Gunter Ollmann, Microsoft As reverse engineering tools and hacking techniques have improved over the years, software engineers have been forced to bury their secrets deeper down the stack – securing keys and intellectual property first in software, then drivers, on to custom firmware and microcode, and eventually as etchings on the very silicon itself. For the hackers involved, the skills and tooling needed to extract and monetize these secrets come with ever increasing hurdles and cost. Yet, seemingly as a corollary to Moore’s Law, each year the cost of the tooling drops by half, while access (and desire) doubles. Today, with access to multi-million dollar semiconductor labs that can be rented for as little as $200 per hour, skilled adversaries can physically extract the most prized secrets from the integrated circuits (IC) directly. Understanding your adversary lies at the crux of every defensive strategy. This session reviews the current generation of tools and techniques used by professional hacking entities to extract the magic numbers, proprietary algorithms, and WORN (Write Once, Read Never) secrets from the chips themselves. As a generation of bug hunters begin to use such tools to extract the microcode and etched algorithms from the IC’s, we’re about to face new classes of bug and vulnerabilities – lying in (possibly) ancient code – that probably can’t be “patched”. How will we secure secrets going forward?

4. History of Reverse Engineering
“Secrets” originally
embedded in software
• Obfuscation battles
• Anti-debugger technologies
• Just-in-time decryption
Decompilers & debuggers
• Kept pace and overcame
techniques
• Easy access to tools &
training
Barrier/cost to attack very
low
Move “secrets” to firmware
• Raise barrier to entry/hack
• Require physical access to
device (maybe)
• Closer tie in to hardware
functions
Firmware extraction
• Firmware updates online
• Static analysis of firmware
• Growing pool of (free) tools
Some Advantages:
• Physical barriers (in addition to
any software/coding barriers)
• Requires different toolset for
hacking
• Tools more expensive (than
software)
Some Disadvantages:
• Locked in to hardware
development cycles
• Higher cost of updating (if
able)

5. Hardware Hacking
• Initially all about communications monitoring
• Protocol decoding and/or emulation
• Attack the interfaces first
• If it’s accessible, try it
• If it’s not accessible, dismantle a little and try it
• Smartcard, Serial, JTAG, USB, I2C, Ethernet, etc.
• Broad toolbag
• Software tools,
• Oscilloscopes,
• Logic analyzers,
• Probes and sniffers…

8. Intel 8008 Chip
• 45 Years old - "© Intel 1971“
• Ancestor to the x86 processor family
• 3098 transistors @ 0.5 MHz
• 10µm fabrication

9. Intel 8008 Chip
• Power & Data rails
• 8-bit Arithmetic/Logic Unit (ALU)
• 14-bit address bus
• 16 KB of memory

10. Intel 8008 Chip
• Block Diagram
• User’s Manual

11. Getting smaller – 10nm
• Qualcomm Snapdragon 835 has
a die size of 72.3 mm2
• Samsung Galaxy S8
• 10nm at the gate level
• Dual shallow trench isolation
(STI) and extra processing
necessary to enable a dummy
poly single diffusion break
(SDB).

13. How RE used to be
done
• Optical imaging
• Tape together the photos
• Crawl around on the floor

14. Blame MAME
• Multiple Arcade Machine Emulator
• Project to preserve decades of “vintage”
gaming software history
• Recovery of game ROM’s from original circuit
boards and chips
• Reverse engineering the boards/ROM’s
• Code extraction from Mask ROM
• The CAPS0ff project
• http://caps0ff.blogspot.com/

16. Physical Barriers
to IC Reversing
• Escalating battle between engineer and reverser
• Variety of techniques grows yearly:
• Change metals between layers to defeat acids
• Doping of silicon to prevent x-rays and infra-red
• Photo-sensitive fuses
• Active meshes covering “secrets”
• Obfuscation and false trails
• Make things smaller…

17. Semiconductor RE
Methodology
• It all begins with “studying” the chip
• Secret extraction is usually performed in “5
easy steps”
• Decapsulation
• Delayering
• Imaging
• Image analysis
• Data extraction

18. Method Pro Con
Chemical Wet High etch rates: Sulfuric or Nitric acid
Great when die small compared to
package
Doesn’t work on ceramic packages
Acids damage frame/bond wires
Curved/isotropic etch
Dry Can remove any material
Good selectivity over etch zones
Slow for ceramic
Contamination affects evenness of etch
Mechanical Grinding and
Polishing
Even removal
Easy to use
Bad for selectivity over etch zones
Milling Remove material in a specific area
Three axis material removal
Accuracy dependent upon tool (and
CNC skills)
Thermal Shock Fast and inexpensive
Easy to perform
High risk of die damage
Bad for selectivity over zones
Nanoscale
Fabrication
High Current FIB High accuracy in material removal (nm)
Good selectivity over etch zones
Expensive and requires experience
Slow milling rate (30µm3/s)
Plasma FIB High accuracy in material removal (nm)
Fast & good selectivity over etch zones
Expensive and requires experience
Laser
Ablation
Laser Accurate material removal (µm)
Faster milling rate (500+ over Plasma FIB)
Expensive and requires experience

