Yeongjin Mun1, Hyungseup Kim1, Byeoncheol Lee1, Kwonsang Han1, Jaesung Kim1, Ji-Hoon Kim2,
Byong-Deok Choi3, Dong Kyue Kim3, and Hyoungho Ko1
1 Department of Electronics Engineering, Chungnam National University, Daejeon, Korea
2 Department of Electronic and Electrical Engineering, Ewha Womans University, Seoul, Korea
3 Department of Electronic Engineering, Hanyang University, Seoul, Korea
Copyright © The Institute of Electronics and Information Engineers(IEIE)
Index Terms
Active shield, hardware security, invasive attack, micro-probing attempt, top metal shield
I. INTRODUCTION
In modern society, the security of information stored inside chips is very important.
In 2016, IHS Technology predicted that with the growth of the Internet of Things (IoT),
the IoT market will expand to 30.7 billion devices by 2020 and 75.4 billion devices
by 2025 (1). Most devices connected to the IoT store either personal or business information,
which includes information about health, location, finances, military affairs, and
other areas. These IoT devices communicate with one another, driving the emergence
of security integrated circuits (ICs) that protect stored data using either software
or hardware techniques.
IoT devices containing multiple pieces of information are more likely to be targeted
by attackers. Typically, the attacker wants to either obtain the cryptographic key
or force the security IC to give up critical data. State-of-the-art attacks on security
ICs are classified as invasive, non-invasive, or semi-invasive attacks. In this paper,
we focus on invasive attacks, also called physical attacks, including micro-probing
attempts and focused ion beam (FIB) chip editing. An invasive attack is a method of
accessing the chip package directly and either observing the IC or analyzing the internal
structure of the chip. Such attacks consist mainly of layout reconstruction along
with de-packaging, micro-probing attempts, and FIB chip editing. A layout reconstruction
attack is a procedure for obtaining the layout of a chip (2). An attacker extracts a high-resolution image of each of the chip’s layers through
an optical microscope equipped with a CCD camera while simultaneously removing the
metal layers, which can be observed through the program. In particular, intellectual
property blocks (IPs) such as ROM, RAM, EEPROM and address bus lines are easily distinguishable
(3). The reverse-engineered layout information obtained based on the acquired images
is available for both micro-probing attempts and FIB chip editing. A micro-probing
attempt is a method of reading, modifying, or forcing the data of a metal layer using
a probe station. An attacker can probe the bus line inside the chip to acquire its
data, and the state of the bus line can be modified via data injection (4,5). In addition, an attacker can use an FIB attack to either remove or connect some
circuitry to obtain important information from the chip. For example, when a circuit
related to an encryption operation is removed, the encryption will no longer be performed
as normal, and the encryption key and other information can easily be taken (6). Security ICs can be seriously threatened by these attacks, so they require on-chip
countermeasures. Micro-probing attempts and FIB chip editing attacks have also been
reported on mobile devices such as smart cards (7,8).
The use of either a passive or an active metal shield is a simple and effective means
of protecting against invasive attacks. Passive metal shields rely on capacitive
measurement of the top mesh. However, a passive metal shield, such as the one used by
Laackmann and Taddiken (9), cannot detect a modification, even when part of the top mesh is altered by FIB chip editing
(10). Most security ICs use active metal shields to both detect micro-probing attempts
and initialize critical information when a breach is detected. The active shield is
designed to cover the entire protection block, and it requires at least one metal
routing layer. Some smart cards use a complete metal layer as an active shield, which
increases their manufacturing costs by about 15% (11). Previous studies have shown that a conventional active shield for a security IC
consisting of a top metal shield is not very effective against micro-probing attacks
(12-14). Manich and Strasser (15) studied top metal shields capable of detecting micro-probing attempts by using two
synchronized ring oscillators. The micro-probing detector proposed in Manich and Strasser
(15) can be disabled by using micro-probing to force a fixed voltage to an XOR gate after
having removed the top metal used as a path for each ring oscillator with an FIB chip
editing attack. An active shield consisting of a shift register that used a top metal
line at regular intervals was proposed in Janke and Engl (16). This method is more difficult for micro-probing attacks to defeat, but it can still
be breached by solving a system of linear equations (17). Ngo et al. (10) prevented bypass attacks by sending different data to each of the top metal lines.
In that design, the data passing through a top metal line cannot be predicted by an
attacker because a block cipher operating in cipher block chaining (CBC) mode is used.
However, information can still be acquired from the security IC by micro-probing both
ends of a top metal line: the random data is read at one end and the same data is
applied at the other end, as shown in Fig. 1. Briais et al. (5) implemented an intricate spaghetti-routing in a dense wire mesh. The mesh consisted
of two metal layers and made it almost impossible to track the random signal injected
into the top metal line without the layout reconstruction technique. The use of more
than two metal lines as an active shield, however, increases manufacturing costs.
Moreover, the constraints imposed by the metal layers become a limiting factor in
the circuit design.
Fig. 1. Types of physical attacks on a secure IC with an active shield.
Many research studies have been performed on both passive and active metal shields
(10, 12, 13, 18). However, no shield has yet been proposed to prevent both micro-probing attempts
and FIB attacks, including top-metal removal and bypass attacks. In this article,
a new active metal shield structure named the “reconfigurable top metal shield” that
solves the current security issues related to state-of-the-art attacks is presented.
Its main features are as follows:
·The top metal shield protects against both FIB chip editing and bypass attacks because
the top metal lines are reconfigured at random.
·Two asynchronous ring oscillators are used to detect micro-probing attempts.
·It consists of only a top metal layer.
The rest of this paper is organized as follows. Section II presents the reconfigurable
top metal shield structure that has both FIB chip editing detection and micro-probing
attempt detection modes. In addition, simulation results of the proposed top metal
shield are presented. In Section III, both an FIB chip editing attack and a micro-probing
attempt are implemented using an FIB instrument and a probe station, respectively,
to test the shield. Finally, in Section IV, conclusions are drawn and discussed.
II. RECONFIGURABLE TOP METAL SHIELD
1. Shield Architecture
The reconfigurable top metal shield consists of two parts:
·The FIB chip editing detection part, which is composed of an external random number
generator (RNG), re-routing switch arrays in multiplexer (mux) arrays 1 and 2, a top
metal shield, and detection logic. The detection logic compares the TX signals generated
by the RNG with the RX signals that have passed through the top metal shield and
generates a D_OUT signal if the TX and RX signals differ.
·The micro-probing attempt detection part, which is composed of two ring oscillators,
four multiplexers in mux arrays 1 and 2, a top metal shield, and detection logic. The top
metal shield and detection logic blocks are shared with the FIB chip editing detection
part. When an attacker attempts to micro-probe the top metal shield, the delay of
one of the ring oscillators is increased by the probing capacitance. If the phase difference
between the two ring oscillators is greater than 90°, the detection logic generates
both D_OUT and reset signals.
The structure of the top metal shield proposed in this paper represents a simple and
effective countermeasure against both micro-probing attempts and FIB chip editing
attacks. The top metal layer consists of a mesh structure.
2. FIB Chip Editing Detection Mode
The structure of the FIB chip editing detection mode is shown in Fig. 2. Whenever this mode is active, the micro-probing attempt detection mode is inactive.
Both ends of the top metal line are connected to the re-routing switch array that
receives the same 5-bit signal from the RNG. The re-routing switch creates non-overlapping
P1 and P2 signals by utilizing the random signal received from the RNG. The TX1 and
TX2 signals generated by the external RNG pass through both the top metal line and
the re-routing switch arrays. If the top metal line is not tampered with by external
attacks, the TX and RX signals are the same regardless of the re-routing switch array’s
sw[4:0] signal. Whenever the top metal line is either removed or bypassed by an FIB
chip editing attack, both top metal shield removal and bypass attacks are detected,
because the top metal line connection is reconfigured according to the states of the
re-routing switch array’s sw[4:0] signal. If the two pairs of TX and RX signals differ,
the detection logic generates the D_OUT signal.
Fig. 2. FIB chip editing detection mode structure.
An example of the operation of the FIB chip editing detection mode is shown in Fig. 3. The blue line indicates the path of the TX1 signal when a sw[4:0] signal generated
from the RNG is input to the re-routing switch arrays. This example assumes that the
fourth and fifth top metal lines are bypassed. Fig. 3(a) shows the path of the TX1 signal when a sw[4:0] signal of 5'b10110 is generated in
the RNG. In this case, the same TX1 signal passes through the fourth and fifth top
metal lines, and the bypass attack is temporarily not detected. If the sw[4:0] signal
generated by the RNG changes to 5'b10010, however, as shown in Fig. 3(b), the TX1 signal passes through the fourth top metal line and the TX2 signal passes through
the fifth top metal line. As a result, the bypass attack is detected. No absolute equipotential
path exists, because the top metal line connection is changed continuously by the
random 5-bit signal. Previous studies generated different signals for each top metal
line to prevent FIB chip editing attacks (10,16). Compared with the active shields proposed in those studies, the proposed reconfigurable
top metal shield effectively reduces the number of generated signals and can detect
FIB chip editing attacks using only 7 signals.
Fig. 3. Paths of TX1 signal in FIB chip editing detection mode when re-routing switch
arrays receive (a) sw[4:0] = 10110, (b) sw[4:0] = 10010.
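A behavioural model of the reconfiguration argument above, added here as an example and not the paper's circuit: the switch mapping from sw[4:0] to TX1/TX2 per line, the number of lines, and the short-circuit model of the bypass are assumptions, so it shows the general property (a shorted pair is exposed whenever the random word routes different signals onto it) rather than the exact sw values of Fig. 3.

```python
"""Behavioural model of the FIB chip editing detection mode (added example).

This is not the paper's circuit. Assumptions, none of which the paper states:
- N_LINES parallel top metal lines, indexed from 0.
- The re-routing switch array assigns TX1 or TX2 to each line from the 5-bit
  word sw[4:0]; line i carries TX1 when bit (i % 5) of sw is 0, else TX2.
  This mapping is hypothetical; the paper does not describe its switch logic.
- A bypass attack shorts two adjacent lines: the receiving end of each then
  sees a conflict unless both lines were driven with the same value.
"""
import random

N_LINES = 8
CONFLICT = object()  # marker for a shorted pair driven with different values


def route(sw, tx1, tx2):
    """Values the re-routing switch array drives onto each line for sw[4:0]."""
    return [tx1 if (sw >> (i % 5)) & 1 == 0 else tx2 for i in range(N_LINES)]


def receive(driven, bypass=None):
    """Far-end RX values; bypass=(a, b) models lines a and b shorted by FIB."""
    rx = list(driven)
    if bypass is not None:
        a, b = bypass
        if driven[a] != driven[b]:
            rx[a] = rx[b] = CONFLICT
    return rx


def d_out(sw, tx1, tx2, bypass=None):
    """Detection logic: D_OUT is asserted when any RX differs from its TX."""
    driven = route(sw, tx1, tx2)
    return any(r != d for r, d in zip(receive(driven, bypass), driven))


def exposing_words(bypass):
    """sw words (0..31) that route different signals onto the shorted pair,
    i.e. the configurations under which the bypass is exposed when TX1 != TX2."""
    return [sw for sw in range(32) if d_out(sw, 0, 1, bypass)]


def cycles_to_detect(bypass, seed=1, max_cycles=10_000):
    """Reconfiguration cycles until the first D_OUT when sw, TX1 and TX2 are
    drawn at random each cycle (constructed stimulus); -1 if never detected."""
    rng = random.Random(seed)
    for cycle in range(1, max_cycles + 1):
        sw = rng.getrandbits(5)
        if d_out(sw, rng.getrandbits(1), rng.getrandbits(1), bypass):
            return cycle
    return -1


if __name__ == "__main__":
    pair = (3, 4)  # fourth and fifth lines shorted, as in the paper's example
    print("no attack, any sw:", any(d_out(sw, 0, 1) for sw in range(32)))
    print("exposing sw words:", len(exposing_words(pair)), "of 32")
    print("cycles to first D_OUT:", cycles_to_detect(pair))
```

With this mapping half of the 32 words expose any adjacent shorted pair, so with random sw and random TX bits the expected number of cycles to the first D_OUT is about four.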
The simulation results for the FIB chip editing detection mode are shown in Fig. 4. A simulation was performed in which two arbitrary top metal points were bypassed
using an FIB attack. The TX and RX signals were the same before the bypass attack,
so no detection signal was generated. A bypass attack enabled signal was generated
after 2 ms. The re-routing switch arrays on the reconfigurable top metal shield caused
the TX and RX signals to differ. Therefore, a bypass attack can be detected using
the pulse frequency of the D_OUT signal.
Fig. 4. Simulation results of FIB chip editing detection mode (a) bypass attack enabled,
(b) TX1, (c) RX1, (d) D_OUT.
3. Micro-probing Attempt Detection Mode
The micro-probing attempt detection mode structure is illustrated in Fig. 5. Whenever the micro-probing attempt detection mode is active, the FIB chip editing
detection mode is inactive. In addition, the two ring oscillators pass through different
top metal lines, and the lines used for these paths are periodically switched by four
multiplexers. The basic security concept is the detection of the capacitance added
by a micro-probing attempt. Each top metal line has the same parasitic resistance
and parasitic capacitance values, as determined by layout parasitic extraction. When
an attacker attempts to micro-probe the top metal shield, probing capacitances of
several fF to tens of fF are added to the probed metal lines, as was the case in previous
studies (11, 19, 20). The added probing capacitance causes a phase difference between the two ring oscillators.
If this phase difference is greater than 90°, the detection logic generates D_OUT
and reset signals to resynchronize the ring oscillators.
Fig. 5. Micro-probing attempt detection mode structure.
The simulation results of the micro-probing attempt detection mode are shown in Fig. 6. A simulation was performed in which arbitrary top metal points were probed using
a micro-probe station. In this simulation, the actual parasitic components of the
top metal shield layout were calculated using the layout parasitic extraction. The
parasitic capacitance extracted from one line of the top metal shield was approximately
90 fF, and the parasitic resistance was measured at approximately 51.5 Ω. Phase differences
between the two ring oscillators rarely occur without a micro-probing attempt. Each
of the oscillators in this simulation essentially had a 968 ns delay. To compensate
for process-related mismatch, the detection logic automatically generated
a periodic reset signal to synchronize the two oscillators. A micro-probing attempt
enabled signal was generated after 5 μs. A probing capacitance of approximately 100 fF
was attached to the top metal line of the ring oscillator that produces the RING_OUT2
signal. The delay time of one of the ring oscillators increased,
and a phase difference occurred due to the parasitic capacitance added to the top
metal line. The delay of the ring oscillator with the probing capacitance of approximately
100 fF increased to 976 ns. When the phase difference between the two ring oscillators
reached 90°, the D_OUT signal was output and the oscillators were resynchronized,
as shown in Fig. 6. During the simulation, micro-probing attempts could be detected in as little as
30 μs.
Fig. 6. Simulation results of micro-probing attempt detection mode (a) micro-probing
attempt enabled, (b) RING_OUT1, (c) RING_OUT2, (d) Phase difference of the two signals,
(e) D_OUT.
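The phase-accumulation check behind the 968 ns and 976 ns figures above, as an added example (not the paper's circuit or code): it computes how many oscillator periods the 8 ns per-period lag needs to reach the 90° threshold and replays the simulation timeline with the probe attached at 5 μs. The once-per-period evaluation and the reset-on-D_OUT behaviour are assumptions.

```python
"""Phase-accumulation model of the micro-probing attempt detection mode
(added example, not the paper's detection logic).

Assumptions: both ring oscillators start in phase after a reset; each runs at a
fixed period (968 ns unloaded, 976 ns for the probed oscillator, the delays
reported in the paper's simulation); the phase difference is evaluated once per
reference period; and the detection logic resets (resynchronises) both
oscillators whenever D_OUT fires.
"""
import math

T_REF_NS = 968.0     # ring oscillator delay without a probe (paper, Section II)
T_PROBED_NS = 976.0  # delay with ~100 fF probing capacitance (paper, Section II)
THRESHOLD_DEG = 90.0


def phase_deg(lag_ns, period_ns):
    """Phase difference in degrees for a time lag between two oscillators."""
    return lag_ns / period_ns * 360.0


def periods_to_detect(t_ref_ns=T_REF_NS, t_probed_ns=T_PROBED_NS,
                      threshold_deg=THRESHOLD_DEG):
    """Reference periods needed, from a synchronised start, for the lag to
    reach the threshold; -1 when the probed oscillator is not slower."""
    per_period = t_probed_ns - t_ref_ns
    if per_period <= 0:
        return -1
    lag_needed = threshold_deg / 360.0 * t_ref_ns
    return math.ceil(lag_needed / per_period)


def detection_latency_ns(t_ref_ns=T_REF_NS, t_probed_ns=T_PROBED_NS,
                         threshold_deg=THRESHOLD_DEG):
    """Time from a synchronised start with the probe attached to the first D_OUT."""
    k = periods_to_detect(t_ref_ns, t_probed_ns, threshold_deg)
    return k * t_ref_ns if k > 0 else math.inf


def simulate(t_ref_ns=T_REF_NS, t_probed_ns=T_PROBED_NS, probe_start_ns=5000.0,
             sim_end_ns=100_000.0, threshold_deg=THRESHOLD_DEG):
    """Cycle-by-cycle model returning the times (ns) at which D_OUT fires.
    The probe is attached at probe_start_ns; each D_OUT resets the lag."""
    d_out_times = []
    lag = 0.0
    n = 0
    while True:
        n += 1
        t = n * t_ref_ns
        if t > sim_end_ns:
            break
        if t >= probe_start_ns:          # probed oscillator now runs slower
            lag += t_probed_ns - t_ref_ns
        if phase_deg(lag, t_ref_ns) >= threshold_deg:
            d_out_times.append(t)
            lag = 0.0                    # detection logic resynchronises
    return d_out_times


if __name__ == "__main__":
    print("periods to 90 deg:", periods_to_detect())
    print("latency after reset (us):", detection_latency_ns() / 1000)
    print("D_OUT at (us):", [t / 1000 for t in simulate()])
```

The 8 ns per-period lag needs 31 periods (about 30 μs) to reach a quarter period, which is the detection latency the paper reports for its simulation.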
III. EXPERIMENTAL RESULTS
We verified the proposed reconfigurable top metal shield in a standard 0.18
μm 1P6M CMOS process. Fig. 7 shows the test setup for the reconfigurable top metal shield.
Fig. 7. Test setup with reconfigurable top metal shield.
1. FIB Chip Editing Detection Results
We carried out an FIB attack on the reconfigurable top metal shield using a dual-beam
focused ion beam (DB-FIB) NOVA200. A bypass attack was implemented based on FIB chip
editing, as shown in Fig. 8. Two adjacent top metal lines were disconnected and then reconnected using a metal
deposition. Fig. 9 shows the experimental results of the FIB chip editing detection mode before the
bypass attack. The TX1 and RX1 signals always output the same value, and there was
no detection signal. The glitch on the D_OUT signal was removed by the detection logic
and, consequently, did not cause any problems. The experimental results of the FIB
chip editing detection mode after the bypass attack are illustrated in Fig. 10. When an arbitrary TX1 signal was applied from an external signal generator, the
RX1 signal that had passed through the top metal line differed from the TX1 signal. These
results show that the reconfigurable top metal shield proposed in this study is an effective countermeasure
against various attacks based on FIB chip editing.
Fig. 8. Implementation of bypass attack using FIB (a) before bypass attack, (b) after
bypass attack.
Fig. 9. Experimental results of FIB chip editing detection mode before bypass attack
(a) TX1, (b) RX1, (c) D_OUT.
Fig. 10. Experimental results of FIB chip editing detection mode after bypass attack
(a) TX1, (b) RX1, (c) D_OUT.
2. Micro-probing Attempt Detection Results
The experimental environment of the micro-probing attempts made in this study is illustrated
in Fig. 11. These attempts were implemented using a probe station with a resolution of 3 μm.
The micro-probe and oscilloscope were connected to read the data from the top metal
line, and the passivation layer above the reconfigurable top metal shield was removed.
Fig. 11. Experimental environment for micro-probing attempt mode.
The implementation of the micro-probing attempt is illustrated in Fig. 12, and the experimental results of the micro-probing attempt detection mode are shown
in Fig. 13. Both ring oscillators in the fabricated chip operated almost synchronously before
the micro-probing attempt took place, and the D_OUT signal rarely occurred. These
spurious D_OUT signals can be eliminated by using counter logic at the system
level. The D_OUT signal that occurred after the micro-probing attempt had taken place
is illustrated in Fig. 13(b). The micro-probing capacitance caused a phase difference between the two ring oscillators,
which generated a detection signal. In Section II, the micro-probing attempt simulation
was performed with the probing capacitance set to about 100 fF. When the probing
capacitance was measured with an LCR meter, however, a value of several pF was obtained.
As the probing capacitance increases, the frequency of the D_OUT signal increases;
the reconfigurable top metal shield proposed in this study nevertheless detected
the micro-probing attempts effectively.
Fig. 12. Implementation of micro-probing attempt.
Fig. 13. Experimental results of micro-probing attempt detection mode. (a) D_OUT signal
before micro-probing attempt, (b) D_OUT signal after micro-probing attempt
IV. CONCLUSIONS
A novel countermeasure against physical attacks using a randomly reconfigurable top
metal shield was presented. The proposed circuit includes both an FIB chip editing
detection circuit and a micro-probing attempt detection circuit. The FIB chip editing
detection circuit consists of both an RNG and re-routing switch arrays that can detect
state-of-the-art FIB chip editing attacks effectively. The micro-probing attempt detection
circuit detects micro-probing attacks via the phase difference between two ring oscillators
that are conditionally synchronized. The IC protection methods presented in previous
studies were vulnerable to attacks based on state-of-the-art invasive techniques,
micro-probing attempts, and FIB chip modification techniques. The reconfigurable top
metal shield proposed in this paper is simple, utilizing only a single top metal layer,
and it can detect invasive attacks effectively. Through evaluation based on implementing
invasive attacks in both simulation and experiment, the reconfigurable top metal shield
has been identified as a promising countermeasure for state-of-the-art invasive attacks.
ACKNOWLEDGMENTS
This work was supported by Samsung Research Funding Center of Samsung Electronics
under Project Number SRFC-IT1601-01. This research was also supported by IDEC.
REFERENCES
(1) Lucero S., Mar. 2016, IoT Platforms - Enabling the Internet of Things, Complimentary
Whitepaper, IHS Technology
(2) Blythe S., Fraboni B., Lall S., Ahmed H., de Riu U., Feb. 1993, Layout reconstruction
of complex silicon chips, IEEE Journal of Solid-State Circuits, Vol. 28, No. 2, pp.
138-145
(3) Kömmerling O., Kuhn M. G., 1999, Design principles for tamper-resistant smartcard
processors, USENIX Workshop on Smartcard Technology (WOST), pp. 9-20
(4) Skorobogatov S., 2011, Physical attacks on tamper resistance: progress and lessons,
2nd ARO Special Workshop on Hardware Assurance
(5) Briais S., Cioranesco J.-M., Danger J.-L., Guilley S., Naccache D., Porteboeuf T.,
2012, Random active shield, Workshop FDTC, pp. 103-114
(6) Anderson R., 2001, Security Engineering: A Guide to Building Dependable Distributed
Systems, 1st ed., John Wiley & Sons, Inc.
(7) Ray V., 2009, FREUD Applications of FIB: Invasive FIB Attacks and Countermeasures
in Hardware Security Devices, East-Coast Focused Ion Beam User Group Meeting
(8) Tarnovsky C., 2008, Security failures in secure devices, Black Hat DC
(9) Laackmann P., Taddiken H., Nov. 2004, Apparatus for protecting an integrated circuit
formed in a substrate and method for protecting the circuit against reverse engineering,
US Patent 6,798,234
(10) Ngo X. T., Danger J., Guilley S., Graba T., Mathieu Y., Najm Z., Bhasin S., Feb.
2017, Cryptographically Secure Shield for Security IPs Protection, IEEE Transactions
on Computers, Vol. 66, No. 2, pp. 354-360
(11) Manich S., Wamser M. S., Sigl G., 2012, Detection of probing attempts in secure ICs,
IEEE International Symposium on Hardware-Oriented Security and Trust (HOST 2012), pp.
134-139
(12) Tarnovsky C., 2013, Tarnovsky Deconstruct Processor, https://www.youtube.com/watch?v=w7PT0nrK2BE
(13) Shi Q., Asadizanjani N., Forte D., Tehranipoor M., 2016, A layout-driven framework
to assess vulnerability of ICs to microprobing attacks, IEEE International Symposium
on Hardware-Oriented Security and Trust (HOST 2016), pp. 155-160
(14) Derouet O., Oct. 2012, Integrated circuits including reverse engineering detection
using differences in signals, US Patent 8,296,845
(15) Manich S., Strasser M., Nov. 2013, A Highly Time Sensitive XOR Gate for Probe Attempt
Detectors, IEEE Transactions on Circuits and Systems II: Express Briefs, Vol. 60,
No. 11, pp. 786-790
(16) Janke M., Engl K., Jun. 2012, Integrated circuit and method of protecting a circuit
part to be protected of an integrated circuit, US Patent 8,195,995
(17) INVIA, Active shield IP (Digital IP and Analog IP that Detects Invasive Attacks),
http://invia.fr/detectors/active-shield.aspx
(18) Cioranesco J., Danger J., Graba T., Guilley S., Mathieu Y., Naccache D., Ngo X. T.,
2014, Cryptographically secure shields, IEEE International Symposium on Hardware-Oriented
Security and Trust (HOST 2014), pp. 25-31
(19) Wan M., He Z., Han S., Dai K., Zou X., Aug. 2015, An invasive-attack-resistant PUF
based on switched-capacitor circuit, IEEE Transactions on Circuits and Systems I: Regular
Papers, Vol. 62, No. 8, pp. 2024-2034
(20) MPI Corporation, MPI T5200-SE (200 mm Manual Probe System with ShielDEnvironment
for accurate and reliable DC/CV, RF and mmW measurements), http://www.mpi-corporation.com
Author
Yeongjin Mun received his B.S. and M.S. degrees in Electronics Engineering from Chungnam
National University, Daejeon, Republic of Korea, in 2016 and 2018. His current research
interests are the design of CMOS analog and mixed-mode integrated circuits.
Hyungseup Kim received his B.S. degree in Electronics Engineering from Chungnam National
University, Daejeon, Republic of Korea, in 2014, where he is currently pursuing his
Ph.D. degree. His current research interests are the design of CMOS analog and mixed-mode
integrated circuits.
Byeoncheol Lee received his B.S. degree in Electronics Engineering from Chungnam National
University, Daejeon, Republic of Korea, in 2017, where he is currently pursuing his
M.S. degree. His current research interests are the design of CMOS analog and mixed-mode
integrated circuits.
Jaesung Kim received his B.S. degree in Electronics Engineering from Chungnam National
University, Daejeon, Republic of Korea, in 2018, where he is currently pursuing his
M.S. degree. His current research interests are the design of CMOS analog and mixed-mode
integrated circuits.
Kwonsang Han received his B.S. degree in Electronics Engineering from Chungnam National
University, Daejeon, Republic of Korea, in 2018, where he is currently pursuing his
M.S. degree. His current research interests are the design of CMOS analog and mixed-mode
integrated circuits.
Ji-Hoon Kim is an Associate Professor in the Department of Electronic and Electrical
Engineering at Ewha Womans University, Seoul, Korea. He received his BS and PhD in
electrical engineering and computer science from KAIST in 2004 and 2009, respectively.
In 2009, he joined Samsung Electronics, Suwon, Korea, where he worked on the SoC architecture
design for next-generation cellular modems. His current interests include embedded
processors, low-rate wireless personal area network modems, and ultra-low-power SoC
designs for Internet of Things (IoT) devices.
Byong-Deok Choi received the B.S., M.S., and Ph.D. degrees in electronics engineering
from Hanyang University, Seoul, Korea, in 1994, 1996, and 2002, respectively. In
2001, he joined the System IC R & D Center, LG Electronics, Inc., Seoul, Korea, where he
was engaged in the development of driver and controller LSIs for organic LEDs, PDPs
and TFT-LCDs. Since March 2005, he has been with Hanyang University, Seoul, Korea
as an assistant professor in the Division of Electrical and Computer Engineering.
Dr. Choi received Best Student Paper Award in 2003 from SID (Society for Information
Display). He has authored and co-authored over 20 international journals and conference
papers. His research interests include secure SoC, low-power circuit and analog circuit
design.
Dong Kyue Kim received the B.S., M.S. and Ph.D. degrees in Computer Engineering from
Seoul National University in 1992, 1994, and 1999, respectively. From 1999 to 2005,
he was an assistant professor in the Division of Computer Science and Engineering
at Pusan National University. He is currently a full professor in the Department of
Electronic Engineering at Hanyang University, Korea. His research interests are in
the areas of security SoC, crypto-coprocessors, and information security.
Hyoungho Ko received his B.S. and Ph.D. degrees in the School of Electrical Engineering
at Seoul National University, Korea, in 2003 and 2008, respectively. He was with Samsung
Electronics as a senior engineer from 2008 to 2010. In 2010, he joined the Department
of Electronics, Chungnam National University, Daejeon, Korea, where he is currently
an associate professor. His main research interest is CMOS analog integrated circuit
design and secure SoC design.