0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/86 Thanks! 1 00:00:09,450 --> 00:00:11,609 I think we can begin now, so Dimitri 2 00:00:11,610 --> 00:00:13,709 is going to tell you something about 3 00:00:13,710 --> 00:00:15,990 the security of the IC backside. 4 00:00:17,310 --> 00:00:18,929 Please give him a warm round of applause. 5 00:00:24,410 --> 00:00:26,929 All right, so unfortunately, 6 00:00:26,930 --> 00:00:28,879 my my coauthors that I've done a lot of 7 00:00:28,880 --> 00:00:31,009 this research with couldn't be 8 00:00:31,010 --> 00:00:33,109 here, but so I get to do this alone, 9 00:00:33,110 --> 00:00:35,269 but this wasn't by any means just 10 00:00:35,270 --> 00:00:37,069 my work, but. 11 00:00:37,070 --> 00:00:38,989 And so this is a nice for people who 12 00:00:38,990 --> 00:00:41,239 maybe saw David Oswald's talk today. 13 00:00:41,240 --> 00:00:43,339 He kind of did a nice introduction 14 00:00:43,340 --> 00:00:45,649 to a lot of the concepts I'll cover 15 00:00:45,650 --> 00:00:47,119 today in terms of security. 16 00:00:47,120 --> 00:00:49,519 And also anyone who saw 17 00:00:49,520 --> 00:00:51,619 the talk by the Infineon guy 18 00:00:51,620 --> 00:00:53,269 just now, I'm sure got a very good 19 00:00:53,270 --> 00:00:54,979 overview as well. But that was in German, 20 00:00:54,980 --> 00:00:57,049 so I'll be covering a lot 21 00:00:57,050 --> 00:00:59,689 of the same stuff, but in English. 22 00:00:59,690 --> 00:01:01,639 So here's just a little bit about me. 23 00:01:01,640 --> 00:01:02,959 So I'm a third year Ph.D. 24 00:01:02,960 --> 00:01:04,759 student at TU Berlin at Security in 25 00:01:04,760 --> 00:01:05,869 Telecommunications. 
26 00:01:06,950 --> 00:01:08,839 So one of the my main interests is 27 00:01:08,840 --> 00:01:11,179 physical attacks. So what's a physical 28 00:01:11,180 --> 00:01:13,039 attack against an IC? That's where 29 00:01:13,040 --> 00:01:15,319 you actually go in and you 30 00:01:15,320 --> 00:01:16,909 do something to the transistors. 31 00:01:16,910 --> 00:01:19,159 So not externally connecting 32 00:01:19,160 --> 00:01:20,479 an oscilloscope, it's where you 33 00:01:20,480 --> 00:01:22,339 completely open up the device. 34 00:01:22,340 --> 00:01:24,589 You go in, you put a needle down 35 00:01:24,590 --> 00:01:26,419 or something along those lines. 36 00:01:26,420 --> 00:01:28,489 So and also, we'll learn 37 00:01:28,490 --> 00:01:30,709 what exactly these all these terms are. 38 00:01:30,710 --> 00:01:32,959 So semi and fully invasive 39 00:01:32,960 --> 00:01:35,299 analysis is kind of what we 40 00:01:35,300 --> 00:01:37,579 did, which was never done before. 41 00:01:37,580 --> 00:01:39,679 And an important thing 42 00:01:39,680 --> 00:01:41,869 which which I mention in all 43 00:01:41,870 --> 00:01:44,239 of my talks is failure analysis because 44 00:01:44,240 --> 00:01:45,649 a lot of people think that, you know, 45 00:01:45,650 --> 00:01:47,959 we're applying this to security and 46 00:01:47,960 --> 00:01:49,759 no one has ever thought of this before. 47 00:01:49,760 --> 00:01:51,559 And where, you know, how do people come 48 00:01:51,560 --> 00:01:52,939 up with these crazy ideas to do all these 49 00:01:52,940 --> 00:01:54,709 things? And it turns out there's a 50 00:01:54,710 --> 00:01:56,569 there's a whole industry for this and the 51 00:01:56,570 --> 00:01:58,309 industry is failure analysis. 
52 00:01:58,310 --> 00:02:00,829 So what failure analysis is, is 53 00:02:00,830 --> 00:02:03,409 is basically you have 54 00:02:03,410 --> 00:02:05,419 your when you're producing a chip and 55 00:02:05,420 --> 00:02:07,249 something goes wrong, you don't know what 56 00:02:07,250 --> 00:02:09,499 went wrong. So now you have to sit 57 00:02:09,500 --> 00:02:11,659 there and you have to you basically 58 00:02:11,660 --> 00:02:13,249 have to reverse engineer your own device 59 00:02:13,250 --> 00:02:14,659 even though you designed it because you 60 00:02:14,660 --> 00:02:15,769 don't know what went wrong. 61 00:02:15,770 --> 00:02:17,059 So that's fairly nuts. 62 00:02:17,060 --> 00:02:19,159 And so there's my, you know, Twitter. 63 00:02:19,160 --> 00:02:20,929 And if you want to contact me by email 64 00:02:20,930 --> 00:02:23,149 and I'm especially proud, it's my homage 65 00:02:23,150 --> 00:02:25,459 to to Dan that I 66 00:02:25,460 --> 00:02:27,319 got such a cool domain name. 67 00:02:28,790 --> 00:02:31,189 So this is just kind of a 68 00:02:31,190 --> 00:02:33,499 joke. So people who do electrical 69 00:02:33,500 --> 00:02:35,269 engineering and maybe don't know this 70 00:02:35,270 --> 00:02:37,549 well will appreciate this. 71 00:02:37,550 --> 00:02:39,769 So this is kind of this was an 72 00:02:39,770 --> 00:02:42,049 April Fool's joke done by Signetics many 73 00:02:42,050 --> 00:02:44,179 years ago, and this 74 00:02:44,180 --> 00:02:46,519 is this shows you from a conceptual 75 00:02:46,520 --> 00:02:47,520 level. 76 00:02:48,080 --> 00:02:49,819 Some of the main misconceptions that 77 00:02:49,820 --> 00:02:52,069 people have when it comes to hardware 78 00:02:52,070 --> 00:02:54,229 and if you apply to security, the 79 00:02:54,230 --> 00:02:56,839 one of the main misconceptions 80 00:02:56,840 --> 00:02:58,249 when it comes to security. 
81 00:02:58,250 --> 00:03:00,529 And so this as the joke 82 00:03:00,530 --> 00:03:02,629 is, so this is a data 83 00:03:02,630 --> 00:03:04,309 sheet. And what this is is a fully 84 00:03:04,310 --> 00:03:06,349 encoded random access write-only 85 00:03:06,350 --> 00:03:07,729 memory. 86 00:03:07,730 --> 00:03:09,799 So I don't know if people 87 00:03:09,800 --> 00:03:12,049 see the contradiction between 88 00:03:12,050 --> 00:03:14,299 memory and write-only, but it 89 00:03:14,300 --> 00:03:15,979 doesn't make a lot of sense. 90 00:03:15,980 --> 00:03:18,169 And actually, nowadays you do have write 91 00:03:18,170 --> 00:03:20,029 only memory or certain types of write 92 00:03:20,030 --> 00:03:21,349 only memories or things that are called 93 00:03:21,350 --> 00:03:22,309 write-only memory. 94 00:03:22,310 --> 00:03:23,779 But this is back in the 70s, and this 95 00:03:23,780 --> 00:03:25,189 literally meant something that you write 96 00:03:25,190 --> 00:03:27,079 to and you can never get the data out. 97 00:03:27,080 --> 00:03:29,689 And so they never get the data out is is 98 00:03:29,690 --> 00:03:30,979 kind of expressed in some of the 99 00:03:30,980 --> 00:03:31,969 applications. 100 00:03:31,970 --> 00:03:33,919 My favorite of which is the first-in 101 00:03:33,920 --> 00:03:35,629 never-out buffer. 102 00:03:35,630 --> 00:03:37,729 So, so your data goes in 103 00:03:37,730 --> 00:03:38,659 and it never gets out. 104 00:03:38,660 --> 00:03:40,789 And this is the I mean, everyone 105 00:03:40,790 --> 00:03:42,859 here is laughing and they see how absurd 106 00:03:42,860 --> 00:03:45,199 this is. But when you when you talk to 107 00:03:45,200 --> 00:03:47,179 vendors, when you talk to people doing 108 00:03:47,180 --> 00:03:49,369 security or people who try 109 00:03:49,370 --> 00:03:51,589 to build secure systems, they assume 110 00:03:51,590 --> 00:03:53,329 they write the data onto the secure 111 00:03:53,330 --> 00:03:54,829 hardware. 
And that's there's no way to 112 00:03:54,830 --> 00:03:56,539 get it out. Because the hardware has 113 00:03:56,540 --> 00:03:58,939 encryption, it's encrypting everything. 114 00:03:58,940 --> 00:04:00,949 Everything's being executed, you know, on 115 00:04:00,950 --> 00:04:02,059 the device and everything's being 116 00:04:02,060 --> 00:04:03,619 processed on the device and never leaves 117 00:04:03,620 --> 00:04:05,629 the device in an unencrypted form. 118 00:04:05,630 --> 00:04:07,849 And that's all true, but that means 119 00:04:07,850 --> 00:04:09,469 that it still gets decrypted on the 120 00:04:09,470 --> 00:04:11,659 device. So on the device somewhere, 121 00:04:11,660 --> 00:04:13,489 there's an area where you can find this 122 00:04:13,490 --> 00:04:15,649 and basically, you know, 123 00:04:15,650 --> 00:04:17,869 break the crypto by getting it 124 00:04:17,870 --> 00:04:20,059 decrypted and the device does 125 00:04:20,060 --> 00:04:21,018 all the decryption for you. 126 00:04:21,019 --> 00:04:22,369 You don't even have to know how it works. 127 00:04:22,370 --> 00:04:24,349 And so we'll we'll cover that a couple of 128 00:04:24,350 --> 00:04:25,549 times as well. 129 00:04:25,550 --> 00:04:27,709 So here's kind of the outline 130 00:04:27,710 --> 00:04:29,419 for today. So I'm going to do some 131 00:04:29,420 --> 00:04:30,379 background. 132 00:04:30,380 --> 00:04:33,079 And so there's then I'm going to get into 133 00:04:33,080 --> 00:04:35,299 IC reverse engineering and 134 00:04:35,300 --> 00:04:37,369 then we'll talk about what the backside 135 00:04:37,370 --> 00:04:40,279 is of an IC and why this is important. 136 00:04:40,280 --> 00:04:42,679 And finally, we'll get into the 137 00:04:42,680 --> 00:04:44,689 more exciting stuff that we did, which 138 00:04:44,690 --> 00:04:46,999 was the kind of new research 139 00:04:47,000 --> 00:04:49,069 the semi- and fully invasive 140 00:04:49,070 --> 00:04:50,070 stuff. 
141 00:04:50,780 --> 00:04:54,229 So for that, I have a nice little 142 00:04:54,230 --> 00:04:56,359 part of which is a nice also 143 00:04:56,360 --> 00:04:58,669 a nice motivation, a nice part of a nice 144 00:04:58,670 --> 00:05:00,649 BBC documentary, which was done. 145 00:05:00,650 --> 00:05:02,299 And so I hope to let's hope the sound 146 00:05:02,300 --> 00:05:04,130 works, OK? 147 00:05:07,930 --> 00:05:09,999 And ITV's ONdigital had 148 00:05:10,000 --> 00:05:12,999 picked one of those competitor systems. 149 00:05:13,000 --> 00:05:15,219 It was made by a French company called 150 00:05:15,220 --> 00:05:16,220 Canal Plus. 151 00:05:17,740 --> 00:05:20,589 Their smart card had never been hacked 152 00:05:20,590 --> 00:05:21,429 and 153 00:05:21,430 --> 00:05:22,929 Canal Plus Technologies were so 154 00:05:22,930 --> 00:05:25,209 confident in their ability 155 00:05:25,210 --> 00:05:27,549 to supply a secure system 156 00:05:27,550 --> 00:05:29,679 that they stated very openly that it 157 00:05:29,680 --> 00:05:30,680 was unhackable. 158 00:05:33,830 --> 00:05:35,089 The people who are selling us the 159 00:05:35,090 --> 00:05:37,009 microprocessor in which we embedded our 160 00:05:37,010 --> 00:05:38,899 software were telling us, I'm talking 161 00:05:38,900 --> 00:05:40,789 about the largest companies in this world 162 00:05:40,790 --> 00:05:43,399 of microprocessor cannot be broken. 163 00:05:43,400 --> 00:05:44,989 Your software cannot be extracted. 164 00:05:48,310 --> 00:05:50,439 But it could be. And NDS 165 00:05:50,440 --> 00:05:52,419 had the resources to do it. 166 00:05:52,420 --> 00:05:54,369 All of the common and did crack open the 167 00:05:54,370 --> 00:05:55,450 Canal Plus card. 168 00:05:58,880 --> 00:06:01,159 NDS now possessed the competitor's 169 00:06:01,160 --> 00:06:02,600 greatest commercial secrets. 
