Mobile QR Code QR CODE

  1. (The authors are with CIST (Center for Information Security Technologies) Korea University, Seoul, 136-075, Korea )

Integrated circuit attack, silicon-backside protection, secure design, secure shield, passive shield, active shield, connected car, abnormally detection


As the protection methods used in security IC have been developed more and more, performing invasive attacks has become increasingly difficult (2). As shown in Fig. 1, the structure of a security IC consists of a protection layer, like the silicon surface protection layer published in JSTS (3). This protection layer is attached to a silicon surface in order to make invasive attacks more difficult. The metal-4 layer is protecting layer with some signals in the metal lines. If an attacker wants to get the important data signals from the metal-3 layer, he would bypass the metal-4 layer with some efforts. To make it difficult to bypass the metal-4 layer, the IC designed with protective circuit. Nevertheless, IC analysis tools are introducing a new attack method. The HEA (Hot Electron Analysis) tool shows electrons moving on the IC (4). When an IC is performing some operation, it leads to electron movement which can be captured by HEA. If an attacker wants to analyze the security operation of a hardware DES (Data Encryption Standard), they can locate the IC with HEA and induce an IC operation of DES and measurement. After that, the attacker can obtain the location of the DES on the IC and start analysis for hacking or can start performing some fault injection attack (5).

In order to perform an invasive attack, identifying the location of the attack point is quite time-consuming. (6) With the use of HEA, an attack can easily identify this location, thereby saving time.

Comparing IC front-side attacks with back-side attacks, finding the location of a front-side attack is easier. However, there are many protection methods applied to front-side attacks, so performing FIB (Focused Ion Beam) and making a probing attack is time-consuming. Thanks to IC analysis tools, performing an invasive attack on the IC back-side is more practical for an attacker. However, from an IC manufacturer’s view, protecting the IC back-side is more difficult and cost-consuming. In order to solve this issue, this paper proposes an effective solution to increase the protection coverage.

Fig. 1. Vertical structure of security IC that has a silicon-surface- protection layer.


This paper’s contents are as follows: Silicon-backside-protection skills are described in section 2, including the research results and patents relevant to the proposed silicon-backside-protection method; the proposed silicon-backside-protection solution is described in section 3; the proposed solution's performance measurement is described in section 4, and the conclusion is presented in section 5.


1. Backside-attack Details

As introduced in section 1, due to the difficulty of IC front-side attacks, silicon back-side attacks have been introduced (7). In Fig. 1, a silicon substrate is removed during the back-side grinding process for a package. Following the package de-capsulation process, IC analysis on the back-side should begin. Fig. 2 shows the procedures of IC back-side analysis. Following the de-capsulation of the chip, the chip is thinned to 80~100um in order to perform the HEA. The thinning process can help find a target location using HEA. If the target is a security block like DES, when the chip is performing a DES operation, the location is highlighted because the electrons are moving a lot. Following the identification of the target location, the FIB operation is performed. Then, a probing pad is made to the DES block’s data line, and we can get the signals of DES operation. As we can see, regarding the process of a back-side attack, like the thinning process, it is difficult to make any structure or add a protection circuit. The back-side grinding is a normal process for semiconductor manufacturing, and it is hard to skip this process and make a protection circuit on the silicon back-side.

Fig. 2. Procedures for backside attack.


2. Previous Silicon-backside-protection Methods

As discussed in the previous section, the silicon-backside-attack is more effective than a front-side attack, and difficult to protect against. In this section, the previously searched protection methods for silicon backsides are presented.

$\textit{A. Private Circuits II: Keeping Secrets in Tamperable Circuits}$ (8)

This idea aims to make it difficult for the attacker to find the valuable data line to probe. As described in Fig. 3, in order to protect against probing attacks, newly-invented XOR and AND gates have been introduced. The encoded XOR or AND is used to avoid a probing attack. In order to obtain the right result, the input should be two times more than the original bit as the output will be doubled. Performing a probing attack is more difficult because making a probing pad is time-consuming and costly. It seems that this method can be a good candidate for protecting against back-side attacks, but making one encoded XOR needs more than six logical gates, so the size of the logic gate area should be increased.

