From travish@dejanews.com Sat Nov 15 03:29:23 1997 Date: Mon, 08 Sep 1997 16:28:05 -0500 From: Travis Hassloch To: best-of-security@cyber.com.au Subject: BoS: Tamperproofing of Chip Cards Resent-Date: Thu, 11 Sep 1997 02:12:19 +1000 (EST) Resent-From: best-of-security@cyber.com.au I found this in our database. I've never seen it before. I found it pretty interesting, despite being somewhat old. Truncation in original. * * * * * TAMPERPROOFING OF CHIP CARDS Ross J. Anderson Cambridge University Computer Laboratory Pembroke Street, Cambridge CB2 3QG Email: ross.anderson@cl.cam.ac.uk Abstract There are two ways of attacking smartcards - destructive reverse engineering of the silicon circuit (including the contents of ROM), and discovering the memory contents by other means; a well equipped laboratory can do both. Persistent amateurs have often managed the latter, and may shortly be able to do the former as well. 1 Reverse engineering the chip A recent article[1] gives a good introduction to how reverse engineering can be carried out in a moderately well equipped academic microelectronics laboratory (there are three such in the UK, and perhaps two hundred academic or industrial facilities worldwide which can carry out such work). We will start off by summarising it and giving some background. 1.1 How attacks are done The authors of the article cited above worked at the Cambridge University microelectronics lab, which is part of the department of physics. They got interested in reverse engineering chips five years ago to help an industrial client locate manufacturing defects. They built an apparatus which consists of a slightly modified electron beam lithography machine (this functions in effect as an electron microscope) and a PC with an image processing system (a DCT chip and locally written software). They then developed techniques for etching away a layer at a time without doing too much damage. Conventional wet etching causes too much havoc with half micron chips, so dry etching is used in which gases such as CF4 or HF strip off layers of silica and aluminium in turn. One of their innovations is a technique to show up N and P doped layers in electron micrographs. This uses the Schottky effect: a thin film of a metal such as gold or palladium is deposited on the chip creating a diode effect which can be seen with the electron beam. Finally, image processing software has been developed to spot the common chip features and reduce the initially fuzzy image of the metal tracks into a clean polygon representation. There are also routines to get images of successive layers, and of adjacent parts of the chip, in register. The system has been tested by reverse engineering the Intel 80386 and a number of other devices. The 80386 took two weeks; it takes about six instances of a given chip to get it right. The output can take the form of a mask diagram, a circuit diagram or even a list of the library cells from which the chip was constructed. This is typical of the kind of attack which an academic lab can mount. Even more sophisticated attacks, invented at Sandia National laboratories and recently published[2], involve looking through the chip. Light-Induced Voltage Alteration is a non- destructive technique that involves probing operating ICs from the back side with an infrared laser to which the silicon substrate is transparent. The photocurrents thus created allow probing of the device's operation and identification of logic states of individual transistors. Low-Energy Charge Induced Voltage Alteration relies on a surface interaction phenomenon that produces a negative charge-polarization wave using a low- energy electron beam generated by a scanning electron microscope. This allows imaging the chip to identify open conductors and voltage levels without damage, although it does not operate through metalization layers. Of course, even more sophisticated techniques may be available in classified government facilities. 1.2 The threat to smartcard systems Smartcards typically have a few kilobytes of ROM, which being metal can be read with the above techniques; a few hundred bytes of RAM, which being cleared between transactions stores no long term secrets; and a few kilobytes of EEPROM, which typically holds the user data and key material. The techniques described above are not directly relevant to reading out EEPROM. However any laboratory at the level under consideration would be able to determine EEPROM contents using microprobe techniques. More simply, a reverse engineering operation would pinpoint the physical location of the write protect bit, which could then be reset using ultraviolet light. As mentioned, the number of organisations worldwide which can do electron beam lithography is of the order of 100-200. These potential attackers include a number of universities, all the big chip makers and the governments of the USA, Canada, the UK and China. Of these, the US and Chinese governments appear to have the greatest experience at chip breaking. For a respectable firm to join this club costs about $2m - $1.5m for the electron beam lithographer and ancilliary equipment, plus a year's salary for about five professionals to get it all going (typically a physicist to deal with the ion beams, a chemist to deal with packaging, two computer people to write software, and a chip person to run the whole operation). The number of club members