Beruflich Dokumente
Kultur Dokumente
Abstract 1 Introduction
This paper explains a new family of tech- The goal of this work was to explore new
niques to extract data from semiconductor ways of recovering data directly from the
memory, without using the read-out circuitry memory of smartcards and other security pro-
provided for the purpose. What these tech- cessors without using the read operations
niques have in common is the use of semi- provided by their vendors for that purpose,
invasive probing methods to induce measur- thereby circumventing any access controls
able changes in the analogue characteristics of and reading out secret data directly.
the memory cells of interest. The basic idea
is that when a memory cell, or read-out am- The traditional way of reading out data
plifier, is scanned appropriately with a laser, from smartcard memories involved an inva-
the resulting increase in leakage current de- sive attack using mechanical probing, usually
pends on its state; the same happens when of the processor’s bus [6, 7]. Such attacks
we induce an eddy current in a cell. These involve physically depackaging the chip and
perturbations can be carried out at a level reading out its internal state by making di-
that does not modify the stored value, but rect electrical connections to internal compo-
still enables it to be read out. Our tech- nents using microprobes. This is becoming
niques build on a number of recent advances more difficult for a number of reasons, rang-
in semi-invasive attack techniques [1], low ing from shrinking feature sizes to the use of
temperature data remanence [2, 3], electro- hardware access control circuits for on-chip
magnetic analysis [4] and eddy current induc- memory.
tion [5]. They can be used against a wide
range of memory structures, from registers Recently, our two teams have been develop-
through RAM to FLASH. We have demon- ing semi-invasive attacks, in which the chip is
strated their practicality by reading out DES still depackaged, but where no direct electri-
keys stored in RAM without using the normal cal contact is made and the chip passivation
read-out circuits. This suggests that vendors remains intact. Examples of such attacks in-
of products such as smartcards and secure clude optical probing [1], in which a laser is
microcontrollers should review their memory used to induce a transient fault in one or more
encryption, access control and other storage gates in such a way as to cause information
security issues with care. leakage; and eddy current attacks in which a
similar effect is achieved by bringing a small
Keywords. Smartcards, tamper resis- coil close to the surface of the chip and induc-
tance, data remanence, electromagnetic se- ing a large transient magnetic field [5].
curity, semi-invasive attacks, optical probing,
eddy current attack. The natural progression from this attack
Figure 1: The architecture of an SRAM cell Figure 2: Internal structure of a RAM (Am-
plifiers and cells)
technology was to investigate whether semi-
invasive techniques can be used to read
out the state of a memory cell in a non- tance is noticeable for closed channels, and
destructive way. The answer, as we shall see, almost negligible for open channels. Thus,
is yes. We will describe the techniques in the by aiming the laser beam at an appropriate
context of CMOS RAM, but they have much transistor or transistors, we can distinguish
wider applicability. between the two possible memory states. (A
similar technique was used in [1] to switch the
state of memory bits; nondestrictive read-out
involves using a lower-power laser beam.)
2 Optical Read-out of CMOS
In our first experiment, we built a map
RAM
of the active areas in a microcontroller by
measuring the photocurrent induced by laser
scanning the chip surface. The chip was
The structure of a typical SRAM cell is
mounted on an X-Y motorized stage with
shown in figure 1. Two inverters are built
0.1µm resolution. The result of the scan is
from pairs of p- and n-channel transistors.
shown in figure 3. The active areas can be
The output of the first inverter is connected
seen as they produce higher current, but most
to the input of the second, and vice versa.
of the chip is covered with metal layers which
Two n-channel transistors are used to read
the laser cannot penetrate, so these areas do
data from it and write data into it. A read-
not produce any current. We used this pic-
write amplifier based on a differential struc-
ture as a reference to the results obtained
ture gives access to the cell (figure 2).
from a powered chip.
To analyze the structure of SRAM mem-
Our next experiment was done with an op-
ory we used a red laser focused on the chip
erating chip. It was programmed to allow us
surface using a microscope. As photons from
to upload any value into its RAM and then
the red laser (650nm wavelength) have energy
stop the chip operation. The result of the
larger than the silicon band gap, they will ion-
scanning with memory cells loaded with ran-
ize active areas inside the chip. If the photons
dom data is shown in figure 4. It can be
reach the area near p-n junctions, a photocur-
seen that memory cells have different states:
rent will be produced due to the photovoltaic
where the cell holds a ‘1’ the top is brighter,
effect. When the photons hit the p- or n-
and where it is a ‘0’ the bottom is. Thus the
channel area, this will decrease the resistance
sixteen bits held in the locations scanned are
of the channel by injecting free carriers. In
each CMOS inverter, there are six p-n junc-
tions; there are also two resistors correspond-
ing to n- and p-channels. 1 1 0 0
1 1 1 0
The fact that enables us to read a mem- 1 1 1 1
ory cell’s state is that the decrease in resis- 1 1 1 1
Figure 5: A map built using eddy current and
a picture of the same area