Flylogic's Analytical Blog

During last years Blackhat and Defcon conferences, several individuals asked me about possibly giving classes on the security model of commonly found microcontrollers.  Jeff Moss’ group setup a poll here.  Given todays Silicon technology has become so small yet so large, it would be best to determine which architecture and which devices everyone is most interested in.  The current poll will determine which brand micro to target (Atmel AVR or Microchip PIC) and after this is decided, we will need more input to narrow the class down to a few devices of the chosen family.

While the classes are not cheap, all participants will learn and understand the chosen targets security model.  Armed with such knowledge will help you to understand and recognize potential risks in future design work allowing you to avoid the possiblity of compromise (and I suppose this would also enhance job security .   Full mosaic blowups of the targets, decapsulated devices, use of a probe station and all users will “modify” the security model of their devices themselves (unless they ask for some help).  I don’t believe such a class has ever been given and seating will be limited per class.

Feel free to comment here but Blackhat really needs the feedback.

 

Thank you,

-Christopher Tarnovsky

Before going deeper into the analysis of today’s chips, we will take a quick journey to where it all began: the Intel 4004, world’s first widely-used microprocessor. The 4004 and most other antiquated chips differ from modern chips in two main characteristics: They only use a single type of transistor (PMOS or NMOS) and each logic gate is custom-designed to best utilize the available area — an inevitable optimization for chips built from transistors about 150x larger than those used in their modern descendants.

The pictures below show four custom-designed variations of the same logic function, 2-NAND:

Each of the gates is composed of two transistors and one resistor. If either of the transistors is open (that is: having Vcc applied to its gate), the output is strongly connected to Vcc. If neither of the transistors is open, the gate is weakly connected to GND through the resistor, but still strong enough to pull the output to GND. The next image shows the only metal layer of the 4004, just above the 2-NANDs:

PMOS is very area-efficient, but more power hungry and slower than alternatives such as CMOS, which combines PMOS and NMOS transistors as illustrated in this post. It’s beautiful to see how none of the inefficiencies we see in modern chips are found on the 4004 and how the available space is completely filled with logic. The entire 4004 has only some 2,300 transistors and makes for a perfect exercise in learning neat chip layout and logic gate design (click for a high-res version):

[edit - Jan 9, 2009:  Adding mosaic of entire substrate]

(Clicking on the picture above will result in a 45 MB download!)

As a challenge for next time, identify the extra 3 layers that the Intel museum claims. Last episode’s challenge was correctly solved first by Jeri Ellsworth. Respect for her almost perfect circuit diagram as well as her remarkable on-your-kitchen-table semiconductors fab.

Credit for the chips go to Tim McNerney. Tim is an expert on the 4004 who has built an interactive exhibit of the chip for the Intel museum. For more information please visit the Intel 4004 35th anniversary project web site.

-Karsten Nohl

All of us at Flylogic want to wish all of our wonderful readers a wonderful new year as we enter into 2009!  We will make an effort to post more frequently on the blog this year and appologize for lack of content last year.

Let’s start the year off right!  Who out there can guess what the image below is?

 

All of you were really fast to guess the above image so we decided to append a few more interesting pictures onto this article for your viewing pleasure.

Could these be mushrooms in the forrest of the smurfs?

These appear to be snails but snails of what and they are not the same!