$\textit{B. Backside Polishing Detector}$ (9)

Fig. 3. Newly invented XOR and AND gates which protect the circuit against probing attacks.


Fig. 4. TSV (Through Silicon Via) wire bonding and package technology (11).


Fig. 5. Principle of backside polishing detector.


This idea comes from the semiconductor 3D package method of using TSV(Through-Silicon $V_{ia}$) (10). As we can see from the previous section, a backside attack relies on the process of backside grinding. The TSV structure involves making a hole to interconnect the chips after backside grinding. Fig. 4.

TSV holes are filled with a dielectric substance and measured by a capacitance meter. If the measured value of capacitance is not normal or different from those of the other TSV holes, a chip will give an alarm to the CPU and invoke protection actions. TSV is normally used for interconnecting the silicon, so making many TSV holes to increase the coverage is difficult.

$\textit{C. Magnetic detection of back-side layer}$ (12)

This invention uses magnetic fields and magnetic sensors to detect backside attack intrusions. If the magnetic part is removed or damaged, the magnetic sensor can detect the intrusion. This invention requires the magnetic field generation part and sensing part. The magnetic field can be used by a permanent magnet or an electron magnetic, regardless, making an electron magnetic on the integrated circuit or attaching a permanent magnet is costly and also increases the size of the chip. Additionally, a security chip is usually used for an IC card and passport, and this invention is not ideal for these applications.

Fig. 6. Principle of magnetic detection of backside layer.


Table 1. Summary of protection methods

Protection Methods


Area for


Protection area

Design complexity

A) Private Circuits II


Specific area


B) Backside Polishing Detector


Specific Area


C) Magnetic detection of back-side layer


Specific Area


3. Summary of Silicon-backside-protection Methods

Table 1 shows a summary of the existing silicon-backside-protection methods. According to the table, we found a correlation between cost and protection area. In order to obtain good protection coverage, an increased size is needed to protect the silicon backside area, and this results in a higher monetary cost.

A) Private Circuits II needs a large size of area, due to six times more gates being needed for one gate; the design is not difficult but applying it to all areas needs to be considered. B) Backside Polishing Detector has small size due to the fact that it only has capacitor, but it uses TSV, so applying it to protection areas is limited, but its design is not difficult. C) Magnetic detection of the back-side layer needs the full area of chip to make a magnetic detection area, but the protection area is not fully covered because of the fact that the magnetic sensor cannot be located throughout the entire chip. Additionally, magnetic detection and making a sensor are not easy.


In this section, a more practical method for overcoming the previously mentioned weak-points is introduced. With this suggested solution, the protection area will be increased and the manufacturing cost will be minimized.

1. Design Considerations

From the previous section, the protection method’s main weak point is the size and protection area. From the weakness of these suggestions, these requirements are summarized as follows:

(a) Minimum area should be used for design in order to minimize production cost.

(b) Design of silicon-backside-protection layer (logic part) should not be visible on the backside or the top level of the metal layer.

(c) Protection area should be maximized to avoid back side attack

2. Suggested Solution

The suggested solution involves two main ideas, the first one is using an unused metal layer of the chip which is mainly used for security chip (smart card IC) (14). The second one is the use of capacitance between two metal lines, which can layer an unused metal layer. In order to sense differences between capacitors, a ring oscillator is used for detection. Fig. 8 shows the layout of the security chip without metal-3 and metal-4 layers to more clearly see the location of each block. Normally, ASIC is used for CPU and control logics, so the metal layout uses up to the metal-3 layer, and the metal-4 layer is used as a chip protection layer and cannot be used for metal routing. In the case of memories such as EEPROM, ROM, and RAM, they use up to the metal-2 layer for routing and the metal-3 layer is used as a dummy protection layer (dummy metal shield or passive shield) – Fig. 7 and 8.

In order to use this area for backside attack protection, two serpentine pattern type capacitors are used (15). To minimize the cost of manufacturing, passive shield layer is used for layout the capacitor sensors. This passive shield is used for not showing the metal layers under the passive shield. This layer is utilized for capacitors patterns. –Fig. 9

Fig. 7. Layout of security chip without metal-3 and metal-4 layers.