19. Decapsulation
• Simple epoxy etching via acids

28. Visibility
• Different tools:
• Optical microscopy
(500x - 1,500x magnification)
• FIB
(250x - 800,000x magnification)
• SEM
(70x - 1,000,000x magnification)

30. Backside Analysis
Imaging
• Increased use of metallized layers
• Capable of blocking microscopes in key areas
• Added complexity in the delayering process
• Pure silicon is transparent to near-
infrared
• Backside analysis of the chip
• Getting more difficult
• Dopants added to the substrate can alter the
electronic characteristics of the wafer
“Biased, Backside Failure Analysis Techniques for Small Plastic Packages” - Steve Brockett and Ting Xiong

32. 3D X-Ray Microscopes
• New generation of IC analysis tools
• X-Ray rendering of 3D structures
at 70 nm
• Non destructive and can be used
on fully intact IC packages

38. Micro Probing
• Probing individual conductors and devices
• Selectively inject and measure the effects
of real-time currents and voltages on
individual semiconductor devices
under varying conditions
• locate and identify specific
weaknesses that will allow
data to be extracted

39. Micro Probing
• Requirements vary per chip
• Specialized buffers and drive circuits
• Customized per chip / optimized per chip line
• Avoid chip security mechanisms or altering behavior
• Probing needles often < 0.1 microns
• Reducing voltages and slowing
down the chip
• Study capacitance dynamics
• Purpose-built logic analysis systems
• Study proprietary chip languages

40. Glitching
• Applying unexpected or non-standard inputs to
certain transistors in the chip
• Can be made to execute a number of
unexpected or wrong instructions
• Systematic process to identify and label areas of
the integrated circuit and to identify weaknesses
• Process includes:
• Electrical, mechanical or specific light frequencies
• A combination of strategically placed needles
used to induce cascading electrical glitches
• Manipulation of ground lines and higher voltages

42. Simulation Software
• IC Image layers are aligned and vectorized
• 3D CAD software used to map vias, label
memory/code areas, etc.
• Seasoned extraction engineer analyzes
the drawing
• Annotate the components, wires, and
devices
• New generation of circuit virtualization
• Perform glitching and “patching”

44. IC’s costing cents?

50. What’s possible?
 Imaging techniques capable of:
 Reading bits at the metal level (e.g. Mask ROM)
 Reading bits at the silicon level (e.g. storage memory)
 Reading gate arrays to evaluate etched algorithms
 Virtualized simulation of chip functions
 Probing techniques capable of:
 Extracting stored code and memory dumps from any part of the IC
 Bypassing and usurping any physical block of functionality (e.g. random number
generation, crypto engines, etc.)
 Regulating power (and bits) to any part of the chip, algorithm, or “code”

51. “Non-destructive” Access
 Imaging process is traditionally destructive
 Changing with newer x-ray and microwave-based technologies
 Better virtualization of vectorized images = destruction doesn’t matter
 Imaging is a means to an end
 Key/skill lies in finding optimal routes to data/code “in situ”
 Processes of placing vias, laying tracks, probe sequencing, etc. can be
automated and repeated for copies of the same chip
 Once a chip has been “hacked”, repeated data manipulation often very
quick and easy

52. Attacks Against Mass Produced Devices
 High margin devices:
 Economics focused on customer retention
 Example: “Genuine XXXXX Toner Cartridges”
 Includes chips for authenticating compatibility policies
 Attacker must:
 Extract protocols, functionality, and algorithms,
 Extract keys and sensitive parameters,
 Commercialize an attack
Defenses:
• Use device specific keys and
revoke/update when compromised
• Use sophisticated crypto algorithms
• Software-encrypted algorithm stored
in memory that erases chips memory
• Optical sensors that erase the chips
memory

53. Backdoors
 Extracted secrets/code of target chip
 FPGA to replicate functionality
 Replicate package
 Modification of code
 Extra keys/secrets added
 Change/depreciate crypto functions
 Replace random number generator
 Hunting for backdoors in chip images?
 Needle in haystack, but auto labeling and virtualization increasing
success

54. Defending against Chip RE
 Attackers often probe and exploit component interfaces
 Design with assumption that interfaces and intermediate data are insecure
 Design uniformity is useful for obfuscation of interfaces
 Electrical uniformity is useful for limiting side-channel attacks
 Resistive grids are of limited use against probing
 Not sufficient to secure software components from software attacks
and hardware components from hardware attacks
 Symbiosis of software and hardware stored code/secrets
 Don’t assume that data disappears when powered off
 Electron decay slowed by reducing temperature

55. The Threat Going Forward
 Barrier for entry is high, but dropping quickly
 SIM, FIB, Probe station, etc.
 $500k+ for starters
 Renting equipment $300+ hour
 IC code is immobile
 Very little (historically) has been security audited – and is generally poor
 Stored procedures and code bases now open to review/assessment
 Extraction of cell-phone Java engines, container security, and proprietary
code bases “downloaded” and exploitable vulnerabilities are being found
 Unpatchable critical vulnerabilities
 Blackeye for vendor… or costly product recall???