170 00:06:03,740 --> 00:06:05,959 Did people from the team in Haifa, 171 00:06:05,960 --> 00:06:08,749 your team reverse engineer, 172 00:06:08,750 --> 00:06:10,999 get a readout, understand the secrets 173 00:06:11,000 --> 00:06:13,639 of the Canal Plus encryption system 174 00:06:13,640 --> 00:06:14,809 of the kind of loose ideas? 175 00:06:16,340 --> 00:06:18,349 OK, so you get the idea. 176 00:06:18,350 --> 00:06:20,479 And so what happens is 177 00:06:20,480 --> 00:06:22,489 you extract the software from a from a 178 00:06:22,490 --> 00:06:24,199 smartcard and then you can build 179 00:06:24,200 --> 00:06:26,629 something like this, which 180 00:06:26,630 --> 00:06:28,639 I mean, I'll mention it also later, we're 181 00:06:28,640 --> 00:06:29,989 going to be hanging around. So if anyone 182 00:06:29,990 --> 00:06:31,939 wants to see all this kind of stuff 183 00:06:31,940 --> 00:06:33,559 because, I mean, it's impressive to me 184 00:06:33,560 --> 00:06:35,389 how simple it is. 185 00:06:35,390 --> 00:06:36,679 You can you can come and talk to me. 186 00:06:36,680 --> 00:06:38,599 But so what this is is it's one of the 187 00:06:38,600 --> 00:06:40,159 original pirate cards. 188 00:06:40,160 --> 00:06:42,379 So once they extracted the software, they 189 00:06:42,380 --> 00:06:44,299 knew how the cryptographic algorithm 190 00:06:44,300 --> 00:06:46,369 worked. And now they could go and grab 191 00:06:46,370 --> 00:06:48,259 a different microcontroller and make a 192 00:06:48,260 --> 00:06:50,539 PCB that basically, 193 00:06:50,540 --> 00:06:53,149 you know, fits into a pay TV 194 00:06:53,150 --> 00:06:55,339 receiver and you stick the card in and 195 00:06:55,340 --> 00:06:57,439 now you didn't pay anything, but you have 196 00:06:57,440 --> 00:06:58,459 all the channels. 197 00:06:58,460 --> 00:07:00,739 So this is what this is, what results 198 00:07:00,740 --> 00:07:03,469 from it? 
So again, the thing is, 199 00:07:03,470 --> 00:07:05,599 this is this is what used to be the 200 00:07:05,600 --> 00:07:07,609 case for the industry, because now we 201 00:07:07,610 --> 00:07:09,709 kind of shifted because it used to 202 00:07:09,710 --> 00:07:12,139 be that the the obfuscation 203 00:07:12,140 --> 00:07:13,849 was the fact was kind of what we talked 204 00:07:13,850 --> 00:07:15,619 about before. It was just the data. 205 00:07:15,620 --> 00:07:17,539 The fact there was data on the chip was 206 00:07:17,540 --> 00:07:19,759 considered to be 207 00:07:19,760 --> 00:07:22,009 a big enough kind of protection mechanism 208 00:07:22,010 --> 00:07:24,469 to protect anyone from 209 00:07:24,470 --> 00:07:26,629 attacks because no one would ever 210 00:07:26,630 --> 00:07:28,789 be able to extract the software from from 211 00:07:28,790 --> 00:07:30,859 a chip. And now we know 212 00:07:30,860 --> 00:07:32,959 that's not true. So what we'll 213 00:07:32,960 --> 00:07:34,969 be kind of getting into is what is what 214 00:07:34,970 --> 00:07:37,039 they do today, which is you implement the 215 00:07:37,040 --> 00:07:39,139 cryptographic algorithm in hardware 216 00:07:39,140 --> 00:07:40,639 instead, which makes it much more 217 00:07:40,640 --> 00:07:41,749 difficult to attack. 218 00:07:41,750 --> 00:07:43,519 But if you're more interested in this, 219 00:07:43,520 --> 00:07:45,859 this there's a nice book on this topic. 220 00:07:45,860 --> 00:07:47,989 So people who I 221 00:07:47,990 --> 00:07:50,569 talked to call it the book 222 00:07:50,570 --> 00:07:52,849 because it's pretty accurate 223 00:07:52,850 --> 00:07:54,769 and it has all the people who you need to 224 00:07:54,770 --> 00:07:56,929 know. 
And yeah, I 225 00:07:56,930 --> 00:07:58,789 mean, there's some, you know, it also 226 00:07:58,790 --> 00:08:01,339 covers the story of Tron, which 227 00:08:01,340 --> 00:08:03,559 CCC people will 228 00:08:03,560 --> 00:08:05,749 surely know, but it's basically 229 00:08:05,750 --> 00:08:07,939 how how chips actually 230 00:08:07,940 --> 00:08:09,499 get hacked. Because a lot of times when 231 00:08:09,500 --> 00:08:11,629 you look at academic publications, 232 00:08:11,630 --> 00:08:13,339 they talk about side channels and how it 233 00:08:13,340 --> 00:08:15,109 takes millions of traces and hours of 234 00:08:15,110 --> 00:08:16,369 integration, et cetera. 235 00:08:16,370 --> 00:08:18,769 And in the real world, you know, it's 236 00:08:18,770 --> 00:08:20,449 everyone wants to have success off the 237 00:08:20,450 --> 00:08:21,709 first time and they don't want to tinker 238 00:08:21,710 --> 00:08:22,999 with this. So they, you know, they get 239 00:08:23,000 --> 00:08:25,339 out the bazooka and do what 240 00:08:25,340 --> 00:08:26,959 is surely going to work. 241 00:08:26,960 --> 00:08:29,059 So and yeah, so let's 242 00:08:29,060 --> 00:08:31,429 get into that. So what you 243 00:08:31,430 --> 00:08:33,619 kind of have this, you have to think of 244 00:08:33,620 --> 00:08:35,689 classes of attacks when you talk about 245 00:08:35,690 --> 00:08:37,459 hardware security and so on the left, you 246 00:08:37,460 --> 00:08:39,558 have the the least expensive. 247 00:08:39,559 --> 00:08:41,359 The most simple attacks are noninvasive 248 00:08:41,360 --> 00:08:42,979 attacks. That's where you don't open up 249 00:08:42,980 --> 00:08:43,999 the device at all. 250 00:08:44,000 --> 00:08:46,129 So you connect to it externally, 251 00:08:46,130 --> 00:08:47,989 you watch the power consumption, you do 252 00:08:47,990 --> 00:08:49,999 something along those lines and semi- 253 00:08:50,000 --> 00:08:51,649 invasive analysis. 
Now you're opening up 254 00:08:51,650 --> 00:08:53,689 the package and now maybe you're trying 255 00:08:53,690 --> 00:08:55,849 to hit it with with a laser, for example. 256 00:08:55,850 --> 00:08:57,979 So using using a 257 00:08:57,980 --> 00:08:59,839 laser to induce a fault. 258 00:08:59,840 --> 00:09:02,239 Flip bits, et cetera. 259 00:09:02,240 --> 00:09:04,549 And fully invasive is what I explained 260 00:09:04,550 --> 00:09:06,259 before, which is the stuff that I always 261 00:09:06,260 --> 00:09:08,329 wanted to do is, you know, 262 00:09:08,330 --> 00:09:10,249 there's a circuit manufactured on this 263 00:09:10,250 --> 00:09:12,079 chip. I'm going to go in and change the 264 00:09:12,080 --> 00:09:14,179 circuit so that I can get at the data. 265 00:09:15,260 --> 00:09:17,419 So noninvasive techniques are 266 00:09:17,420 --> 00:09:19,759 stuff like side channel analysis 267 00:09:19,760 --> 00:09:21,859 and different types of glitching 268 00:09:21,860 --> 00:09:23,419 and fuzzing, et cetera. 269 00:09:23,420 --> 00:09:25,399 And so this is actually a project I did 270 00:09:25,400 --> 00:09:26,959 together with Thorsten, who's up here in 271 00:09:26,960 --> 00:09:29,449 the front row, the Die Datenkrake, 272 00:09:29,450 --> 00:09:31,519 which is a nice little FPGA board to 273 00:09:31,520 --> 00:09:33,739 play around with. And we'll also 274 00:09:33,740 --> 00:09:35,779 mention how you can come and talk to us 275 00:09:35,780 --> 00:09:37,219 about that at the end of the talk. 276 00:09:37,220 --> 00:09:39,409 But so here you, you can really 277 00:09:39,410 --> 00:09:41,179 do this low cost so you can do things 278 00:09:41,180 --> 00:09:42,559 like there will be protocol errors. 279 00:09:42,560 --> 00:09:44,509 So now if you can talk to the device, you 280 00:09:44,510 --> 00:09:46,849 might be able to induce some 281 00:09:46,850 --> 00:09:48,409 some errors and dump a couple of bytes 282 00:09:48,410 --> 00:09:49,969 that way. 
Or you can play around with a 283 00:09:49,970 --> 00:09:52,039 clock or the voltage, et cetera. 284 00:09:52,040 --> 00:09:54,139 But so why is 285 00:09:54,140 --> 00:09:55,939 this not applicable? 286 00:09:55,940 --> 00:09:57,409 I kind of touched on this already. 287 00:09:57,410 --> 00:09:59,569 So I mean, on the one hand, I mean, this 288 00:09:59,570 --> 00:10:00,929 is kind of to compare and contrast. 289 00:10:00,930 --> 00:10:02,089 On the one hand, you have limited 290 00:10:02,090 --> 00:10:04,339 resources versus organizations 291 00:10:04,340 --> 00:10:05,779 that are very well equipped. 292 00:10:05,780 --> 00:10:07,999 And we kind of saw in the in the video, 293 00:10:08,000 --> 00:10:10,249 right? This was a professional lab 294 00:10:10,250 --> 00:10:12,829 from one of the competitors that 295 00:10:12,830 --> 00:10:14,149 hacked this chip. 296 00:10:14,150 --> 00:10:16,219 So, so in the real world, 297 00:10:16,220 --> 00:10:18,289 it's not always, you know, somebody 298 00:10:18,290 --> 00:10:19,909 in their garage, although there is also 299 00:10:19,910 --> 00:10:21,739 Chris Tarnovsky, who does all this stuff 300 00:10:21,740 --> 00:10:23,899 in his garage, too. But I mean, the point 301 00:10:23,900 --> 00:10:26,449 is, is that in general, you you 302 00:10:26,450 --> 00:10:28,099 don't have the case where you have 303 00:10:28,100 --> 00:10:29,719 limited resources, you have substantial 304 00:10:29,720 --> 00:10:31,769 resources. That's kind of a 305 00:10:33,950 --> 00:10:36,379 misrepresented in academia. 306 00:10:36,380 --> 00:10:38,629 And so the thing like I said before, 307 00:10:38,630 --> 00:10:40,579 you want to have a foolproof attack, 308 00:10:40,580 --> 00:10:42,079 something you can do with a single trace 309 00:10:42,080 --> 00:10:43,159 so you don't have to. 
310 00:10:43,160 --> 00:10:45,919 So like for side channel analysis, 311 00:10:45,920 --> 00:10:47,749 a lot of times you'll talk about millions 312 00:10:47,750 --> 00:10:49,849 of traces. So what do people do to 313 00:10:49,850 --> 00:10:51,559 prevent side channel analysis? 314 00:10:51,560 --> 00:10:53,179 They have a counter, and the counter 315 00:10:53,180 --> 00:10:55,249 usually counts to two to the 316 00:10:55,250 --> 00:10:56,959 minus one. So it counts to sixty five 317 00:10:56,960 --> 00:10:59,229 thousand. And then after that, the card 318 00:10:59,230 --> 00:11:00,509 erases itself, and you're done. 319 00:11:00,510 --> 00:11:02,159 You can't do anything on this card, so 320 00:11:02,160 --> 00:11:04,379 you can't talk about doing 321 00:11:04,380 --> 00:11:06,479 a million repetitions to to extract 322 00:11:06,480 --> 00:11:07,589 some sort of key. 323 00:11:07,590 --> 00:11:09,809 So the the again 324 00:11:09,810 --> 00:11:12,149 high security attacks, you always assume 325 00:11:12,150 --> 00:11:14,339 that you have kind of a black box, but 326 00:11:14,340 --> 00:11:16,089 it doesn't stay a black box to you. 327 00:11:16,090 --> 00:11:17,629 You actually reverse engineered it. 328 00:11:17,630 --> 00:11:19,889 And you, you, you figure out 329 00:11:19,890 --> 00:11:21,539 how the crypto system works, which which 330 00:11:21,540 --> 00:11:23,579 is also kind of I found it interesting to 331 00:11:23,580 --> 00:11:24,869 me when I saw David's talk. 332 00:11:24,870 --> 00:11:26,469 He kind of touched on that as well. 333 00:11:26,470 --> 00:11:28,199 This is that for even for their side 334 00:11:28,200 --> 00:11:30,899 channel stuff, for for certain 335 00:11:30,900 --> 00:11:32,129 applications, they really have to 336 00:11:32,130 --> 00:11:33,539 understand how the crypto system works as 337 00:11:33,540 --> 00:11:35,639 well. 
