August_EDFA_Digital

edfas.org 1 7 ELECTRONIC DEVICE FAILURE ANALYSIS | VOLUME 21 NO. 3

verification techniques requires a discerning look into the inspection/attack methodologies. Therefore, a taxonomy (Fig. 1) of physical inspection/attacks is presented based on sample preparation and the nature of the inspection/attacks process. Physical inspection/attacks can be performed noninvasively, semi-invasively, or invasively. In the past, when compared to noninvasive attacks, invasive and semi-invasive attacks were considered a lesser threat to security due to the requirement of equipment, expertise, and execution time. But in recent years, even though new features have been added, FA equipment is becoming cheaper and more accessible. Further, FIB and scanning electron microscopy (SEM) imaging systems are available in many academic/industry labs and can be rented for only a few hundred dollars per hour. Therefore, a surge in physical attacks is expected in the near future. Equally important, growth is also anticipated in physical inspection-based techniques to provide an effective means of security and trust verification.

NONINVASIVE PHYSICAL INSPECTION/ATTACK METHODS

A noninvasive inspection/attack attempts to extract assets without tampering with the packaging or structure of the chip/printed circuit board (PCB). Noninvasive attacks are executed actively or passively. Examples of active noninvasive attacks are fault injection techniques, brute force, and data remanence. Fault injection inspection/attack involves manipulating a chip in order to cause a transient fault in an operational chip to evaluate the fault-tolerance of the device. An adversary can use fault injection to bypass the security condition check. Brute force attack is a methodological application of a large key set to extract the exact crypto module key. Passive attacks like side-channel analysis have been studied extensively for exposing cryptographic keys or sensitive information.
In addition, side-channel signal analysis using transient and quiescent power, delay, and electromagnetic emanation has been widely proposed for trust verification against trojans. [1-2]

INVASIVE PHYSICAL INSPECTION/ATTACK METHODS

Invasive attacks require access to the internal components of a chip or PCB. Hence, depackaging and decapsulation are two common initial steps taken to prepare a sample. Invasive inspection/attacks leave tamper evidence in the chip due to the application of processes like plasma/wet etching or FIB. A successful invasive attack requires an expensive toolset like an SEM, FIB workstation, microprobing station, high-resolution optical microscope, plasma etcher, polisher, or simple chemical lab. Prevalent forms of invasive inspection/attacks include reverse engineering, electrical probing, and circuit edit.

REVERSE ENGINEERING

Reverse engineering of an IC involves analyzing the internal structure, connection for extracting design, stored information, and functionality of the chip. Subsystem-level reverse engineering is comprised of structural and information extraction (Fig. 1). Chip and PCB reverse engineering are common forms of structural reverse engineering. Full-blown chip reverse engineering is comprised of five steps.

1) Decapsulation: Exposes the internal die, lead frame, and die connecting components (bond wire and ball grid arrays). Decapsulation can be completed from front side or backside.

2) Delayering: Process of removing materials layer by layer for imaging and analysis. Wet/dry plasma etching, FIB, or polishing are used for delayering the chip.

3) Imaging: After exposing a new layer, high-resolution images are collected and stitched together for extracting netlists. Commonly, an optical microscope or SEM is used for imaging. In recent years, x-ray synchrotron and ptychography have been used to extract circuit connection information from a 14 nm node IC, nondestructively. [3] The technique is often referred to as nondestructive. However, because the samples for this type of imaging need to be as small as a few tens of microns, it is actually a destructive technique.

4) Annotation: All image features such as the active region, gates, capacitors, inductors, resistors, vias, contacts, and metal lines are annotated manually or by using image processing software.

5) Netlist and functionality extraction: Different components of the circuit layout are identified and the interconnection between components is obtained to fully extract the netlist. Figure 2 shows the steps and deprocessing/analysis methods used in chip reverse engineering.

PCB reverse engineering focuses on identifying all components on the board and the interconnection between them. PCB reverse engineering can be destructive or nondestructive. In a destructive method, delayering, removal of components, and imaging are performed iteratively, layer by layer. X-ray tomography is used for noninvasive imaging and extracting the internal structure of a PCB. [4] Later, the internal structure is analyzed to extract the PCB circuit connection diagram.
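The annotation and netlist-extraction steps above, applied to trust verification, as an added example that is not from the article: annotated metal lines, vias and pins are merged into nets with union-find, and the result is compared against a golden netlist to flag connectivity the design never had. The geometry model (axis-aligned centre lines on an integer grid), the pin names and the sample layouts are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample annotation (not data from the article).
# Segment: (layer, x1, y1, x2, y2), an axis-aligned metal centre line.
# Via: (lower_layer, x, y), joining lower_layer and lower_layer + 1.
CLEAN_SEGMENTS = [(1, 0, 0, 4, 0), (2, 4, 0, 4, 3), (1, 0, 2, 2, 2)]
CLEAN_VIAS = [(1, 4, 0)]
PINS = {"U1.Y": (1, 0, 0), "U2.A": (2, 4, 3),
        "U3.Y": (1, 0, 2), "U4.A": (1, 2, 2)}
GOLDEN = [{"U1.Y", "U2.A"}, {"U3.Y", "U4.A"}]
# Same layout with one extra M1 stub and via, as an inserted tap would appear.
TAMPERED_SEGMENTS = CLEAN_SEGMENTS + [(1, 2, 2, 4, 2)]
TAMPERED_VIAS = CLEAN_VIAS + [(1, 4, 2)]

def on_segment(seg, layer, x, y):
    l, x1, y1, x2, y2 = seg
    return (l == layer and min(x1, x2) <= x <= max(x1, x2)
            and min(y1, y2) <= y <= max(y1, y2))

def touch(a, b):
    # Axis-aligned lines on one layer touch when both coordinate ranges overlap.
    return (a[0] == b[0]
            and max(min(a[1], a[3]), min(b[1], b[3])) <= min(max(a[1], a[3]), max(b[1], b[3]))
            and max(min(a[2], a[4]), min(b[2], b[4])) <= min(max(a[2], a[4]), max(b[2], b[4])))

def extract_nets(segments, vias, pins):
    parent = list(range(len(segments)))          # union-find over segments
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i
    for i, a in enumerate(segments):
        for j in range(i):
            if touch(a, segments[j]):
                parent[find(i)] = find(j)
    for layer, x, y in vias:                     # a via merges both layers at (x, y)
        hits = [i for i, s in enumerate(segments)
                if on_segment(s, layer, x, y) or on_segment(s, layer + 1, x, y)]
        for i in hits[1:]:
            parent[find(i)] = find(hits[0])
    nets = defaultdict(set)
    for pin, (layer, x, y) in pins.items():      # group pins by the net they land on
        for i, s in enumerate(segments):
            if on_segment(s, layer, x, y):
                nets[find(i)].add(pin)
    return {frozenset(p) for p in nets.values()}

def diff_netlist(extracted, golden):
    golden = {frozenset(n) for n in golden}
    return {"unexpected": extracted - golden, "missing": golden - extracted}
```

On the tampered layout the two golden nets collapse into one four-pin net, so both golden nets are reported missing and the merged net is reported unexpected.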
