1. Backside-attack Details

As introduced in section 1, due to the difficulty of IC front-side attacks, silicon back-side attacks have been introduced ⁽⁷⁾. In Fig. 1, a silicon substrate is removed during the back-side grinding process for a package. Following the package de-capsulation process, IC analysis on the back-side should begin. Fig. 2 shows the procedures of IC back-side analysis. Following the de-capsulation of the chip, the chip is thinned to 80~100um in order to perform the HEA. The thinning process can help find a target location using HEA. If the target is a security block like DES, when the chip is performing a DES operation, the location is highlighted because the electrons are moving a lot. Following the identification of the target location, the FIB operation is performed. Then, a probing pad is made to the DES block’s data line, and we can get the signals of DES operation. As we can see, regarding the process of a back-side attack, like the thinning process, it is difficult to make any structure or add a protection circuit. The back-side grinding is a normal process for semiconductor manufacturing, and it is hard to skip this process and make a protection circuit on the silicon back-side.

2. Previous Silicon-backside-protection Methods

As discussed in the previous section, the silicon-backside-attack is more effective than a front-side attack, and difficult to protect against. In this section, the previously searched protection methods for silicon backsides are presented.

$\textit{A. Private Circuits II: Keeping Secrets in Tamperable Circuits}$ ⁽⁸⁾

This idea aims to make it difficult for the attacker to find the valuable data line to probe. As described in Fig. 3, in order to protect against probing attacks, newly-invented XOR and AND gates have been introduced. The encoded XOR or AND is used to avoid a probing attack. In order to obtain the right result, the input should be two times more than the original bit as the output will be doubled. Performing a probing attack is more difficult because making a probing pad is time-consuming and costly. It seems that this method can be a good candidate for protecting against back-side attacks, but making one encoded XOR needs more than six logical gates, so the size of the logic gate area should be increased.

$\textit{B. Backside Polishing Detector}$ ⁽⁹⁾

This idea comes from the semiconductor 3D package method of using TSV(Through-Silicon $V_{ia}$) ⁽¹⁰⁾. As we can see from the previous section, a backside attack relies on the process of backside grinding. The TSV structure involves making a hole to interconnect the chips after backside grinding. Fig. 4.

TSV holes are filled with a dielectric substance and measured by a capacitance meter. If the measured value of capacitance is not normal or different from those of the other TSV holes, a chip will give an alarm to the CPU and invoke protection actions. TSV is normally used for interconnecting the silicon, so making many TSV holes to increase the coverage is difficult.

$\textit{C. Magnetic detection of back-side layer}$ ⁽¹²⁾

This invention uses magnetic fields and magnetic sensors to detect backside attack intrusions. If the magnetic part is removed or damaged, the magnetic sensor can detect the intrusion. This invention requires the magnetic field generation part and sensing part. The magnetic field can be used by a permanent magnet or an electron magnetic, regardless, making an electron magnetic on the integrated circuit or attaching a permanent magnet is costly and also increases the size of the chip. Additionally, a security chip is usually used for an IC card and passport, and this invention is not ideal for these applications.

3. Summary of Silicon-backside-protection Methods

Table 1 shows a summary of the existing silicon-backside-protection methods. According to the table, we found a correlation between cost and protection area. In order to obtain good protection coverage, an increased size is needed to protect the silicon backside area, and this results in a higher monetary cost.

A) Private Circuits II needs a large size of area, due to six times more gates being needed for one gate; the design is not difficult but applying it to all areas needs to be considered. B) Backside Polishing Detector has small size due to the fact that it only has capacitor, but it uses TSV, so applying it to protection areas is limited, but its design is not difficult. C) Magnetic detection of the back-side layer needs the full area of chip to make a magnetic detection area, but the protection area is not fully covered because of the fact that the magnetic sensor cannot be located throughout the entire chip. Additionally, magnetic detection and making a sensor are not easy.

1. Design Considerations

From the previous section, the protection method’s main weak point is the size and protection area. From the weakness of these suggestions, these requirements are summarized as follows:

(a) Minimum area should be used for design in order to minimize production cost.

(b) Design of silicon-backside-protection layer (logic part) should not be visible on the backside or the top level of the metal layer.

(c) Protection area should be maximized to avoid back side attack

2. Suggested Solution

The suggested solution involves two main ideas, the first one is using an unused metal layer of the chip which is mainly used for security chip (smart card IC) ⁽¹⁴⁾. The second one is the use of capacitance between two metal lines, which can layer an unused metal layer. In order to sense differences between capacitors, a ring oscillator is used for detection. Fig. 8 shows the layout of the security chip without metal-3 and metal-4 layers to more clearly see the location of each block. Normally, ASIC is used for CPU and control logics, so the metal layout uses up to the metal-3 layer, and the metal-4 layer is used as a chip protection layer and cannot be used for metal routing. In the case of memories such as EEPROM, ROM, and RAM, they use up to the metal-2 layer for routing and the metal-3 layer is used as a dummy protection layer (dummy metal shield or passive shield) – Fig. 7 and 8.