So anyway, but the main 338 00:11:35,640 --> 00:11:37,109 thing is, you know, there there are 339 00:11:37,110 --> 00:11:39,299 countermeasures and weird stuff 340 00:11:39,300 --> 00:11:41,399 that people do on chips nowadays, and 341 00:11:41,400 --> 00:11:43,469 you have that on the you have 342 00:11:43,470 --> 00:11:45,629 that in every, you know, 343 00:11:45,630 --> 00:11:47,099 chip that you buy. You know, it is this 344 00:11:47,100 --> 00:11:48,329 relatively secure. 345 00:11:48,330 --> 00:11:50,429 And this is enough to to 346 00:11:50,430 --> 00:11:52,199 stop noninvasive techniques. 347 00:11:52,200 --> 00:11:54,389 But high security kinds 348 00:11:54,390 --> 00:11:56,459 of analysis will always be able to 349 00:11:56,460 --> 00:11:58,559 circumvent any techniques implemented 350 00:11:58,560 --> 00:11:59,939 on the device because we can actually 351 00:11:59,940 --> 00:12:01,139 change the circuit. 352 00:12:01,140 --> 00:12:04,529 So what's IC reverse engineering? 353 00:12:04,530 --> 00:12:06,179 So here we can kind of kind of look at 354 00:12:06,180 --> 00:12:08,339 it. So, you know, transistors 355 00:12:08,340 --> 00:12:10,739 are created at the surface of the silicon 356 00:12:10,740 --> 00:12:12,839 wafer. And now on top of that, 357 00:12:12,840 --> 00:12:15,029 we have interconnects going 358 00:12:15,030 --> 00:12:16,979 around connecting the different circuit 359 00:12:16,980 --> 00:12:19,199 nodes and basically you 360 00:12:19,200 --> 00:12:21,299 passivation around it. 361 00:12:21,300 --> 00:12:23,399 So if you look on this 362 00:12:23,400 --> 00:12:25,229 picture, you actually the MOSFET is 363 00:12:25,230 --> 00:12:27,359 actually, you know, here in the in the 364 00:12:27,360 --> 00:12:29,519 middle and around 365 00:12:29,520 --> 00:12:30,539 it, you have passivation. 366 00:12:30,540 --> 00:12:32,789 So so sorry, on top of it, 367 00:12:32,790 --> 00:12:34,499 you have these this metallization. 
368 00:12:34,500 --> 00:12:35,729 So like I talked about, these are the 369 00:12:35,730 --> 00:12:37,589 metal interconnects and around it, you 370 00:12:37,590 --> 00:12:39,689 also have this isolation, which kind 371 00:12:39,690 --> 00:12:41,999 of provides the chip structure, 372 00:12:42,000 --> 00:12:43,739 and it allows you to deposit layers on 373 00:12:43,740 --> 00:12:45,629 top of it, et cetera. And so this is also 374 00:12:45,630 --> 00:12:47,969 something which a lot of people think 375 00:12:47,970 --> 00:12:49,079 you know, that you look through a 376 00:12:49,080 --> 00:12:51,209 microscope and you can see the tracks 377 00:12:51,210 --> 00:12:52,349 running all across the chip. 378 00:12:52,350 --> 00:12:54,269 But in reality, you know, there's layers 379 00:12:54,270 --> 00:12:56,489 and layers of of of this. 380 00:12:56,490 --> 00:12:58,349 It's literally glass that you have to 381 00:12:58,350 --> 00:13:00,689 remove first before you can access the 382 00:13:00,690 --> 00:13:02,399 the chip. So it's not visible to the eye, 383 00:13:02,400 --> 00:13:03,359 but it's there. 384 00:13:03,360 --> 00:13:05,999 And so, yeah, but 385 00:13:06,000 --> 00:13:08,189 so just continuing. 386 00:13:08,190 --> 00:13:10,409 So the the thing is, you now 387 00:13:10,410 --> 00:13:12,539 have. So let me zoom 388 00:13:12,540 --> 00:13:14,699 out, you know, sorry, next 389 00:13:14,700 --> 00:13:17,069 slide. So the the thing 390 00:13:17,070 --> 00:13:18,659 that you actually end up doing when 391 00:13:18,660 --> 00:13:21,119 you're looking at a device is you begin 392 00:13:21,120 --> 00:13:23,129 to you want to reconstruct the logical 393 00:13:23,130 --> 00:13:24,479 function that's actually implemented in the 394 00:13:24,480 --> 00:13:26,699 hardware. And to do that is you do 395 00:13:26,700 --> 00:13:27,959 what I have here. 
396 00:13:27,960 --> 00:13:30,209 You image the chip and so you don't have 397 00:13:30,210 --> 00:13:32,339 one layer, you have multiple layers. 398 00:13:32,340 --> 00:13:34,439 So usually like on a modern 399 00:13:34,440 --> 00:13:36,869 smartcard, you might have five 400 00:13:36,870 --> 00:13:38,519 to seven or eight metal layers. 401 00:13:38,520 --> 00:13:40,559 If you have something like as complex as 402 00:13:40,560 --> 00:13:42,719 an Intel CPU, you 403 00:13:42,720 --> 00:13:44,939 have something like 15 layers, et cetera. 404 00:13:44,940 --> 00:13:48,179 And so you even see the complexity 405 00:13:48,180 --> 00:13:50,369 going up. It gets very complicated just 406 00:13:50,370 --> 00:13:51,599 because of all the routing you have to 407 00:13:51,600 --> 00:13:53,759 do. So but the process is 408 00:13:53,760 --> 00:13:56,189 always the same. So you image the device, 409 00:13:56,190 --> 00:13:58,589 you begin to identify the gates and 410 00:13:58,590 --> 00:14:00,209 you begin to reconstruct the netlist. 411 00:14:00,210 --> 00:14:02,309 So the netlist is kind of the logical 412 00:14:02,310 --> 00:14:04,109 function that the circuit represents. 413 00:14:04,110 --> 00:14:06,419 So that's where you see like an 414 00:14:06,420 --> 00:14:08,519 AND gate kind 415 00:14:08,520 --> 00:14:09,749 of like as a function. 416 00:14:09,750 --> 00:14:11,579 And there, if you sit there with a pen 417 00:14:11,580 --> 00:14:13,589 and paper, you can say, OK, what if I 418 00:14:13,590 --> 00:14:15,439 have a one here and a zero here? 419 00:14:15,440 --> 00:14:17,669 What do I get at the output, et cetera, 420 00:14:17,670 --> 00:14:20,279 of of a very complex, multi-stage 421 00:14:20,280 --> 00:14:22,439 circuit? 
So anyway, but the 422 00:14:22,440 --> 00:14:23,759 thing we want to do is now that we have 423 00:14:23,760 --> 00:14:25,499 the netlist, we can see where is the 424 00:14:25,500 --> 00:14:27,989 data decrypted and now we can isolate 425 00:14:27,990 --> 00:14:30,269 that logic and we can basically extract 426 00:14:30,270 --> 00:14:31,949 the secret data there, because now the 427 00:14:31,950 --> 00:14:33,809 chip decrypted the data for us. 428 00:14:33,810 --> 00:14:35,699 And so now we can pinpoint that area 429 00:14:35,700 --> 00:14:37,829 where it's decrypted and get the data out 430 00:14:37,830 --> 00:14:38,830 from there. 431 00:14:39,300 --> 00:14:40,829 So just to give you an idea if you're 432 00:14:40,830 --> 00:14:42,929 just an example, so this is just a 433 00:14:42,930 --> 00:14:45,479 simple should be a 434 00:14:45,480 --> 00:14:47,369 NAND gate. One of the classics. 435 00:14:47,370 --> 00:14:49,799 And so you just have the the 436 00:14:49,800 --> 00:14:51,659 A and B and the output. 437 00:14:51,660 --> 00:14:53,519 And in this case, the output's not 438 00:14:53,520 --> 00:14:55,829 connected to anything because this was 439 00:14:55,830 --> 00:14:57,539 a weird type of gate, but I'm not going 440 00:14:57,540 --> 00:14:58,619 to get into that. 441 00:14:58,620 --> 00:15:00,929 But the thing is like 442 00:15:00,930 --> 00:15:03,029 another thing which people underestimate 443 00:15:03,030 --> 00:15:05,009 when they think, you know, you do IC 444 00:15:05,010 --> 00:15:07,079 stuff and how do you look at chips? 445 00:15:07,080 --> 00:15:08,379 And that's unbelievable. 446 00:15:08,380 --> 00:15:10,739 You know how how 447 00:15:10,740 --> 00:15:12,809 you know how much experience is 448 00:15:12,810 --> 00:15:14,669 behind it. And the reality is what a lot 449 00:15:14,670 --> 00:15:16,559 of people, people just haven't seen these 450 00:15:16,560 --> 00:15:17,459 kinds of images. 
451 00:15:17,460 --> 00:15:19,619 So what you do, and the human 452 00:15:19,620 --> 00:15:21,719 eye is very good for this, is you look 453 00:15:21,720 --> 00:15:23,609 at a chip and all of a sudden you see, 454 00:15:23,610 --> 00:15:25,559 Hey, those look alike. 455 00:15:25,560 --> 00:15:27,689 And over here, those look alike on 456 00:15:27,690 --> 00:15:30,209 the sides. So so what 457 00:15:30,210 --> 00:15:31,589 this is is in the middle where you had 458 00:15:31,590 --> 00:15:33,539 inverters and on the right and left you 459 00:15:33,540 --> 00:15:34,859 have flip flops. 460 00:15:34,860 --> 00:15:36,989 So you don't sit there figuring 461 00:15:36,990 --> 00:15:38,609 out, you know, what the logical function 462 00:15:38,610 --> 00:15:40,649 is. You one time with your eye, you 463 00:15:40,650 --> 00:15:42,659 recognize that this is a flip flop. 464 00:15:42,660 --> 00:15:44,189 And so you kind of scroll through the 465 00:15:44,190 --> 00:15:46,409 device identifying, 466 00:15:46,410 --> 00:15:47,699 Oh, that's a flip flop. 467 00:15:47,700 --> 00:15:49,559 So let me maybe write that down if I'm if 468 00:15:49,560 --> 00:15:52,319 I'm doing this on paper, et cetera. 469 00:15:52,320 --> 00:15:54,629 And so the only thing that's missing is 470 00:15:54,630 --> 00:15:56,069 this is just the gates. 471 00:15:56,070 --> 00:15:58,049 So. But they're somehow logically 472 00:15:58,050 --> 00:16:00,149 connected, so let's take a look at that. 473 00:16:00,150 --> 00:16:02,159 And so here's an example. 474 00:16:02,160 --> 00:16:04,049 This was some device and we'll get into 475 00:16:04,050 --> 00:16:05,669 what we actually see here. 476 00:16:05,670 --> 00:16:07,649 So we have a we have something that 477 00:16:07,650 --> 00:16:09,869 starts down here and 478 00:16:09,870 --> 00:16:11,250 and then it goes up 479 00:16:12,630 --> 00:16:14,939 here and it ends, 480 00:16:14,940 --> 00:16:16,049 but it doesn't actually end. 
481 00:16:16,050 --> 00:16:16,979 It goes down. 482 00:16:16,980 --> 00:16:18,899 So now it goes down onto this layer. 483 00:16:18,900 --> 00:16:20,160 And so now it goes to the left, 484 00:16:21,240 --> 00:16:23,669 and now it goes down one more time. 485 00:16:23,670 --> 00:16:25,319 And now, boom, we're in that gate. 486 00:16:25,320 --> 00:16:27,239 So this is the input to the inverter. 487 00:16:27,240 --> 00:16:29,519 And so now we have the we have the 488 00:16:29,520 --> 00:16:31,049 the gate, and now we look at the output 489 00:16:31,050 --> 00:16:32,459 because there's only one output and you 490 00:16:32,460 --> 00:16:34,589 can actually see the the the 491 00:16:34,590 --> 00:16:36,599 contact, you can actually see what's 492 00:16:36,600 --> 00:16:38,549 going up. It's the dot. 493 00:16:38,550 --> 00:16:39,869 So that's either the inputs or the 494 00:16:39,870 --> 00:16:41,309 outputs, that's the actual connection to 495 00:16:41,310 --> 00:16:43,799 the different to the other metal layers. 496 00:16:43,800 --> 00:16:45,949 So now it's going up, obviously, because 497 00:16:45,950 --> 00:16:46,949 they can't go down anymore. 498 00:16:46,950 --> 00:16:48,419 That's the bottom metal layer. 499 00:16:48,420 --> 00:16:50,489 So now it goes up over here. 500 00:16:50,490 --> 00:16:52,259 And so now we know we can see it goes 501 00:16:52,260 --> 00:16:54,869 over to the left and up and 502 00:16:54,870 --> 00:16:56,849 boom, we hit the flip flop. 503 00:16:56,850 --> 00:16:58,709 So that was the image we had before. 504 00:16:58,710 --> 00:17:00,839 So if you actually reconstructed this, we 505 00:17:00,840 --> 00:17:03,119 have some nonvolatile memory 506 00:17:03,120 --> 00:17:04,379 because that's where we started off. 507 00:17:04,380 --> 00:17:06,368 We know that the chip has its program 508 00:17:06,369 --> 00:17:07,919 stored in nonvolatile memory. 
