Flylogic's Analytical Blog

http://www.ioactive.com/news-events/IOAFlyLogic12PR.html

IOActive Announces Acquisition of Flylogic Engineering and Hardware Security Lab

World-renowned Semiconductor Security Expert, Christopher, Tarnovsky, to Head IOActive’s Expanded Hardware Division

Seattle, WA—July 26, 2012. IOActive, a a global leader in information security services and research, today announced the acquisition of Flylogic Engineering and its assets, in addition to the appointment of Christopher Tarnovsky as IOActive’s Vice President of Semiconductor Security Services. In conjunction with this announcement, IOActive will be opening an expanded hardware and semiconductor security lab in San Diego, California.

Flylogic and Mr. Tarnovsky have long been at the forefront of this industry, building a world-renowned reputation for delivering high-quality semiconductor assessments to some of the most respected organizations in the world. With this acquisition, IOActive will be opening a new multi-million dollar hardware campus in San Diego. This lab will serve as both a training facility and home for Flylogic’s expansive hardware needs, including tools such as a Focused Ion-Beam Workstation (FIB) and Scanning Electron Microscope (SEM).

Advances in embedded device manufacturing have resulted in smaller, faster, and more enhanced chips. As a result, supply chain security has become even more critical to forward-thinking enterprises: It is clear that investing solely in software security is no longer enough to combat today’s sophisticated attackers. The new-generation attacker has targeted the silicon, embedding hidden gates and/or backdoors at the electron level that could allow any system appointed with the technology to be quietly compromised far outside the realm of the asset holder to ever detect.

With this acquisition, IOActive is the only leading international boutique security firm in the world with the capability to review chips at the silicon level in-house, using world-acknowledged and -accredited experts while leveraging our best-of-breed software security experts. The expansion of the San Diego lab will allow Tarnovsky and his team to focus on performing these types of extensive semiconductor risk assessments and provide the necessary insights to drive the shift toward more secure chipsets.

“The passion and skill Chris has for his work mirrors what IOActive’s team has long been known for. He has a keen eye and unmatched skill for breaking semiconductors, coupled with a strong desire to help his clients be more secure,” said Jennifer Steffens, Chief Executive Officer of IOActive. “What he has accomplished with Flylogic is amazing; we are thrilled to be forming this unified team and to provide the support needed to bring services to the next level.”

“I’ve had the pleasure of getting to know IOActive over the last few years and the timing couldn’t be better for this announcement. They continue to break the barriers of what is expected from security firms and with their backbone of support, our semiconductor security assessments can continue to surpass all expectations,” said Chris Tarnovsky, owner of Flylogic and now VP of Semiconductor Security at IOActive. “I’m excited to work with them as we strive to improve the security landscape overall.”

Christopher Tarnovsky will be available to discuss Flylogic and the acquisition in IOActive’s IOAsis suite at Caesars Palace. For more information, visit http://info.ioactive.com/bh-2012.html.

About IOActive
Established in 1998, IOActive is an industry leader that offers comprehensive computer security services with specializations in smart grid technologies, software assurance, and compliance. Boasting a well-rounded and diverse clientele, IOActive works with a majority of Global 500 companies including power and utility, hardware, retail, financial, media, aerospace, high-tech, and software development organizations. As a home for highly skilled and experienced professionals, IOActive attracts talented consultants who contribute to the growing body of security knowledge by speaking at such elite conferences as Black Hat, Ruxcon, Defcon, BlueHat, CanSec, and WhatTheHack. For more information, visit www.ioactive.com.

*Update*

Please use : http://www.flylogic.net/blog/?page_id=368 for Questions

Victor Mehta:

Does anyone know how to decapulate a substrate epoxy FR-4 material ? What would be the best method in doing so ? Has flylogic taken up similar decapsulations ?

Real quick image as posted on Facebook tech .at. flylogic.net profile.  Total of 4 over layed images of a small section of an NEC upd78F9210 MCU.

A FlipFlop and a few AND’s were quickly spotted.  Can you find them?

Nice place to see quick shots of general devices in Chris’ life.

To prevent spammers, it’s the tech @ address. See you there!

This was sent in by a reader of the blog. Kudos to you!

Normally, I would not mix non-technical with the blog however I thought this deserved a little more attention that it has received.

The ruling which states that NDS has won the lawsuit, vindicates myself and puts Echostar owing NDS almost 18,000,000.00 USD has come down as of 2 days ago.  You can download ruling in PDF form here.

As well I thought it nice to mention that neither Flylogic nor myself works for/or with Echostar, Nagra, NDS or any other conditional access company in any way or form.

I wish all persons whom this lawsuit effects the best (yes even you Charlie),

Christopher Tarnovsky

Given all the recent exposure from our Infineon research, we have had numerous requests regarding the ST mesh architecture and how Infineon’s design compares to the ST implementation.Â

We took a few pictures of an area of each device with an electron microscope to give you a better idea.  Both devices are a 4 metal ~140 nanometer process.  Rather than have us tell you who we think is stronger (it’s pretty obvious), we’d like to see your comments on what you the readers think!Â

In the picture above, the left side is the standard Infineon mesh with the standard ST mesh on the right.   Both images were taken at 3,500 magnification.Â

The Infineon mesh consists of 5 zones with 4 circuits per zone.  This means the surface of the die is being covered by 20 different electrical circuits.

The ST mesh consists of a single wire routed zig-zag across the die.  It usually begins next to the VDD pad and ends at the opposite corner of the die.  The other wires are simply GND aka ground fingers.  On recent designs, we have caught ST using a few of the grounds to tie gates low (noise isolation of extra, unused logic we believe).Â

Zooming in at 15,000 magnification, the details of each mesh really begin to show.  Where at lower resolutions, the Infineon mesh looked dark and solid but as you can see, it is not.

In the Infineon scheme above, each colored wire is the same signal (4 of them per zone).  Each color will be randomly spaced per chip design and is connected at either the top or bottom of the die via Metal 3 inter-connects.

The ST simply has the single conductor labeled in red.  All green are the fingers of ground which can be usually cut away (removed) without penalty.  The latest ST K7xxx devices have a signal present that appears analog.  A closer look and a few minutes of testing proved it to simply need to be held high (logic ’1′) at the sampling side of the line.  Interesting how ST tried to obscure the signal.

Infineon does not permanently penalize you if the mesh is not properly repaired and the device is powered up.Â

ST will permanently penalize you with a bulk-erase of the non-volatile memory (NVM) areas if the sense line (red) is ever a logic low (’0′) with power applied (irrelevant of reset/clock condition).

You tell us your opinion what you think security wise.   Make sure you study the images closely beause there are other things we didn’t mention such as line spacing, etc. between the two designs which should be considered.

We probably should have been tweeting (sic?) for some time now but we are finally doing it!

You can join/follow us here: http://twitter.com/semiconduktor

As well, you can always get to Flylogic through Semiconduktor.com or Semiconduktor.net .

We want to personally thank every one of you who responded offering your help!

We followed what many of you said to do and this seems to have worked.

Thank you again!

Whenever the blog is enabled, spammers are able to deface the mainpages index.html file replacing it with hundreds of spam links to software.

The only way we can stop it is to stop the blog. We’ve tried cleaning the blog up but they still get in somehow through WordPress .

If you think you can help us, please email tech at flylogic.net

Thanks!