Fig. 8. Metal-3 level view: metal passive shield area for un-used (no routing) metal-3 layer which is located under the metal-4 layer.


Fig. 9. Design of each back attack detectable inverter (capacitor sensor) which used for ring oscillator with two serpentine patterns.


This pattern is working as a capacitor and the combination of the ring oscillator and frequency counter, the main role of which is sensing the value of its changes to detect the intrusion of bask-side attack. –Fig. 10

Two serpentine patterns - between these patterns, there is an insulator. If this insulator is changed or damaged during the back side attack process – back side grinding or making hole using FIB machine to probe metal lines, the value of capacitor is changed and make frequency varies. Or if part of this pattern is removed or fragile, the probing needle will sometimes be touched, leading to a change in the value of capacitance and giving the change of frequency of the ring oscillator. The counter value is always compared by the comparator. The compared value is not the same as the normal case or usual, and it gives an alarm to the CPU to act against a backside attack. –Fig. 11

Fig. 10. Five-stage ring oscillator to generate clock frequency with five back attack detectable inverter.


Fig. 11. Suggested design of silicon backside protection method using unused metal layer.


In order to locate the capacitor, the unused area of the metal-3 layer and a dummy metal shield are used. Fig. 12. shows the locations of the capacitors which can be the layout on the metal-3 level. RAM and ASIC areas use metal 3 routing, and there is a small area that can be used for this type of capacitor. Therefore, RAM and ASIC area cannot be covered full area because of this area use the metal-3 layer for routing. If there is more important or security information is located this area, a designer can added more sensors in this area while the size of chip increased. Or a designer want to cover fully with sensors, one metal layer is added for full protection but the manufacturing cost is increased. The detailed cost of manufacturing is discussed in (3). EEPROM and ROM area has metal-3 shield against front-side attack, this metal-3 layer is utilized for capacitor sensor, therefore this area is fully covered [Fig. 12]. In the next section, the coverage will be calculated based on this routing and the size overhead will be calculated as well.

Fig. 12. Metal-3 level view: metal-3 shield replaced with capacitor sensor.


Table 2. Estimated size of suggested solution











138 $\mu \mathrm{m}^{2}$





138 $\mu \mathrm{m}^{2}$





69 $\mu \mathrm{m}^{2}$





69 $\mu \mathrm{m}^{2}$





414 $\mu \mathrm{m}^{2}$


The main target of this paper is increasing the protection coverage and reducing the size of the protection method in order to minimize the manufacturing cost. This section compares the suggested solution to other methods in terms of size overhead and protection coverage against back-side attacks.

1. Size Estimation

Comparing the size of the proposed method’s circuit, 65nm logic technology (16) and the CMOS circuit design layout and simulation (15) are referenced. The ring oscillator has five transistors and its registers and capacitors are in the metal-3 layer to detect an attack. The counter design uses an 8-bit counter which has eight Flip-Flops, and one Flip-Flop has 20 transistors (17). The size of one transistor is 0.1 ${\mathrm{\mu}}$m$^{2}$, so the size of the 8-bit counter is 16 ${\mathrm{\mu}}$m$^{2}$. The comparator design uses 20~transistors and its size is 2 ${\mathrm{\mu}}$m$^{2}$. In Table 4, the estimated size of the suggested solution is shown.

Table 3. Estimated overhead and coverage comparison of suggest solution with backside polishing detector

Protection Methods



C) Backside Polishing Detector



(84 ppm)

Suggested Solution



(73 ppm)

A secure microcontroller like the one above has a size of 2 mm * 2.8 mm = 5.6 mm$^{2}$. Therefore, the estimated overhead of the proposed solution is 0.0073% (1).

\begin{align} \tag{1} \begin{array}{l} \textit{Overhead}\left[\% \right]\\ =\frac{\textit{Detector}\_ Size}{\textit{Total}\_ Chip\_ Size}*100\left[\% \right]\\ =\frac{414um^{2}}{2mm*2.8mm}*100\left[\% \right]\\ =0.0073\% \end{array} \end{align}

