.net/publication/221058794_The_state-of-the-art_in_semiconductor_reverse_engineering
“How RE used to be done” (slide 13 image, from the same publication): https://www.researchgate.net/profile/Dick_James/publication/221058794/viewer/AS:142410457817088@1410964708086/background/10.png
“Biased, Backside Failure Analysis Techniques for Small Plastic Packages” - Steve Brockett and Ting Xiong: http://csmantech.org/OldSite/Digests/2001/PDF/10B_5_Brockett.pdf