Design Principles for Tamper-Resistant Smartcard Processors

Oliver Kömmerling
Advanced Digital Security Research
Mühlstraße 7
66484 Riedelberg
Germany
ok@adsr.de

Markus G. Kuhn
University of Cambridge
Computer Laboratory
Pembroke Street
Cambridge CB2 3QG
United Kingdom
mgk25@cl.cam.ac.uk

Abstract

We describe techniques for extracting protected software and data from smartcard processors. This includes manual microprobing, laser cutting, focused ion-beam manipulation, glitch attacks, and power analysis. Many of these methods have already been used to compromise widely-fielded conditional-access systems, and current smartcards offer little protection against them. We give examples of low-cost protection concepts that make such attacks considerably more difficult.

1 Introduction

Smartcard piracy has become a common occurrence. Since around 1994, almost every type of smartcard processor used in European, and later also American and Asian, pay-TV conditional-access systems has been successfully reverse engineered. Compromised secrets have been sold in the form of illicit clone cards that decrypt TV channels without revenue for the broadcaster. The industry has had to update the security processor technology several times already and the race is far from over.

Smartcards promise numerous security benefits. They can participate in cryptographic protocols, and unlike magnetic stripe cards, the stored data can be protected against unauthorized access. However, the strength of this protection seems to be frequently overestimated.

In Section 2, we give a brief overview of the most important hardware techniques for breaking into smartcards. We aim to help software engineers without a background in modern VLSI test techniques to get a realistic impression of how physical tampering works and what it costs. Based on our observations of what makes these attacks particularly easy, in Section 3 we discuss various ideas for countermeasures. Some of these we believe to be new, while others have already been implemented in products but are either not widely used or have design flaws that have allowed us to circumvent them.

Proceedings of the USENIX Workshop on Smartcard Technology (Smartcard ’99), Chicago, Illinois, USA, May 10–11, 1999, USENIX Association, pp. 9–20, ISBN 1-880446-34-0.

2 Tampering Techniques

We can distinguish four major attack categories:

• Microprobing techniques can be used to access the chip surface directly, so that we can observe, manipulate, and interfere with the integrated circuit.
• Software attacks use the normal communication interface of the processor and exploit security vulnerabilities found in the protocols, cryptographic algorithms, or their implementation.
• Eavesdropping techniques monitor, with high time resolution, the analog characteristics of all supply and interface connections and any other electromagnetic radiation produced by the processor during normal operation.
• Fault generation techniques use abnormal environmental conditions to generate malfunctions in the processor that provide additional access.

All microprobing techniques are invasive attacks. They require hours or weeks in a specialized laboratory and in the process they destroy the packaging. The other three are non-invasive attacks. After we have prepared such an attack for a specific processor type and software version, we can usually reproduce it within seconds on another card of the same type. The attacked card is not physically harmed and the equipment used in the attack can usually be disguised as a normal smartcard reader.

Non-invasive attacks are particularly dangerous in some applications for two reasons. Firstly, the owner of the compromised card might not notice that the secret keys have been stolen, so it is unlikely that the validity of the compromised keys will be revoked before they are abused. Secondly, non-invasive attacks often scale well, as the necessary equipment (e.g., a small DSP board with special software) can usually be reproduced and updated at low cost.

The design of most non-invasive attacks requires detailed knowledge of both the processor and software. On the other hand, invasive microprobing attacks require very little initial knowledge and usually work with a similar set of techniques on a wide range of products. Attacks therefore often start with invasive reverse engineering, the results of which then help to develop cheaper and faster non-invasive attacks. We have seen this pattern numerous times on the conditional-access piracy market.

Non-invasive attacks are of particular concern in applications where the security processor is primarily required to provide tamper evidence, while invasive attacks violate the tamper-resistance characteristics of a card [1]. Tamper evidence is of primary concern in applications such as banking and digital signatures, where the validity of keys can easily be revoked and where the owner of the card already has all the access that the keys provide anyway. Tamper resistance is of importance in applications such as copyright enforcement, intellectual property protection, and some electronic cash schemes, where the security of an entire system collapses as soon as a few cards are compromised.

To understand better which countermeasures are of practical value, we first of all have to understand the techniques that pirates have used so far to break practically all major smartcard processors on the market. In the next section, we give a short guided tour through a typical laboratory of a smartcard pirate.

2.1 Invasive Attacks

2.1.1 Depackaging of Smartcards

Invasive attacks start with the removal of the chip package. We heat the card plastic until it becomes flexible. This softens the glue and the chip module can then be removed easily by bending the card. We cover the chip module with 20–50 ml of fuming nitric acid heated to around 60 °C and wait for the black epoxy resin that encapsulates the silicon die to completely dissolve (Fig. 1). The procedure should preferably be carried out under very dry conditions, as the presence of water could corrode exposed aluminium interconnects. The chip is then washed with acetone in an ultrasonic bath, followed optionally by a short bath in deionized water and isopropanol. We remove the remaining bonding wires with tweezers, glue the die into a test package, and bond its pads manually to the pins (Fig. 2). Detailed descriptions of these and other preparation techniques are given in [2, 3].

Figure 1: Hot fuming nitric acid (> 98% HNO3) dissolves the package without affecting the chip.

Figure 2: The depackaged smartcard processor is glued into a test package, whose pins are then connected to the contact pads of the chip with fine aluminium wires in a manual bonding machine.

2.1.2 Layout Reconstruction

The next step in an invasive attack on a new processor is to create a map of it. We use an optical microscope with a CCD camera to produce mosaics, several meters large, of high-resolution photographs of the chip surface. Basic architectural structures, such as data and address bus lines, can be identified quite quickly by studying connectivity patterns and by tracing metal lines that cross clearly visible module boundaries (ROM, RAM, EEPROM, ALU, instruction decoder, etc.). All processing modules are usually connected to the main bus via easily recognizable latches and bus drivers. The attacker obviously has to be well familiar with CMOS VLSI design techniques and microcontroller architectures, but the necessary knowledge is easily available from numerous textbooks [4, 5, 6, 7].

Figure 3: Left: CMOS AND gate imaged by a confocal microscope. Right: same gate after removal of metal layer (HF wet etching). Polysilicon interconnects and diffusion areas are now fully visible.

Photographs of the chip surface show the top metal layer, which is not transparent and therefore obscures the view of many structures below. Unless the oxide layers have been planarized, lower layers can still be recognized through the height variations that they cause in the covering layers. Deeper layers can only be recognized in a second series of photographs after the metal layers have been stripped off, which we achieve by submerging the chip for a few seconds in hydrofluoric acid (HF) in an ultrasonic bath [2]. HF quickly dissolves the silicon oxide around the metal tracks and detaches them from the chip surface. HF is an extremely dangerous substance and safety precautions have to be followed carefully when handling it.

Figure 3 demonstrates an optical layout reconstruction of a NAND gate followed by an inverter. These images were taken with a confocal microscope (Zeiss Axiotron-2 CSM), which assigns different colors to different focal planes (e.g., metal=blue, polysilicon=green) and thus preserves depth information [8]. Multilayer images like those shown in Fig. 3 can be read with some experience almost as easily as circuit diagrams. These photographs help us in understanding those parts of the circuitry that are relevant for the planned attack.

If the processor has a commonly accessible standard architecture, then we have to reconstruct the layout only until we have identified those bus lines and functional modules that we have to manipulate to access all memory values. More recently, designers of conditional-access smartcards have started to add proprietary cryptographic hardware functions that forced the attackers to reconstruct more complex circuitry involving several thousand transistors before the system was fully compromised. However, the use of standard-cell ASIC designs allows us to easily identify logic gates from their diffusion area layout, which makes the task significantly easier than the reconstruction of a transistor-level netlist.

Figure 4: The vias in this structure found in a ST16F48A form a permutation matrix between the memory readout column lines and the 16:1 demultiplexer. The applied mapping remains clearly visible.

Some manufacturers use non-standard instruction sets and bus-scrambling techniques in their security processors. In this case, the entire path from the EEPROM memory cells to the instruction decoder and ALU has to be examined carefully before a successful disassembly of extracted machine code becomes possible. However, the attempts at bus scrambling that we have encountered so far in smartcard processors were mostly only simple permutations of lines that can be spotted easily (Fig. 4).

Any good microscope can be used in optical VLSI layout reconstruction, but confocal microscopes have a number of properties that make them particularly suited for this task. While normal microscopes produce a blurred image of any plane that is out of focus, in confocal scanning optical microscopes everything outside the focal plane simply becomes dark [8]. Confocal microscopes also provide better resolution and contrast. A chromatic lens in the system can make the location of the focal plane wavelength dependent, such that under white light different layers
of the chip will appear simultaneously, but in different colors.

Automatic layout reconstruction has been demonstrated with scanning electron microscopy [9]. We consider confocal microscopy to be an attractive alternative, because we do not need a vacuum environment, the depth information is preserved, and the option of oil immersion allows the hiding of unevenly removed oxide layers. With UV microscopy, even chip structures down to 0.1 μm can be resolved. With semiautomatic image-processing methods, significant portions of a processor can be reverse engineered within a few days. The resulting polygon data can then be used to automatically generate transistor and gate-level netlists for circuit simulations.

Optical reconstruction techniques can also be used to read ROM directly. The ROM bit pattern is stored in the diffusion layer, which leaves hardly any optical indication of the data on the chip surface. We have to remove all covering layers using HF wet etching, after which we can easily recognize the rims of the diffusion regions that reveal the stored bit pattern (Fig. 5).

Figure 5: The data of this NOR ROM becomes clearly visible when the covering metal and polysilicon access lines plus the surrounding field oxide have been removed (HF wet etching). The image shows 16 × 10 bits in an ST16xyz. Every bit is represented by either a present or missing diffusion layer connection.

Some ROM technologies store bits not in the shape of the active area but by modifying transistor threshold voltages. In this case, additional dopant-selective staining techniques have to be applied to make the bits visible (Fig. 6). Together with an understanding of the (sometimes slightly scrambled, see Fig. 4) memory-cell addressing, we obtain disassembler listings of the entire ROM content. Again, automated processing techniques can be used to extract the data from photos, but we also know cases where an enthusiastic smartcard hacker has reconstructed several kilobytes of ROM manually.

Figure 6: The implant-mask layout of a NAND ROM can be made visible by a dopant-selective crystallographic etch (Dash etchant [2]). This image shows 16 × 14 bits plus parts of the row selector of a ROM found on an MC68HC05SC2x CPU. The threshold voltage of 0-bit p-channel transistors (stained dark here) was brought below 0 V through ion implantation.

While the ROM usually does not contain any cryptographic key material, it does often contain enough I/O, access control, and cryptographic routines to be of use in the design of a non-invasive attack.

2.1.3 Manual Microprobing

The most important tool for invasive attacks is a microprobing workstation. Its major component is a special optical microscope (e.g., Mitutoyo FS-60) with a working distance of at least 8 mm between the chip surface and the objective lens. On a stable platform around a socket for the test package, we install several micropositioners (e.g., from Karl Suss, Micromanipulator, or Wentworth Labs), which allow us to move a probe arm with submicrometer precision over a chip surface. On this arm, we install a “cat whisker” probe (e.g., Picoprobe T-4-10). This is a metal shaft that holds a 10 μm diameter and 5 mm long tungsten hair, which has been sharpened at the end into a < 0.1 μm tip. These elastic probe hairs allow us to establish electrical contact with on-chip bus lines without damaging them. We connect them via an amplifier to a digital signal processor card that records or overrides processor signals and also provides the power, clock, reset, and I/O signals needed to operate the processor via the pins of the test package.

On the depackaged chip, the top-layer aluminium interconnect lines are still covered by a passivation layer (usually silicon oxide or nitride), which protects the chip from the environment and ion migration. On top of this, we might also find a polyimide layer that was not entirely removed by HNO3 but which can be dissolved with ethylenediamine. We have to remove the passivation layer before the probes can establish contact. The most convenient depassivation technique is the use of a laser cutter (e.g., from New Wave Research).

Figure 7: This image shows 9 horizontal bus lines on a depackaged smartcard processor. A UV laser (355 nm, 5 ns) was used to remove small patches of the passivation layer over the eight data-bus lines to provide for microprobing access.

The UV or green laser is mounted on the camera port of the microscope and fires laser pulses through the microscope onto rectangular areas of the chip with micrometer precision. Carefully dosed laser flashes remove patches of the passivation layer. The resulting hole in the passivation layer can be made so small that only a single bus line is exposed (Fig. 7). This prevents accidental contacts with neighbouring lines, and the hole also stabilizes the position of the probe and makes it less sensitive to vibrations and temperature changes.

Complete microprobing workstations cost tens of thousands of dollars, with the more luxurious versions reaching over a hundred thousand US$. The cost of a new laser cutter is roughly in the same region.

Low-budget attackers are likely to get a cheaper solution on the second-hand market for semiconductor test equipment. With patience and skill it should not be too difficult to assemble all the required tools for even under ten thousand US$ by buying a second-hand microscope and using self-designed micropositioners. The laser is not essential for first results, because vibrations in the probing needle can also be used to break holes into the passivation.

2.1.4 Memory Read-out Techniques

It is usually not practical to read the information stored on a security processor directly out of each single memory cell, except for ROM. The stored data has to be accessed via the memory bus where all data is available at a single location. Microprobing is used to observe the entire bus and record the values in memory as they are accessed.

It is difficult to observe all (usually over 20) data and address bus lines at the same time. Various techniques can be used to get around this problem. For instance, we can repeat the same transaction many times and use only two to four probes to observe various subsets of the bus lines. As long as the processor performs the same sequence of memory accesses each time, we can combine the recorded bus subset signals into a complete bus trace. Overlapping bus lines in the various recordings help us to synchronize them before they are combined.

In applications such as pay-TV, attackers can easily replay some authentic protocol exchange with the card during a microprobing examination. These applications cannot implement strong replay protections in their protocols, because the transaction counters required to do this would cause an NVRAM write access per transaction. Some conditional-access cards have to perform over a thousand protocol exchanges per hour and EEPROM technology allows only 10⁴–10⁶ write cycles during the lifetime of a storage cell. An NVRAM transaction counter would damage the memory cells, and a RAM counter can be reset by the attacker easily by removing power. Newer memory technologies such as FERAM allow over 10⁹ write cycles, which should solve this problem.

Just replaying transactions might not suffice to make the processor access all critical memory locations. For instance, some banking cards read critical keys from memory only after authenticating that they are indeed talking to an ATM. Pay-TV card designers have started to implement many different encryption keys and variations of encryption algorithms in every card, and they switch between these every few weeks. The memory locations of algorithm and key variations are not accessed by the processor before these variations have been activated by a signed message from the broadcaster, so that passive monitoring of bus lines will not reveal these secrets to an attacker early.

Sometimes, hostile bus observers are lucky and encounter a card where the programmer believed that by calculating and verifying some memory checksum after every reset the tamper-resistance
could somehow be increased. This of course gives the attacker easy and immediate access to all memory locations on the bus and simplifies completing the read-out operation considerably. Surprisingly, such memory integrity checks were even suggested in the smartcard security literature [10], in order to defeat a proposed memory rewrite attack technique [11]. This demonstrates the importance of training the designers of security processors and applications in performing a wide range of attacks before they start to design countermeasures. Otherwise, measures against one attack can far too easily backfire and simplify other approaches in unexpected ways.

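The backfiring checksum is easy to see in a simulation. The following added example (written for this edit, not the paper's code; the memory layout, the key value and the function names are constructed) logs every bus read as a probe would see it, and compares a reset handler that checksums all of memory with one that touches the key only after the terminal has authenticated, as the banking cards mentioned earlier in this section do.

```python
# Constructed illustration (not the paper's code): a memory whose reads are
# visible to a bus observer, and two reset routines. Addresses, the key
# value and the function names are assumptions made for this example.
KEY_ADDR = 0x80
KEY_LEN = 8
CONSTRUCTED_KEY = bytes.fromhex("0123456789abcdef")   # sample key, not real


class ProbedMemory:
    """Memory image whose every bus read is logged as a probe would see it."""

    def __init__(self, image):
        self.image = bytearray(image)
        self.bus_trace = []            # list of (address, value) pairs

    def read(self, addr):
        value = self.image[addr]
        self.bus_trace.append((addr, value))
        return value


def make_image():
    """256-byte memory with the constructed key stored at KEY_ADDR."""
    image = bytearray(256)
    image[KEY_ADDR:KEY_ADDR + KEY_LEN] = CONSTRUCTED_KEY
    return image


def reset_with_checksum(mem):
    """Reset handler that verifies an additive checksum over all of memory.
    Every byte, key included, crosses the bus before any authentication."""
    checksum = 0
    for addr in range(len(mem.image)):
        checksum = (checksum + mem.read(addr)) & 0xFF
    return checksum


def reset_lazy(mem, terminal_authenticated):
    """Reset handler that leaves the key untouched until the terminal has
    authenticated itself; a passive observer of a cold reset sees nothing."""
    if not terminal_authenticated:
        return None
    return bytes(mem.read(a) for a in range(KEY_ADDR, KEY_ADDR + KEY_LEN))


def key_from_trace(mem):
    """What a passive bus observer can reassemble: the key bytes if all of
    them appeared on the bus, otherwise None."""
    seen = {addr: value for addr, value in mem.bus_trace}
    if all(a in seen for a in range(KEY_ADDR, KEY_ADDR + KEY_LEN)):
        return bytes(seen[a] for a in range(KEY_ADDR, KEY_ADDR + KEY_LEN))
    return None


def compare_designs():
    """Run both reset handlers on fresh memories and report what each leaks."""
    checked = ProbedMemory(make_image())
    reset_with_checksum(checked)
    lazy = ProbedMemory(make_image())
    reset_lazy(lazy, terminal_authenticated=False)
    return {"checksum_on_reset": key_from_trace(checked),
            "lazy_key_access": key_from_trace(lazy)}


if __name__ == "__main__":
    for design, leaked in compare_designs().items():
        print(design, "->", leaked.hex() if leaked else "key not on bus")
```

The point of the comparison is not the checksum algorithm but the access pattern: whatever integrity check a reset routine runs, every location it reads becomes part of the trace a bus observer collects, so the check must not touch data that should only be accessed after authentication.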
In order to read out all memory cells without the help of the card software, we have to abuse a CPU component as an address counter to access all memory cells for us. The program counter is already incremented automatically during every instruction cycle and used to read the next address, which makes it perfectly suited to serve us as an address sequence generator [12]. We only have to prevent the processor from executing jump, call, or return instructions, which would disturb the program counter in its normal read sequence. Tiny modifications of the instruction decoder or program counter circuit, which can easily be performed by opening the right metal interconnect with a laser, often have the desired effect.

2.1.5 Particle Beam Techniques

Most currently available smartcard processors have feature sizes of 0.5–1 μm and only two metal layers. These can be reverse-engineered and observed with the manual and optical techniques described in the previous sections. For future card generations with more metal layers and features below the wavelength of visible light, more expensive tools might additionally have to be used.

A focused ion beam (FIB) workstation consists of a vacuum chamber with a particle gun, comparable to a scanning electron microscope (SEM). Gallium ions are accelerated and focused from a liquid metal cathode with 30 kV into a beam of down to 5–10 nm diameter, with beam currents ranging from 1 pA to 10 nA. FIBs can image samples from secondary particles similar to a SEM with down to 5 nm resolution. By increasing the beam current, chip material can be removed with the same resolution at a rate of around 0.25 μm³ nA⁻¹ s⁻¹ [13]. Better etch rates can be achieved by injecting a gas like iodine via a needle that is brought to within a few hundred micrometers from the beam target. Gas molecules settle down on the chip surface and react with removed material to form a volatile compound that can be pumped away and is not redeposited. Using this gas-assisted etch technique, holes that are up to 12 times deeper than wide can be created at arbitrary angles to get access to deep metal layers without damaging nearby structures. By injecting a platinum-based organometallic gas that is broken down on the chip surface by the ion beam, platinum can be deposited to establish new contacts. With other gas chemistries, even insulators can be deposited to establish surface contacts to deep metal without contacting any covering layers.

Using laser interferometer stages, a FIB operator can navigate blindly on a chip surface with 0.15 μm precision, even if the chip has been planarized and has no recognizable surface structures. Chips can also be polished from the back side down to a thickness of just a few tens of micrometers. Using laser-interferometer navigation or infrared laser imaging, it is then possible to locate individual transistors and contact them through the silicon substrate by FIB editing a suitable hole. This rear-access technique has probably not been used by pirates so far, but the technique is about to become much more commonly available and therefore has to be taken into account by designers of new security chips.

FIBs are used by attackers today primarily to simplify manual probing of deep metal and polysilicon lines. A hole is drilled to the signal line of interest and filled with platinum to bring the signal to the surface, where a several micrometer large probing pad or cross is created to allow easy access (Fig. 11). Modern FIB workstations (for example the FIB 200xP from FEI) cost less than half a million US$ and are available in over a hundred organizations. Processing time can be rented from numerous companies all over the world for a few hundred dollars per hour.

Other useful particle beam tools are electron-beam testers (EBT) [14]. These are SEMs with a voltage-contrast function. Typical acceleration voltages and beam currents for the primary electrons are 2.5 kV and 5 nA. The number and energy of secondary electrons are an indication of the local electric field on the chip surface, and signal lines can be observed with submicrometer resolution. The signal generated during e-beam testing is essentially the low-pass filtered product of the beam current multiplied with a function of the signal voltage, plus noise. EBTs can measure waveforms with a bandwidth of several gigahertz, but only with periodic signals where stroboscopic techniques and periodic averaging can be used. If we use real-time voltage-contrast mode, where the beam is continuously directed to a single spot and the blurred and noisy stream of secondary electrons is recorded, then the signal bandwidth is limited to a few megahertz [14]. While such a bandwidth might just be sufficient for observing a single signal line in a 3.5 MHz smartcard, it is too low to observe an entire bus with a sample frequency of several megahertz for each line. EBTs are very convenient attack tools if the clock frequency of the observed processor can be reduced below 100 kHz to allow real-time recording of all bus lines, or if the processor can be forced to generate periodic signals by continuously repeating the same transaction during the measurement.

2.2 Non-invasive Attacks

A processor is essentially a set of a few hundred flipflops (registers, latches, and SRAM cells) that define its current state, plus combinatorial logic that calculates from the current state the next state during every clock cycle. Many analog effects in such a system can be used in non-invasive attacks. Some examples are:

• Every transistor and interconnection has a capacitance and resistance that, together with factors such as the temperature and supply voltage, determine the signal propagation delays. Due to production process fluctuations, these values can vary significantly within a single chip and between chips of the same type.
• A flipflop samples its input during a short time interval and compares it with a threshold voltage derived from its power supply voltage. The time of this sampling interval is fixed relative to the clock edge, but can vary between individual flipflops.
• The flipflops can accept the correct new state only after the outputs of the combinatorial logic have stabilized on the prior state.
• During every change in a CMOS gate, both the p- and n-transistors are open for a short time, creating a brief short circuit of the power supply lines [15]. Without a change, the supply current remains extremely small.
• Power supply current is also needed to charge or discharge the load capacitances when an output changes.
• A normal flipflop consists of two inverters and two transmission gates (8 transistors). SRAM cells use only two inverters and two transistors to ground one of the outputs during a write operation. This saves some space but causes a significant short circuit during every change of a bit.

There are numerous other effects. During careful security reviews of processor designs it is often necessary to perform detailed analog simulations and tests; it is not sufficient to just study a digital abstraction.

Smartcard processors are particularly vulnerable to non-invasive attacks, because the attacker has full control over the power and clock supply lines. Larger security modules can be equipped with backup batteries, electromagnetic shielding, low-pass filters, and autonomous clock signal generators to reduce many of the risks to which smartcard processors are particularly exposed.

2.2.1 Glitch Attacks

In a glitch attack, we deliberately generate a malfunction that causes one or more flipflops to adopt the wrong state. The aim is usually to replace a single critical machine instruction with an almost arbitrary other one. Glitches can also aim to corrupt data values as they are transferred between registers and memory. Of the many fault-induction attack techniques on smartcards that have been discussed in the recent literature [11, 12, 16, 17, 18], it has been our experience that glitch attacks are the ones most useful in practical attacks.

We are currently aware of three techniques for creating fairly reliable malfunctions that affect only a very small number of machine cycles in smartcard processors: clock signal transients, power supply transients, and external electrical field transients.

Particularly interesting instructions that an attacker might want to replace with glitches are conditional jumps or the test instructions preceding them. They create a window of vulnerability in the processing stages of many security applications that often allows us to bypass sophisticated cryptographic barriers by simply preventing the execution of the code that detects that an authentication attempt was unsuccessful. Instruction glitches can also be used to extend the runtime of loops, for instance in serial port output routines to see more of the memory after the output buffer [12], or also to reduce the runtime of loops, for instance to transform an iterated cipher function into an easy to break single-round variant [11].

Clock-signal glitches are currently the simplest and most practical ones. They temporarily increase the clock frequency for one or more half cycles, such that some flipflops sample their input before the new state has reached them. Although many manufacturers claim to implement high-frequency detectors in their clock-signal processing logic, these circuits are often only simple-minded filters that do not detect single too-short half-cycles. They can be circumvented by carefully selecting the duty cycles of the clock signal during the glitch.

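To make the difference between a proper clock monitor and the simple-minded filters described above concrete, here is an added simulation (example code written for this edit, not part of the original paper; the sample counts, thresholds and function names are constructed assumptions). It models a sampled clock in which one high half-cycle is shortened while the following low half is stretched so that the period stays normal, and compares a monitor that only measures full periods against one that checks every half-cycle against a minimum width.

```python
from itertools import groupby

# Constructed parameters for the simulation (not from the paper): the clock
# is a list of 0/1 samples with ten samples per nominal half cycle.
NOMINAL_HALF_CYCLE = 10
# Shortest half cycle the logic is assumed to tolerate before some flipflops
# sample a state that has not yet settled.
MIN_HALF_CYCLE = 6


def make_clock(cycles, glitch_at=None, glitch_high=2, keep_period=True):
    """Return a sampled clock of `cycles` periods.

    If `glitch_at` is given, the high half of that cycle is shortened to
    `glitch_high` samples. With keep_period=True the low half is stretched
    by the same amount, so the duty cycle changes but the period does not.
    """
    samples = []
    for i in range(cycles):
        high = low = NOMINAL_HALF_CYCLE
        if i == glitch_at:
            high = glitch_high
            if keep_period:
                low = 2 * NOMINAL_HALF_CYCLE - glitch_high
        samples += [1] * high + [0] * low
    return samples


def half_cycle_widths(samples):
    """Width of every run of identical samples, i.e. of every half cycle."""
    return [len(list(run)) for _, run in groupby(samples)]


def period_detector(samples):
    """Filter that only measures rising-edge-to-rising-edge periods.

    Alarms if any period is shorter than two minimum half cycles. A single
    short half cycle balanced by a long one is invisible to it.
    """
    rising = [i for i in range(1, len(samples))
              if samples[i - 1] == 0 and samples[i] == 1]
    periods = [b - a for a, b in zip(rising, rising[1:])]
    return any(p < 2 * MIN_HALF_CYCLE for p in periods)


def per_half_cycle_detector(samples):
    """Monitor that checks the width of every individual half cycle."""
    return any(w < MIN_HALF_CYCLE for w in half_cycle_widths(samples))


def evaluate(samples):
    """Report whether each monitor raises an alarm for a clock waveform."""
    return {"period_only": period_detector(samples),
            "per_half_cycle": per_half_cycle_detector(samples)}


if __name__ == "__main__":
    clean = make_clock(20)
    balanced = make_clock(20, glitch_at=5)      # short high, long low, same period
    obvious = make_clock(20, glitch_at=5, glitch_high=1, keep_period=False)
    print("clean    :", evaluate(clean))
    print("balanced :", evaluate(balanced))
    print("obvious  :", evaluate(obvious))
```

The balanced waveform is the case the text describes: a monitor that derives frequency from full periods or from an average over several edges sees a normal clock, while a monitor that times each half cycle individually (in hardware, a delay element compared against each edge) flags the single short one.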
In some designs, a clock-frequency sensor that is perfectly secure under normal operating voltage ignores clock glitches if they coincide with a carefully designed power fluctuation. We have identified clock and power waveform combinations for some widely used processors that reliably increment the program counter by one without altering any other processor state. An arbitrary subsequence of the instructions found in the card can be executed by the attacker this way, which leaves very little opportunity for the program designer to implement effective countermeasures in software alone.

Power fluctuations can shift the threshold voltages of gate inputs and anti-tampering sensors relative to the unchanged potential of connected capacitances, especially if this occurs close to the sampling time of the flipflops. Smartcard chips do not provide much space for large buffer capacitors, and voltage threshold sensors often do not react to very fast transients.

In a potential alternative glitch technique that we have yet to explore fully, we place two metal needles on the card surface, only a few hundred micrometers away from the processor. We then apply spikes of a few hundred volts for less than a microsecond to these needles to generate electrical fields in the silicon substrate of sufficient strength to temporarily shift the threshold voltages of nearby transistors.

2.2.2 Current Analysis

Using a 10–15 Ω resistor in the power supply, we can measure with an analog/digital converter the fluctuations in the current consumed by the card. Preferably, the recording should be made with at least 12-bit resolution and the sampling frequency should be an integer multiple of the card clock frequency.

Drivers on the address and data bus often consist of up to a dozen parallel inverters per bit, each driving a large capacitive load. They cause a significant power-supply short circuit during any transition. Changing a single bus line from 0 to 1 or vice versa can contribute in the order of 0.5–1 mA to the total current at the right time after the clock edge, such that a 12-bit ADC is sufficient to estimate the number of bus bits that change at a time. SRAM write operations often generate the strongest signals. By averaging the current measurements of many repeated identical transactions, we can even identify smaller signals that are not transmitted over the bus. Si
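The leakage model behind the paragraph above, together with the averaging step, as an added simulation (written for this edit, not the paper's code): a Hamming-distance model of bus transitions with Gaussian noise and 12-bit quantization. The 0.5–1 mA per transition and the 12-bit ADC come from the text; the bus width, the noise level, the full-scale current and the function names are constructed assumptions. It is the kind of rough analog model a design review would use to judge whether a bus leaks the number of changing bits before a real power measurement is made.

```python
import math
import random

# Constructed model parameters (assumptions for this illustration); only the
# 0.5-1 mA per transition and the 12-bit ADC are taken from the paper.
BUS_WIDTH = 8               # data-bus lines modelled
MA_PER_TRANSITION = 0.75    # current added by one line changing state
NOISE_RMS_MA = 3.0          # constructed measurement noise of one sample
ADC_BITS = 12
ADC_FULL_SCALE_MA = 100.0   # assumed current range mapped onto the ADC

# Constructed bus transitions used by the demo: (previous value, new value).
SAMPLE_TRANSITIONS = [(0x00, 0xFF), (0x0F, 0x3F), (0x55, 0x55)]


def transitions(prev, cur):
    """Number of bus lines that change between two consecutive values."""
    return bin(prev ^ cur).count("1")


def adc_lsb_ma():
    """Current corresponding to one ADC step."""
    return ADC_FULL_SCALE_MA / (2 ** ADC_BITS)


def sample_current(prev, cur, rng):
    """One noisy current sample taken right after the clock edge, quantized
    to the ADC step size."""
    ideal = transitions(prev, cur) * MA_PER_TRANSITION
    noisy = ideal + rng.gauss(0.0, NOISE_RMS_MA)
    return round(noisy / adc_lsb_ma()) * adc_lsb_ma()


def averaged_current(prev, cur, repeats, rng):
    """Average of `repeats` samples of the same transition: the averaging
    over repeated identical transactions that the paper describes."""
    return sum(sample_current(prev, cur, rng) for _ in range(repeats)) / repeats


def estimate_transitions(current_ma):
    """Invert the linear model to guess how many lines changed."""
    guess = round(current_ma / MA_PER_TRANSITION)
    return max(0, min(BUS_WIDTH, guess))


def residual_noise_ma(repeats):
    """Expected rms noise left after averaging independent samples."""
    return NOISE_RMS_MA / math.sqrt(repeats)


def run_demo(seed=1, repeats=1000):
    """Estimate the transition count of each sample transition from an
    averaged measurement; returns {(prev, cur): estimate}."""
    rng = random.Random(seed)
    return {(p, c): estimate_transitions(averaged_current(p, c, repeats, rng))
            for p, c in SAMPLE_TRANSITIONS}


if __name__ == "__main__":
    rng = random.Random(1)
    print(f"ADC step: {adc_lsb_ma():.4f} mA, "
          f"noise after 1000 averages: {residual_noise_ma(1000):.3f} mA")
    for (p, c), avg in run_demo().items():
        one = estimate_transitions(sample_current(p, c, rng))
        print(f"{p:02x}->{c:02x}: true={transitions(p, c)} "
              f"single-shot={one} averaged={avg}")
```

With a 3 mA rms noise a single sample cannot separate neighbouring transition counts (0.75 mA apart), but after averaging a thousand identical transactions the residual noise is below 0.1 mA and the estimate becomes exact; the ADC step of about 0.024 mA is far below the per-transition current, which is why 12 bits suffice.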