509 00:17:07,920 --> 00:17:09,719 And now we start going from there and 510 00:17:09,720 --> 00:17:10,919 then we have an XOR. 511 00:17:10,920 --> 00:17:12,328 And then for whatever reason, we have an 512 00:17:12,329 --> 00:17:14,459 inverter because you can just have 513 00:17:14,460 --> 00:17:16,169 inverters sometimes, and it doesn't 514 00:17:16,170 --> 00:17:17,098 really affect anything. 515 00:17:17,099 --> 00:17:18,269 It just flips a bit, right? 516 00:17:18,270 --> 00:17:20,459 So and then we have our flip flop and 517 00:17:20,460 --> 00:17:22,529 then all of a sudden and I didn't show it 518 00:17:22,530 --> 00:17:24,659 here, you'll realize that after that you 519 00:17:24,660 --> 00:17:26,608 have the ALU and all these parts, which 520 00:17:26,609 --> 00:17:27,989 are actually parts of the core. 521 00:17:27,990 --> 00:17:29,649 So but just keep that in mind. 522 00:17:29,650 --> 00:17:31,919 So now just to just to give you a better 523 00:17:31,920 --> 00:17:33,539 idea of of what it is. 524 00:17:33,540 --> 00:17:35,729 So another thing that you 525 00:17:35,730 --> 00:17:37,229 do. You don't just start making these 526 00:17:37,230 --> 00:17:38,369 images. The first thing you do is you 527 00:17:38,370 --> 00:17:40,079 make it like an overview of the chip. 528 00:17:40,080 --> 00:17:42,199 So here you can already see 529 00:17:42,200 --> 00:17:43,589 and get a lot of information about the 530 00:17:43,590 --> 00:17:45,359 device so you can see that you have flash 531 00:17:45,360 --> 00:17:47,249 up there because it's a big nonvolatile 532 00:17:47,250 --> 00:17:49,319 memory. You can see the SRAM 533 00:17:49,320 --> 00:17:50,849 and EEPROM at the bottom. 534 00:17:50,850 --> 00:17:52,979 And then here you have your actual 535 00:17:52,980 --> 00:17:54,539 core. And how do I know that that's the 536 00:17:54,540 --> 00:17:56,609 core?
Well, it's just like when 537 00:17:56,610 --> 00:17:59,189 you write, you know, write, 538 00:17:59,190 --> 00:18:00,959 compile something logic. 539 00:18:00,960 --> 00:18:02,669 So if you were to write assembler by 540 00:18:02,670 --> 00:18:04,439 hand, you would get something which is 541 00:18:04,440 --> 00:18:06,749 much more humanly readable 542 00:18:06,750 --> 00:18:09,539 than something that GCC 543 00:18:09,540 --> 00:18:11,219 potentially spits out at you because it 544 00:18:11,220 --> 00:18:12,719 will do tons of optimizations that you've 545 00:18:12,720 --> 00:18:13,889 never heard of, etc. 546 00:18:13,890 --> 00:18:15,389 And the same thing is the case here. 547 00:18:15,390 --> 00:18:17,759 So you have this gray area which 548 00:18:17,760 --> 00:18:19,949 doesn't have any any structure to it. 549 00:18:19,950 --> 00:18:21,539 And the reason for that is it went 550 00:18:21,540 --> 00:18:23,519 through synthesis. 551 00:18:23,520 --> 00:18:25,319 It went through something which spit out 552 00:18:25,320 --> 00:18:28,599 the most optimized code. 553 00:18:28,600 --> 00:18:30,839 I mean, layout, netlists that it could, 554 00:18:30,840 --> 00:18:32,079 and that's what gets placed there. 555 00:18:32,080 --> 00:18:33,509 And so in the middle, in the core, you 556 00:18:33,510 --> 00:18:35,669 see completely irregular structures, so 557 00:18:35,670 --> 00:18:37,679 it's almost depending on the device. 558 00:18:37,680 --> 00:18:39,749 It'll look very gray or 559 00:18:39,750 --> 00:18:42,399 something between, you know, black and 560 00:18:42,400 --> 00:18:44,579 and copper or whatever. 561 00:18:44,580 --> 00:18:46,739 So anyway, but the 562 00:18:46,740 --> 00:18:48,299 thing to remember is that so we have the 563 00:18:48,300 --> 00:18:50,399 flash and this data goes into the 564 00:18:50,400 --> 00:18:51,899 core.
So somewhere between the flash 565 00:18:51,900 --> 00:18:53,789 and the core, we can find these wires, 566 00:18:53,790 --> 00:18:55,679 which I had on the previous slide. 567 00:18:55,680 --> 00:18:58,169 So this is the case if you're 568 00:18:58,170 --> 00:19:00,209 extracting data from a device which 569 00:19:00,210 --> 00:19:01,799 doesn't have encryption. So what is what 570 00:19:01,800 --> 00:19:02,999 if it has encryption? 571 00:19:03,000 --> 00:19:05,099 Well, we've kind of discussed this 572 00:19:05,100 --> 00:19:07,769 already that a CPU, it can't process 573 00:19:07,770 --> 00:19:09,959 encrypted data, so the 574 00:19:09,960 --> 00:19:11,189 environment is encrypted. 575 00:19:11,190 --> 00:19:12,779 And now this data comes out of the 576 00:19:12,780 --> 00:19:14,999 nonvolatile memory and it goes 577 00:19:15,000 --> 00:19:16,619 into the core. But before it gets to the 578 00:19:16,620 --> 00:19:18,269 core, it has to be decrypted. 579 00:19:18,270 --> 00:19:20,549 So now we know that we have a decryption 580 00:19:20,550 --> 00:19:21,749 function here somewhere. 581 00:19:21,750 --> 00:19:23,309 So now let's go back to this. 582 00:19:23,310 --> 00:19:25,379 So in the case where we don't have 583 00:19:25,380 --> 00:19:27,509 any encryption function, we would have 584 00:19:27,510 --> 00:19:29,549 just nonvolatile memory shooting straight 585 00:19:29,550 --> 00:19:32,219 through into our registers. 586 00:19:32,220 --> 00:19:34,469 But now we have an extra 587 00:19:34,470 --> 00:19:36,599 hint hint, which we don't even know 588 00:19:36,600 --> 00:19:37,529 what the other input is. 589 00:19:37,530 --> 00:19:38,999 And the other input is some sort of 590 00:19:39,000 --> 00:19:40,379 encryption function, which we don't even 591 00:19:40,380 --> 00:19:42,209 care about because the data we know for a 592 00:19:42,210 --> 00:19:44,549 fact will be decrypted on the right side. 
593 00:19:44,550 --> 00:19:46,529 So that's just to give you an idea of the 594 00:19:46,530 --> 00:19:49,559 of the kind of general workflow. 595 00:19:49,560 --> 00:19:51,569 So you can also automate this process. 596 00:19:51,570 --> 00:19:53,159 So this is like Degate for 597 00:19:53,160 --> 00:19:55,619 professionals. So this is 598 00:19:55,620 --> 00:19:57,719 Olivier Thomas's talk 599 00:19:57,720 --> 00:19:59,789 from Recon. And so he actually did was he 600 00:19:59,790 --> 00:20:01,109 did something much more advanced than 601 00:20:01,110 --> 00:20:03,329 Degate. And this is literally a chip 602 00:20:03,330 --> 00:20:05,459 where it's stitching the images in real 603 00:20:05,460 --> 00:20:07,019 time, and he can just scroll around the 604 00:20:07,020 --> 00:20:09,329 chip and see all the connections 605 00:20:09,330 --> 00:20:11,399 and extract partial or full 606 00:20:11,400 --> 00:20:12,899 netlists, et cetera. 607 00:20:12,900 --> 00:20:15,659 And so this is kind of like, 608 00:20:15,660 --> 00:20:17,399 I mean, there's you should you should. 609 00:20:17,400 --> 00:20:18,839 I don't want to take anything away from 610 00:20:18,840 --> 00:20:20,289 him because he did a really good talk and 611 00:20:20,290 --> 00:20:21,899 explained a lot of the engineering 612 00:20:21,900 --> 00:20:23,589 decisions because he also started with 613 00:20:23,590 --> 00:20:25,349 something like Degate and why he ended 614 00:20:25,350 --> 00:20:27,269 up doing things like this and why this 615 00:20:27,270 --> 00:20:28,349 works much better. 616 00:20:28,350 --> 00:20:30,149 And it's kind of interesting, even from 617 00:20:30,150 --> 00:20:31,739 an IC engineering point of view to 618 00:20:31,740 --> 00:20:33,839 listen to this.
But this is this is 619 00:20:33,840 --> 00:20:35,939 kind of the direction that if you when 620 00:20:35,940 --> 00:20:37,919 people ask me, you know, where do you 621 00:20:37,920 --> 00:20:39,659 what do you think attacks are going to be 622 00:20:39,660 --> 00:20:41,999 in the future? So now if everyone 623 00:20:42,000 --> 00:20:45,029 is making their own, you know, custom 624 00:20:45,030 --> 00:20:48,119 hardware, then you have 625 00:20:48,120 --> 00:20:50,249 software like this to deobfuscate it 626 00:20:50,250 --> 00:20:51,779 for you because the obfuscation that you 627 00:20:51,780 --> 00:20:53,519 did is you converted your algorithm from 628 00:20:53,520 --> 00:20:55,589 software to hardware, put it on the 629 00:20:55,590 --> 00:20:57,199 device. And you assume that no one will 630 00:20:57,200 --> 00:20:58,729 ever be able to extract this. 631 00:20:58,730 --> 00:21:00,979 And another thing which I already 632 00:21:00,980 --> 00:21:03,229 had a discussion in kind of the speaker 633 00:21:03,230 --> 00:21:05,569 room that I expect is with software 634 00:21:05,570 --> 00:21:07,249 like this, you can also reconstruct the 635 00:21:07,250 --> 00:21:09,439 masks. So now you can go 636 00:21:09,440 --> 00:21:12,139 ahead and produce your own 637 00:21:12,140 --> 00:21:14,329 copy of this chip if you want 638 00:21:14,330 --> 00:21:16,729 it to. And so the interesting thing is, 639 00:21:16,730 --> 00:21:18,439 let's say you have something like, let's 640 00:21:18,440 --> 00:21:20,629 say somebody in the world was 641 00:21:20,630 --> 00:21:23,089 was smart enough to build a bitcoin ASIC, 642 00:21:23,090 --> 00:21:25,189 which was substantially better 643 00:21:25,190 --> 00:21:26,689 than all the other bitcoin.
644 00:21:26,690 --> 00:21:29,059 So now somebody in a country 645 00:21:29,060 --> 00:21:31,399 which doesn't respect, you know, patent 646 00:21:31,400 --> 00:21:33,619 and IP law as much as you do maybe 647 00:21:33,620 --> 00:21:36,019 in Germany goes ahead 648 00:21:36,020 --> 00:21:37,969 and constructs their own mask set and 649 00:21:37,970 --> 00:21:38,989 sends it off to somewhere. 650 00:21:38,990 --> 00:21:40,489 And now they get the best. 651 00:21:40,490 --> 00:21:42,649 Effectively the best bitcoin ASIC 652 00:21:42,650 --> 00:21:44,719 without spending a year 653 00:21:44,720 --> 00:21:45,919 of development of this thing. 654 00:21:45,920 --> 00:21:48,019 And now they can produce it for and save 655 00:21:48,020 --> 00:21:49,969 money over going to the to the 656 00:21:49,970 --> 00:21:52,009 manufacturer and having them produce the 657 00:21:52,010 --> 00:21:54,169 system. So, I mean, the fact that you 658 00:21:54,170 --> 00:21:56,629 can deobfuscate hardware and automate this, 659 00:21:56,630 --> 00:21:58,819 it makes it 660 00:21:58,820 --> 00:22:00,859 opens up a lot of areas, new areas of 661 00:22:00,860 --> 00:22:02,179 research that people haven't really 662 00:22:02,180 --> 00:22:04,039 thought about. I mean, the other obvious 663 00:22:04,040 --> 00:22:06,139 cases. So let's say you have pay TV 664 00:22:06,140 --> 00:22:08,209 again. So now you have a smart 665 00:22:08,210 --> 00:22:10,309 card, which basically does some 666 00:22:10,310 --> 00:22:11,509 sort of encryption on it. 667 00:22:11,510 --> 00:22:14,059 And so now you go, you deobfuscate 668 00:22:14,060 --> 00:22:16,729 this, you extract the cryptographic, 669 00:22:16,730 --> 00:22:19,159 you know, the hardware crypto 670 00:22:19,160 --> 00:22:21,289 that's implemented on the device and now 671 00:22:21,290 --> 00:22:23,599 you design the pirate card.
672 00:22:23,600 --> 00:22:25,279 Except now, instead of having a 673 00:22:25,280 --> 00:22:27,289 microcontroller as an FPGA because on the 674 00:22:27,290 --> 00:22:30,019 FPGA, you can now synthesize 675 00:22:30,020 --> 00:22:31,549 whatever the hardware function did. 676 00:22:31,550 --> 00:22:34,189 Now again, you have piracy 677 00:22:34,190 --> 00:22:35,359 everywhere. 678 00:22:35,360 --> 00:22:37,429 OK. But this is all kind of 679 00:22:37,430 --> 00:22:39,109 a background to IC security in 680 00:22:39,110 --> 00:22:40,939 general, so let's get into what we 681 00:22:40,940 --> 00:22:43,129 actually did. And so we did 682 00:22:43,130 --> 00:22:45,529 stuff with the IC backside. 683 00:22:45,530 --> 00:22:47,599 So this is these are things 684 00:22:47,600 --> 00:22:49,669 that. So these are attacks that 685 00:22:49,670 --> 00:22:51,829 go all the way through the 686 00:22:51,830 --> 00:22:53,959 silicon substrate. And actually, I don't 687 00:22:53,960 --> 00:22:55,369 have it on me. 688 00:22:55,370 --> 00:22:57,439 I think it's in my bag, but I also have 689 00:22:57,440 --> 00:22:58,549 the chips that we opened up. 690 00:22:58,550 --> 00:23:00,649 So if you come and see me, I can let you 691 00:23:00,650 --> 00:23:02,359 look at what they look like. 692 00:23:02,360 --> 00:23:04,499 So, yeah, 693 00:23:04,500 --> 00:23:05,959 so to understand the backside, let's talk 694 00:23:05,960 --> 00:23:07,189 about the front side first because the 695 00:23:07,190 --> 00:23:08,839 front side is what was done up until 696 00:23:08,840 --> 00:23:10,939 today. And so now 697 00:23:10,940 --> 00:23:12,379 you kind of front side attacks are 698 00:23:12,380 --> 00:23:14,509 becoming unattractive, which is why we 699 00:23:14,510 --> 00:23:16,309 were motivated to look at the back side.
