On the Impact of Placement on Integrated Circuit Reverse-Engineering
Integrated Circuit (IC) Reverse-Engineering (RE) requires delayering and imagery steps.
Both tasks are challenging because the resulting pictures, taken with a Scanning Electron Microscope (SEM), must be of high quality.
With clean, detailed pictures of every layer of a chip, one can use dedicated tools to extract a gate-level netlist of the Integrated Circuit. This in itself represents opportunities (security assessment, supply chain validation, IP infringement proofs) but also a major threat: pirate groups can study the netlist to understand how the IC works (including custom hardware functions), take control over it and, for example, dump its memories, which can then be used to create counterfeit products.
This raises a legitimate question: how can chip designers make the task more difficult for attackers? Preventing RE altogether is quite challenging, but as with any security countermeasure, the goal is to reduce the number of potential attackers.
Here is a look at the impact of placement on IC Reverse-Engineering. To illustrate this topic, we are going to look at some of the most secure ICs available: the Infineon SLE78 and the NXP SmartMX2. Both are certified at level EAL 6+ under the Common Criteria certification scheme.
Before looking at these targets in greater detail, let's take the Infineon SLE66 as a starting point. The way its digital circuitry has been placed is interesting because it can cause problems for attackers. Nothing significant, however: we are only talking about process adaptations, and these can easily be made.
The SLE66 has noticeable bonding pads aligned in the middle of the chip. But it also has something more. Its core (the digital circuitry) is placed on the very edge of the chip. Usually, this area is occupied by analog circuitry and bonding pads. Because of this, a reverse-engineer who uses polishing as his or her main delayering technique can run into problems because of side effects: when polishing, the sides of the IC are polished faster than the center.
Infineon's newer secure device, the SLE78, shows the same characteristic as its predecessor, with logic at the very edge of the IC. It will be interesting to check which functions are pushed there in order to know whether that choice was intentional.
But Infineon did not stop there: the logic of the newer IC forms a T-shaped block that crosses the entire chip from edge to edge in both directions. This means that on top of the delayering "issues", there can now be an imaging issue as well.
When taking pictures of an IC, the reverse-engineer uses a SEM that produces several thousand pictures per layer. This task is automated, but scanning software usually scans a regular rectangular area.
On the SLE78, this would mean that the entire surface of the chip has to be imaged, while the digital circuitry, which is in the end the interesting part for an attacker, represents less than a third of that area. The overhead here is huge and can turn long SEM scans into extra-long SEM scans. Once again, this could be a way to slow down attackers…
Of course, this has to be balanced against the fact that solutions exist and can be developed quickly:
– SEM scanners can easily be modified to acquire arbitrarily shaped areas.
– Several rectangular areas can be scanned instead, with the resulting blocks stitched together before extraction. This stitching can be done at different stages depending on the netlist extraction tools used.
– Side effects can be reduced by placing sacrificial material on the sides of the chip. They can also be kept minimal by combining other techniques such as wet and dry chemistry.
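As an added illustration of the imaging overhead discussed above (this code is not from the original article nor from either vendor), the following Python estimates how many SEM pictures a single rectangular scan of the logic's bounding box needs, compared with scanning each logic block separately and stitching. The T-shaped and compact floorplans, the 3000 µm die and the 100 µm field of view are all constructed assumptions, not measurements of the SLE78 or SmartMX2.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Rect:
    """Axis-aligned block of digital logic on the die, in micrometres.
    (x0, y0) is the lower-left corner, (x1, y1) the upper-right corner."""
    x0: float
    y0: float
    x1: float
    y1: float


def tile_set(r: Rect, tile: float) -> set:
    """SEM tiles (ix, iy) of side `tile` µm needed to cover rectangle r.
    Tiles sit on one global grid, so a tile shared by two overlapping
    blocks (the bar and the stem of a T) is counted only once."""
    xs = range(math.floor(r.x0 / tile), math.ceil(r.x1 / tile))
    ys = range(math.floor(r.y0 / tile), math.ceil(r.y1 / tile))
    return {(ix, iy) for ix in xs for iy in ys}


def bounding_box(rects: list) -> Rect:
    """Smallest rectangle enclosing every logic block: what a scanner
    restricted to one rectangular area has to image."""
    return Rect(min(r.x0 for r in rects), min(r.y0 for r in rects),
                max(r.x1 for r in rects), max(r.y1 for r in rects))


def scan_cost(rects: list, tile: float) -> tuple:
    """Return (tiles for one rectangular scan of the bounding box,
    tiles when each block is scanned separately and stitched,
    overhead ratio of the first over the second)."""
    bbox_tiles = len(tile_set(bounding_box(rects), tile))
    block_tiles = len(set().union(*(tile_set(r, tile) for r in rects)))
    return bbox_tiles, block_tiles, bbox_tiles / block_tiles


# Constructed floorplans on a 3000 x 3000 µm die (not measured from any real chip).
# T-shaped logic crossing the die edge to edge in both directions, as described
# for the SLE78: a horizontal bar along the top plus a vertical stem.
T_SHAPED_LOGIC = [Rect(0, 2500, 3000, 3000), Rect(1200, 0, 1700, 3000)]
# Compact central block, as described for the SmartMX2.
COMPACT_LOGIC = [Rect(900, 900, 2100, 2100)]
TILE_UM = 100.0  # assumed SEM field of view per picture

if __name__ == "__main__":
    for name, plan in (("T-shaped", T_SHAPED_LOGIC), ("compact", COMPACT_LOGIC)):
        bbox, blocks, ratio = scan_cost(plan, TILE_UM)
        print(f"{name}: bounding-box scan {bbox} tiles, "
              f"per-block scan {blocks} tiles, overhead x{ratio:.2f}")
```

With these constructed numbers the T-shaped floorplan costs 900 tiles as one rectangle versus 275 when scanned block by block, while the compact block has no overhead at all, which is the difference the two placements make for a scanner limited to rectangular areas.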
In any case, the question here is the following: did Infineon intentionally place its digital circuitry in that way to cause problems for reverse-engineers?
This question can of course be extended to other chip manufacturers. Is irregular placement of digital logic that reaches the sides of the chip a common practice?
To answer that question, we must look at a similar chip designed by a different manufacturer. As the Infineon SLE78 holds a Common Criteria EAL6+ certification, a look at another EAL6+ chip can give us some hints. There are not many choices here, so we chose to look at the SmartMX2 from NXP.
On that other IC, the digital logic forms a compact block that sits in the middle of the chip. This block only reaches the edge of the IC on one side, which suggests that the placement was not intended to slow down attackers.
The concept of placing important features of the IC on its very edge does not only apply to digital circuitry. Infineon also placed some memories there, whereas on the NXP IC they are clearly inside.
Placing memories on the edge of an IC does not always make sense, as bits are not always visible and imaging them is therefore not interesting. But when the memory is a ROM, bits can be found and imaged. By placing a ROM on the edge of the device, attackers may have difficulty imaging the bits because of the side effects. Nothing that will stop them, of course, as they can use several chips to retrieve the information or use a very careful mixed process to avoid the side effects.
In any case, this quick look at two of the most secure ICs currently available shows that placement strategy can differ greatly from vendor to vendor. It is hard to conclude whether Infineon placed its circuitry on the very edge of the die to make the life of IC Reverse-Engineers harder. What is certain, from the differences between these two products, is that there is no common practice for placement inside secure ICs.
To be continued…