Reversing stealthy dopant-level circuits

Cited by: 35
Authors
Sugawara, Takeshi [1]
Suzuki, Daisuke [1]
Fujii, Ryoichi [1]
Tawa, Shigeaki [1]
Hori, Ryohei [2]
Shiozaki, Mitsuru [2]
Fujino, Takeshi [2]
Affiliations
[1] Mitsubishi Electric Corporation, Japan
[2] Ritsumeikan University, Japan
Source
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | 2014 / Vol. 8731
Funding
Japan Science and Technology Agency;
Keywords
Chip reverse engineering; LSI failure analysis; Passive voltage contrast; Stealthy dopant-level trojan;
DOI
10.1007/978-3-662-44709-3_7
Abstract
A successful detection of the stealthy dopant-level circuit (trojan), proposed by Becker et al. at CHES 2013 [1], is reported. Contrary to an assumption made by Becker et al., dopant types in active region are visible with either scanning electron microscopy (SEM) or focused ion beam (FIB) imaging. The successful measurement is explained by an LSI failure analysis technique called the passive voltage contrast [2]. The experiments are conducted by measuring a dedicated chip. The chip uses the diffusion programmable device [3]: an anti-reverse-engineering technique by the same principle as the stealthy dopant-level trojan. The chip is delayered down to the contact layer, and images are taken with (1) an optical microscope, (2) SEM, and (3) FIB. As a result, the four possible dopant-well combinations, namely (i) p+/n-well, (ii) p+/p-well, (iii) n+/n-well and (iv) n+/p-well are distinguishable in the SEM images. Partial but sufficient detection is also achieved with FIB. Although the stealthy dopant-level circuits are visible, however, they potentially make a detection harder. That is because the contact layer should be measured. We show that imaging the contact layer is at most 16-times expensive than that of a metal layer in terms of the number of images. © 2014 International Association for Cryptologic Research.
Pages: 112-126
Number of pages: 14
Related papers
15 in total
[1] Becker G.T., Regazzoni F., Paar C., Burleson W.P., Stealthy Dopant-Level Hardware Trojans, CHES 2013. LNCS, 8086, pp. 197-214, (2013)
[2] Rosenkranz R., Failure Localization with Active and Passive Voltage Contrast in FIB and SEM, Journal of Materials Science: Materials in Electronics, 22, 10, pp. 1523-1535, (2011)
[3] Shiozaki M., Hori R., Fujino T., Diffusion Programmable Device: The Device to Prevent Reverse Engineering, IACR Cryptology ePrint Archive 2014/109, (2014)
[4] Nohl K., Evans D., Starbug, Plotz H., Reverse-Engineering a Cryptographic RFID Tag, Proceedings of the 17th USENIX Security Symposium, (2008)
[5] Torrance R., James D., The State-of-the-Art in IC Reverse Engineering, CHES 2009. LNCS, 5747, pp. 363-381, (2009)
[6] Slashdot, Stealthy Dopant-Level Hardware Trojans
[7] Tarnovsky C., A (In)security of Commonly Found Smart Cards, Invited Talk II, CHES, (2012)
[8] Boit C., Security Risks Posed by Modern IC Debug and Diagnosis Tools, Keynote Talk I, A 10th Workshop on Fault Diagnosis and Tolerance in Cryptography, FDTC 2013, (2013)
[9] Kang S.M., Leblebici Y., CMOS Digital Integrated Circuits Analysis & Design, McGraw-Hill, (2002)
[10] Reverse engineering integrated circuits with degate