700 00:23:16,310 --> 00:23:18,259 And the reason for that is you have lots 701 00:23:18,260 --> 00:23:19,699 and lots of interconnect layers like I 702 00:23:19,700 --> 00:23:22,219 described before, like on an Intel chip, 703 00:23:22,220 --> 00:23:24,589 you would have no way 704 00:23:24,590 --> 00:23:26,299 to do anything to the chip from the front 705 00:23:26,300 --> 00:23:27,919 side. There's just too many metal layers. 706 00:23:27,920 --> 00:23:29,719 You would spend too much time moving 707 00:23:29,720 --> 00:23:31,609 signals out of the way just to interface 708 00:23:31,610 --> 00:23:33,799 to the to the very, you know, 709 00:23:33,800 --> 00:23:35,689 transistor level or to the very low level 710 00:23:35,690 --> 00:23:36,690 of the device. 711 00:23:37,340 --> 00:23:38,869 And the other thing is you have 712 00:23:38,870 --> 00:23:40,729 countermeasures like active shields and 713 00:23:40,730 --> 00:23:42,919 meshes. So what manufacturers do now 714 00:23:42,920 --> 00:23:43,909 is you. 715 00:23:43,910 --> 00:23:46,099 So let's say you buy a SIM card. 716 00:23:46,100 --> 00:23:48,469 So if you buy a SIM card, you'll probably 717 00:23:48,470 --> 00:23:50,839 have a not very secure device 718 00:23:50,840 --> 00:23:52,939 because everyone wants their SIM card for 719 00:23:52,940 --> 00:23:54,829 free, so no one's willing to pay a lot of 720 00:23:54,830 --> 00:23:58,069 money for it. 
But if you go to 721 00:23:58,070 --> 00:24:00,439 a big, you know, 722 00:24:00,440 --> 00:24:02,659 smart card vendor and say, I want 723 00:24:02,660 --> 00:24:04,129 the most secure card you have, what 724 00:24:04,130 --> 00:24:05,989 they'll do is they'll take the SIM card 725 00:24:05,990 --> 00:24:07,549 and they'll put another three layers of 726 00:24:07,550 --> 00:24:09,709 metal on it and they'll say, You know, 727 00:24:09,710 --> 00:24:11,929 now we implemented these crazy 728 00:24:11,930 --> 00:24:13,999 protection schemes, these crazy 729 00:24:14,000 --> 00:24:15,619 signals that go all the way around. 730 00:24:15,620 --> 00:24:17,239 And just imagine you come down with your 731 00:24:17,240 --> 00:24:19,249 needle and you'll end up shorting them. 732 00:24:19,250 --> 00:24:20,869 And if you try to open them up using a 733 00:24:20,870 --> 00:24:22,789 FIB, you'll short them as well and we can 734 00:24:22,790 --> 00:24:25,189 detect this. And so I mean, technically, 735 00:24:25,190 --> 00:24:26,359 there are still ways around it which 736 00:24:26,360 --> 00:24:28,519 Chris demonstrated at Black Hat in 737 00:24:28,520 --> 00:24:30,889 2010, when he kind of showed 738 00:24:30,890 --> 00:24:33,079 this on an Infineon chip, which had a 739 00:24:33,080 --> 00:24:34,219 lot of the countermeasures. 740 00:24:34,220 --> 00:24:36,469 But the thing is, it's still a nuisance. 741 00:24:36,470 --> 00:24:38,239 So what it looks like this is kind of the 742 00:24:38,240 --> 00:24:39,349 image we had before. 743 00:24:39,350 --> 00:24:41,179 But the reality is you have something 744 00:24:41,180 --> 00:24:43,459 like this on a on a modern smart card. 745 00:24:43,460 --> 00:24:45,709 And what's completely irrelevant 746 00:24:45,710 --> 00:24:47,659 to the actual circuit underneath is this 747 00:24:47,660 --> 00:24:49,969 mesh. So these protective 748 00:24:49,970 --> 00:24:51,109 layers on top.
749 00:24:51,110 --> 00:24:53,329 So yeah, so that's why we want 750 00:24:53,330 --> 00:24:55,309 to flip the chip over and go in through 751 00:24:55,310 --> 00:24:56,449 the other side. 752 00:24:56,450 --> 00:24:59,029 So we'll get into that in a bit 753 00:24:59,030 --> 00:25:00,769 and you can do other stuff as well, so 754 00:25:00,770 --> 00:25:02,359 you can actually do sensors. 755 00:25:02,360 --> 00:25:04,309 So what you can do is assuming that the 756 00:25:04,310 --> 00:25:06,379 density of of what you have on top of 757 00:25:06,380 --> 00:25:08,149 the chip is so high you can assume that 758 00:25:08,150 --> 00:25:09,469 no light will ever get through. 759 00:25:09,470 --> 00:25:11,329 So if you ever see light underneath this 760 00:25:11,330 --> 00:25:13,309 mesh, then you know that somebody open up 761 00:25:13,310 --> 00:25:15,409 the chip. So stuff like that, and this is 762 00:25:15,410 --> 00:25:17,629 really stuff that is implemented on 763 00:25:17,630 --> 00:25:18,869 lots and lots of devices. 764 00:25:18,870 --> 00:25:20,899 And interestingly enough, the smart card 765 00:25:20,900 --> 00:25:23,089 industry remains the industry which has 766 00:25:23,090 --> 00:25:25,639 the most, you know, secure devices. 767 00:25:25,640 --> 00:25:28,079 I mean, I was talking to some, 768 00:25:28,080 --> 00:25:29,959 some some of our colleagues and friends 769 00:25:29,960 --> 00:25:31,669 and they say, you know, this is just 770 00:25:31,670 --> 00:25:33,859 obscene how paranoid the smart card 771 00:25:33,860 --> 00:25:35,479 industry is because you would think that 772 00:25:35,480 --> 00:25:37,609 the value of data stored on something 773 00:25:37,610 --> 00:25:39,649 like on some larger device to see on a 774 00:25:39,650 --> 00:25:41,149 smartphone processor is much more 775 00:25:41,150 --> 00:25:43,819 interesting. 
Anyway, long story short, 776 00:25:43,820 --> 00:25:45,499 it actually gets easier too, which is 777 00:25:45,500 --> 00:25:47,029 also something people don't want to 778 00:25:47,030 --> 00:25:48,979 believe. So there's actually a machine to 779 00:25:48,980 --> 00:25:50,209 do backside polishing. 780 00:25:50,210 --> 00:25:51,799 So this is an election. 781 00:25:51,800 --> 00:25:54,499 So it's a it's called a CMP, 782 00:25:54,500 --> 00:25:55,749 a chemical mechanical 783 00:25:55,750 --> 00:25:57,819 polisher. And the thing is, it 784 00:25:57,820 --> 00:26:00,069 doesn't have chemicals or electronics, so 785 00:26:00,070 --> 00:26:02,199 to me, it's completely mechanical. 786 00:26:02,200 --> 00:26:04,389 But basically what it does is it 787 00:26:04,390 --> 00:26:06,219 does this. So there's some 74 788 00:26:06,220 --> 00:26:08,439 series logic we threw on there, 789 00:26:08,440 --> 00:26:09,639 just some chips. 790 00:26:09,640 --> 00:26:11,019 For those who don't know what 74 791 00:26:11,020 --> 00:26:12,249 series logic is. 792 00:26:12,250 --> 00:26:13,989 And so what's happening is this machine 793 00:26:13,990 --> 00:26:15,909 you kind of limit the motion that it has 794 00:26:15,910 --> 00:26:18,039 in the X on the y axis and it kind of like 795 00:26:18,040 --> 00:26:20,109 spins around and it hits 796 00:26:20,110 --> 00:26:21,999 the one limiter and then it wobbles 797 00:26:22,000 --> 00:26:24,189 around to the other side and up and down. 798 00:26:24,190 --> 00:26:25,989 And so you let this run for a couple of 799 00:26:25,990 --> 00:26:28,179 hours with as many 800 00:26:28,180 --> 00:26:30,819 accurately said with some kind of slurry. 801 00:26:30,820 --> 00:26:32,259 So you can use the like diamond based 802 00:26:32,260 --> 00:26:33,549 slurry and stuff like this.
803 00:26:33,550 --> 00:26:36,019 And basically, I mean, depending 804 00:26:36,020 --> 00:26:37,539 on what you want to do, a lot of times 805 00:26:37,540 --> 00:26:39,249 it's enough to actually just get a bit, 806 00:26:39,250 --> 00:26:40,250 which is which is 807 00:26:41,920 --> 00:26:44,559 manufactured for for the for the 808 00:26:44,560 --> 00:26:45,759 packaging that you're going through. 809 00:26:45,760 --> 00:26:47,859 But in any case, so you kind 810 00:26:47,860 --> 00:26:49,569 of come in and you open up the chip from 811 00:26:49,570 --> 00:26:50,579 the back and that's it. 812 00:26:50,580 --> 00:26:52,359 Now you haven't used any of the fuming 813 00:26:52,360 --> 00:26:54,339 nitric acid that David showed, and you 814 00:26:54,340 --> 00:26:55,929 don't have any of this mess and you don't 815 00:26:55,930 --> 00:26:58,359 need a chemical hood and and all this 816 00:26:58,360 --> 00:27:00,579 so very, very nice, this backside 817 00:27:00,580 --> 00:27:01,809 stuff. 818 00:27:01,810 --> 00:27:03,999 So but so the thing 819 00:27:04,000 --> 00:27:05,379 to remember, though, is that so the 820 00:27:05,380 --> 00:27:07,479 devices, the actual transistors, we 821 00:27:07,480 --> 00:27:09,069 can see, they're at the bottom so we can 822 00:27:09,070 --> 00:27:10,809 actually access them directly. 823 00:27:10,810 --> 00:27:12,249 Potentially, I mean, depending on the 824 00:27:12,250 --> 00:27:14,169 size, this gets a little bit more hairy 825 00:27:14,170 --> 00:27:16,239 if you're doing like 45 nanometers. 826 00:27:16,240 --> 00:27:17,319 But if you're doing something like a 827 00:27:17,320 --> 00:27:19,329 smart card like 90 matter nanometers, 828 00:27:19,330 --> 00:27:20,469 this shouldn't be a problem. 829 00:27:20,470 --> 00:27:22,869 And hundred and eighty nanometers is 830 00:27:22,870 --> 00:27:23,799 gets even easier. 
831 00:27:23,800 --> 00:27:26,079 And stuff like older smart cards, 832 00:27:26,080 --> 00:27:27,879 let's say, 240 nanometers, this shouldn't 833 00:27:27,880 --> 00:27:28,929 be a problem at all. 834 00:27:28,930 --> 00:27:30,669 And so anyway, but but the 835 00:27:30,670 --> 00:27:31,609 countermeasures? 836 00:27:31,610 --> 00:27:32,709 They're not there. There's no 837 00:27:32,710 --> 00:27:33,939 countermeasures to protect against 838 00:27:33,940 --> 00:27:35,109 backside attacks. 839 00:27:35,110 --> 00:27:36,849 So. So. 840 00:27:36,850 --> 00:27:38,979 And the other funny thing is is that 841 00:27:38,980 --> 00:27:40,719 if you look at a modern SSD like 842 00:27:40,720 --> 00:27:42,369 something that's in your smartphone, 843 00:27:42,370 --> 00:27:44,619 it'll be this gigantic BGA package. 844 00:27:44,620 --> 00:27:46,659 So how do they do these BGA packages? 845 00:27:46,660 --> 00:27:48,609 They actually what they do is they they 846 00:27:48,610 --> 00:27:50,349 have all the metal position on the top 847 00:27:50,350 --> 00:27:52,419 and they flip the chip over onto kind of 848 00:27:52,420 --> 00:27:55,089 this carrier and then they have the BGA 849 00:27:55,090 --> 00:27:56,949 balls like directly underneath. 850 00:27:56,950 --> 00:27:58,329 But so now your backside is actually 851 00:27:58,330 --> 00:28:00,369 facing up, so it's even easier. 852 00:28:00,370 --> 00:28:02,319 You just take your, you know, you could 853 00:28:02,320 --> 00:28:03,849 even take it depending on how you do the 854 00:28:03,850 --> 00:28:05,019 polishing. You could even take the whole 855 00:28:05,020 --> 00:28:07,209 PCB and just polish down 856 00:28:07,210 --> 00:28:09,189 the chip, just the one that you need and 857 00:28:09,190 --> 00:28:10,899 now you would gain access to it. 
