May_EDFA_Digital

edfas.org ELECTRONIC DEVICE FAILURE ANALYSIS | VOLUME 23 NO. 2 10

SECURITY ASSESSMENT OF IC PACKAGING AGAINST OPTICAL ATTACKS (continued from page 8)

In recent years, different security-sensitive components in modern ICs have shown their susceptibility to optical attacks. PEA and LFI have already been used for exposing the cryptographic keys stored in on-chip NVM like ROM, EEPROM, and Flash. [19,20] Therefore, the common assumption about the existence of tamper- and read-proof NVM is no longer valid. Critical information like firmware, algorithms, sensitive data, and device configuration is stored in the embedded NVM. Hence, protecting the embedded NVM from the optical attack approach can primarily reduce the attack surface available to the adversary.

Secured key storage, such as a physical unclonable function (PUF) or OTP memory (for example, efuse, antifuse), can also be read using optical analysis. For example, an adversary can de-process the IC with FA tools and localize the efuse on the die, followed by OBIRCH analysis for reading the efuse value. [21] A PUF generates keys from the intrinsic properties of the device. [3] PUFs have demonstrated vulnerabilities against several non- and semi-invasive attacks, like photonic emission analysis and laser fault injection. Besides, thermal laser stimulation can read the output of an SRAM PUF after the clock of the circuit is turned off. [22]

In SOC architecture, cache memory is an attractive attack target for an adversary, as cache memory is used for temporarily storing data that is about to be used. Static random-access memory (SRAM) is widely used as cache memory in different secured SOCs. The objective of an adversary is to use an optical attack, such as PEA, as side-channel information for exposing SRAM memory contents. Time-integrated and time- and spatially resolved measurements of SRAM emission can be extracted with PEA and PICA, respectively. Therefore, a combination of spatial information from PEA and temporal information from PICA enables an adversary to extract the cache memory location as well as the contents. [2,23] Furthermore, the state of an SRAM gate can also be changed using the LFI attack. [24]

The RDLs and TSVs of interposer and 3D-type advanced packaging carry sensitive input-output information during the circuit's operation and functionality. Moreover, in advanced packaging, the chips are placed in a flip-chip orientation, exposing them to backside attacks. In electrical probing, localizing the input-output without access to the netlist of a chip is a challenging task for an attacker. However, an attacker can localize the input-output in the package and the flip-flop in the chip if they do the proper sample preparation and have access to a laser scanning microscope (LSM). Then, they can learn the frequency of the die from the datasheet or other publicly available documents. [25] Thereafter, they can use EOFM to localize the flip-flop and optically probe the flip-flops or logic gates with EOP. Furthermore, EOFM and PEA also facilitate locating the secured circuitry, such as the AES module, [6] cores, cache location, [18] and signal propagation path. [6,23]

Fig. 6 (a) Optical probing from the chip frontside. (b) Optical probing from the chip backside.
