IC Reverse Engineering 101
Instructor:
Olivier Thomas
Dates:
31 January to 01 February 2018
Capacity:
16 Seats
Price:
1450 EURO before January 1,
1750 EURO after.
Hardware low level attacks are the basis for counterfeits creation but also for extracting legitimate devices in order to get confidential data or to change their behavior. They also can be used to access restricted software which makes their analysis possible for creating remote attacks as recently seen with IoT based DDoS attacks. Security implemented in hardware is no longer immune to analysis and ICs may be the most vulnerable component of a security system.
For several decades, hardware security relied on obfuscation and the entry barrier for Integrated Circuit (IC) hacking being money and time made it possible for chip designers to rely on this strategy. Two phenomenons changed this postulate as the money investment dropped severely and the attack timing also significantly decreased.
Analyzing hardware requires various knowledge about circuits, how they are designed, manufactured and tested. However, the skills required for performing vulnerability and/or risk analysis are accessible to those who are already familiar with software and network security.
The primary goal of this training is to provide security professionals and team leaders the skills, mindset and background information necessary to successfully perform analysis of Integrated Circuits (ICs) and evaluate the efficiency of the existing counter-measures.
Students who complete this course will be familiar with all important classes of low-level hardware attacks (shield and hardware counter-measures bypass - ROM and Flash/EEPROM dump - bus passive and active probing - Circuitry Reverse-Engineering - …) through real world examples covering the entire analysis workflow from the lab to the data analysis. The training will also describe modern analysis methods implying automation and discuss the efficiency of modern counter-measures in such a context.
Course Syllabus:
The entire course is build from experience and follow a Reverse-Engineering learning method. It is assumed here that the attendee will have no particular knowledge about microelectronics and therefore a combination of theoretical sections and black-box scenarios will be used to share knowledge. Attendees will have the opportunity to work on real Optical and Scanning Electron Microscope pictures, thus reproducing the work of an IC security analyst conducting all sorts of attacks.
The training follows the following structure:
- Integrated Circuit : Before targeting silicon attacks on any Integrated Circuit, sample preparation is needed. To be able to perform that one efficiently, it is necessary to fully understand how Integrated are constructed and packaged.
- Transistors. After looking at the complete chip, a huge zoom in will be made so as to understand its basic working unit: the transistor. Hardware attacks such as VCC, clk or laser glitch are the consequence of the physics behind transistors.
- Digital Electronics. From that point, the class will zoom out gradually. This sections gives the basis to understand digital circuits and to reverse-engineer standard cells. It will starts with combinatorial logic and will get more complex with sequential logic and simple CPU architectures. A last chapter will be dedicated to Memories with a section on how to dump ROMs from pictures of an IC.
- The manufacturing process will be briefly discussed to prepare the true Reverse-Engineering sections. Layout will be practically explained as it is the base material for any analysis.
- Failure Analysis is used by Chip Manufacturers to detect issues on their chips as soon as they can in order to fix them before it costs too much. For IC Reverse-Engineers, FA techniques are useful tools. Unfortunately, FA and RE are not the same and equipments and techniques are not used the same way according to the targeted application. In this context, it is important to give to the attendees the key concepts to understand what is happening during the sample preparation and attack phases in the lab (sample preparation, imagery, circuit modification, laser fault injection…).
- Invasive Attacks. With the accumulated knowledge, the class will be able to move on to real world example and will be given the opportunity to read Non Volatile Memories such as ROMs and Flashs. The attack definition will be the result of picture analysis and abusing the reverse-engineered digital logic. Once the basic extraction method will be covered, a more complex case will be fully studied in a black box scenario with extensive use of techniques such as layout reading and standard cell reverse-engineering from Scanning Electron Microscope pictures. Several variations will be used so as to cover different known cases.
- Counter-measure bypass: At this point in time, attendees will understand how hardware counter-measure design is a challenge.
- Fully automating the RE process. This short section will conclude the training with some words on how the analysis process can be improved but also on the risk related to IC reverse-engineering and why it really matters.
BIO
Oliver THOMAS studied Electrical Engineering (EE) and subsequently worked for a major semiconductor manufacturer designing analog circuits. Subsequently, Olivier began to work in the field of Integrated Circuit (IC) security as the head of one of the world’s leading IC Analysis Labs. The lab primarily focused on securing future generation devices as well as developing countermeasures for current generation devices to combat piracy and counterfeiting. During this time Olivier helped develop many new and novel techniques for semi- and fully-invasive IC analysis. He has an extensive background in all the Failure Analysis techniques and equipment necessary for accessing vulnerable logic on a target device. Combined with his experience as an IC design engineer, Olivier continues to develop techniques for automating the analysis process. These techniques are not only applicable to lower-complexity devices such as smartcards, which are the traditional targets for IC analysis, but they are applicable to modern semiconductor devices with millions of gates, such as modern System-on-Chips (SoCs). Olivier is the author of ARES (Automated Reverse Engineering Software), a software toolchain for the efficient analysis of designs of independent of their logical size. He is the founder and a security consultant at Texplained SARL.
TO REGISTER
Click here to register.