858 00:28:10,900 --> 00:28:12,489 But the thing, the thing that which kind 859 00:28:12,490 --> 00:28:14,919 of which to me says or explains 860 00:28:14,920 --> 00:28:17,139 why, why people never looks into 861 00:28:17,140 --> 00:28:19,239 this is this which 862 00:28:19,240 --> 00:28:21,489 is to scale image 863 00:28:21,490 --> 00:28:23,199 of of what you actually have. 864 00:28:23,200 --> 00:28:25,299 So the thickness of the substrate is 865 00:28:25,300 --> 00:28:27,369 actually several times 866 00:28:27,370 --> 00:28:29,799 the thickness of all of the active 867 00:28:29,800 --> 00:28:32,109 devices and the wiring, et cetera. 868 00:28:32,110 --> 00:28:34,419 And so, you know, people 869 00:28:34,420 --> 00:28:36,489 would say, you're telling me I have to 870 00:28:36,490 --> 00:28:39,189 remove, you know, I have to remove 871 00:28:39,190 --> 00:28:41,799 instead of removing 10 micrometers 872 00:28:41,800 --> 00:28:44,349 of this chip, I have to remove 300. 873 00:28:44,350 --> 00:28:45,489 You know, how is that? 874 00:28:45,490 --> 00:28:47,379 How does that make it any easier? 875 00:28:47,380 --> 00:28:49,029 But the reality is you don't risk 876 00:28:49,030 --> 00:28:50,469 damaging anything if you go through the 877 00:28:50,470 --> 00:28:52,929 other side. You can safely thin 878 00:28:52,930 --> 00:28:56,139 most chips to something like 10, 879 00:28:56,140 --> 00:28:58,839 so 10 micrometers or even less 880 00:28:58,840 --> 00:29:00,909 without affecting anything on 881 00:29:00,910 --> 00:29:03,489 the chip other than it'll lose some. 882 00:29:03,490 --> 00:29:04,869 It'll get a little bit more warm, 883 00:29:04,870 --> 00:29:06,369 potentially because the substrates 884 00:29:06,370 --> 00:29:08,649 actually really useful for transporting 885 00:29:08,650 --> 00:29:10,719 heat away. 
So what this all 886 00:29:10,720 --> 00:29:12,489 looks like is this and I remembered 887 00:29:12,490 --> 00:29:13,989 because Colin always tells me I should 888 00:29:13,990 --> 00:29:15,339 include these images. I remember to 889 00:29:15,340 --> 00:29:16,539 include them this time. 890 00:29:16,540 --> 00:29:18,639 So what it looks like is something like 891 00:29:18,640 --> 00:29:20,749 this. So what we did here is so this is 892 00:29:20,750 --> 00:29:22,629 the chip which was polished. 893 00:29:22,630 --> 00:29:24,129 This is actually the backside. 894 00:29:24,130 --> 00:29:26,229 So the label, the text on the chip 895 00:29:26,230 --> 00:29:27,519 is on the other side. So the chips 896 00:29:27,520 --> 00:29:29,619 actually mounted upside down in this 897 00:29:29,620 --> 00:29:31,389 custom PCB, which we made with our 898 00:29:31,390 --> 00:29:33,069 wonderful Leica F 899 00:29:34,270 --> 00:29:35,559 proto modeling machine. 900 00:29:35,560 --> 00:29:37,689 They should send us more parts 901 00:29:37,690 --> 00:29:39,099 for free and 902 00:29:40,180 --> 00:29:41,679 because we go through a lot, that machine 903 00:29:41,680 --> 00:29:43,269 is actually pretty expensive to run. 904 00:29:43,270 --> 00:29:45,429 I mean, the they know where the money is. 905 00:29:45,430 --> 00:29:48,249 It's like the Gillette model on steroids. 906 00:29:48,250 --> 00:29:50,059 So, so anyway. 907 00:29:50,060 --> 00:29:52,209 But this is a it's so 908 00:29:52,210 --> 00:29:53,739 that's what it is. So it's a custom board 909 00:29:53,740 --> 00:29:55,569 and the chips mounted upside down, so you 910 00:29:55,570 --> 00:29:57,009 can kind of see it from the single even 911 00:29:57,010 --> 00:29:59,559 better. So you can see the 912 00:29:59,560 --> 00:30:01,419 you can actually see the silicon in 913 00:30:01,420 --> 00:30:02,649 there. 
I was thinking about it holding 914 00:30:02,650 --> 00:30:04,839 like some drawing on the other side 915 00:30:04,840 --> 00:30:06,189 because you can you can see the 916 00:30:06,190 --> 00:30:08,199 reflection rate, so it could have like a 917 00:30:08,200 --> 00:30:10,209 face or something. But I didn't do it. 918 00:30:10,210 --> 00:30:12,549 But I mean, but so that's that's 919 00:30:12,550 --> 00:30:13,899 what you need to know. So now we take the 920 00:30:13,900 --> 00:30:16,449 chip, we polish the backside and now 921 00:30:16,450 --> 00:30:18,519 we're at 30 micrometers 922 00:30:18,520 --> 00:30:21,099 of thickness and now the fun ensues. 923 00:30:21,100 --> 00:30:22,419 So the first thing that we did a couple 924 00:30:22,420 --> 00:30:23,919 of years ago was this. 925 00:30:23,920 --> 00:30:26,109 So a lot of people have 926 00:30:26,110 --> 00:30:27,579 never heard of this. So people have seen 927 00:30:27,580 --> 00:30:28,479 my talk. 928 00:30:28,480 --> 00:30:29,799 Obviously know about this. But what this 929 00:30:29,800 --> 00:30:31,749 actually is is that you take an infrared 930 00:30:31,750 --> 00:30:33,819 camera and you let it watch your chip 931 00:30:33,820 --> 00:30:35,499 as it executes data and you get something 932 00:30:35,500 --> 00:30:37,629 like this. You can actually see 933 00:30:37,630 --> 00:30:39,939 the photons that transistors emit 934 00:30:39,940 --> 00:30:41,769 because with a certain very low 935 00:30:41,770 --> 00:30:44,079 probability, a transistor that switches 936 00:30:44,080 --> 00:30:45,639 emit photons. But now, if you sit there 937 00:30:45,640 --> 00:30:47,409 with your camera and you repeat this 938 00:30:47,410 --> 00:30:49,329 operation many times, then you can 939 00:30:49,330 --> 00:30:50,679 actually get an image like this. 940 00:30:50,680 --> 00:30:52,689 And so what this is is in the middle. 941 00:30:52,690 --> 00:30:54,819 You can see where 942 00:30:54,820 --> 00:30:56,059 memory actually. 
This is happening in 943 00:30:56,060 --> 00:30:58,329 SRAM, and up top is the is 944 00:30:58,330 --> 00:30:59,979 the actual address, so now I'm going to 945 00:30:59,980 --> 00:31:00,980 let this run. 946 00:31:01,690 --> 00:31:03,819 So now you can see the layout of 947 00:31:03,820 --> 00:31:06,069 different addresses on the on the device. 948 00:31:06,070 --> 00:31:08,169 And not only that, but you can find 949 00:31:08,170 --> 00:31:09,969 data dependent parts of the circuit too 950 00:31:09,970 --> 00:31:11,739 and how to. I'll let you figure out how 951 00:31:11,740 --> 00:31:13,089 we know this is data dependent. 952 00:31:23,020 --> 00:31:24,999 So at the beginning, when we were 953 00:31:25,000 --> 00:31:26,439 starting to do this research, this is 954 00:31:26,440 --> 00:31:28,569 what I expected to happen, you know, 955 00:31:28,570 --> 00:31:29,979 like from the very beginning, and then it 956 00:31:29,980 --> 00:31:32,349 took us like a year to find 957 00:31:32,350 --> 00:31:33,819 an area of the chip where you could 958 00:31:33,820 --> 00:31:36,069 actually see the data bus 959 00:31:36,070 --> 00:31:37,159 like this. And that's what it is. 960 00:31:37,160 --> 00:31:39,339 So this is actually a 961 00:31:39,340 --> 00:31:41,319 region of the chip where the data bus 962 00:31:41,320 --> 00:31:43,449 comes in and it's addressing the SRAM. 963 00:31:43,450 --> 00:31:45,819 So what you see is on the bottom right, 964 00:31:45,820 --> 00:31:47,499 you see the lower address bits, et 965 00:31:47,500 --> 00:31:49,809 cetera, or sorry, this is the data 966 00:31:49,810 --> 00:31:51,939 bus, but it's kind of shared so depending 967 00:31:51,940 --> 00:31:54,309 on on kind of how many, how much logic 968 00:31:54,310 --> 00:31:56,379 it has to go through, depending on how 969 00:31:56,380 --> 00:31:58,509 many stages because of how 970 00:31:58,510 --> 00:32:00,159 it's structured.
I mean, some people who 971 00:32:00,160 --> 00:32:01,629 write HDL will understand where I'm 972 00:32:01,630 --> 00:32:03,879 coming from. You need bigger transistors 973 00:32:03,880 --> 00:32:05,199 because it goes through more logic, et 974 00:32:05,200 --> 00:32:07,069 cetera. And so that kind of explains what 975 00:32:07,070 --> 00:32:09,129 you see there. And so, 976 00:32:09,130 --> 00:32:11,679 yeah, but the thing is 977 00:32:11,680 --> 00:32:13,929 that so you you still 978 00:32:13,930 --> 00:32:15,849 have the limitations that you have with a 979 00:32:15,850 --> 00:32:17,079 lot of these noninvasive techniques. 980 00:32:17,080 --> 00:32:18,909 So you need millions and millions and 981 00:32:18,910 --> 00:32:19,839 millions of integration. 982 00:32:19,840 --> 00:32:20,959 So to get a good image, you need 983 00:32:20,960 --> 00:32:23,229 something like you need the loop to 984 00:32:23,230 --> 00:32:25,599 execute, so you need the transistor. 985 00:32:25,600 --> 00:32:28,389 So the fact that you see a transistor 986 00:32:28,390 --> 00:32:30,879 approximately once every 10000 987 00:32:30,880 --> 00:32:33,009 times the transistor switches means that 988 00:32:33,010 --> 00:32:35,499 you need millions of switches before 989 00:32:35,500 --> 00:32:37,749 you can see something as nice as this. 990 00:32:37,750 --> 00:32:39,789 But you can also apply to other stuff as 991 00:32:39,790 --> 00:32:42,309 well. So here is a chip that had an ace 992 00:32:42,310 --> 00:32:44,529 on it, and so I couldn't find the 993 00:32:44,530 --> 00:32:46,629 other image when I was clicking 994 00:32:46,630 --> 00:32:48,099 my my slides together. 995 00:32:48,100 --> 00:32:49,869 But so actually, when you look in this 996 00:32:49,870 --> 00:32:51,999 very corner, you 997 00:32:52,000 --> 00:32:54,219 this region, everything within that box 998 00:32:54,220 --> 00:32:56,079 would completely disappear if the U.S. 999 00:32:56,080 --> 00:32:57,789 wasn't running. 
And now, if the hardware 1000 00:32:57,790 --> 00:33:00,099 ace was running, you would see this blob 1001 00:33:00,100 --> 00:33:01,759 in the corner, and this is very nice. 1002 00:33:01,760 --> 00:33:04,119 So we never kind of verified 1003 00:33:04,120 --> 00:33:05,619 this, but I'm sure this is the ace 1004 00:33:05,620 --> 00:33:07,419 because you could see that with other 1005 00:33:07,420 --> 00:33:08,529 peripherals as well. 1006 00:33:08,530 --> 00:33:10,749 But so now the thing that 1007 00:33:10,750 --> 00:33:12,969 you have to think about is if light can 1008 00:33:12,970 --> 00:33:15,219 get out through the silicon substrate 1009 00:33:15,220 --> 00:33:17,469 because it's transparent to infrared 1010 00:33:17,470 --> 00:33:19,719 light, that means infrared light can also 1011 00:33:19,720 --> 00:33:22,599 get in, which is where we get this. 1012 00:33:22,600 --> 00:33:24,699 So what 1013 00:33:24,700 --> 00:33:26,949 you can do is actually use lasers 1014 00:33:26,950 --> 00:33:29,139 as well. So what this actually 1015 00:33:29,140 --> 00:33:31,419 is is it's instead of taking 1016 00:33:31,420 --> 00:33:32,829 the image from from the front of the 1017 00:33:32,830 --> 00:33:35,109 chip. What what you do is you 1018 00:33:35,110 --> 00:33:36,939 open it up and you don't even have to 1019 00:33:36,940 --> 00:33:38,259 thin it afterwards. You just have to 1020 00:33:38,260 --> 00:33:39,339 remove the package. 1021 00:33:39,340 --> 00:33:42,009 And so you take a laser scanning 1022 00:33:42,010 --> 00:33:44,229 microscope. So in our case, we have 1023 00:33:44,230 --> 00:33:47,319 one of the industry standards Hamamatsu 1024 00:33:47,320 --> 00:33:49,419 famous. But this is actually I mean, 1025 00:33:49,420 --> 00:33:51,519 I know that. 
