HANDS-ON TRAINING 

IC REVERSE ENGINEERING & ATTACKS

*****

I. COURSE DESCRIPTION

The primary goal of this training is to give security professionals and team leaders the skills, mindset and background information necessary to analyze Integrated Circuits (ICs) and evaluate the efficiency of existing counter-measures. It is designed to give Integrated Circuit professionals a deep understanding of the complete Reverse-Engineering and Attack chain, to help them build more secure designs, and to give newcomers a detailed overview for a fast ramp-up.

Students who complete this course will be familiar with all important classes of low-level hardware attacks (shield and hardware counter-measure bypass, ROM and Flash/EEPROM dump, passive and active bus probing, …) through real-world examples covering the entire analysis workflow, from the lab to the data analysis. The training describes modern analysis methods involving automation and discusses the efficiency of modern counter-measures in such a context.

Our Hands-on training combines theoretical lectures and practical assignments, so that students are ready to analyze any Integrated Circuit at different levels, from SEM pictures and layout information to schematics. A full one-day lab session completes the picture with demonstrations of how we obtain the base material for our Risk Assessments, among other services. The complete Reverse-Engineering workflow will be demonstrated, including reversing the Integrated Circuit construction, finding the different cores and memories, delayering samples down to targeted layers and using a SEM for high-resolution imagery.

***** Register for one of our next sessions: November 2021 *****

II. DETAILS

  1. Topics covered during the course

2-DAYS 101 TRAINING « IN CLASS »

Texplained's Reverse-Engineering & Attacks 101 training is built to give a complete understanding of Integrated Circuits while explaining the different threats they face. The chapters are organized so that attendees discover each new topic progressively, in a way that reflects the Reverse-Engineering specific mindset. This learning curve lets attendees complete the training by strategizing an Invasive Attack involving Reverse-Engineering, circuit modification and micro-probing. Finally, the IC RE & Attacks training is also useful for discussing the current state of security of Integrated Circuits and embedded counter-measures.

  1. INTRODUCTION
  2. RECOMMENDED READING
  3. INTEGRATED CIRCUIT
    • Target Identification
    • Examples of IC Packages
    • Bonding Wires
    • Structure of an IC
  4. TRANSISTORS
    • Physical Construction
    • Mode of Operation
    • Usage
    • CMOS Logic
    • Abusing Transistors
  5. DIGITAL ELECTRONICS
    • COMBINATORIAL LOGIC
      • The Inverter
      • Building Truth Tables and Finding the Function
      • Simplifying Boolean Equations
      • Sequential Logic Building Blocks
      • Building Functions
      • Cascading
      • Datagram
    • SEQUENTIAL LOGIC
      • CPU Architecture Basics
      • Registering Data
      • Register Transfer Layer
    • MEMORIES
      • CPU Architecture Basics
      • Memories Architecture
      • Memory Types
  6. MANUFACTURING PROCESS
    • Manufacturing Steps
    • Planarization
    • Main Processes
    • Layout
    • Stick Diagrams
    • Finding the Digital Circuit
  7. FAILURE ANALYSIS
    • Regular Use of FA Equipment
    • FA for Reverse-Engineering
    • The RE Process
    • DEPROCESSING / DELAYERING
      • Depackaging
      • Cross-sections
    • PRINCIPLE
      • Tilt setup
      • Naming Convention
      • Deprocessing Theory
    • WET CHEMICALS
    • DRY CHEMICALS
    • CMP
    • IMAGERY
      • Optical Imagery
      • SEM Imagery
    • CIRCUIT MODIFICATION
      • Repackaging
      • FIB Circuit Edit
      • Micro-Probing
  8. INVASIVE ATTACKS
    • FIRST STEP
      • Overview Analysis
    • READING ROM
    • READING FLASH
      • LINEAR CODE EXTRACTION
        • CPU Architecture Basics
        • LCE Principle
        • Simple LCE
        • Using Charge Pump for Reliability
        • Controlled LCE
    • INVASIVE ATTACKS INVOLVING REVERSE ENGINEERING
      • REVERSE-ENGINEERING STANDARD CELLS
        • Creating an Attack Scenario – Game
  9. SHIELD / MESH
  10. AUTOMATING THE REVERSE ENGINEERING
    • Example
    • Impact on Common Criteria

The training includes practicing sessions with 22 assignments.