2. Coverage Estimation

The EEPROM and ROM area can be almost 100% covered, because this area is using the metal-1 and metal-2 (assuming that the routing path is included in the ASIC). ASIC area as well as RAM and other areas can be covered around 50% because they are using metal-3 for routing and can place the sensing capacitor on the 50% area. If we assume that ROM and EEPROM’s areas are almost half, the coverage of the suggested solution is 87.5% (2) and Table 3.

\begin{align} \tag{2} \begin{array}{l} \textit{Coverage}\left[\% \right]\\ =\frac{\textit{Sensors}\_ Area}{\textit{Total}\_ Chip\_ Size}*100\left[\% \right]\\ =87.5\% \end{array} \end{align}

In the case of the backside polishing detector (9), EEPROM and ROM areas cannot be covered, and only the specific area where the detector is located can be covered because it uses all metal layers and silicon layers to implement. If designer want to increase the coverage, the size of the chip will increased and impact the cost of production.

In Table 4, the result of the suggested solution and other protection methods are compared. The aims of this paper, increasing the protection area and minimizing the area for the circuit, are both achieved.

Table 4. Comparison of suggested solution to other protection methods.

Protection Methods


area for


Protection area

Design complexity

A) Private Circuits II(3)


Specific area


B) Backside Polishing Detector (4)


Specific Area


C) Magnetic detection of back-side layer(5)


Specific Area


Suggested Solution


Almost Full Area


3. Implementation and Measurement

The suggested solution operates very low frequency, so does not to impact other metal layer signal and not impacted by those signals. Nowadays, semiconductor manufacturing process has the trimming test process to adjust the capacitor value to make the aimed frequency to fit it to aimed frequency. So, even though there is a small difference in frequency due to capacitance variation during manufacturing, it can be trimmed to right frequency to check and detect the change of capacitance value to due back side attack. Trimming test uses few bits to adjust the value to aimed frequency. These bits are located at counter. Under the testing process the counter value is not the aimed value, these bits are set and reset to adjust the counter value to targeted value. Trimming test approach is reducing the cost of analog circuit for manufacturing and also helps to reduce the cost of fabrication of suggested solution (18).


In this paper, a practical silicon-backside-protection method using capacitors which meets the requirements of increasing the coverage and minimizing the size is proposed. In the cases of security chips, new attack methods are developed every day. Chip manufacturers also work hard to make good protection methods. One of the dilemmas is cost. Normally, a security chip is more expensive than other non-secure chips for the above reason. Still, if the manufacturing cost is higher than that of the competitor’s, a manufacturer can lose their competitiveness. To keep the manufacturing competitiveness, a practical method is always needed. In addition, failure analysis tools for integrated circuits are one of the new challenges for security chip developers; the back-side attack is one of the relevant cases. However, a practical protection method against back-side attack has now been introduced. New invasive attacks for secure chips will continue to be found. In order to achieve more secure chips, endless efforts to design new protection methods in a practical manner should not be stopped.


This paper was result of the research project supported by SK Hynix Inc. and the authors would like to thank Synopsys providing TCAD tool.


