On a New Way to Read Data from Memory

David Samyde


Abstract
This paper explains a new family of techniques to extract data from semiconductor memory, without using the read-out circuitry provided for the purpose. What these techniques have in common is the use of semi-invasive probing methods to induce measurable changes in the analogue characteristics of the memory cells of interest. The basic idea is that when a memory cell, or read-out amplifier, is scanned appropriately with a laser, the resulting increase in leakage current depends on its state; the same happens when we induce an eddy current in a cell. These perturbations can be carried out at a level that does not modify the stored value, but still enables it to be read out. Our techniques build on a number of recent advances in semi-invasive attack techniques [1], low temperature data remanence [2, 3], electromagnetic analysis [4] and eddy current induction [5]. They can be used against a wide range of memory structures, from registers through RAM to FLASH. We have demonstrated their practicality by reading out DES keys stored in RAM without using the normal read-out circuits. This suggests that vendors of products such as smartcards and secure microcontrollers should review their memory encryption, access control and other storage security issues with care.

Index Terms
Smartcards, tamper resistance, data remanence, electromagnetic security, semi-invasive attacks, optical probing, eddy current attack.

1 Introduction
The goal of this work was to explore new ways of recovering data directly from the memory of smartcards and other security processors without using the read operations provided by their vendors for that purpose, thereby circumventing any access controls and reading out secret data directly.

The traditional way of reading out data from smartcard memories involved an invasive attack using mechanical probing, usually of the processor's bus [6, 7]. Such attacks involve physically depackaging the chip and reading out its internal state by making direct electrical connections to internal components using microprobes. This is becoming more difficult for a number of reasons, ranging from shrinking feature sizes to the use of hardware access control circuits for on-chip memory.

Recently, our two teams have been developing semi-invasive attacks, in which the chip is still depackaged, but where no direct electrical contact is made and the chip passivation remains intact. Examples of such attacks include optical probing [1], in which a laser is used to induce a transient fault in one or more gates in such a way as to cause information leakage; and eddy current attacks, in which a similar effect is achieved by bringing a small coil close to the surface of the chip and inducing a large transient magnetic field [5].


Figure 1: The architecture of an SRAM cell

The natural progression from this attack technology was to investigate whether semi-invasive techniques can be used to read out the state of a memory cell in a nondestructive way. The answer, as we shall see, is yes. We will describe the techniques in the context of CMOS RAM, but they have much wider applicability.

2 Optical Read-out of CMOS RAM
The structure of a typical SRAM cell is shown in figure 1. Two inverters are built from pairs of p- and n-channel transistors. The output of the first inverter is connected to the input of the second, and vice versa. Two n-channel transistors are used to read data from the cell and write data into it. A read-write amplifier based on a differential structure gives access to the cell (figure 2).


Figure 2: Internal structure of a RAM (amplifiers and cells)

To analyze the structure of SRAM memory we used a red laser focused on the chip surface using a microscope. As photons from the red laser (650nm wavelength) have energy larger than the silicon band gap, they will ionize active areas inside the chip. If the photons reach the area near p-n junctions, a photocurrent will be produced due to the photovoltaic effect. When the photons hit the p- or n-channel area, this will decrease the resistance of the channel by injecting free carriers. In each CMOS inverter there are six p-n junctions; there are also two resistors corresponding to the n- and p-channels.

The fact that enables us to read a memory cell's state is that the decrease in resistance is noticeable for closed channels, and almost negligible for open channels. Thus, by aiming the laser beam at an appropriate transistor or transistors, we can distinguish between the two possible memory states. (A similar technique was used in [1] to switch the state of memory bits; nondestructive read-out involves using a lower-power laser beam.)

In our first experiment, we built a map of the active areas in a microcontroller by measuring the photocurrent induced by laser scanning the chip surface. The chip was mounted on an X-Y motorized stage with 0.1 µm resolution. The result of the scan is shown in figure 3. The active areas can be seen as they produce higher current, but most of the chip is covered with metal layers which the laser cannot penetrate, so these areas do not produce any current. We used this picture as a reference for the results obtained from a powered chip.

Our next experiment was done with an operating chip. It was programmed to allow us to upload any value into its RAM and then stop the chip operation. The result of the scanning with memory cells loaded with random data is shown in figure 4. It can be seen that memory cells have different states: where the cell holds a '1' the top is brighter, and where it is a '0' the bottom is. Thus the sixteen bits held in the locations scanned are

1 1 0 0
1 1 1 0
1 1 1 1
1 1 1 1
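The decoding rule just stated (reference map subtracted, then top half brighter means '1', bottom half brighter means '0') applied to a constructed scan, as an added illustration that is not part of the original paper; the pixel size of a cell, the contrast threshold and all intensity values are assumptions, and cells with too little contrast are reported as unreadable rather than guessed.

```python
"""Decode SRAM cell states from a laser photocurrent scan.

Added illustration of the read-out rule described in the paper. All scan
data is constructed; the cell geometry and contrast threshold are assumed.
"""
from typing import List, Optional

CELL_H, CELL_W = 4, 4  # assumed pixel size of one memory cell in the scan
MIN_CONTRAST = 1.0     # assumed: smaller mean top/bottom difference is unreadable

Grid = List[List[float]]
Bits = List[List[Optional[int]]]

# The sixteen bits reported for the figure 4 scan in the paper.
PAPER_BITS: Bits = [[1, 1, 0, 0], [1, 1, 1, 0], [1, 1, 1, 1], [1, 1, 1, 1]]


def subtract_reference(powered: Grid, reference: Grid) -> Grid:
    """Remove the static active-area photocurrent seen on the unpowered chip."""
    return [[p - r for p, r in zip(prow, rrow)] for prow, rrow in zip(powered, reference)]


def cell_region(scan: Grid, row: int, col: int) -> Grid:
    """Cut the CELL_H x CELL_W pixel block belonging to cell (row, col)."""
    r0, c0 = row * CELL_H, col * CELL_W
    return [line[c0:c0 + CELL_W] for line in scan[r0:r0 + CELL_H]]


def decode_cell(block: Grid) -> Optional[int]:
    """1 if the top half is brighter, 0 if the bottom half is, None if unclear."""
    half = len(block) // 2
    top = sum(map(sum, block[:half]))
    bottom = sum(map(sum, block[half:]))
    if abs(top - bottom) < MIN_CONTRAST * half * len(block[0]):
        return None  # contrast too low to decide (e.g. laser power too small)
    return 1 if top > bottom else 0


def decode_scan(powered: Grid, reference: Grid) -> Bits:
    """Decode every cell of a powered scan against its unpowered reference."""
    diff = subtract_reference(powered, reference)
    rows, cols = len(diff) // CELL_H, len(diff[0]) // CELL_W
    return [[decode_cell(cell_region(diff, r, c)) for c in range(cols)]
            for r in range(rows)]


def synthesize_scan(bits: Bits, baseline: float = 2.0, contrast: float = 3.0):
    """Constructed data: uniform active-area current in the reference map, plus
    extra current in the top half of '1' cells and the bottom half of '0' cells.
    A None bit yields a cell with no contrast at all."""
    height, width = len(bits) * CELL_H, len(bits[0]) * CELL_W
    reference = [[baseline] * width for _ in range(height)]
    powered = [row[:] for row in reference]
    for r, row in enumerate(bits):
        for c, bit in enumerate(row):
            for dy in range(CELL_H):
                in_top = dy < CELL_H // 2
                if bit is not None and in_top == (bit == 1):
                    for dx in range(CELL_W):
                        powered[r * CELL_H + dy][c * CELL_W + dx] += contrast
    return powered, reference


if __name__ == "__main__":
    for line in decode_scan(*synthesize_scan(PAPER_BITS)):
        print(" ".join("?" if b is None else str(b) for b in line))
```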


Figure 3: Laser scan of unpowered memory


Figure 4: Laser scan of powered-up memory with state

Our experiments are somewhat similar to results published by Sandia Labs [8], but with a number of differences. They were done without using extremely expensive laser scanning microscopes; we scanned the chip from its top side; and instead of sending constant current through the chip, we used a constant voltage supply and measured current as in a standard power analysis [9].

3 Electromagnetic attack
It is also possible to use electromagnetic induction to scan a semiconductor. In [5] we explained a low-cost attack in which we used a camera flash, a needle and some wire to insert faults into a cryptographic processor. We built a miniature inductor by wrapping several hundred turns of fine wire around the tip of a microprobe needle. A current injected into this coil will create a magnetic field, and the needle will concentrate the field lines. We obtained the current from a camera, by connecting the coil where the flashbulb should have been. The test probe was then placed a few microns over the surface of the target processor. The magnetic field creates an eddy current in the chip, and we sensed this in order to build a map of the chip.


Figure 5: A map built using eddy current, and a picture of the same area


We experimented to see whether this fault induction technique could also be used for nondestructive read-out. With the same sensor we used to scan the chip, we created a small perturbation on a memory cell. Our idea was simple: to move for a very short time the polarization point of the transistors. As long as the polarization point does not return to its initial state at the same speed in both cases, it is possible to know if the transistor is locked at "0" or at "1". We therefore tried to do a timing attack. In practice we found that the timing difference was not enough to distinguish memory states; however, the intensity of the current necessary to recover the initial value of the polarization point was noticeably different between the zero state and the one state.

We managed to recover several bytes from static RAM and FLASH. The two architectures are very different when it comes to looking at one cell. But as long as the transistors do not react in the same way when their polarization point is not the same, it seems to be possible to measure the difference.

With our crude equipment, it turned out to be fairly difficult to create enough current on the chip without disturbing the content of any memory cells. In particular, read-write amplifiers are rather sensitive, and even a little perturbation of one of these components will drive the output of a whole row or column to a fixed value.

We have therefore focussed our practical research on refining the laser read-out method. However, with some combination of better equipment, improved lab technique and more sophisticated signal processing, we believe it may be practical to use electromagnetic techniques for memory read-out. It is certainly possible for us on a small scale, and needs to be considered for high-assurance products.

Thus, although it is helpful to give a smartcard chip an opaque passivation layer, it is not sufficient. A continuous metal layer would be preferable, though even this would not block attacks based on the use of infrared lasers through the rear of the chip, or the use of X-rays. For that, more active countermeasures are indicated, as we will discuss below.

4 Freezing and probing
The direct memory read-out techniques described above are effective but slow. They are adequate for reading out data from chips that can be stopped in the target state; however, smartcard chips typically have defences against under-clocking, such as reset circuitry or even some use of dynamic logic [7].

In [3] we explained how to freeze a static RAM in order to maintain the integrity of the data once the power has been switched off. We used the same technique, but replaced the Peltier plate by a cooling spray or liquid nitrogen. Frozen RAM maintains its content for significantly longer, from minutes to hours. We used this method to maintain data in SRAM in order to read its content offline. In particular, we froze a static RAM and recovered a 56-bit DES key.

We tested our attack on several static random access memories from different silicon manufacturers, and a few flash memories. We always managed to extract data by one method or another.

5 Countermeasures
A modern high-security smartcard will have its CPU implemented using random place-and-route, so that there are no visible registers; the transistors that make up the registers are scattered across the silicon. (Of course, for performance reasons they cannot be scattered too widely.) It will also have some kind of memory encryption, so that data written to and read from the bulk memory structures are at least lightly enciphered (doing more than a few rounds of a block cipher may impose a noticeable performance penalty; see [12]). However, in current designs, not all memory can be enciphered; the boot code and the master key have to be kept somewhere. Also, where bulk memory read-out becomes economical, ad-hoc ciphering techniques are likely to become vulnerable.

More attention should be paid to techniques such as the use of logic with built-in alarm propagation [10]. At the very least, it seems prudent to include low-temperature alarm sensors in smartcards, as well as sensors for ionising radiation of various kinds, from infrared through X-rays.

As feature sizes shrink, the opportunity should be seized to beef up memory encryption to the maximum extent consistent with allowable memory latency. The use of self-timed circuits can also help, as it makes it harder for an attacker to know when to freeze a circuit for analysis. Techniques for alarmed off-chip storage of cryptographic keys, as in [11], also bear further study. In the G3Card project, we have developed prototype smartcard microcontrollers based on self-timed redundant logic with built-in alarm propagation, which can deal with many of the concerns raised by the attack techniques described in this paper [12].

6 Conclusion
If valuable data are present in the clear in memory for just one clock cycle in a location that an attacker can deduce, and the state can be frozen (whether physically, using low temperature, or by some other means such as stopping the clock), then it is likely to be possible for an attacker to read this data out using optical or electromagnetic probing techniques. The investment in skills and equipment required to carry out such attacks is significantly lower than that needed for full invasive attacks. Hardware countermeasures will be necessary for any processors required to resist capable hardware attacks.

 
