Security evolution in silicon chips

Hardware security begins with embedded systems for industrial controllers. Thirty years ago such systems were built from separate components: CPU, ROM, RAM, I/O buffers, serial interfaces and other communication and control interfaces. Examples include the control boards inside industrial controllers (Figure 1), printers, game consoles and home appliances. In the beginning there was almost no protection against cloning of such devices except law and economics. For example, ROMs were made with low-cost mask technology, and cloning would involve either replacing them with EPROMs, which are usually 3-10 times more expensive, or ordering mask ROMs, which would take time and require a large capital investment. Another approach was used in game consoles, where simple ASICs (Application-Specific Integrated Circuits) were widely used (Figure 2). Such ASICs mainly carried out I/O functions, replacing tens of simple logic components; this reduced the cost of the board and at the same time protected against competitors, who had to use larger and more expensive solutions. In fact these ASICs did not carry much security: their functionality could be understood in a few hours by analysing the signals with an oscilloscope or by an exhaustive search over all possible combinations on their pins.

From the late seventies, microcontrollers offered a very good replacement for CPU-based controller boards. They not only had internal memory and built-in I/O interfaces but also some sort of protection against unauthorised access to the internal memory contents. Unfortunately, early microcontrollers did not offer non-volatile storage, and important data had to be stored in a separate chip outside the microcontroller (Figure 3), allowing an attacker to access it easily. Some low-cost attacks on USB dongles used for software protection were published recently.
The next step in the security evolution was to place the EEPROM data storage chip next to the microcontroller inside the same plastic package (Figure 4). Attacking such a chip is not easy: a professional would decapsulate the sample and either microprobe the data chip or bond it into a separate test package. Both methods require equipment that a low-budget attacker cannot afford. Such an attacker could instead try a homemade microprober (bonding pads on old chips are relatively large) or exploit a software bug to get access to the data. Some microcontrollers have no special hardware security protection at all; their protection rests on the obscurity of the proprietary programming algorithm. The read-back function might be deliberately disguised, or replaced with a verify-only function. Usually such microcontrollers do not offer very good protection, and some examples are presented in Chapter 4. The verify-only approach could in fact be very powerful if implemented properly, as it is in some smartcards.

The next step in increasing the protection was to add a hardware security fuse that disables access to the data. The easiest implementation, which does not require a complete redesign of the microcontroller, was for the fuse to control the read-back function of the programming interface (Figure 5). The drawback of this approach is that it makes the security fuse easier to locate and attack invasively. For example, the state of the fuse could be changed by connecting the output of the fuse cell directly to the power supply or ground line. In some cases it might be enough to disconnect the sense circuit from the fuse cell by cutting the wire with a laser cutter or a focused ion beam (FIB) machine. A non-invasive attack might succeed as well, because a separate fuse would certainly behave differently from the normal memory array.
As a result it might be possible to find a combination of external signals under which the state of this fuse is not read correctly, giving access to the information stored in the on-chip memory. Some examples of these attacks are given in Chapter 4. Semi-invasive attacks could bring the attacker success even faster, but they require decapsulation of the chip to get access to the die. A well-known example is erasing the security fuse under UV light; these attacks are discussed in Chapter 6.

The next step was to make the security fuse part of the memory access circuit, so that any external access to the data is disabled if the fuse is set (Figure 6). Usually the fuse is located very close to the main memory or even shares some control lines with it. It is also fabricated with the same technology as the main memory array, making it harder to locate and reset. Non-invasive attacks could still exist but would require much more time and effort to find. At the same time, semi-invasive attacks might still work: it would certainly take the attacker longer to find the security fuse or the part of the control circuit responsible for security monitoring, but this search can easily be automated. Invasive attacks become more difficult, as most of the work would need to be done manually, which certainly increases the cost and time of the attack.

A further improvement involved using part of the main memory to control access to the data from outside. This was implemented either by latching the information stored at a certain address at power-up and treating it as a security fuse, or by using passwords to grant access to the memory. For example, in the Texas Instruments MSP430F112 microcontroller, the read-back operation can be called only after the correct 32-byte password has been entered [25]. Without it, only the chip erase operation is available. Although such protection seems more effective than the previous offerings, it has drawbacks that could be exploited in low-cost non-invasive attacks such as timing attacks and power analysis. More details on these attacks are presented later. If the state of the security fuse is sampled from memory during power-up or reset, it leaves room for the attacker to apply power glitches during that sampling window, trying to force the circuit to latch the wrong state of the memory.
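The timing weakness in password-gated read-back, as an added example (this is not code from the thesis, from Texas Instruments or from any real bootstrap loader; the device password, the "cycle" counter that stands in for measured response time, and all function names are constructed for the simulation): a check that returns on the first mismatching byte, the constant-time check that should replace it, and an attacker that recovers the password one byte at a time from the timing difference alone.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PW_LEN 32

/* Constructed device password for the simulation; not a real MSP430 value. */
static const uint8_t device_password[PW_LEN] = {
    0x5A, 0xC3, 0x11, 0x7E, 0x29, 0xB4, 0x8D, 0x60, 0xF1, 0x02, 0x9B, 0x4C, 0xD7, 0x38, 0xA5, 0x6E,
    0xE9, 0x1A, 0x73, 0xBC, 0x05, 0xC8, 0x3F, 0x96, 0x21, 0xDA, 0x47, 0xF0, 0x8B, 0x54, 0x0D, 0xE6
};

/* Every check reports a "cycle" count: a constructed stand-in for the response
 * delay an attacker would measure on the programming interface or a power trace. */
typedef int (*check_fn)(const uint8_t *attempt, size_t *cycles);

/* Leaky check: returns on the first mismatching byte, so the delay grows with
 * the length of the correct prefix. This is the weakness the text refers to. */
static int check_password_leaky(const uint8_t *attempt, size_t *cycles)
{
    *cycles = 0;
    for (size_t i = 0; i < PW_LEN; i++) {
        (*cycles)++;
        if (attempt[i] != device_password[i])
            return 0;
    }
    return 1;
}

/* Hardened check: touches every byte regardless of where the first mismatch
 * is and folds all differences into one mask, so the delay is constant. */
static int check_password_ct(const uint8_t *attempt, size_t *cycles)
{
    uint8_t diff = 0;
    *cycles = 0;
    for (size_t i = 0; i < PW_LEN; i++) {
        (*cycles)++;
        diff |= (uint8_t)(attempt[i] ^ device_password[i]);
    }
    return diff == 0;
}

/* Attacker model: for each position try all 256 byte values and keep the one
 * that makes the device run longest. Returns the number of bytes recovered
 * into `out` (PW_LEN means the whole password); stops as soon as no value
 * produces a timing difference, which is what the constant-time check causes. */
static size_t recover_by_timing(check_fn check, uint8_t *out)
{
    uint8_t attempt[PW_LEN] = {0};
    for (size_t pos = 0; pos < PW_LEN; pos++) {
        size_t min_c = SIZE_MAX, max_c = 0;
        int best = 0;
        for (int v = 0; v < 256; v++) {
            size_t c;
            attempt[pos] = (uint8_t)v;
            if (check(attempt, &c)) {          /* device accepted the password */
                memcpy(out, attempt, PW_LEN);
                return PW_LEN;
            }
            if (c > max_c) { max_c = c; best = v; }
            if (c < min_c) min_c = c;
        }
        if (max_c == min_c)                    /* no leak: channel is closed */
            return pos;
        attempt[pos] = (uint8_t)best;
        out[pos] = (uint8_t)best;
    }
    return PW_LEN;
}

/* 1 if `out` holds the complete device password. */
static int matches_device_password(const uint8_t *out, size_t n)
{
    return n == PW_LEN && memcmp(out, device_password, PW_LEN) == 0;
}

/* Runs the attack against one check and reports whether the full password came out. */
static int timing_attack_recovers_password(check_fn check)
{
    uint8_t out[PW_LEN] = {0};
    return matches_device_password(out, recover_by_timing(check, out));
}

int main(void)
{
    printf("leaky check: password recovered = %d\n",
           timing_attack_recovers_password(check_password_leaky));
    printf("constant-time check: password recovered = %d\n",
           timing_attack_recovers_password(check_password_ct));
    return 0;
}
```

Against the leaky check the attacker needs at most 32 x 256 queries instead of a search over 256^32 passwords; against the constant-time check the search stalls at the first byte because every guess costs the same. On real silicon the counter is replaced by latency measured on the serial interface or a power trace, and the constant-time property has to be confirmed by measurement on the compiled firmware rather than assumed from the source, since the compare is only as constant-time as the code the compiler actually emits.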