may rise as more and more firms, especially in the Far East, start producing ASICs. However it is not likely that electron beam lithography will ever become a really widespread technology. The total number of sites with the capability to do regular hi-tech attacks might rise to about 1000 at most. An outsider without $2m still has a number of options. For ex- ample, there are three universities in the UK alone which possess the necessary equipment (Cambridge, Edinburgh and Southampton) and an attacker might enrol for a PhD or other degree in order to acquire access and training. It is also possible to use more primitive equipment at the cost of spending months rather than weeks on each reconstruction; this is apparently the approach of the Chinese government, and could be viable where workers are paid little (or are expecting a share of large criminal profits). Finally, there are apparently places in the Far East, and at least one in Silicon Valley, which reverse engineer chips for cash. How much cash, and how many questions would be asked, are not known to this writer. 1.3 Possible defences A number of copy trap features are incorporated into commercial chip designs. For example, we have heard of design elements that look like a transistor, but are in reality only a connection between gate and source; and 3-input NORs which function only as 2-input NORs. Many of these copier traps are based on holes in isolating layers or on tricks done in the diffusion layer with ion implantation (based on the assumption that it is hard to distinguish N from P). However the layer etching and Schottky techniques developed by Haroun Ahmed's team can detect such traps. Another possibility is to introduce complexity into the chip layout and to use nonstandard cell libraries. However the chip still has to work, which limits the complexity; and nonstandard cells can be reconstructed at the gate level and incorporated in the recognition software. Finally, in the Clipper chip there are a number of silicon features, of which the most important is a fusible link system. These links are only fused after fabrication and hold the long term key and other secret aspects of the chip. Details can of course be found in a paper in the relevant data book[3], and from the scanning electron micrographs there, it is clear that the secret information can be recovered by sectioning the chip. This technique has been used by Professor Ahmed's team on occasion on obscure features in other chips. Thus the effect of current silicon level copy traps is just to slow down the attacker. In fact, we have heard from a usually reliable source that Intel has reverse engineered the Clipper chip, but that the results have been classified. The same appears to be the case for chemical measures. Chips intended for classified military use are often protected by passivation layers of a tenacity never encountered in civilian packaging[4]. But here again, informed sources agree that with enough effort, techniques can be developed to remove them. 1.4 Relevance to smartcard products We understand that neither silicon copy traps not advanced passivation techniques are used by smartcard manufacturers in the bulk of their products. The marketing director of a smartcard manufacturer said that they simply had no demand from their users for anything really sophisticated[5]. The most that appears to be done is an optical sensor under an opaque coating[6]. Hi-tech techniques may indeed have been used by commercial pirates to duplicate satellite TV smartcards[7]. Recent postings to a TV hackers' mailing list recount how an undergraduate used nitric acid and acetone to remove ICs intact from Sky-TV smartcards; he then put them in the University's electron beam tester (an ICT 8020, also sold as the Advantest E 1340 - a 1991 machine). The chips were run in a test loop, but he had been unable to remove the silicon nitride passivation layer; the many secondary electrons removed from this caused it to get charged positive very quickly, which obscured the underlying circuit. He did not have access to a dry etching facility to remove this layer, and could get no further. However it is significant that a person with no funding or specialist knowledge could get even this far. However, amateur hackers have managed to break smartcard security without having to penetrate the device physically. Instead, they have used flaws in the design of the card's hardware or software to determine its contents. 2 Determining the EEPROM contents Many methods have been employed to determine the EEPROM contents of smartcards. In addition to the very general reverse engineering techniques described above, there are a lot of shortcut attacks on particular designs. 2.1 How attacks are done The following list is not exhaustive: o raising the supply voltage above its design limit; o cutting the supply voltage below its design limit; o resetting random memory locations using ultraviolet light until the read protect bit is found; o exploiting misfeatures in the hardware, including the manufacturer supplied ROM code; o exploiting misfeatures in the customer written EEPROM code (current attacks on UK satellite TV systems take this route); o some combination of the above. The appendix contains accounts from a hacker mailing list of two actual attacks carried out on chips. 