Reverse Engineering of Chips

September 16, 2012 by Nakul

Author: Nakul Rao I

We have all studied VLSI, or atleast we will. So we know how chips are made, how integrated circuits are constructed. But now there is a new fast emerging field; that of reverse engineering integrated chips. Basically it’s the same as opening up your old toys to find out what exactly is inside it, how does it work, how does it compare to others. The same idea is applied to chips, but the entire process is much more complicated.

The first question that may pop into your mind is why anyone would do it. There are several answers to that question.

The most important reason is cryptography. A lot of hardware around you is responsible for the safe keeping of information. Mobile phones, smart cards, RFID tags, digital set top box and even your car keys have some aspect of cryptography involved in them at the circuit level. Most manufacturers do not use published standard algorithms such as DES/AES/RSA in their devices as these are considered to be very complex and expensive to be implemented at the circuit level. Instead manufacturers make use of their own proprietary algorithms which are weak. They rely on the fact that these are not published and without knowing the algorithm it is hard to decrypt data. Breaking such algorithms could be worth lot of money. Security algorithms such as Mifare are widely used in public systems for access control; however they have never been published. This was reversed engineered and it was found to be a very weak algorithm. It would be better if someone is able to point out to the customers that the security mechanisms that they trust so much are pretty weak due to negligence on the part of manufacturers, rather than finding it out the hard way. For instance, consider the card swipe type of locks in hotel doors. These can be easily cracked open by an Arduino which is an 8-bit microcontroller.

Reverse engineering of chips is also vital in patent infringement cases. How will you find out if a rival company is using your patented technology? It is possible by reverse engineering their chips. Several companies have cropped up that provide such services, the most notable being Flylogic and Chipworks.

So how are chips reverse engineered? Anyone familiar with VLSI would know that when chips are designed they form geometric patterns. The different logic cells and elements can be easily identified by their distinctive patterns. So first all the packaging has to be removed and then images are taken of the silicon layer by layer. The plastic and epoxy covering is removed using acetone and fuming nitric acid. That gives the actual chip. A chip can have several layers, the maximum being 13 or 14. Images must be taken of each of these individual layers. When an image of a layer is taken, it must be carefully polished. Polishing removes the last photographed layer and exposes the next layer. This process is continued until images of all the layers are obtained. The different images are then pieced together and various cells are identified from standard cell libraries. This is usually done by software. Finally the entire picture of the chip, its functional blocks and various circuit interconnections are obtained. The chip has been reversed engineered.

If a chip can be reverse engineered, it has a big impact on cryptography. If standard algorithms are not used, a hacker can look at the circuit and determine the algorithm. Even worse, he can directly get the data without worrying about the algorithm. Consider a modern day security chip. All data present in it is encrypted, say by a proprietary algorithm. But the ALU can operate only on plaintext. So the chip will include a decryption and an encryption unit. Data is encrypted before being sent to the ALU and its output is encrypted before storing. There are two weak links in the above case. The data can be tapped out when it is being sent from the decryption unit to the ALU and the plaintext is directly obtained. This idea is widely used to crack algorithms.

Another problem is with the storage of secret keys. The keys have to be stored within the chips and anyone who is able to reverse engineer these chips has access to the keys.

But does this mean that chip manufacturers have lost the war? Have the reverse engineers won? That is not exactly true. Chip manufacturers have come up with several methods to try and protect their chips from being reverse engineered.

Reverse engineering is done by removing each layer from the chip. So the manufacturers put a mesh of wiring running all over the chips top layer such that if there is no continuous path, the chip will not work i.e. the starting point and the ending point of the chip has to be connected for the chip to function. This does not provide a lot of security as the mesh layer can be removed and the two points can later be shorted.

Another important method is to use glue logic instead of using standard cell libraries. This makes identifying logic cells difficult but not impossible. Decreasing the feature size also helps since the cost of reverse engineering a chip goes up as feature size decreases.

Reverse engineering of chips is a very vast field and I have tried to give a basic introduction to this exciting field. There is still much to explore. You can find a lot more information and some amazing images in the following links.