# Applications of optical analysis in Reverse-Engineering

Presented by: Mir Tanjidur Rahman, Dr. Navid Asadi

Physical Inspection and AttacKs on ElectronicS (PHIKS)



# Evaluating the security of Field Programmable Gate Arrays (FPGAs) as case studies







# Field Programmable Gate Array (FPGA)

# Security of FPGAs

- **Bitstream:** configuration data containing Intellectual Property (IP) and secrets for reconfigurable hardware
- The bitstream can be loaded in the field (adversarial environment)
- Threats: cloning, reverse-engineering, tampering or spoofing

# Case Study: Attacking Bitstream Encryption of FPGAs





# **Photon Emission Analysis**







# **Mechanism of Photon Emission**

- As carriers are accelerated by electric fields they gain kinetic energy, which is then released by generating photons.
- In CMOS transistors this hot-carrier luminescence takes place at the drain edge, where the source-drain electric field is most intense, and predominantly in n-type transistors, as electrons are more easily accelerated than holes.
- In the case of a CMOS inverter, the vast majority of photons are generated when the input switches from 0 to 1 >> data dependent
- The photon generation rate is governed primarily by the supply voltage and the switching frequency of the transistor under observation.

# **Backside Access**

Device mounted upside down on a custom PCB



## Altera MAX V CPLD (180 nm)





### Older package technologies like QFPs should be decapsulated and soldered



## Altera Cyclone IV FPGA (60 nm)





- Combinational logic: AND, OR, NOT, XOR, etc.
- Sequential logic: counters, shift registers, state machines, etc.
- Presence of clock buffers in **sequential logic**







Altera MAX V (180 nm)

# Example (1): Emission of a Ring-Oscillator

- Identical switching frequency for all LEs (logic elements)
- Switching frequency independent of, and generally higher than, the clock frequency
- Applications: TRNG and **internal clocks**

Altera MAX V (180 nm)



# Example (2): Emission of a Binary Counter

- n-bit counter = n clocked registers + some combinational logic
- Identical switching frequency of the clock for all registers
- Applications: delay and timing circuits such as asynchronous protocols

Altera MAX V (180 nm)



# Impact of Technology size on Photon Emission

- Lower supply voltage for smaller technologies >> lower photon emission rate
- Smaller technology >> harder to resolve a single transistor
- Large spacing between transistors in LUTs >> resolving individual transistors is still possible for the attacker





## 60 nm







# **Core Localization in NVIDIA AI CHIP**
# **Optical Contactless Probing**

- Changes in the absorption coefficient and the refractive index of the device in the active area are caused by the electric field and current.
- Electro-Optical Probing (EOP) or Laser Voltage Probing (LVP): the optical beam intensity is altered by voltage/current → probing of electrical signals on the node.
- Electro-Optical Frequency Mapping (EOFM) or Laser Voltage Imaging (LVI): feeding the reflected signal to a detector with a narrow-band frequency filter while scanning the laser → detecting node switching at this frequency.






# **Plaintext Extraction**

Tajik, S., Lohrke, H., Seifert, J. P., & Boit, C. "On the Power of Optical Contactless Probing: Attacking Bitstream Encryption of FPGAs," In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. 





# **Experimental Setup**

- Device under Test (DUT): Skoll Xilinx Kintex 7 development board
  - Chip technology: 28 nm
  - No chip preparation (e.g., depackaging, silicon polishing, etc.)
- Optical setup: Hamamatsu PHEMOS-1000
  - Laser wavelength: 1.3 µm
  - Laser spot size: >1 µm









# Localizing Decryption Core using EOFM

### **AES Core**



### Main Core





# **Frequency Analysis of Regular Bitstream**

# Locating the plaintext data



### Locations in AES output port

# **Extracting Plaintext Data using EOP**

Figure: EOP traces of CCLK [V], plaintext bit 0 [a.u.] and plaintext bit 2 [a.u.]

# Logic Locking: Active IP Protection Mechanism

## Goal

- Locking the functionality of an IP by inserting additional logic
- Key programmed in a trusted facility after fabrication

## Classification

- Combinational Logic Locking: locking the design with logic gates
- Finite State Machine (FSM) Locking: locking with state transition graph modification

Finite State Machine Locking



# **Core-Components of Logic Locking**

Components mandatory for the functionality of a logic-locked chip

# **Time-line for Logic Locking so Far**



- Adversary $\rightarrow$ only an untrusted foundry?
- Vulnerable only to algorithmic approaches?
- What about other capabilities of the adversary? $\rightarrow$ Failure analysis tools







# **Threat Model & Potential Adversary**





#### Threat model: the approach exploited by an adversary to access the protected asset, i.e., the locking key

| Adversary                                  | Asset Holding                                   |
|--------------------------------------------|-------------------------------------------------|
| SoC Integrator                             | 1. Soft/Hard IP<br>2. GDS II file               |
| 3 <sup>rd</sup> Design Service<br>Provider | 1. IP Design<br>2. GDS II file                  |
| Foundry                                    | 1. GDS II file                                  |
| Assembly and<br>Distributor                | 1. Unlocked chip                                |
| End User                                   | 1. Unlocked chip<br>2. Documentation of<br>chip |

Partial reverse engineering and a suitable failure analysis tool are sufficient for an attack





# **Case Study II: Flip-flop Probing**

Avalanche FPGA development board: Microsemi MPF300 PolarFire chip, 28 nm technology

## Microsemi die image collected with 1300 nm laser





# **Reverse Engineering DUT**



### **Probing Registers in DUT**

- Activity shown for two different frequencies
- White dots correspond to registers


# **Proof-of-Concept Implementation**



- k1, k2 $\rightarrow$ key input (key register) $\rightarrow$ constant value stored
- a, b, c $\rightarrow$ user input (general-purpose register) $\rightarrow$ variable stored value

# **Exposing Key-register and Key Value**



### Register and clock activity when inputs are connected to ground

### Register and clock activity when inputs are active



#### Simple image registration, subtraction, or image correlation can automate the whole process

- The real limiting factor for an attacker is not the technology size, but the distance from a probing location of interest to the next location (optical resolution and spot size)
- The separation between locations carrying different streams of data can actually be much larger than the technology size

# Laser Stimulation

# **Thermal Laser Stimulation (OBIRCH)**

- The chip is scanned with a 1.3 µm laser beam from the backside
- The current changes in response to the local thermal stimulation
- The measured current is monitored by a current amplifier >> a proportional analog voltage is generated
- The analog voltage is fed into the image acquisition hardware while scanning the laser

# SRAM readout using TLS (1)

- Thermal stimulation leads to a thermal gradient at the source/drain of the transistors
- Different materials lead to Seebeck voltage generation

# SRAM readout using TLS (2)



- The Seebeck voltage changes the current flow through the "off" transistors >> leakage current increases
- Reaction of different areas of SRAM cells to TLS depends on the stored value
Lohrke, H., Tajik, S., Boit, C., & Seifert, J. P. "Key Extraction Using Thermal Laser Stimulation: A Case Study on Xilinx UltraScale FPGAs," accepted for CHES 2018.







# **Experimental Setup**

- **Device under Test (DUT):** Avnet Kintex UltraScale Development Board
  - Chip technology: 20 nm
  - No chip preparation (e.g., depackaging, silicon polishing, etc.) required
- **Optical Setup:** Hamamatsu PHEMOS-1000
  - Laser wavelengths: 1.1 and 1.3 µm
  - Laser spot size: approximately 1 µm

# Localizing the Configuration Logic



#### Xilinx Kintex UltraScale in flip-chip package; configuration logic; image acquisition with a laser scanning microscope







# Localizing BBRAM using Laser Stimulation

### Laser Stimulation of



#### In all experiments!

# Localizing the key bits in BBRAM by TLS



### Set 255 bits to "0" and one bit to "1"; shift the "1" bit eight times by one bit position

### Set all 256 bits to "1", then reset all bits to "0" again

# Countermeasures against Optical Attacks







# **Circuit Based Solution: Dummy Gate**



- In the physical layout, the dummy gate and the data gate are placed closer together than the optical resolution
- Necessary to localize the exact transistor connected to the key $\rightarrow$ security by maximizing
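As an added illustration (not from the slides), the following simplified model of EOFM narrow-band detection shows the two points made above and in the key-register exposure slides: a spot containing only a constant key bit shows no activity at the clock frequency while a toggling data register does, and a dummy gate switching inside the same optical spot makes the key spot indistinguishable from a data spot. All frequencies, sample rates and node waveforms are constructed, and the detector is modelled as a single-bin DFT, not as the PHEMOS-1000's actual signal chain.

```python
import math
import random

F_CLK = 10.0      # design clock frequency (constructed, Hz)
FS = 1000.0       # detector sample rate (constructed, Hz)
N_SAMPLES = 1000  # one second of reflected-light samples per spot

def node_waveform(toggles, level=1.0):
    """Reflected-light modulation of one node: a 0/1 square wave at F_CLK
    if the node toggles, otherwise just its constant level (e.g. a key bit)."""
    if toggles:
        period = int(FS / F_CLK)
        return [1.0 if (i % period) < period // 2 else 0.0 for i in range(N_SAMPLES)]
    return [level] * N_SAMPLES

def spot_signal(nodes, noise=0.05, seed=1):
    """Sum of all nodes inside one laser spot plus detector noise. Transistors
    closer together than the optical resolution are seen only as this sum."""
    rng = random.Random(seed)
    return [sum(n[i] for n in nodes) + rng.gauss(0.0, noise) for i in range(N_SAMPLES)]

def lockin_amplitude(signal, freq):
    """Narrow-band detection at `freq` (the EOFM principle): single-bin DFT magnitude."""
    re = sum(x * math.cos(2 * math.pi * freq * i / FS) for i, x in enumerate(signal))
    im = sum(x * math.sin(2 * math.pi * freq * i / FS) for i, x in enumerate(signal))
    return 2.0 * math.hypot(re, im) / len(signal)

def eofm_map(spots, freq=F_CLK):
    """EOFM 'image': one amplitude per named spot, scanned at `freq`."""
    return {name: lockin_amplitude(spot_signal(nodes), freq) for name, nodes in spots.items()}

def is_active(amplitude, threshold=0.2):
    """Does the spot show switching activity at the probed frequency?"""
    return amplitude > threshold

# Constructed design: a data register bit, two constant key bits, and a key bit
# whose transistor shares its optical spot with a toggling dummy gate.
SPOTS = {
    "data_reg":  [node_waveform(True)],
    "key_bit_0": [node_waveform(False, 0.0)],
    "key_bit_1": [node_waveform(False, 1.0)],
    "key_dummy": [node_waveform(False, 1.0), node_waveform(True)],
}

if __name__ == "__main__":
    for name, amp in eofm_map(SPOTS).items():
        print(f"{name:10s} amplitude={amp:.3f} active={is_active(amp)}")
```

The two constant key bits are the only inactive spots until the dummy gate is added, after which the key spot carries the same clock-frequency amplitude as the data register.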




# **Concealing Gate: EOFM Protection**



- Two transistors operating at the same frequency and switching in the same direction, i.e., either $1 \rightarrow 0$ or vice versa, are difficult to differentiate (see A2 implementation).
- Two transistors operating at the same frequency but with opposite switching direction are easy to distinguish, even though the transistors may be placed closer than the optical resolution distance (see A1 implementation).





- $P_{C1}$ masks $P_{T1}$ activity by merging the edges of $P_{T2}$ (Fig. A) or $P_{C2}$ (Fig. B). If the distance between $P_{C1}$ and $P_{C2}$ is less than the optical resolution, the $P_{T1}$ transistor can be assumed to be protected.



# **Concealing Gate: EOFM/EOP Protection**

#### EOFM data with concealing gate

#### EOP data with concealing gate

Figure panels (b), (c): 2TFF = 1



# Nanopyramid to Camouflage Circuit Activity



- Laser scattering is applicable against any laser-based attack approach
- No additional power or area

# **Material Based Solution: Literature Review**



### Etched/Void Via

- Removable by polishing







# **Device Based Solution: Literature Review**









# **Circuit Based Solution: Literature Review**



- Additional area and optimization required
- Mostly ineffective against thermal laser $\rightarrow$ focused on laser fault detection