1-DAY DEMO SESSION IN OUR LAB

Our Hands-On training goes one step further than the standard IC RE & Attacks 101 by showing attendees how professional Reverse-Engineering laboratories prepare the samples and images that hardware security teams will exploit. Instead of presenting machines and equipment one after the other, a project-oriented approach is followed, so that the Reverse-Engineering specific constraints and quality criteria are also part of the demonstration.

  1. MAKING YOUR OWN CHIP-ID
    • SAMPLE PREPARATION
      • Depackaging
      • Substrate Sample Preparation
      • Cross-Section Sample Preparation
    • IMAGERY
      • Top + Substrate Sample Optical Scans
      • Substrate Scanning Electron Microscope (SEM) Scan
      • Cross-Section SEM Inspection and Annotation
    • ANALYSIS
      • Finding Core, Analog Circuitry and Memories from SEM Scans
      • Recovering Data about Chip Construction
  2. DELAYERING
    • Reaching a Specific Layer
    • Sample SEM Inspection and Scan
  3. ROM RAW BINARY EXTRACTION
    • Shallow Angle Polish (SAP) Sample Preparation
    • SAP sample SEM Inspection to Find Out Where ROM Bits Are
    • Bits Extraction Tool Demo
  2. Who should attend

  • Digital Forensic investigators
  • Integrated circuit and failure analysis engineers
  • Engineers involved in securing hardware platforms against attacks
  • Researchers who want to understand the nature of many hardware attacks
  • Team leaders
  • Hardware hackers who want to become familiar with attacks on integrated circuits
  • Parties involved in hardware reverse-engineering and vulnerability analysis

  3. Minimum software to install

None. Students will be provided assignments on paper, as well as the training material as a .pdf file.

  4. Duration of the training

This training is a 3-day session.

III. TRAINERS

Olivier THOMAS, Reverse Engineering Mentor

Olivier THOMAS studied Electrical Engineering (EE) and subsequently worked for a major semiconductor manufacturer designing analog circuits.

Then, Olivier began to work in the field of Integrated Circuit (IC) security as the head of one of the world’s leading IC Analysis Labs. The lab primarily focused on securing future generation devices, as well as developing countermeasures for current generation devices to combat piracy and counterfeiting. During this time Olivier helped develop many new and novel techniques for semi- and fully-invasive IC analysis. He has an extensive background in all the Failure Analysis techniques and equipment necessary for accessing vulnerable logic on a target device. Combined with his experience as an IC design engineer, Olivier continues to develop techniques for automating the analysis process. These techniques are applicable not only to lower-complexity devices such as smartcards, the traditional targets for IC analysis, but also to modern semiconductor devices with millions of gates, such as modern System-on-Chips (SoCs). Olivier is the author of ARES (Automated Reverse Engineering Software), a software toolchain for the efficient analysis of designs independent of their logical size. He is the founder and CTO at Texplained SARL.

Antony MOOR, Lab Expert

Tony MOOR’s studies focused mainly on Chemistry, and he was first exposed to the semiconductor hardware industry as a Physical Failure Analyst in Atmel’s FAB9 in North Tyneside, England.

It was here that he learned the skills and techniques required to prepare and image semiconductor devices in fine detail, in order to isolate failures in processes, assist in yield enhancement and aid new process development. For the following decade, Tony applied his skills and knowledge in the field of reverse engineering, evolving a laboratory into a self-sufficient reverse engineering facility. Methods used included Focused Ion Beam (FIB), Scanning Electron Microscopy (SEM), Dual-Beam (FIB/SEM), high precision mechanical delayering, wet/dry chemical delayering and optical imaging. Tony now manages the lab and develops and refines the techniques required to output the highest quality images possible for any given semiconductor device.