2.2 Threat assessment All systems have bugs, and so the level of threat to smartcard systems presented by exploitable loopholes is a function of how many bugs remain (i.e. how mature the design is) and how much effort is spent in looking for them (i.e. how many motivated attackers there are). This in turn depends on the application area. Satellite TV systems attracted a great many attackers for historical reasons; in the USA, many rural households had got into the habit of watching satellite TV feeds as there were no terrestrial stations in range, even although these feeds were intended for rebroadcast rather than direct consumption. When the feeds were encrypted, the families who depended on them for their news and entertainment - and often could not buy decoders through any legal channel - were outraged. In Europe, a similar problem arose when the final season of 'Star Trek: The Next Generation' was encrypted. This program's fans included many with appropriate skills, and soon (March 94) there appeared a program called Season which decoded Sky TV. Since then, there has been a battle of wits between Sky and the Trekkies, which has probably cost Sky somewhere between $10 million and $100 million. On May 18th 1994, Sky changed from issue 07 cards to their new issue 09 card. Hackers refer to May 18th as Dark Wednesday. The 09 card proved harder to hack but a temporary solution appeared in June. It only lasted a few weeks before Sky changed codes again. Though some attempts at an issue 09 Season were made, a code change by Sky stopped it until just before Christmas. Then no less than three new versions of Season appeared - two for the PC and one for the MAC. Successive code changes on January 4th and January 25th led to further updates of Season, and by about 8th March all the secrets in the Sky 09 card were known - and published! Hackers are awaiting the release of series 10 Sky cards with relish. In addition to the attacks on satellite TV, there have been a number of attacks on banking systems and prepayment electricity meter systems which are documented in three of my recent papers [8, 9, 10] Most of the attacks documented there resulted from similarly opportunistic exploitation of design and operational errors, and some of the target systems were based on smartcards. Finally, some concern has been expressed that attack skills may be transferable. For example, a banking industry security expert is worried that the satellite TV hacking community might next turn its attention to eftpos systems. 2.3 Possible defences The main conclusion to be drawn from the above is probably that just as we do not know how to make a device which resists tampering by a funded organisation, we do not know how to build a device of any complexity to resist logical as opposed to physical tampering. There are a number of other lessons. For example, companies which rely on smartcard systems should if possible avoid making a lot of enemies. Diversity of attack has been significant in pay-TV, metering and banking systems and just as a funded organisation can break the silicon directly, so one must expect that many tinkering amateurs will eventually find a flaw in any piece of software. It is well known in the software testing community that a significant number of bugs come to light when a piece of software is passed on to another tester or to a customer; this is because different testers and/or users exercise different parts of the input space[11]. It is also imprudent to start off with weak security and then improve it gradually in response to attacks. The satellite TV people did this, and trained up a community of hackers. At some point, you must invest enough to put clear water between your systems and your opponents, and the sooner you make this investment the smaller it is likely to be. The main investment should be in getting the overall design right, or at least as right as one can, from the beginning. It is unwise to spend a lot of money on tamperproofing while ignoring the much simpler and dirtier attacks which exploit errors in design and operation. Quality control, and examination by multiple independent experts, should take priority over attempts to mimic the passivation techniques used by the military. After all, the three published attacks on Clipper all involve the logical design (key management protocols and modes of operation) rather than penetration of the device itself. 3 Conclusion At present, there are no portable tamperproof devices. If secrets are held on smartcards which are allowed outside protected spaces, then both physical and logical attacks should be expected. The scale of such attacks will depend on many things. If there is a capable motivated opponent, such as a chip maker or the government of a NATO country or China, then it must be assumed that a complete penetration will take at most weeks. If there are many less capable but still motivated opponents, then penetrations based on the opportunistic exploitation of design flaws are to be expected in due course. We conclude that systems based on portable tamper-resistant devices should be designed with caution. They should avoid motivating a determined attack on the cards, and the penetration of a small number of cards should not be fatal to the system owner. These considerations interact; for example, if the scope of secrets kept within the card is limited so that breaking a card allows access to only one bank account, then it is unlikely that