3
Abstract
Semiconductor chips are used today not only to control systems, but also to protect them
against security threats. A continuous battle is waged between manufacturers who invent new
security solutions, learning their lessons from previous mistakes, and the hacker community,
constantly trying to break implemented protections. Some chip manufacturers do not pay
enough attention to the proper design and testing of protection mechanisms. Even where they
claim their products are highly secure, they do not guarantee this and do not take any
responsibility if a device is compromised. In this situation, it is crucial for the design engineer
to have a convenient and reliable method of testing secure chips.
This thesis presents a wide range of attacks on hardware security in microcontrollers and
smartcards. This includes already known non-invasive attacks, such as power analysis and
glitching, and invasive attacks, such as reverse engineering and microprobing. A new class of
attacks – semi-invasive attacks – is introduced. Like invasive attacks, they require depackaging
the chip to get access to its surface. But the passivation layer remains intact, as these methods
do not require electrical contact to internal lines. Semi-invasive attacks stand between non-
invasive and invasive attacks. They represent a greater threat to hardware security, as they are
almost as effective as invasive attacks but can be low-cost like non-invasive attacks.
This thesis’ contribution includes practical fault-injection attacks to modify SRAM and
EEPROM content, or change the state of any individual CMOS transistor on a chip. This leads
to almost unlimited capabilities to control chip operation and circumvent protection
mechanisms. A second contribution consist of experiments on data remanence, which show that
it is feasible to extract information from powered-off SRAM and erased EPROM, EEPROM
and Flash memory devices.
A brief introduction to copy protection in microcontrollers is given. Hardware security
evaluation techniques using semi-invasive methods are introduced. They should help
developers to make a proper selection of components according to the required level of
security. Various defence technologies are discussed, from low-cost obscurity methods to new
approaches in silicon design.
