Scott Best, Technical Director of Anti-Counterfeiting Products at Rambus, recently penned an article for Semiconductor Engineering that details why it is critical to scale anti-tamper protection to meet escalating threats.
What is an anti-tamper protection?
As Best notes, anti-tamper tends to be one of the industry’s “catchall phrases” encompassing any countermeasure on a security chip. However, a more precise definition states that anti-tamper protection is any collection of countermeasures which serve to thwart an adversary’s attempt to monitor or affect the correct operation of a chip or a security core within a chip.
More resources on anti tamper protection:
- Read» Understanding Anti-Tamper Technology: Part 1
- Watch» Anti-Tampering Technologies: On-demand webinar
Categories of tampering attacks
According to Best, the semiconductor industry should consider a hierarchy of anti-tamper countermeasures that parallel the type, effort, and expense of tampering attacks. Starting at the lowest effort and building up, the categories of attacks the industry should safeguard against include:
- Non-invasive: Typically passive, the attacker monitors the operation of the chip but does not attempt to modify its normal operation.
- Semi-invasive: An attacker induces electrical failures within the chip and monitors the resulting effects.
- Fully-invasive: Often destructive attacks where an attacker bypasses shields and modifies signal connectivity.
- Reverse engineering: Destructive analysis of the chip aimed at obtaining the non-volatile memory (NVM) contents or recovering netlist algorithms.
“The approach an adversary takes depends on their goals, level of sophistication, and budget,” Best states. “In nearly every case, however, attackers are at the very least attempting to learn the secret keys stored on the chip.”
One of the benefits of analyzing the threat in this hierarchical manner is that it can help with planning the anti-tamper protection and defenses for a chip appropriate to the motivation and funding of the attacker.
“For instance, if a chip is going into a military platform that could fall into the hands of a state-actor adversary, then it should be hardened against the full range of tampering attacks,” he adds.
Non-Invasive Attacks
Non-invasive attacks include protocol/software attacks, side-channel attacks, glitch injection and environmental attacks.
“In protocol and software attacks, the adversary manipulates the normal inputs into the chip to effect insecure behavior. In side-channel attacks, an adversary gleans the keys when they are inadvertently leaked via EM emissions or power supply fluctuations,” Best elaborates. “Differential Power Analysis (DPA) is a prime example of a side-channel attack. [Meanwhile], glitching is a ham-handed noise injection onto a secure chip’s power supply [to] cause an internal bit flip that might put the chip in an unsecured state. [Lastly], environmental attacks attempt to take the chip outside its tolerated range of operation with conditions such as under voltage or freezing temperatures with the same goal of a bit flip leading to a security failure.”
As Best observes, countermeasures for non-invasive attacks are as varied as the attacks themselves. For protocol and software attacks, for example, there are best-known practices when it comes to how a chip accepts inputs that simply must be followed. As for side-channel attacks, in most cases they can be algorithmically prevented.
“For instance, a single linear operation can be split into several operations, each masked by a random value so any leakage looks like random noise. Guarding against glitch attacks can be done with fully-internal circuits that regulate core logic so that it is immune to external power supply noise,” he explains. “Thwarting environmental attacks, one can add sensors and alarms that trigger on out of bounds conditions, and ‘canary’ circuits that fail first and signal secure processes to halt. This prevents a secure computation from competing incorrectly and leaking its key.”
Semi-Invasive Attacks
Semi-invasive attacks, says Best, include overclocking, fault injection (FI) and back side IR emission. Similar to environmental attacks, overclocking pushes a circuit outside its operational envelope to cause a failure in a security process.
“FI is the ‘scalpel’ counterpart to glitching’s ‘sledgehammer.’ An IR laser or EM probe is used to make a very targeted attack. Back side IR emission entails imaging the back side of the chip in the IR spectrum to read out the contents of transistor-based memory such as registers and SRAM,” he adds.
Protecting against this set of semi-invasive attacks builds on the foundation of safeguards already mentioned. More specifically, employing wholly-internal clock generators can be used to protect from overclocking, while algorithmic protections can help prevent FI attacks.
“And since FI IR laser attacks are done through the back of the chip, back side metallization can protect from both FI and back side IR emission attacks, or at least increase their level of effort to that of fully invasive attacks.”
Fully-Invasive Attacks
As Best points out, fully-invasive attacks use repurposed state-of-the-art failure analysis technologies to achieve their adversarial aims. This category of attack includes laser voltage probing (LVP) and focused ion beam (FIB) attacks. LVP, says Best, can be thought of as ‘contactless probing’ with an adversary able to measure any signal, such as the those on the data bus connecting non-volatile memory (key storage) and a security processor. FIB can disable alarms, escalate privileges, and induce key leaks by ‘editing’ circuits.
According to Best, fully-invasive attacks are the most difficult to guard against, as it is akin to protecting a circuit from being debugged.
“Back side metallization can help mitigate the effectiveness of LVP. In addition, a high-bitrate random number generator (RNG) can be used to ‘split’ any important data into two ‘shares’ such that an LVP attack against either share would only see random noise. With hybrid packaging techniques, some advanced forms of ‘tamper evident PUFs’ that combine with front and back side metal shields can be used as a FIB countermeasure,” he adds.
Reverse Engineering
Lastly, reverse engineering is a no-holds-barred attack to understand a chip’s design and operation. Indeed, the attacker removes the chip from its package and takes a high-resolution picture of the topmost layer with a scanning electron microscope (SEM).
“The chip’s top layer is then removed via plasma etching or similar process, exposing the underlying layer which is then SEM imaged,” Best explains. “[This] process is repeated until all layers, including the P and N implants that form the transistor structures, have been imaged. The aggregated images are analyzed against known circuits to produce a functional model resulting in a full netlist and a hierarchical RTL of the design.”
Circuit camouflage technology, says Best, complicates the reverse engineering process with the integration of multiple “lookalike cells” into a chip’s design. These cells are either optically indistinguishable from the standard cells used throughout the design, or they may appear like nothing the reverse engineer has ever seen.
“Camouflaged cells can also be enabled to perform logic functions that are different than what would be expected by visual analysis,” he elaborates. “Together, these approaches introduce errors into the reverse-engineering process, resulting in an incorrect netlist recovered from the silicon.”
Conclusion
When it comes to anti-tamper protection, Best emphasizes, it is critical to identify the opponent and include at least one degree of additional countermeasure that is beyond their skill or budget.
“Whether hacker, counterfeiter, or well-funded state actor, their motivation and resources will vary, as will the attack types they can bring to bear. The job of the security designer is to build in enough countermeasures to keep secrets just out of an attacker’s reach. Security experts at companies like Rambus can help designers find that right mix for securing their chips against an environment of escalating risks,” he concludes.
Keep on reading» Hardware Root of Trust: Everything you need to know
Leave a Reply