comprehensive laser sensitivity profiling and data ...math-sa-sara0050/space16/slides/space... ·...
TRANSCRIPT
Universidad Politécnica de Madrid
Doctoral Thesis Dissertation
Comprehensive Laser Sensitivity Profiling and Data Register Bit-Flips For Fault Injection in 65 nm FPGA
Wei He1,2, Jakub Breier1,2, Dirmanto Jap1,3, Shivam Bhasin1,2,Hock Guan Ong2,4, Chee Lip Gan2,4
1 Physical Analysis and Cryptographic Engineering (PACE)2 Temasek Laboratories3 School of Physical & mathematical Sciences4 School of Materials Science & EngineeringNanyang Technological University (NTU), Singapore
SPACE 2016, Hyderabad, India.Dec 16, 2016.
2SPACE 2016, Hyderabad India.
1. Context
2. Chip Preparation
3. Laser Sensitivity Profiling
4. Conclusions
Presentation Outline
3SPACE 2016, Hyderabad India.
CONTEXT
4SPACE 2016, Hyderabad India.
Fault Injection Background
The main purpose of injecting faults is to observe the error in responsescaused by the intentionally triggered faults for various analyses
• Fault tolerance and robustness of system• Assistant means for reverse engineering• Break SCA countermeasures• Sensitive computation errors in hardware cryptosystem for retrieving
secrets (e.g., DFA, safe-error, FSA, collision, round reduction, etc.)
Possible hardware environment for fault analysis
• Microcontroller• Smart card• ASIC• Programmable chip (FPGA, CPLD, etc.)
5SPACE 2016, Hyderabad India.
Possible Perturbation Solutions:
• Power Supply: Power Glitch, Under-Powering[J Blomer, et al: Fault based crytanalysis… 2003]
• Clock:Clock Glitch,Over-Clocking[M Agoyan, et al: On critical paths and .., 2010]
• Temperature Rise: slowing downing electrons/holes mobility[Hamid, H.B.E., et al: The sorcerer’s apprentice .., 2004]
• EM Turbulence: Eddy current caused by intense magnetic filed froma high voltage transient pulse in near-field
[A Dehbaoui, et al: Injection of transient faults…, 2012]
• Optical Impact:Laser, Intense White Light[SP Skorobogatov, et al: Optical fault induction attacks…, 2003]
Hardware Fault Injection Background
6SPACE 2016, Hyderabad India.
Fault Mechanism in Digital Logic
Transient fault
• Direct impact on Logic gate• Signal delay in combinatorial logic chain (SET)
Permanent fault (not permanent physical damage)
• Value flips in storage element (SEU)• Input turbulence from external phenomenons (laser, EM,voltage,
clock) dropped inside the “latching window” or..• Direct value flips on the storage cells (electron charge/discharge)• Possible on RAM, look-up-table, stored bitstream, etc., in FPGAs
7SPACE 2016, Hyderabad India.
CHIP PREPARATION
8SPACE 2016, Hyderabad India.
Challenges in FPGA Laser Perturbation (1/3)
Chip package• The die of FPGA chip is sealed in a case for better protection and
keeping persistent internal environment.• Chip must be at least partially decapsulated for effective laser
injection. (not necessary for EM injection)
The mainstream package can be classified into two styles• “Bonded-Wire”: Metal layers up, covered by polymer
(Lower logic/signal density, higher interconnect delay/noise, low-cost)• “Flip-Chip”: Silicon substrate up, normally covered by a metal lid
(Reduced signal/power-ground inductance, Higher signal density,smaller die size, expensive)
Polymer and dummy material
SubstrateFPGA resource array FPGA resource arraySubstrate
Thermal Interface Material (TIM)
Metal cover (Lid-heat spreader) is removed
(a) Bonded-Wire Package (b) Flip-Chip Package
9SPACE 2016, Hyderabad India.
Challenges in FPGA Laser Perturbation
Decapsulation solution for different package styles varies.
• For the “Bonded-Wire” package, chemical acid can be used to resolve the polymer layer to expose the metal layer.
Metal layers are difficult to be penetrated by pulse laser, so laser faultperturbation from frontside of FPGAs is not possible (constant lasercan cause permanent damage to chip).
However, it helps to measure the size of basic unit in FPGA logic array.
*Spartan-6 FPGA on Cmode-S6
Sectional view Front view
10SPACE 2016, Hyderabad India.
Previous Laser Fault injection
11SPACE 2016, Hyderabad India.
Towards Backside Laser Injection
Decapsulation solution for different package styles varies.
• For the “Flip-chip” package, precise equipment is relied on formechanically milling down the substrate layer.
• Original substrate thickness of Virtex-5 on Genesys boad is about300 μm. After process, it is reduced to 130 μm.
12SPACE 2016, Hyderabad India.
Backside Polishing Tool
Polishing Steps:1. Coarse polishing bit2. Fine polishing bit3. Colloidal polishing (~5μm)4. Colloidal polishing(~3μm)5. Fine Colloidal polishing(~100nm)
Parameters includes: Force, polishing bit rotating speed, polishing speedand duration depend on sample
Ultratec-1 ASAP backside polisher
13SPACE 2016, Hyderabad India.
Rationale For Backside Polishing Tool
milled down layer
front-side (multiple metal layers)
300 um
130 um
back-side (substrate)
diode pulse laser
objective lens
high-energy laser core
objective lens
• Thick substrate weakens the beam and limits the amount of charges in active layer• Thinned surface lead to better focusing of the beam• This process can be avoided for a strong laser source
14SPACE 2016, Hyderabad India.