So the research that 1026 00:33:51,520 --> 00:33:52,899 I've been presenting up until now was 1027 00:33:52,900 --> 00:33:54,999 done with our Optical Technologies 1028 00:33:55,000 --> 00:33:57,459 Research Group and those guys 1029 00:33:57,460 --> 00:33:59,139 like for them to build one of these. 1030 00:33:59,140 --> 00:34:00,789 It's like a month's work. 1031 00:34:00,790 --> 00:34:02,889 So anybody, any university group that 1032 00:34:02,890 --> 00:34:05,169 builds optics stuff like when they figure 1033 00:34:05,170 --> 00:34:06,909 out that this is interesting to people 1034 00:34:06,910 --> 00:34:08,649 doing security, they're shocked because 1035 00:34:08,650 --> 00:34:10,809 this is so, so it's such an easy task 1036 00:34:10,810 --> 00:34:12,939 for them. But basically, you get 1037 00:34:12,940 --> 00:34:14,439 a very good resolution because you're 1038 00:34:14,440 --> 00:34:15,939 actually scanning the laser. 1039 00:34:15,940 --> 00:34:18,069 So you get even though you don't have 1040 00:34:18,070 --> 00:34:19,599 the resolution that you know. 1041 00:34:19,600 --> 00:34:21,189 So even though you're using something 1042 00:34:21,190 --> 00:34:23,349 like a one micrometer laser, you get 1043 00:34:23,350 --> 00:34:25,658 a very nice you get a 1044 00:34:25,659 --> 00:34:27,249 better resolution than you would expect 1045 00:34:27,250 --> 00:34:28,329 because you're actually scanning the 1046 00:34:28,330 --> 00:34:30,399 laser and the overlaps, you can kind of 1047 00:34:30,400 --> 00:34:31,779 compute it out, et cetera. 1048 00:34:31,780 --> 00:34:33,309 But so you can get a nice image just like 1049 00:34:33,310 --> 00:34:35,049 this is the chip and you can kind of 1050 00:34:35,050 --> 00:34:37,149 already see what's on it without you. 1051 00:34:37,150 --> 00:34:39,218 So this is on a on a something like 1052 00:34:39,219 --> 00:34:41,379 a SIM card or a smart 1053 00:34:41,380 --> 00:34:42,849 card package. 
This is literally taking a 1054 00:34:42,850 --> 00:34:44,799 scalpel and just removing the ground 1055 00:34:44,800 --> 00:34:46,359 plane, which is which is the middle 1056 00:34:46,360 --> 00:34:48,459 contact. So you open it up, you have your 1057 00:34:48,460 --> 00:34:49,359 backside exposed. 1058 00:34:49,360 --> 00:34:50,919 You put it under the PHEMOS and you can 1059 00:34:50,920 --> 00:34:52,149 already see what kind of chip it is. 1060 00:34:52,150 --> 00:34:54,279 You can even read if I don't have it in 1061 00:34:54,280 --> 00:34:55,658 this image or actually, yeah, do I think 1062 00:34:55,659 --> 00:34:57,069 in one of the corners in the bottom right 1063 00:34:57,070 --> 00:34:58,509 one or in the bottom left one, you 1064 00:34:58,510 --> 00:35:00,189 actually see at M. 1065 00:35:00,190 --> 00:35:01,929 and what revision this is, et cetera. 1066 00:35:01,930 --> 00:35:03,459 So this is also very nice. 1067 00:35:03,460 --> 00:35:05,769 But the coolest thing that we did using 1068 00:35:05,770 --> 00:35:08,379 using this is thermal stimulation. 1069 00:35:08,380 --> 00:35:10,989 So what we actually did for this attack 1070 00:35:10,990 --> 00:35:13,509 was we basically 1071 00:35:13,510 --> 00:35:15,369 dropped. So what we do is we browned out 1072 00:35:15,370 --> 00:35:17,829 the device, so we supply 1073 00:35:17,830 --> 00:35:19,929 it. I believe the supply voltage we took 1074 00:35:19,930 --> 00:35:22,389 it down from like 1.8 1075 00:35:22,390 --> 00:35:24,519 on on on the Infineon chip was also 1076 00:35:24,520 --> 00:35:26,649 in a second and we dropped it to point 1077 00:35:26,650 --> 00:35:28,779 six, which is enough where the 1078 00:35:28,780 --> 00:35:31,149 data remains in the memory 1079 00:35:31,150 --> 00:35:33,279 because it's not enough to lose the data, 1080 00:35:33,280 --> 00:35:34,959 but it's not enough to execute anything 1081 00:35:34,960 --> 00:35:37,059 either. 
And so now the chip is stuck in 1082 00:35:37,060 --> 00:35:39,009 this zombie state and if you look very 1083 00:35:39,010 --> 00:35:40,899 closely. So what we can do now is we can 1084 00:35:40,900 --> 00:35:41,949 scan with the laser. 1085 00:35:41,950 --> 00:35:43,539 And so now the chip's not executing, 1086 00:35:43,540 --> 00:35:45,129 there's no switching and we can measure 1087 00:35:45,130 --> 00:35:47,469 the current with a very precise current 1088 00:35:47,470 --> 00:35:49,719 amplifier. And so we can get using 1089 00:35:49,720 --> 00:35:52,089 that technique is an image like this. 1090 00:35:52,090 --> 00:35:53,739 If you look very closely into the image, 1091 00:35:54,760 --> 00:35:56,859 you can see what the data is within the 1092 00:35:56,860 --> 00:35:58,959 SRAM. So now what you're doing 1093 00:35:58,960 --> 00:36:00,279 is you're browning out the device. 1094 00:36:00,280 --> 00:36:02,529 The device is basically stuck in a zombie 1095 00:36:02,530 --> 00:36:03,999 state, like I said, and now you're 1096 00:36:04,000 --> 00:36:06,639 scanning across the device and based 1097 00:36:06,640 --> 00:36:08,829 on the laser coming in, you're 1098 00:36:08,830 --> 00:36:10,839 affecting kind of the leakage currents 1099 00:36:10,840 --> 00:36:12,729 that are remnant on the device. 1100 00:36:12,730 --> 00:36:14,439 And depending on whether there is a one 1101 00:36:14,440 --> 00:36:16,449 or a zero there, you'll get a different 1102 00:36:16,450 --> 00:36:18,699 kind of response in your image and 1103 00:36:18,700 --> 00:36:19,749 that's what you can see there. 1104 00:36:19,750 --> 00:36:22,029 So the nice thing was people always say 1105 00:36:22,030 --> 00:36:23,619 you. 
Oh, that's great, but you know, 1106 00:36:25,360 --> 00:36:27,429 who cares about this because, you 1107 00:36:27,430 --> 00:36:28,989 know, on a on a real smart card, the 1108 00:36:28,990 --> 00:36:31,539 memory will be encrypted, but so on 1109 00:36:31,540 --> 00:36:33,849 the media, which Karsten did 1110 00:36:33,850 --> 00:36:36,399 quite a bit of research on and 1111 00:36:36,400 --> 00:36:37,899 present in Black Hat, et cetera. 1112 00:36:37,900 --> 00:36:39,999 You actually have SRAM to 1113 00:36:40,000 --> 00:36:42,159 store the keys that encrypt the 1114 00:36:42,160 --> 00:36:44,259 SRAM, so that's not a 1115 00:36:44,260 --> 00:36:46,539 good solution. So you can kind of see 1116 00:36:46,540 --> 00:36:48,309 that you can begin to read them out 1117 00:36:48,310 --> 00:36:50,199 there. Although we didn't really take 1118 00:36:50,200 --> 00:36:52,299 this to the to the 1119 00:36:52,300 --> 00:36:54,009 final stages. 1120 00:36:54,010 --> 00:36:56,169 But the other thing is there's there's 1121 00:36:56,170 --> 00:36:57,369 other things being proposed. 1122 00:36:57,370 --> 00:36:59,229 There's also a big like if you get into 1123 00:36:59,230 --> 00:37:02,109 hardware, research and academia. 1124 00:37:02,110 --> 00:37:04,239 One of the big things now is PUFs and 1125 00:37:04,240 --> 00:37:05,739 the most popular kind of PUF. 1126 00:37:05,740 --> 00:37:07,389 So PUF is a physically unclonable 1127 00:37:07,390 --> 00:37:08,739 function, and that means that you figure 1128 00:37:08,740 --> 00:37:10,929 out some way to have your device generate 1129 00:37:10,930 --> 00:37:12,039 a unique response. 1130 00:37:12,040 --> 00:37:14,259 So the easiest way to do this is you take 1131 00:37:14,260 --> 00:37:16,419 an SRAM and each SRAM will 1132 00:37:16,420 --> 00:37:17,319 have a different response. 
1133 00:37:17,320 --> 00:37:19,479 So you just read, you give it, you power 1134 00:37:19,480 --> 00:37:21,219 it up, and it won't just give you back 1135 00:37:21,220 --> 00:37:23,319 ones either one or either zero. 1136 00:37:23,320 --> 00:37:24,760 It'll give you back some random, 1137 00:37:25,960 --> 00:37:28,089 you know, data that'll be it won't 1138 00:37:28,090 --> 00:37:30,459 be random. It'll be it'll 1139 00:37:30,460 --> 00:37:32,709 have data which differs from every other 1140 00:37:32,710 --> 00:37:34,869 chip, but it'll be the same every time 1141 00:37:34,870 --> 00:37:36,309 you power it on this device and power it 1142 00:37:36,310 --> 00:37:38,589 back up. It's like a unique fingerprint. 1143 00:37:38,590 --> 00:37:41,229 And so now you can see that you 1144 00:37:41,230 --> 00:37:43,419 this is really stupid to use SRAM 1145 00:37:43,420 --> 00:37:45,129 as well, because this is a really 1146 00:37:45,130 --> 00:37:46,809 effective technique for for reading it 1147 00:37:46,810 --> 00:37:47,919 up. 1148 00:37:47,920 --> 00:37:49,629 But anyway, but then we got into kind of 1149 00:37:49,630 --> 00:37:51,699 fully invasive stuffs, stuff 1150 00:37:51,700 --> 00:37:53,379 that we did. And so now we want to 1151 00:37:53,380 --> 00:37:55,929 actually go through 1152 00:37:55,930 --> 00:37:57,909 and actually touch, you know, modify the 1153 00:37:57,910 --> 00:38:00,099 circuitry. So we kind of just 1154 00:38:00,100 --> 00:38:01,779 the first thing that we did was we 1155 00:38:01,780 --> 00:38:03,519 continued with this topic of PUFs. 1156 00:38:03,520 --> 00:38:06,069 And so now we said we wanted to clone 1157 00:38:06,070 --> 00:38:07,929 a physically unclonable function. 1158 00:38:07,930 --> 00:38:09,999 So we read it, we could read it out and 1159 00:38:10,000 --> 00:38:11,439 we knew what the data was that was stored 1160 00:38:11,440 --> 00:38:13,269 in it. 
And so now we wanted to take a 1161 00:38:13,270 --> 00:38:14,919 second instance of the device and 1162 00:38:14,920 --> 00:38:17,829 basically turn it from this 1163 00:38:17,830 --> 00:38:19,899 to to the next one and actually see 1164 00:38:19,900 --> 00:38:22,029 a kind of screwed up these slides. 1165 00:38:22,030 --> 00:38:24,339 But I'll get I'll get into that in a 1166 00:38:24,340 --> 00:38:25,989 second. I have the wrong. 1167 00:38:25,990 --> 00:38:27,669 But actually, let me just comment on that 1168 00:38:27,670 --> 00:38:29,469 since this unexcited. So actually in this 1169 00:38:29,470 --> 00:38:31,539 in this one of our attacks 1170 00:38:31,540 --> 00:38:33,609 and this year or 1171 00:38:33,610 --> 00:38:36,549 the first issue of CT for 2014, 1172 00:38:36,550 --> 00:38:38,319 it mentions us, which is this is 1173 00:38:38,320 --> 00:38:40,749 ironically exactly what claimants 1174 00:38:40,750 --> 00:38:42,699 and I wear and when we're working on the 1175 00:38:42,700 --> 00:38:44,949 film. So it 1176 00:38:44,950 --> 00:38:46,449 actually describes a lot of the things 1177 00:38:46,450 --> 00:38:47,709 that I'll be talking about. So if you're 1178 00:38:47,710 --> 00:38:49,059 if you're curious, definitely take a look 1179 00:38:49,060 --> 00:38:50,949 at that. But so again, getting back to 1180 00:38:50,950 --> 00:38:53,349 the SRAM, we knew what the SRAM was. 1181 00:38:53,350 --> 00:38:55,269 So we could we could do a couple of 1182 00:38:55,270 --> 00:38:57,099 things there. So what we would do is we 1183 00:38:57,100 --> 00:38:59,199 would take a second SRAM 1184 00:38:59,200 --> 00:39:01,329 area and we would prevent it from 1185 00:39:01,330 --> 00:39:03,009 ever storing the value that we didn't 1186 00:39:03,010 --> 00:39:05,139 want it to store. So we would program it 1187 00:39:05,140 --> 00:39:07,119 to only be able to store zero or only be 1188 00:39:07,120 --> 00:39:08,769 able to store one. 
