Blackhat TPM Talk Follow-up

March 20th, 2011

Since speaking at BlackHat DC 2009, there have been several inquiries regarding the security of the SLE66PE series smartcard family.

Here are some issues that should be pointed out:

We have heard, “...it took 6 months to succeed...”

The reality is it took 4 months to tackle obstacles found in any sub-200 nm device, such as:

  1. Capacitance/load of the probe needles when the chip is running.
  2. Powering the device inside the chamber of a FIB workstation.
  3. Level-shifting a 1.8 V core voltage, following what we learned in #1 above.
  4. Cutting out metal layers without creating electrical shorts.
  5. Other more minor issues regarding the physical size of the die.

Upon overcoming the points above, the actual analysis required no more than approximately 2 months.

In addition, the techniques listed above apply to all devices in the sub-200 nm category (SecureAVR, SmartMX, ST21, ST23).

We have heard, “...you said the Infineon SLE66 was the best device out there in the market...”

The Infineon SLE66PE is a very secure device; however, it (like its competitors) has both strengths and weaknesses.

Some examples of weaknesses are:

  1. The layouts of all Infineon SLE50/66 ‘P’ or ‘PE’ parts are very modular by design.
  2. Lack of penalty if the active shield is opened.
  3. Execution begins from a CLEAR (unencrypted) ROM which is ‘invisible’ to the user.
  4. The CPU core is based on a microcode/PLA type implementation.
  5. Power-on reset always begins running from the externally supplied clock.
  6. The current design is based on a previous 600 nm version designed around 1998.
  7. 3-metal-layer design for the “areas of interest” (the 4th layer is the active shield).

Some examples of strengths are:

  1. The ‘PE’ family uses bond pads located up the middle of the device.
  2. The ROMKey must be loaded before the device can be attacked (otherwise you just see its clear ROM content).
  3. MED is quite powerful if used properly for EEPROM content.
  4. The mesh is consistent across the device and divided into sections.
  5. Auto-increment of the memory base address.
  6. Mixing of physical vs. virtual address space for MED / memory fetch.

No device is perfect.  All devices have room for improvement.  Some things to consider when choosing a smartcard are:

  • Does the CPU ever run on the external clock?
  • What is the penalty for an active-shield breach?
  • What is the fabrication process geometry?
  • How many metal layers does the device have?
  • A list of the labs who might have evaluated this device, and their capabilities.

Lastly, just because a device has been Common Criteria certified does not mean much to an attacker armed with current tools.  This is a common oversight.

There is an ST23 smartcard device which has recently been certified EAL6+, and the device has an active shield with almost 1 micron wide tracks and 1-2 micron spacing!!!  This makes a person scratch their head and say, “WTH????”

We have some new content to post soon on the blog.  Be sure and tune in for that.  We will tweet an alert as well.

tech from flylogic is on Facebook

September 30th, 2010

Nice place to see quick shots of general devices in Chris’ life.

To prevent spammers, it’s the tech@ address. See you there!

Atmel ATMEGA2560 Analysis (Blackhat follow-up)

August 9th, 2010

At this year’s Blackhat USA briefings, the ATMEGA2560 was shown as an example of an insecure vs. secure device.  We have received a few requests for more information on this research, so here goes…

The device did not even need to be stripped down, because of designer laziness back at Atmel HQ.  All we did was look for the metal plates we detailed in our ATMEGA88 teardown last year and quickly deduced which outputs were the proper outputs in under 20 minutes.

Atmel likes to cover the AVR ‘important’ fuses with metal plating.  We assume this is to prevent the floating gate from getting hit with UV; however, this theory is debunked by the fact that UV will SET the fuses, not clear them!

The image above shows the location of the plates, and the two small red marks inside the smaller, higher-magnification inset.

For those who absolutely must know how to unlock the device, just click on the “Money Shot!”

Hardcore Reverse Engineering!

August 8th, 2010

This was sent in by a reader of the blog. Kudos to you!

Parallax Propeller P8X32A Quick Teardown

August 7th, 2010

Parallax has a really neat 8-core 32-bit CPU called the ‘Propeller’.  It’s been out for a few years but it is gaining popularity.  There is no security with the device, as it boots insecurely via a UART or an I2C EEPROM.  Nonetheless, we thought it was interesting to see an 8-core CPU decapsulated!

The image above is the Propeller optically imaged at 50x magnification.  One can clearly see 8 columns that appear almost symmetric (except in the middle region).  The upper 8 squares are the cogs’ 512 x 32 SRAMs as described in the manual.  The middle left 4 and right 4 squares are the ROMs Parallax describes.  The 8 rectangular objects are the 32 KB SRAM as described.  The 8 cores are basically the 8 columns above the middle ROMs, including the 512 x 32 SRAMs, because Parallax describes each cog as having its own 512 x 32 SRAM :) .

After removing the top metal (which consisted mainly of routing tracks), we can see the 8 cores a little more clearly.  In the image, the metal over the 4 left ROMs has begun to be removed as well.

Above is a single COG rotated 90 degrees clockwise.  There are 8 of these objects in the upper half of the die.

Last but not least is the logo by Parallax.  Nice job, Parallax, on this beast!  We have one favor to ask: implement some flash on the next generation, with a security bit ;) .

Echostar v NDS appellate court ruling update

August 6th, 2010

Normally, I would not mix non-technical matters into the blog; however, I thought this deserved a little more attention than it has received.

The ruling, which states that NDS has won the lawsuit, vindicates me and leaves Echostar owing NDS almost 18,000,000.00 USD, came down 2 days ago.  You can download the ruling in PDF form here.

As well, I thought it nice to mention that neither Flylogic nor I work for or with Echostar, Nagra, NDS or any other conditional access company in any way or form.

I wish all persons whom this lawsuit affects the best (yes, even you, Charlie),

Christopher Tarnovsky

Infineon / ST Mesh Comparison

February 14th, 2010

Given all the recent exposure from our Infineon research, we have had numerous requests regarding the ST mesh architecture and how Infineon’s design compares to the ST implementation.

We took a few pictures of an area of each device with an electron microscope to give you a better idea.  Both devices are built on a 4-metal, ~140 nm process.  Rather than have us tell you who we think is stronger (it’s pretty obvious), we’d like to see your comments on what you, the readers, think!

In the picture above, the left side is the standard Infineon mesh, with the standard ST mesh on the right.  Both images were taken at 3,500x magnification.

The Infineon mesh consists of 5 zones with 4 circuits per zone.  This means the surface of the die is being covered by 20 different electrical circuits.

The ST mesh consists of a single wire routed zig-zag across the die.  It usually begins next to the VDD pad and ends at the opposite corner of the die.  The other wires are simply GND, i.e. ground fingers.  On recent designs, we have caught ST using a few of the grounds to tie gates low (noise isolation of extra, unused logic, we believe).

Zooming in at 15,000x magnification, the details of each mesh really begin to show.  At lower magnification the Infineon mesh looked dark and solid, but as you can see, it is not.

In the Infineon scheme above, each colored wire is the same signal (4 of them per zone).  Each color is randomly spaced per chip design and is connected at either the top or bottom of the die via Metal 3 interconnects.

The ST mesh simply has the single conductor labeled in red.  All green wires are the ground fingers, which can usually be cut away (removed) without penalty.  The latest ST K7xxx devices have a signal present that appears analog.  A closer look and a few minutes of testing proved it simply needs to be held high (logic ‘1’) at the sampling side of the line.  Interesting how ST tried to obscure the signal.

Infineon does not permanently penalize you if the mesh is not properly repaired and the device is powered up.

ST will permanently penalize you with a bulk-erase of the non-volatile memory (NVM) areas if the sense line (red) is ever at logic low (‘0’) with power applied (regardless of the reset/clock condition).

Tell us your opinion on which you think is stronger security-wise.  Make sure you study the images closely, because there are other things we didn’t mention, such as the line spacing of the two designs, which should also be considered.
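To make the two tamper-response policies above concrete, here is a toy software model of them.  This is an added example, not Flylogic’s code and not either vendor’s actual shield logic.  It abstracts only what the post states: a single sense wire that must read logic ‘1’ at the sampling side, with unmonitored ground fingers and a permanent NVM bulk-erase on any ‘0’ (the ST description), versus several zones of monitored wires whose fault only halts the chip with no permanent penalty (the Infineon description).  The changing drive pattern on the zoned wires, the `Wire`/`Shield` classes and the attack scenarios are assumptions of this model; the post does not describe how the Infineon wires are actually checked.

```python
"""Toy model of two active-shield tamper-response policies (added example)."""
from dataclasses import dataclass, field


@dataclass
class Wire:
    """One shield conductor as seen from the sampling side (model only)."""
    cut: bool = False        # attacker cut the track: the sampler floats
    tied_high: bool = False  # attacker bridged the track to VDD

    def sample(self, driven: int):
        if self.tied_high:
            return 1
        if self.cut:
            return None      # floating: never equals a driven 0 or 1
        return driven


@dataclass
class SingleSenseShield:
    """ST-style (per the post): one monitored wire, ground fingers unmonitored."""
    sense: Wire = field(default_factory=Wire)
    fingers: list = field(default_factory=lambda: [Wire() for _ in range(8)])
    nvm_intact: bool = True

    def power_on(self, cycles: int = 16) -> bool:
        """Return True if the chip keeps running for `cycles` samples."""
        for _ in range(cycles):
            if self.sense.sample(1) != 1:      # any '0' with power applied...
                self.nvm_intact = False        # ...bulk-erases NVM, permanently
                return False
        return True


@dataclass
class ZonedShield:
    """Infineon-style (per the post): 5 zones x 4 monitored circuits."""
    zones: int = 5
    wires_per_zone: int = 4
    wires: list = field(init=False)
    resets: int = 0
    nvm_intact: bool = True

    def __post_init__(self):
        self.wires = [Wire() for _ in range(self.zones * self.wires_per_zone)]

    def power_on(self, cycles: int = 16) -> bool:
        for c in range(cycles):
            # ASSUMED changing pattern: wire i is driven (c + i) & 1 this cycle,
            # so a statically tied or cut wire disagrees within two cycles.
            for i, w in enumerate(self.wires):
                driven = (c + i) & 1
                if w.sample(driven) != driven:
                    self.resets += 1           # reset only; NVM untouched
                    return False
        return True


# Attack scenarios (hypothetical); each returns (still_running, nvm_intact).

def st_cut_fingers_only():
    """Ground fingers carry no sense signal: cutting all of them costs nothing."""
    s = SingleSenseShield()
    for f in s.fingers:
        f.cut = True
    return (s.power_on(), s.nvm_intact)


def st_cut_sense_unprepared():
    """Cut the sense wire before tying it high: repairing it later does not undo the erase."""
    s = SingleSenseShield()
    s.sense.cut = True
    s.power_on()
    s.sense.cut = False
    return (s.power_on(), s.nvm_intact)


def st_tie_high_then_cut():
    """Hold the sense line at logic '1' on the sampling side, then cut it freely."""
    s = SingleSenseShield()
    s.sense.tied_high = True
    s.sense.cut = True
    return (s.power_on(), s.nvm_intact)


def zoned_static_bypass():
    """A static tie is caught, but the attacker can repair and retry without loss."""
    z = ZonedShield()
    z.wires[7].tied_high = True
    first = z.power_on()              # detected on the second cycle: reset
    z.wires[7].tied_high = False      # repair the wire
    second = z.power_on()
    return (first, second, z.resets, z.nvm_intact)


if __name__ == "__main__":
    print("ST, fingers cut:        ", st_cut_fingers_only())
    print("ST, sense cut unprepared:", st_cut_sense_unprepared())
    print("ST, tie high then cut:  ", st_tie_high_then_cut())
    print("Zoned, tie, repair, retry:", zoned_static_bypass())
```

The model shows the trade-off the post leaves to the reader: the single-sense design punishes a careless attacker irreversibly but falls to one static bridge at the sampling side, while the zoned design with no permanent penalty lets the attacker iterate (cut, get reset, repair, retry) as long as each static shortcut is detected.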

We are now on Twitter too!

February 12th, 2010

We probably should have been tweeting (sic?) for some time now, but we are finally doing it!

You can join/follow us here: http://twitter.com/semiconduktor

As well, you can always get to Flylogic through Semiconduktor.com or Semiconduktor.net :) .

Problems solved!

February 12th, 2010

We want to personally thank every one of you who responded offering your help!

We followed what many of you said to do and this seems to have worked.

Thank you again!

Volunteers to help cleanup WordPress problems?

December 5th, 2009

Whenever the blog is enabled, spammers are able to deface the main page’s index.html file, replacing it with hundreds of spam links to software.

The only way we can stop it is to stop the blog.  We’ve tried cleaning the blog up, but they still get in somehow through WordPress :( .

If you think you can help us, please email tech at flylogic.net

Thanks!