We have come across samples of the über-secure & über-hyped SLE78/97. It would appear new engineers are at the core of this design series. It's a shame they have sacrificed physical security, replacing it with over-hyped so-called "secure core" designs. This whole scenario makes a person miss the good old trustable SLE66P.
FOR IMMEDIATE RELEASE
July 26, 2012
IOActive Announces Acquisition of Flylogic Engineering and Hardware Security Lab
World-renowned Semiconductor Security Expert, Christopher Tarnovsky, to Head IOActive’s Expanded Hardware Division
Seattle, WA—July 26, 2012. IOActive, a global leader in information security services and research, today announced the acquisition of Flylogic Engineering and its assets, in addition to the appointment of Christopher Tarnovsky as IOActive’s Vice President of Semiconductor Security Services. In conjunction with this announcement, IOActive will be opening an expanded hardware and semiconductor security lab in San Diego, California.
Flylogic and Mr. Tarnovsky have long been at the forefront of this industry, building a world-renowned reputation for delivering high-quality semiconductor assessments to some of the most respected organizations in the world. With this acquisition, IOActive will be opening a new multi-million dollar hardware campus in San Diego. This lab will serve as both a training facility and home for Flylogic’s expansive hardware needs, including tools such as a Focused Ion-Beam Workstation (FIB) and Scanning Electron Microscope (SEM).
Advances in embedded device manufacturing have resulted in smaller, faster, and more capable chips. As a result, supply chain security has become even more critical to forward-thinking enterprises: it is clear that investing solely in software security is no longer enough to combat today’s sophisticated attackers. The new-generation attacker targets the silicon itself, embedding hidden gates and/or backdoors at the electron level that could allow any system built on that technology to be quietly compromised, far beyond the asset holder’s ability to ever detect it.
With this acquisition, IOActive is the only leading international boutique security firm in the world with the capability to review chips at the silicon level in-house, using world-acknowledged and -accredited experts while leveraging our best-of-breed software security experts. The expansion of the San Diego lab will allow Tarnovsky and his team to focus on performing these types of extensive semiconductor risk assessments and provide the necessary insights to drive the shift toward more secure chipsets.
“The passion and skill Chris has for his work mirrors what IOActive’s team has long been known for. He has a keen eye and unmatched skill for breaking semiconductors, coupled with a strong desire to help his clients be more secure,” said Jennifer Steffens, Chief Executive Officer of IOActive. “What he has accomplished with Flylogic is amazing; we are thrilled to be forming this unified team and to provide the support needed to bring services to the next level.”
“I’ve had the pleasure of getting to know IOActive over the last few years and the timing couldn’t be better for this announcement. They continue to break the barriers of what is expected from security firms and with their backbone of support, our semiconductor security assessments can continue to surpass all expectations,” said Chris Tarnovsky, owner of Flylogic and now VP of Semiconductor Security at IOActive. “I’m excited to work with them as we strive to improve the security landscape overall.”
Christopher Tarnovsky will be available to discuss Flylogic and the acquisition in IOActive’s IOAsis suite at Caesars Palace. For more information, visit http://info.ioactive.com/bh-2012.html.
Established in 1998, IOActive is an industry leader that offers comprehensive computer security services with specializations in smart grid technologies, software assurance, and compliance. Boasting a well-rounded and diverse clientele, IOActive works with a majority of Global 500 companies including power and utility, hardware, retail, financial, media, aerospace, high-tech, and software development organizations. As a home for highly skilled and experienced professionals, IOActive attracts talented consultants who contribute to the growing body of security knowledge by speaking at such elite conferences as Black Hat, Ruxcon, Defcon, BlueHat, CanSec, and WhatTheHack. For more information, visit www.ioactive.com.
Please use http://www.flylogic.net/blog/?page_id=368 for questions.
Does anyone know how to decapsulate a substrate epoxy FR-4 material? What would be the best method of doing so? Has Flylogic taken up similar decapsulations?
A 4-metal, 350 nanometer fabrication process, EAL4+ smart card. A device fabricated in 2002, and yet the only main differences in today's latest ST19W/N series are the width of the ROM data bus output into the decrypt block and the fabrication process (180nm and 150nm shrinks).
Figure 1: Logo of the ST19XL18 die coded K5F0A. Notice active shielding presence.
The device was dipped into a hydrofluoric acid (HF) bath until the active shielding fell off. This saved about 10 minutes of polishing to remove the surface oxide and Metal 4 (M4). It also helps the polishing of the lower layers begin fairly evenly.
Figure 2: Active shield is removed. Device needs polishing now.
Once the passivation oxide is removed, the oxide of each layer takes less than 2 minutes to remove. We purposely stop just before the Metal 3 (M3) surface is exposed, leaving the vias clearly visible (there are several gates tied to the ground of the mesh on Metal 4 (M4), as well as the active shield’s begin and end vias).
Figure 3: Metal 3 (M3) polish until only a thin layer of oxide remains.
The device was placed and routed in a very modular way. The picture below is not 100% to scale but more or less highlights the various blocks present. The MAP consists of asymmetric and symmetric crypto functions (DES, RSA, etc.).
Figure 4: M3 with comments drawn into place.
The EEPROM control logic is actually in the lower left corner of the EEPROM block. When drawing on the picture, highlighting that area was forgotten.
Figure 5: M2 layer
As Metal 3 (M3) was removed exposing the M2 layer, the device is beginning to not look so complicated.
Figure 6: M1 layer
Metal 1 (M1) shows us all the transistors. We did not polish down to the poly. Most of the gates are understandable without it for the purposes of finding the clear data bus.
Figure 7: Small memory area located behind EEPROM block.
Figure 8: Second small memory area located behind the EEPROM block.
Most likely, these NVM areas in Figure 7 & 8 are trimming or security violation related. No further investigation is planned on these areas (it isn’t necessary).
Figure 9: Clear ROM drivers feeding the ‘clear’ data bus highlighted on each of the 3 layers.
Strangely enough, it is now understandable why ST cannot achieve high performance on the ST19 platform. Each logic area with access to the clear data bus runs via a high-output driver that is tri-stated (hi-z) when not driven. This means that all drivers are OR-tied and only one set of 8 drivers are ever active at a time. This is a very large and cumbersome way of creating a MUX.
As time permits, the ST19W and ST19N series will be looked at. It is expected to again find this kind of pattern. Overall, finding the clear data bus took 1.5 hours once the images were created. Most of the 1.5 hours was the alignment of the layers.
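The layer alignment mentioned above (most of the 1.5 hours) comes down to finding the translation between the mosaics of adjacent metal layers, and the vias left visible by the polishing are the natural fiducials, since each one appears in both the upper and the lower layer image. The following is an added example, not Flylogic's own tooling: it takes two constructed lists of via centroids (the coordinates, the (+7, -3) offset, the missing via and the two spurious detections are all made up for the demo) and recovers the shift with a voting scheme, reporting how many vias agree so that a bad alignment is rejected rather than silently trusted.

```python
from collections import Counter
from typing import Iterable, List, Tuple

Point = Tuple[int, int]

# Constructed sample data: via centroids (pixels) picked from the M3 mosaic and
# from the M2 mosaic of the same die region. The M2 mosaic is offset by (+7, -3)
# relative to M3, one via is missing from the M2 list and two spurious
# detections were added, which is what real extracted feature lists look like.
VIAS_M3: List[Point] = [(10, 10), (25, 40), (60, 12), (33, 33),
                        (80, 70), (5, 90), (47, 61), (72, 22)]
VIAS_M2: List[Point] = [(17, 7), (32, 37), (67, 9), (40, 30),
                        (87, 67), (12, 87), (54, 58),
                        (50, 50), (15, 80)]  # last two: spurious detections


def estimate_translation(src: Iterable[Point], dst: Iterable[Point]) -> Tuple[Point, int]:
    """Return the (dx, dy) that maps src onto dst and the number of vias agreeing.

    Every (src, dst) pair votes for the offset dst - src. True correspondences
    all vote for the same offset while mismatched pairs scatter their votes, so
    the most common offset is the layer shift (a translation-only Hough vote).
    """
    src = list(src)
    dst = list(dst)
    votes = Counter((bx - ax, by - ay) for ax, ay in src for bx, by in dst)
    if not votes:
        raise ValueError("need at least one via in each layer")
    offset, count = votes.most_common(1)[0]
    return offset, count


def aligned_fraction(src: Iterable[Point], dst: Iterable[Point],
                     offset: Point, tol: int = 0) -> float:
    """Fraction of src vias that land within tol pixels of a dst via after shifting.

    This is the confidence score: a wrong offset lines up almost nothing.
    """
    src = list(src)
    dst = list(dst)
    dx, dy = offset
    hits = 0
    for x, y in src:
        sx, sy = x + dx, y + dy
        if any(abs(sx - px) <= tol and abs(sy - py) <= tol for px, py in dst):
            hits += 1
    return hits / len(src)


def align_layers(src: Iterable[Point], dst: Iterable[Point],
                 min_fraction: float = 0.5) -> Tuple[Point, float]:
    """Estimate the shift and reject it when too few vias agree (wrong region, bad polish)."""
    src = list(src)
    dst = list(dst)
    offset, _count = estimate_translation(src, dst)
    frac = aligned_fraction(src, dst, offset)
    if frac < min_fraction:
        raise ValueError(f"alignment unreliable: only {frac:.0%} of vias agree on {offset}")
    return offset, frac


if __name__ == "__main__":
    shift, frac = align_layers(VIAS_M3, VIAS_M2)
    print(f"M2 is shifted by {shift} relative to M3; {frac:.0%} of M3 vias line up")
```

On real mosaics the via lists come from thresholding the bright via discs and taking their centroids; the vote is O(n·m) over the two lists, which is fine for the few thousand vias in one region, and a sub-region can be aligned separately when the mosaic itself has stitching drift. Use a small `tol` (one or two pixels) once centroids come from images rather than constructed integers.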
Having heard that Atmel actually produced three variants of the AT90SC3232 device, we did some digging and found some of this previously never-seen-by-Flylogic AT90SC3232CS. We already had several AT90SC3232 and AT90SC3232C. We assumed that the CS was just a 3232C with an extra IO pad. Well, one should never ass-u-me anything! The AT90SC3232CS is a completely new design based on the larger AT90SC6464C device.
Above: A decapsulated sample of the TQFP44 packaged AT90SC3232CS devices we received.
Decapsulation revealed that Atmel actually did place an active shielding over the surface of the device. A 350nm, 4 metal process was used on the AT90SC3232CS where the AT90SC6464C was a 350nm, 3 metal.
Above: Active shield metal was removed with wet-etching leaving the oxide residue.
A quick polishing session removes that residue you saw in the previous photo. Now the device looks very similar to the AT90SC6464C.
Above: With the mesh removed, Metal 3 is now exposed.
Given that the AT90SC family all run encrypted code, for which Atmel claims even they don’t know the key, it is mandatory to polish down the device and image the areas of interest at each level to trace through the logic.
Above: Polished to Metal 2 in our area of interest.
With the chip at Metal 2, it was time to go to Metal 1. This is where the actual transistors are put together to become something such as AND, OR, INVert, …
Above: Metal 1 ready for imaging.
While not strictly required, it is always desirable: removing Metal 1 leaves the poly/diffusion areas visible, which always helps in explaining the P/N FETs for our purposes.
Above: Poly/Diffusion layer exposed.
All of the images above were quick 50x mosaics. Clicking on any of them will open the full version of the image.
Given the feedback received from the recent 3 Metal display, we thought we would do it again. This time however, we imaged it at 1000x for a distance of 25,000 pixels across by 2413 down (25,000 is the max a JPEG will allow).
Having no knowledge of how the Atmel AVR smart card family works means we have to tear it down and trace out the databus paths. The next 4 images are just a sample of the real image we created. The real image is so huge, it would take days to download.
The next four images can be clicked on to open up the full 25,000 pixel JPEG. Metal 4 was not imaged because it was the active shield. The active shield is an obstacle that can be ignored until the signals determined to be important are identified.
Each of those files is 37.9 MB. They are aligned for use in GIMP or Photoshop. If you wish to download these same 4 images in higher quality, overlaid already, please click here. This image is a layered TIFF and is 1.6 GB.
None of these images have been watermarked. We ask that people respect our work and give proper credit if they are reused. In these images, you have 28 EEPROM bit outputs (most likely the crypto key unique per part) and a 16 bit databus coming into the area from the top of the picture. When I briefly looked at the cropped image ‘section.tif’, I immediately spotted several 2 in, 1 out MUXes, several FlipFlops (I caught 2 variants) and random glue-logic.
This is definitely the memory encrypt-decrypt block (MED) or at least the entry of it.
- – - – - – - – - – -
Update 03-17-2012 :: Added a few more hi-res but smaller pics
Above: Small section taken from the section.tif image. The layers have been tiled for viewing but should be stacked over each other if section.tif is opened in a proper viewer (Photoshop or GIMP will work).
Please let us know if anyone is having problems with the images.
- – - – - – - – - – -
Update 03-18-2012 :: Hosted the 1.6GB layered TIFF on Bit Torrent here.
Link, in case the one above has problems: http://flylogic.net/chippics/at90sc3232cs/section.torrent
Since speaking at BlackHat DC 2009, there have been several inquiries in regards to the security of the SLE66PE series smartcard family.
Here are some issues that should be pointed out:
We have heard, “..it took 6 months to succeed..”
The reality is it took 4 months to tackle the obstacles found in any <200nm device, such as:
- Capacitance/load of probe needles while the chip is running.
- Powering the device inside the chamber of a FIB workstation.
- Level-shifting a 1.8V core voltage, following what we learned in the first point above.
- Cutting out metal layers without creating electrical shorts.
- Other more minute issues regarding the physical size of the die.
Upon overcoming the points above, the actual analysis required no more than approximately 2 months’ time.
In addition, these techniques listed above apply to all devices in the <200nm category (SecureAVR, SmartMX, ST21, ST23).
We have heard, “..you said the Infineon SLE66 was the best device out there in the market..”
The Infineon SLE66PE is a very secure device; however, it, like its competitors, has its strengths and weaknesses.
Some examples of weaknesses are:
- Layout of all Infineon SLE50/66 ‘P’ or ‘PE’ are very modular by design.
- Lack of penalty if active shield is opened.
- Begin runtime from a CLEAR (unencrypted) ROM which is ‘invisible’ to the user.
- CPU core is based on a microcode/PLA type implementation.
- Power-on-reset always begins running from the externally supplied clock.
- Current design is based on a previous 600nm version designed around 1998.
- 3 metal layer design for “areas of interest” (4th layer is the active shield).
Some examples of strengths are:
- ‘PE’ family used bond-pads located up the middle of the device.
- ROMKey must be loaded before attacking can begin (else you just see their clear ROM content).
- MED is quite powerful if used properly for EEPROM content.
- Mesh is consistent across the device and divided into sections.
- Auto-increment of memory base address.
- Mixing of physical vs. virtual address space for MED / memory fetch.
No device is perfect. All devices have room for improvement. Some things to consider when choosing a smartcard are:
- Does CPU ever run on external clock?
- What is the penalty for an active-shield breach?
- What is the fabrication process geometry?
- How many metal layers is the device?
- List of labs who might have evaluated this device and their capabilities.
Lastly, just because the device has been Common Criteria certified does not mean much to an attacker armed with current tools. This is a common oversight.
There is an ST23 smartcard device which has recently been certified EAL-6+, and the device has an active shield with almost 1 micron wide tracks and 1-2 micron spacing!!! This makes a person scratch their head and say, “WTH????”
We have some new content to post soon on the blog. Be sure to tune in for that. We will tweet an alert as well.
At this year’s Black Hat USA briefings, the ATMEGA2560 was shown as an example of an insecure vs. secure device. We have received a few requests for more information on this research, so here it goes…
The device did not even need to be stripped down, because of designer laziness back at Atmel HQ. All we did was look for the metal plates we detailed in our ATMEGA88 teardown last year and quickly deduced which outputs were the proper outputs in under 20 minutes.
Atmel likes to cover the AVR ‘important’ fuses with metal plating. We assume to prevent the floating gate from getting hit with UV however the debunk to this theory is that UV will SET the fuses not clear them!
The image above shows the location of the plates and two small red marks inside the smaller, higher-magnification image.
For those who must absolutely know how to unlock the device, just click on the, “Money Shot!”
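Since this post turns on the AVR fuse and lock bits (what the metal plates cover and what "unlocking" changes), the following is an added example, not code from Flylogic or Atmel: a decoder for the ATmega lock-bit byte as read back by a programmer, using the documented convention that a bit reads 0 when programmed and 1 when unprogrammed, so an erased floating-gate cell reads 1. It is the electrical-side check a firmware team runs before shipping, namely that the part actually left the line in lock mode 3; as the post shows, passing that check says nothing about an attacker with the die in hand. The sample byte values are constructed.

```python
# Lock-bit byte layout shared by the ATmega family (the ATmega2560 included):
#   bit 0 LB1,   bit 1 LB2      memory lock (external programming/verification)
#   bit 2 BLB01, bit 3 BLB02    application-section lock
#   bit 4 BLB11, bit 5 BLB12    boot-section lock
#   bits 6-7 unused, always read 1
# AVR convention: a programmed bit reads 0, an unprogrammed bit reads 1. An erased
# floating-gate cell reads 1, so a freshly erased part carries no protection at all.

from typing import Dict, List, Optional, Tuple

ERASED_LOCK_BYTE = 0xFF  # every cell unprogrammed: fully unlocked

# (LB2, LB1) -> (mode, meaning), following the datasheet lock-bit table
LB_MODES: Dict[Tuple[int, int], Tuple[Optional[int], str]] = {
    (1, 1): (1, "no memory lock features enabled"),
    (1, 0): (2, "further programming of Flash and EEPROM disabled"),
    (0, 0): (3, "further programming and verification disabled"),
}


def _bit(value: int, n: int) -> int:
    return (value >> n) & 1


def decode_lock_byte(lock: int) -> Dict[str, object]:
    """Interpret a lock byte read back from the device (for example with avrdude)."""
    if not 0 <= lock <= 0xFF:
        raise ValueError("lock byte must be a single byte")
    lb = (_bit(lock, 1), _bit(lock, 0))
    mode, meaning = LB_MODES.get(lb, (None, "LB2/LB1 combination not defined in the lock-bit table"))
    return {
        "lock_byte": lock,
        "lb_mode": mode,
        "lb_meaning": meaning,
        # A programmed (0) boot-lock bit means that restriction is in force.
        "blb0_programmed": (_bit(lock, 2) == 0, _bit(lock, 3) == 0),  # (BLB01, BLB02)
        "blb1_programmed": (_bit(lock, 4) == 0, _bit(lock, 5) == 0),  # (BLB11, BLB12)
        "erased": lock == ERASED_LOCK_BYTE,
    }


def lock_byte_findings(lock: int) -> List[str]:
    """Release-gate check: what is wrong with the lock byte; empty list means LB mode 3."""
    info = decode_lock_byte(lock)
    findings: List[str] = []
    if info["erased"]:
        findings.append("lock byte is 0xFF: device is in the erased, fully unlocked state")
    if info["lb_mode"] != 3:
        findings.append(f"LB mode {info['lb_mode']} ({info['lb_meaning']}); expected mode 3")
    return findings


if __name__ == "__main__":
    # Constructed readings: a fresh/erased part and a part locked for release.
    for sample in (ERASED_LOCK_BYTE, 0xFC):
        problems = lock_byte_findings(sample)
        print(f"0x{sample:02X}: {'OK' if not problems else '; '.join(problems)}")
```

To get the byte from a real ATmega2560, read it back with avrdude (`-p m2560 -U lock:r:-:h`, with your own programmer in `-c`) and pass the value to `lock_byte_findings`; unused bits 6 and 7 read as 1, so a fully locked part reads 0xFC or lower, never 0x00 by itself.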