Technical Report
Number 630
Computer Laboratory
UCAM-CL-TR-630
ISSN 1476-2986
Semi-invasive attacks –
A new approach to
hardware security analysis
Sergei P. Skorobogatov
April 2005
15 JJ Thomson Avenue
Cambridge CB3 0FD
United Kingdom
phone +44 1223 763500
http://www.cl.cam.ac.uk/
© 2005 Sergei P. Skorobogatov
This technical report is based on a dissertation submitted
September 2004 by the author for the degree of Doctor of
Philosophy to the University of Cambridge, Darwin College.
Technical reports published by the University of Cambridge
Computer Laboratory are freely available via the Internet:
http://www.cl.cam.ac.uk/TechReports/
ISSN 1476-2986
Abstract
Semiconductor chips are used today not only to control systems, but also to protect them
against security threats. A continuous battle is waged between manufacturers who invent new
security solutions, learning their lessons from previous mistakes, and the hacker community,
constantly trying to break implemented protections. Some chip manufacturers do not pay
enough attention to the proper design and testing of protection mechanisms. Even where they
claim their products are highly secure, they do not guarantee this and do not take any
responsibility if a device is compromised. In this situation, it is crucial for the design engineer
to have a convenient and reliable method of testing secure chips.
This thesis presents a wide range of attacks on hardware security in microcontrollers and
smartcards. This includes already known non-invasive attacks, such as power analysis and
glitching, and invasive attacks, such as reverse engineering and microprobing. A new class of
attacks – semi-invasive attacks – is introduced. Like invasive attacks, they require depackaging
the chip to get access to its surface. But the passivation layer remains intact, as these methods
do not require electrical contact to internal lines. Semi-invasive attacks stand between
non-invasive and invasive attacks. They represent a greater threat to hardware security, as they
are almost as effective as invasive attacks but can be low-cost like non-invasive attacks.
This thesis' contribution includes practical fault-injection attacks to modify SRAM and
EEPROM content, or change the state of any individual CMOS transistor on a chip. This leads
to almost unlimited capabilities to control chip operation and circumvent protection
mechanisms. A second contribution consists of experiments on data remanence, which show that
it is feasible to extract information from powered-off SRAM and erased EPROM, EEPROM
and Flash memory devices.
A brief introduction to copy protection in microcontrollers is given. Hardware security
evaluation techniques using semi-invasive methods are introduced. They should help
developers to make a proper selection of components according to the required level of
security. Various defence technologies are discussed, from low-cost obscurity methods to new
approaches in silicon design.
Acknowledgements
I would like to thank my supervisor Ross Anderson for his help throughout my research and for
encouraging my initial experiments with Static RAM data remanence, which in the end revealed
a much wider problem with data remanence in a wide range of semiconductor memory devices.
Without his help and promotion my initial discovery of fault injection attacks would not have
become so widely known. His help in proofreading my papers was invaluable. I would like to
thank Markus Kuhn for his helpful discussions and Richard Clayton for his help in
proofreading. I am grateful to the Department of Materials Science and Metallurgy for allowing
access to a FIB machine and fume cupboard, and in particular to Dae-Joon Kang and Nadia
Stelmashenko. I would like to thank Hyun-Jin Choi for his help in FIB work. I am very grateful
to Specialised Electronic Systems for their help in modelling the fault injection attacks and laser
scanning technique. I would like to thank my father Peter Skorobogatov for his helpful
discussions on semiconductor physics. The purchase of some equipment used was made
possible through the TAMPER hardware security laboratory support provided by NDS and
Hitachi. I would like to thank Radiolinija for allowing me access to their semiconductor testing
equipment necessary for some of my research. My research was supported by a European
G3Card project I took part in. I would like to thank Simon Moore who was the local
coordinator of this project in the Computer Laboratory.
Disclaimer
I do not accept any responsibility or liability for loss or damage occasioned to any person or
property through using material, instructions, methods or ideas contained herein, or acting or
refraining from acting as a result of such use. The reader must be aware of the danger involved
in some operations and refer to health and safety warnings for each particular product used. In
case of any doubt please seek professional advice.
The potential hazards include:
• Chemicals used for decapsulation and deprocessing. They contain very strong acids and
alkalis and could cause severe burns to eyes and skin. Adequate protective goggles
and gloves must be worn.
• Class 3B laser products used for depassivation and class 3R laser products used for laser
scanning and fault injection (visible and invisible laser radiation). Avoid eye and skin
exposure to direct and reflected radiation. Lasers can cause permanent damage to eyes
and severe burns to skin. Appropriate protective goggles must be worn.
• UV light used for erasing on-chip memories. Avoid eye and skin exposure, as these can
damage eyes and skin. Appropriate protective goggles must be worn.