an attack would be economic to an attacker or prove more than a minor nuisance to the card issuer. APPENDIX First account This short essay will show you how to read the EPROM of an AMD87C51, with all security programmed. ... the SM-card I had was programmed with both Lock bits and it was impossible to read out the IROM. But the data sheet also tells: To ensure proper functionality of the chip, the internally latched value of the EA pin must agree with its external state. Perhaps it was possible to confuse the processor. I build a small device with external EPROM (64KBytes) and RAM. The EPROM was coded with a monitor program in the upper address range which gives me the possibility to load and execute code by control of a PC. Starting the processor with external ROM access disables the access of the internal ROM and due to the latching of the EA pin during RESET, changes at the EA pin had no effect. Also the MOVC returns only external ROM values. Know my idea was to start the processor with internal ROM and then to confuse him so that he accesses the external EPROM and run into the monitor program. I tried ... But reduction of the power supply voltage works. At about 1,5 Volt the processor starts to access the external ROM. Rising the voltage back to 5 Volt the processor (most of the times) still run external, but with the possibility of access to the internal ROM... I programmed a small routine, which calls an address within the internal ROM and execute this. I started at the higher end of the internal ROM and decreased the calling address with each try by 10h. Most of the time the processor hangs up. But at some addresses I got a return to the monitor program. So I analysed this addresses and prepared the registers in a way to verify that the routine could read ROM data. And I found the routine which did this. So the internal ROM code reads itself and returns himself to the monitor program for storage. It took about 3 days to go through the ROM and find the routine and one long week to understand the code. Second account This short story shows how to get access to a secured 87C51 microcontroller. It's a different way, than the one described by .... Referring to his article, I assume, that this 87C51 microcontrollers and their features (including security bits) are known. The idea was, that the security bits are not located near the EPROM array on the silicon. After some tests in erasing standard EPROMS, I had the right tools to try it on a real device: With a mask designed from black, thick paper with a small hole in it, I started to lighten the silicon on the outer edges and sides. Moving the mask carefully and checking the security bits (by reading the device in a microcontroller programmer) after each try is a long job. I did additional tests to open the chip (by removing the windows or dividing the ceramic carrier material). But this always led to permanent damage to the chip (broken silicon, destroyed wires between pads and pins), so I gave this up. So after 4 destroyed chips the fifth was the right one. You have to be sure, that your mask is good prepared and the erasing light doesn't diffuse across the chip. No I'am able to erase such a device in less than 10 minutes. But ... it's only easy if the device is one of AMD or Philips. The Intel devices have a window, which is formed like a lens (the silicon looks very big). On this devices it's nearly impossible to lighten a specific part of the silicon. The job is easier on devices with standard window and a _big_ EPROM Array (seems to be devices aged two or more years). . . . if somebody is interested in the 4K codes of the MasterCard (bad and dirty code) or MovieCard (very elegant algorithm and i/o implementation), just gimme' a direct mail. Disassembled and commented listings in WinWord format are also available (comments in mixed English and German language). REFERENCES [1] 'Layout Reconstruction of Complex Silicon Chips', S Blythe, B Fraboni, S Lall, H Ahmed, U de Riu, IEEE J. of Solid-State Circuits v 28 no 2 (Feb 93) pp 138-145 [2] 'Two New Imaging Techniques Promise To Improve IC Defect Identification', C Ajluni, Electronic Design Vol 43 No 14 (10 July 1995) pp 37-38 [3] 'Conducting Filament of the Programmed Metal Electrode Amorphous Silicon Antifuse', KE Gordon, RJ Wong, International Electron Devices Meeting, Dec 93; reprinted as pp 6-3 to 6-10, QuickLogic Data Book, 1994 [4] see FIPS PUB 140-1 section 4 level 4: "Removal of the coating shall have a high probability of resulting in serious damage to the module" [5] Philippe Maes, GemPlus, during a panel discussion at Cardis 94 [6] message <CovCG9.581@apollo.hp.com> posted by Anne Anderson of Hewlett-Packard aha@apollo.HP.COM to sci.crypt 26 Apr 1994 [7] apparently tiny jets of hot acid have been used to remove the passivation layers over parts of the chip at a time [8] 'Why Cryptosystems Fail' [9] 'Liability and Computer Security - Nine Principles' [10] 'Cryptographic Credit Control in Pre-payment Metering Systems' All these can be got from http://www.cl.cam.ac.uk:/users/rja14/ [11] 'Thermodynamic description of the defects in large information processing systems', RM Brady, RC Ball, RJ Anderson, to appear -- Travis Hassloch / travish@dejanews.com / http://www.dejanews.com Deja News System Administration Group / "When news breaks... we fix it." PGP key C7FDD3D5 fgpt 7A 48 DD 46 E6 7F 11 E7 8F 7E 53 9A DF 33 9E FA