In order to use this area for backside attack protection, two serpentine pattern type capacitors are used ⁽¹⁵⁾. To minimize the cost of manufacturing, passive shield layer is used for layout the capacitor sensors. This passive shield is used for not showing the metal layers under the passive shield. This layer is utilized for capacitors patterns. –Fig. 9

This pattern is working as a capacitor and the combination of the ring oscillator and frequency counter, the main role of which is sensing the value of its changes to detect the intrusion of bask-side attack. –Fig. 10

Two serpentine patterns - between these patterns, there is an insulator. If this insulator is changed or damaged during the back side attack process – back side grinding or making hole using FIB machine to probe metal lines, the value of capacitor is changed and make frequency varies. Or if part of this pattern is removed or fragile, the probing needle will sometimes be touched, leading to a change in the value of capacitance and giving the change of frequency of the ring oscillator. The counter value is always compared by the comparator. The compared value is not the same as the normal case or usual, and it gives an alarm to the CPU to act against a backside attack. –Fig. 11

In order to locate the capacitor, the unused area of the metal-3 layer and a dummy metal shield are used. Fig. 12. shows the locations of the capacitors which can be the layout on the metal-3 level. RAM and ASIC areas use metal 3 routing, and there is a small area that can be used for this type of capacitor. Therefore, RAM and ASIC area cannot be covered full area because of this area use the metal-3 layer for routing. If there is more important or security information is located this area, a designer can added more sensors in this area while the size of chip increased. Or a designer want to cover fully with sensors, one metal layer is added for full protection but the manufacturing cost is increased. The detailed cost of manufacturing is discussed in ⁽³⁾. EEPROM and ROM area has metal-3 shield against front-side attack, this metal-3 layer is utilized for capacitor sensor, therefore this area is fully covered [Fig. 12]. In the next section, the coverage will be calculated based on this routing and the size overhead will be calculated as well.

1. Size Estimation

Comparing the size of the proposed method’s circuit, 65nm logic technology ⁽¹⁶⁾ and the CMOS circuit design layout and simulation ⁽¹⁵⁾ are referenced. The ring oscillator has five transistors and its registers and capacitors are in the metal-3 layer to detect an attack. The counter design uses an 8-bit counter which has eight Flip-Flops, and one Flip-Flop has 20 transistors ⁽¹⁷⁾. The size of one transistor is 0.1 ${\mathrm{\mu}}$m$^{2}$, so the size of the 8-bit counter is 16 ${\mathrm{\mu}}$m$^{2}$. The comparator design uses 20~transistors and its size is 2 ${\mathrm{\mu}}$m$^{2}$. In Table 4, the estimated size of the suggested solution is shown.

A secure microcontroller like the one above has a size of 2 mm * 2.8 mm = 5.6 mm$^{2}$. Therefore, the estimated overhead of the proposed solution is 0.0073% (1).

2. Coverage Estimation

The EEPROM and ROM area can be almost 100% covered, because this area is using the metal-1 and metal-2 (assuming that the routing path is included in the ASIC). ASIC area as well as RAM and other areas can be covered around 50% because they are using metal-3 for routing and can place the sensing capacitor on the 50% area. If we assume that ROM and EEPROM’s areas are almost half, the coverage of the suggested solution is 87.5% (2) and Table 3.

In the case of the backside polishing detector ⁽⁹⁾, EEPROM and ROM areas cannot be covered, and only the specific area where the detector is located can be covered because it uses all metal layers and silicon layers to implement. If designer want to increase the coverage, the size of the chip will increased and impact the cost of production.

In Table 4, the result of the suggested solution and other protection methods are compared. The aims of this paper, increasing the protection area and minimizing the area for the circuit, are both achieved.

3. Implementation and Measurement

The suggested solution operates very low frequency, so does not to impact other metal layer signal and not impacted by those signals. Nowadays, semiconductor manufacturing process has the trimming test process to adjust the capacitor value to make the aimed frequency to fit it to aimed frequency. So, even though there is a small difference in frequency due to capacitance variation during manufacturing, it can be trimmed to right frequency to check and detect the change of capacitance value to due back side attack. Trimming test uses few bits to adjust the value to aimed frequency. These bits are located at counter. Under the testing process the counter value is not the aimed value, these bits are set and reset to adjust the counter value to targeted value. Trimming test approach is reducing the cost of analog circuit for manufacturing and also helps to reduce the cost of fabrication of suggested solution ⁽¹⁸⁾.