Mayes Keith E, Konstantinos Markantonakis, 2008, Smart cards, tokens, security and applications, New York: Springer, Vol. 2, No. 3DOI
Torrance Randy, Dick James, 2009, The state-of-the-art in IC reverse engineering., Springer, Berlin, HeidelbergDOI
Kyungsuk Yi, Park Minsu, Kim Seungjoo, 2016, Practical silicon-surface-protection method using metal layer., Journal of Semiconductor Technology and Science, Vol. 16, No. 4, pp. 470-480Google Search
Song Xu, 2016, IC security evaluation against fault injection attack based on FPGA emulation., International Conference on Field-Programmable Technology (FPT).IEEEDOI
April 2019, Application of Attack Potential to Smartcards Similar Devices Version 3.0, Joint Interpretation LibraryGoogle Search
April 2019, Application of Attack Potential to Smartcards Similar Devices Version 3.0, Joint Interpretation LibraryGoogle Search
Helfmeier C., Nedospasov D., Tarnovsky C., Krissler J. S., Boit C., Seifert J. P., 2013, November, Breaking and entering through the silicon, In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security ACM, pp. 733-744DOI
Ishai Y., Prabhakaran M., Sahai A., Wagner D., 2006, May, Private circuits II: Keeping secrets in tamperable circuits, In Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer Berlin Heidelberg., pp. 308-327DOI
Manich S., Arumi D., Rodriguez R., Mujal J., Hernandez D., 2015, Backside polishing detector: a new protection against backside attacks. A: Conference on Design of Circuits and Integrated Systems, DCIS'15 - XXX Conference on Design of Circuits and Integrated Systems, pp. 1-6Google Search
Knechtel , Johann , et al , 2017, Large-scale 3D chips: Challenges and solutions for design automation, testing, and trustworthy integration., IPSJ Transactions on System LSI Design Methodology, Vol. 10, pp. 45-62DOI
11 Search
Victor Zieren, Robertus A. M., Wolters Nxp B.V., US patent- US20100283456 Magnetic detection of back-side layerGoogle Search
John Walker, Itsik Mantin, US patent - US 7,966,666 Chip attack protectionGoogle Search
Wolfgang Rankl, Wolfgang Effing, , SmartCard Handbook 4th Edition, ISBN: 978-0-470-74367-6Google Search
Baker R. Jacob, 2019, CMOS: circuit design, layout, and simulation, Wiley-IEEE pressGoogle Search
Bai , Peng , 2004, A 65nm logic technology featuring 35nm gate lengths, enhanced channel strain, 8 Cu interconnect layers, low-k ILD and 0.57/spl mu/m/sup 2/SRAM cell., IEDM Technical Digest. IEEE International Electron Devices Meeting,IEEE, 2004DOI
Sheshadri Vijay Benakanakere, 2010, UPSET TRENDS IN FLIP-FLOP DESIGNS AT DEEP, Diss. Vanderbilt UniversityGoogle Search
Bullag Rex F., Rolando C. Ortega, Sorina B. Bullag, 2014, Adaptive trimming test approach—The efficient way on trimming analog trimmed devices at wafer sort., 36th International Electronics Manufacturing Technology Conference. IEEEDOI


Kyungsuk Yi

Kyungsuk Yi received his B.S degree in Control and Instru-mentation engineering in Chungang University (CAU) of Korea, in 1993 and also received his M.S degree in Information Security from Ajou University of Korea, in 2005.

He is currently working toward the Ph.D. degree in Information Security, Korea University, Korea.

His research interests are mainly on Information Assurance, Hardware Security and Reverse Engineering.

E-mail :

Minsu Park

Minsu Park received his B.S degree in Computer Network from Silla University of Korea, in 2010 and also received his M.S. and Ph.D. degree in Information Security from Korea University, Korea, in 2013 and 2018.

He is currently working at LG Electronics as an information security specialist.

His research interests include Information Assurance, IoT Security, Digital Forensic and Usable Security.

E-mail :

Sungyong Cha

Sungyong Cha received his B.S degree in Computer Science at Korea Military Academy in 2004 and a M.S degree in Electrical Engineering at SUNY Buffalo in the United States in 2008.

Also, he received a Ph.D. degree in Information Security from Korea University in 2019. He is currently working at Korea Ministry of National Defense in cybersecurity area.

His research interests include Information Assurance, C4I, Risk Management and SDLC.

E-mail :

Seungjoo Kim

Seungjoo Kim received his B.S., M.S. and Ph.D. from Sungkyunkwan University (SKKU) of Korea, in 1994, 1996 and 1999, respectively.

Prior to joining the faculty at Korea University (KU) in 2011, He served as Assistant & Associate Professor at SKKU for 7 years. Before that, He served as Director of the Cryptographic Technology Team and the (CC-based) IT Security Evaluation Team of the Korea Internet & Security Agency (KISA) for 5 years.

He is currently a Professor in the Graduate School of Information Security Technologies (CIST).

Also, He is a Founder and Advisory director of a hacker group, HARU and an international security & hacking conference, SECUINSIDE.

Prof. Seungjoo Kim’s research interests are mainly on cryptography, Cyber Physical Security, IoT Security, and HCI Security.

He is a corresponding author.

E-mail :