Device under Test: Virtex 5 FPGA
15SPACE 2016, Hyderabad India.
• Substitution-Permutation Network (SPN)• 64 bit plaintext input• 80 bit key size• 4 bit S-Box• 31 encryption rounds
Lightweight block cipher: PRESENT-80
Target Block Cipher
pLayer4 bitS-box 0
S-box 15registersbitxor
64 bit
64 bit
64 bit
64 bit
64 bit
round controllerciphertext
plaintext
round keys
16SPACE 2016, Hyderabad India.
LASER SENSITIVITY PROFLING
17SPACE 2016, Hyderabad India.
Implementation Strategy
Laser surface scan to entire FPGA chip to find the sensitive region.Diode pulse laser based laser station is used.
• Chip size is around 1.2x1.2 cm2
• Several Present-80 are implemented together in parallel to occupythe available logic resources as much as possible.
• Ciphertexts for each PRESENT is checked and tagged to find relationship between affected area and affected PRESENT instance.
• Each PRESENT instance restricted to one CLB column pair. • Coarse grain scanning for localizing CLB columns• Next, fine grained scan to focus on individual CLB and Slices.• Used for estimating size of slices and flip-flops.
18SPACE 2016, Hyderabad India.
Impact of Substrate Thinning
Fault Plot
Valid Fault Invalid Fault
0 1,000 2,000 3,000 4,000 5,000 6,000 7,000 8,000 9,000 10,000 11,000 12,00
X
0
500
1,000
1,500
2,000
2,500
3,000
3,500
4,000
4,500
5,000
5,500
6,000
6,500
7,000
7,500
8,000
8,500
9,000
9,500
10,000
10,500
11,000
11,500
12,000
Y
Substrate Intact Substrate Thinned
19SPACE 2016, Hyderabad India.
Coarse Grain Scan: For CLB Column Mapping
• No faults in bitstream configuration, BRAM, DSP (latter two unused)• Faults from same cipher localized to indicate CLB Columns.• Successfully identified and mapped the CLB columns to the physical dimensions of
the chip. • Also BRAM = 4 CLB columns, DSP= 2 CLB columns
20SPACE 2016, Hyderabad India.
Fine Grain Scan: CLB Column Scan
• Focus on single PRESENT i.e. single CLB column with 10 CLB used (i.e 20 Slices)• Able to observe faults from all 20 slices• Single CLB column shows overlapped faults owing to large spot size• Estimated
• Inter-CLB distance ≈ 60∼80 μm,• Column Width ≈ 7∼15 μm,• Height ≈ 2500μm
02968 1 76534
02968 1 76534
02968( ) 1 76534 ( )
02968 1 76534
02968, 1 ( 76534 ,
02968 1 ) 76534
02968 1 76534
02968 ( ) 1 76534 ( )
02968 1 , 76534
02968 , 1 76534 ,
Fault Plot
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
20
5,781 5,782 5,783 5,784 5,785 5,786 5,787 5,788
X (µm)
2,735
2,736
2,737
2,738
2,739
2,740
2,741
2,742
2,743
2,744
2,745
2,746
2,747
2,748
2,749
2,750
2,751
2,752
2,753
2,754
2,755
2,756
2,757
2,758
2,759
2,760
2,761
2,762
2,763
2,764
2,765
Y (µ
m)
overlapped fault region, sensitive
for both slices.
faults from
slice_A
faults from
slice_B
One CLB Column Single CLB Scan
21SPACE 2016, Hyderabad India.
Single Slice Scan: Injecting Bit-Flips
• Scanned very small area of 6 × 13 μm2 • Equivalent bit-sets (3378) and bit-resets (3084)• Position closer to Flip-Flop A resulting in non-uniform distribution• Higher probability of single-bit flips which is a desired model• Estimated
• Inter-FF distance ≈ 227 nm,
Fault Distribution
Fault Model
22SPACE 2016, Hyderabad India.
Success Rate
• Minimum laser power vs probability of successful injection• Power varied from 0-100%• Selected a responsive injection point• Minimum Laser power ≈ 82%• For ≈ 100% success, laser power >96%
Success Rate
74 76 78 80 82 84 86 88 90 92 94 96 98 100
Power (%)
0
10
20
30
40
50
60
70
80
90
100
% o
f fa
ults
23SPACE 2016, Hyderabad India.
Central Fault Region
• Weird faults from central region• Inconsistent fault models and much lower power required (17-25%) • No bitstream modification register reset• RO response shows temporary power down (soft-reset)• Possible cause: embedded health sensors
Fau lt P lo t
6,0406,060
6,0806,100
6,1206,140
6,1606,180
6,2006,220
6,2406,260
6,2806,300
X
6,180
6,200
6,220
6,240
6,260
6,280
6,300
6,320
6,340
6,360
6,380
6,400
6,420
6,440
6,460
6,480
6,500
6,520
Region A
Region B
Remote faults
RO Response to CLB Fault
RO Response to Central Fault
24SPACE 2016, Hyderabad India.
CONCLUSIONS
25SPACE 2016, Hyderabad India.
Conclusions
• Successful backside laser fault in 65 nm FPGA was performed.• Results enhanced by mechanical substrate thinning.• Successful identification of critical architecture and internal component
information. • Gives key information on device architecture which helps:
• Plan countermeasures• Exploit device properties to strengthen sensitive targets.
Further Work:
• Extend to smaller technologies.• Investigate faults from central region.
Conclusions and Future Work
26SPACE 2016, Hyderabad India.
Thanks for your attention
Questions ?