Flylogic's Analytical Blog

This was sent in by a reader of the blog. Kudos to you!

Normally, I would not mix non-technical with the blog however I thought this deserved a little more attention that it has received.

The ruling which states that NDS has won the lawsuit, vindicates myself and puts Echostar owing NDS almost 18,000,000.00 USD has come down as of 2 days ago.  You can download ruling in PDF form here.

As well I thought it nice to mention that neither Flylogic nor myself works for/or with Echostar, Nagra, NDS or any other conditional access company in any way or form.

I wish all persons whom this lawsuit effects the best (yes even you Charlie),

Christopher Tarnovsky

Given all the recent exposure from our Infineon research, we have had numerous requests regarding the ST mesh architecture and how Infineon’s design compares to the ST implementation. 

We took a few pictures of an area of each device with an electron microscope to give you a better idea.  Both devices are a 4 metal ~140 nanometer process.  Rather than have us tell you who we think is stronger (it’s pretty obvious), we’d like to see your comments on what you the readers think! 

In the picture above, the left side is the standard Infineon mesh with the standard ST mesh on the right.   Both images were taken at 3,500 magnification. 

The Infineon mesh consists of 5 zones with 4 circuits per zone.  This means the surface of the die is being covered by 20 different electrical circuits.

The ST mesh consists of a single wire routed zig-zag across the die.  It usually begins next to the VDD pad and ends at the opposite corner of the die.  The other wires are simply GND aka ground fingers.  On recent designs, we have caught ST using a few of the grounds to tie gates low (noise isolation of extra, unused logic we believe). 

Zooming in at 15,000 magnification, the details of each mesh really begin to show.  Where at lower resolutions, the Infineon mesh looked dark and solid but as you can see, it is not.

In the Infineon scheme above, each colored wire is the same signal (4 of them per zone).  Each color will be randomly spaced per chip design and is connected at either the top or bottom of the die via Metal 3 inter-connects.

The ST simply has the single conductor labeled in red.  All green are the fingers of ground which can be usually cut away (removed) without penalty.  The latest ST K7xxx devices have a signal present that appears analog.  A closer look and a few minutes of testing proved it to simply need to be held high (logic ’1′) at the sampling side of the line.  Interesting how ST tried to obscure the signal.

Infineon does not permanently penalize you if the mesh is not properly repaired and the device is powered up. 

ST will permanently penalize you with a bulk-erase of the non-volatile memory (NVM) areas if the sense line (red) is ever a logic low (’0′) with power applied (irrelevant of reset/clock condition).

You tell us your opinion what you think security wise.   Make sure you study the images closely beause there are other things we didn’t mention such as line spacing, etc. between the two designs which should be considered.

We probably should have been tweeting (sic?) for some time now but we are finally doing it!

You can join/follow us here: http://twitter.com/semiconduktor

As well, you can always get to Flylogic through Semiconduktor.com or Semiconduktor.net .

We want to personally thank every one of you who responded offering your help!

We followed what many of you said to do and this seems to have worked.

Thank you again!

Whenever the blog is enabled, spammers are able to deface the mainpages index.html file replacing it with hundreds of spam links to software.

The only way we can stop it is to stop the blog. We’ve tried cleaning the blog up but they still get in somehow through WordPress .

If you think you can help us, please email tech at flylogic.net

Thanks!

During last years Blackhat and Defcon conferences, several individuals asked me about possibly giving classes on the security model of commonly found microcontrollers.  Jeff Moss’ group setup a poll here.  Given todays Silicon technology has become so small yet so large, it would be best to determine which architecture and which devices everyone is most interested in.  The current poll will determine which brand micro to target (Atmel AVR or Microchip PIC) and after this is decided, we will need more input to narrow the class down to a few devices of the chosen family.

While the classes are not cheap, all participants will learn and understand the chosen targets security model.  Armed with such knowledge will help you to understand and recognize potential risks in future design work allowing you to avoid the possiblity of compromise (and I suppose this would also enhance job security .   Full mosaic blowups of the targets, decapsulated devices, use of a probe station and all users will “modify” the security model of their devices themselves (unless they ask for some help).  I don’t believe such a class has ever been given and seating will be limited per class.

Feel free to comment here but Blackhat really needs the feedback.

Thank you,

-Christopher Tarnovsky

Before going deeper into the analysis of today’s chips, we will take a quick journey to where it all began: the Intel 4004, world’s first widely-used microprocessor. The 4004 and most other antiquated chips differ from modern chips in two main characteristics: They only use a single type of transistor (PMOS or NMOS) and each logic gate is custom-designed to best utilize the available area — an inevitable optimization for chips built from transistors about 150x larger than those used in their modern descendants.

The pictures below show four custom-designed variations of the same logic function, 2-NAND:

Each of the gates is composed of two transistors and one resistor. If either of the transistors is open (that is: having Vcc applied to its gate), the output is strongly connected to Vcc. If neither of the transistors is open, the gate is weakly connected to GND through the resistor, but still strong enough to pull the output to GND. The next image shows the only metal layer of the 4004, just above the 2-NANDs:

PMOS is very area-efficient, but more power hungry and slower than alternatives such as CMOS, which combines PMOS and NMOS transistors as illustrated in this post. It’s beautiful to see how none of the inefficiencies we see in modern chips are found on the 4004 and how the available space is completely filled with logic. The entire 4004 has only some 2,300 transistors and makes for a perfect exercise in learning neat chip layout and logic gate design (click for a high-res version):

[edit - Jan 9, 2009:  Adding mosaic of entire substrate]

(Clicking on the picture above will result in a 45 MB download!)

As a challenge for next time, identify the extra 3 layers that the Intel museum claims. Last episode’s challenge was correctly solved first by Jeri Ellsworth. Respect for her almost perfect circuit diagram as well as her remarkable on-your-kitchen-table semiconductors fab.

Credit for the chips go to Tim McNerney. Tim is an expert on the 4004 who has built an interactive exhibit of the chip for the Intel museum. For more information please visit the Intel 4004 35th anniversary project web site.

-Karsten Nohl