And so that's the top 1189 00:39:08,770 --> 00:39:11,319 image. So you can actually see the holes 1190 00:39:11,320 --> 00:39:13,449 are actually going down to to 1191 00:39:13,450 --> 00:39:14,409 the actual contacts. 1192 00:39:14,410 --> 00:39:16,839 And so the transistor is completely gone 1193 00:39:16,840 --> 00:39:19,029 there or at least the gate the 1194 00:39:19,030 --> 00:39:21,069 gate's no longer contacted, even if some 1195 00:39:21,070 --> 00:39:23,169 of the data is left. 1196 00:39:23,170 --> 00:39:25,629 And so the but it turned out, you know, 1197 00:39:25,630 --> 00:39:26,619 since we work with. 1198 00:39:26,620 --> 00:39:28,329 So all of this work was done in 1199 00:39:28,330 --> 00:39:29,859 collaboration with our semiconductor 1200 00:39:29,860 --> 00:39:30,789 devices, guys. 1201 00:39:30,790 --> 00:39:32,979 They said, You know, this is way too 1202 00:39:32,980 --> 00:39:35,079 simple. We can do it even better because 1203 00:39:35,080 --> 00:39:37,239 we had a bunch of research previously 1204 00:39:37,240 --> 00:39:38,679 on trimming transistors. 1205 00:39:38,680 --> 00:39:40,719 So now the bottom image, what we did was 1206 00:39:40,720 --> 00:39:42,819 you thin the transistor, and 1207 00:39:42,820 --> 00:39:44,049 it turns out that if you thin a 1208 00:39:44,050 --> 00:39:46,239 transistor, it becomes faster. 1209 00:39:46,240 --> 00:39:48,309 So now you can set the value that you 1210 00:39:48,310 --> 00:39:49,719 want to be at startup. 1211 00:39:49,720 --> 00:39:51,459 And so now, as opposed to the first image 1212 00:39:51,460 --> 00:39:53,679 where it basically became a ROM. 1213 00:39:53,680 --> 00:39:55,299 The second image, it still behaves like 1214 00:39:55,300 --> 00:39:57,399 an SRAM, but we can basically 1215 00:39:57,400 --> 00:39:59,289 program its startup behavior. 1216 00:39:59,290 --> 00:40:01,479 So that was that was really nice. 
1217 00:40:01,480 --> 00:40:03,729 And these are actual images 1218 00:40:03,730 --> 00:40:06,039 from our focused ion beam workstation, 1219 00:40:06,040 --> 00:40:07,659 which I should actually also mention what 1220 00:40:07,660 --> 00:40:09,669 this is. So I think a lot of people are 1221 00:40:09,670 --> 00:40:11,769 familiar with with what 1222 00:40:11,770 --> 00:40:14,169 an SEM or a scanning electron microscope. 1223 00:40:14,170 --> 00:40:17,139 This is like a SEM, except it's ions. 1224 00:40:17,140 --> 00:40:18,579 So no, OK. 1225 00:40:18,580 --> 00:40:20,589 But so what it actually means is that if 1226 00:40:20,590 --> 00:40:23,379 you have ions, they have a lot more mass. 1227 00:40:23,380 --> 00:40:25,569 And what you can do is you can put 1228 00:40:25,570 --> 00:40:27,729 chemicals into into the vacuum chamber 1229 00:40:27,730 --> 00:40:29,259 where you actually have your device. 1230 00:40:29,260 --> 00:40:31,779 And so now you can basically stimulate 1231 00:40:31,780 --> 00:40:33,879 a reaction to happen with nanometer 1232 00:40:33,880 --> 00:40:36,039 precision. So now you deposit a gas 1233 00:40:36,040 --> 00:40:37,959 that etches away the silicon 1234 00:40:37,960 --> 00:40:39,129 substrate, for example. 1235 00:40:39,130 --> 00:40:41,169 And so now you go over it with your ion 1236 00:40:41,170 --> 00:40:43,509 beam and you say only please 1237 00:40:43,510 --> 00:40:45,789 only this, you know, two by two. 1238 00:40:45,790 --> 00:40:47,409 Or let's say something more realistic. 1239 00:40:47,410 --> 00:40:49,599 Let's say only this 10 by 10 1240 00:40:49,600 --> 00:40:51,249 nanometers square on. 1241 00:40:51,250 --> 00:40:53,529 Please only react here and then this 1242 00:40:53,530 --> 00:40:54,759 is what a FIB lets you do. 1243 00:40:54,760 --> 00:40:57,189 So this is what how you manipulate 1244 00:40:57,190 --> 00:40:59,079 devices. I mean, this is how the most 1245 00:40:59,080 --> 00:41:00,009 advanced attacks work. 
1246 00:41:00,010 --> 00:41:02,259 And the thing that I should also 1247 00:41:02,260 --> 00:41:04,149 mention here is, again, this is something 1248 00:41:04,150 --> 00:41:06,529 which is done when chips are produced. 1249 00:41:06,530 --> 00:41:08,679 So when they do an initial generation of 1250 00:41:08,680 --> 00:41:11,169 of some chips, they'll run into 1251 00:41:11,170 --> 00:41:12,129 tons and tons of issues. 1252 00:41:12,130 --> 00:41:13,779 So they'll have stuff that doesn't work. 1253 00:41:13,780 --> 00:41:15,909 And instead of creating a completely 1254 00:41:15,910 --> 00:41:18,009 new design and a completely new chip, 1255 00:41:18,010 --> 00:41:19,539 they have different ways and they've 1256 00:41:19,540 --> 00:41:21,309 developed different ways over the years 1257 00:41:21,310 --> 00:41:23,379 to. You basically do like a 1258 00:41:23,380 --> 00:41:25,509 hot fix. So do like a fix 1259 00:41:25,510 --> 00:41:27,489 to see if it fixes all the other issues 1260 00:41:27,490 --> 00:41:29,769 or without, you know, maybe they can kill 1261 00:41:29,770 --> 00:41:31,239 two birds with one stone before they have 1262 00:41:31,240 --> 00:41:32,750 to produce a new chip, etc. 1263 00:41:33,790 --> 00:41:34,839 anyway. 1264 00:41:34,840 --> 00:41:37,029 But so this is kind of this is kind 1265 00:41:37,030 --> 00:41:38,049 of the simple case, right? 1266 00:41:38,050 --> 00:41:39,639 We're just going, you know, shooting, 1267 00:41:39,640 --> 00:41:40,809 we're thinning the chip. 1268 00:41:40,810 --> 00:41:42,099 We're just completely removing the 1269 00:41:42,100 --> 00:41:43,779 transistors that we don't want because we 1270 00:41:43,780 --> 00:41:44,859 know what an SRAM is. 1271 00:41:44,860 --> 00:41:46,809 SRAMs always have almost identical 1272 00:41:46,810 --> 00:41:48,759 layouts independent of which device use, 1273 00:41:48,760 --> 00:41:51,009 et cetera. 
And so now 1274 00:41:51,010 --> 00:41:52,839 now, but we actually want to do is we 1275 00:41:52,840 --> 00:41:54,309 want to probe it and we want to extract 1276 00:41:54,310 --> 00:41:56,469 some, some data and we want to do 1277 00:41:56,470 --> 00:41:57,669 some other stuff too. 1278 00:41:57,670 --> 00:41:59,829 So this is what we did kind of 1279 00:41:59,830 --> 00:42:01,479 here and again. 1280 00:42:01,480 --> 00:42:03,819 So we thin it to 25 micrometers 1281 00:42:03,820 --> 00:42:06,039 and then what we do is so let's 1282 00:42:06,040 --> 00:42:08,229 say we want to attack some 1283 00:42:08,230 --> 00:42:10,809 signal, which is, let's say, over here. 1284 00:42:10,810 --> 00:42:13,149 So what this looks like is we thin it 1285 00:42:13,150 --> 00:42:15,289 and this is all approximately to scale. 1286 00:42:15,290 --> 00:42:17,169 So after we thin it, we might leave, you 1287 00:42:17,170 --> 00:42:19,209 know, 25, 50 micrometers or something 1288 00:42:19,210 --> 00:42:21,369 like that. And so now after that, we 1289 00:42:21,370 --> 00:42:23,169 take the FIB and now we make what's 1290 00:42:23,170 --> 00:42:24,369 called a FIB trench. 1291 00:42:24,370 --> 00:42:27,129 And so now we make a trench approximately 1292 00:42:27,130 --> 00:42:29,289 like so and so now we have a 1293 00:42:29,290 --> 00:42:31,509 hole basically going up to where 1294 00:42:31,510 --> 00:42:32,679 our transistors are. 1295 00:42:32,680 --> 00:42:34,869 And now we again, we 1296 00:42:34,870 --> 00:42:36,849 wanted to target the wire in the middle. 1297 00:42:36,850 --> 00:42:39,219 So now we have to remove just 1298 00:42:39,220 --> 00:42:41,649 in that area, we have to just remove 1299 00:42:41,650 --> 00:42:43,449 stuff there. And so we do that and then 1300 00:42:43,450 --> 00:42:45,729 we deposit some, some metal. 1301 00:42:45,730 --> 00:42:47,919 So now you see that it's kind 1302 00:42:47,920 --> 00:42:49,809 of exposed. 
1303 00:42:49,810 --> 00:42:51,459 That signal is exposed to the outside 1304 00:42:51,460 --> 00:42:53,229 world and now we can come in with a 1305 00:42:53,230 --> 00:42:55,419 probing needle. And this is also 1306 00:42:55,420 --> 00:42:56,409 approximately to scale. 1307 00:42:56,410 --> 00:42:58,419 This is a one micrometer probing needle 1308 00:42:58,420 --> 00:43:00,429 that you can't see with your eye, but you 1309 00:43:00,430 --> 00:43:03,249 can install, you know, 1310 00:43:03,250 --> 00:43:04,689 orders of magnitude bigger than the 1311 00:43:04,690 --> 00:43:06,729 actual transistors there. 1312 00:43:06,730 --> 00:43:08,919 So that kind of the the the steps 1313 00:43:08,920 --> 00:43:11,019 that we went through was we 1314 00:43:11,020 --> 00:43:13,269 had to figure out a way to to navigate 1315 00:43:13,270 --> 00:43:15,389 through the chip. So on the left is a is 1316 00:43:15,390 --> 00:43:17,539 an optical image of the device that we 1317 00:43:17,540 --> 00:43:19,209 I mean, these are actually images of the 1318 00:43:19,210 --> 00:43:20,379 crystal. 1319 00:43:20,380 --> 00:43:22,589 And this is actually so I 1320 00:43:22,590 --> 00:43:24,309 will use this opportunity to dimension if 1321 00:43:24,310 --> 00:43:26,289 anyone's ever had to work on this is a 1322 00:43:26,290 --> 00:43:28,239 training that you should all go and check 1323 00:43:28,240 --> 00:43:30,309 out. It's I know Carson did it 1324 00:43:30,310 --> 00:43:32,289 when Chris couldn't do it and Bunny did 1325 00:43:32,290 --> 00:43:34,269 it with with Carson, as well as a sort of 1326 00:43:34,270 --> 00:43:35,619 awesome training where you actually get 1327 00:43:35,620 --> 00:43:37,779 to put some probes down on a device, 1328 00:43:37,780 --> 00:43:39,639 etc. and you get to get your hands dirty 1329 00:43:39,640 --> 00:43:41,229 and you get an idea of how all this stuff 1330 00:43:41,230 --> 00:43:43,359 works. 
But so now we don't have an image 1331 00:43:43,360 --> 00:43:45,219 like this and we can't just look through 1332 00:43:45,220 --> 00:43:47,049 a microscope and see what's going on. 1333 00:43:47,050 --> 00:43:49,629 But what we can do in our fab is 1334 00:43:49,630 --> 00:43:51,069 the substrates then. 1335 00:43:51,070 --> 00:43:52,989 So now we can use an infrared camera, 1336 00:43:52,990 --> 00:43:54,579 which you can get for the fib to 1337 00:43:54,580 --> 00:43:56,109 approximately orient ourselves. 1338 00:43:56,110 --> 00:43:58,359 So this is this is actually. 1339 00:43:58,360 --> 00:43:59,989 So these are identical regions. 1340 00:43:59,990 --> 00:44:01,959 So something over there, which looks like 1341 00:44:01,960 --> 00:44:03,099 that an optical image, you know, 1342 00:44:03,100 --> 00:44:05,229 perfectly crisp looks completely blurred 1343 00:44:05,230 --> 00:44:06,999 over here. But just based on the spacing, 1344 00:44:07,000 --> 00:44:08,469 you can still figure out where it is. 1345 00:44:08,470 --> 00:44:10,809 And this was just a second example. 1346 00:44:10,810 --> 00:44:12,969 So now we find where we want to go and 1347 00:44:12,970 --> 00:44:15,129 we start making the trenches, which is 1348 00:44:15,130 --> 00:44:16,329 exactly what we have here. 1349 00:44:16,330 --> 00:44:17,859 And so the wire that we're actually 1350 00:44:17,860 --> 00:44:20,109 targeting is is this was 1351 00:44:20,110 --> 00:44:22,119 as far as I remember this, I think this 1352 00:44:22,120 --> 00:44:24,819 is metal three. So this was not. 1353 00:44:24,820 --> 00:44:27,159 So this is, you know, the transistors, 1354 00:44:27,160 --> 00:44:29,139 the transistors go up to metal one. 1355 00:44:29,140 --> 00:44:31,419 Then there's a metal two and metal three. 1356 00:44:31,420 --> 00:44:33,189 There is something connecting between two 1357 00:44:33,190 --> 00:44:34,959 gates. And this is where we're targeting 1358 00:44:34,960 --> 00:44:36,969 them. 
So we're going all the way from, 1359 00:44:36,970 --> 00:44:38,589 you know, basically effectively going 1360 00:44:38,590 --> 00:44:40,749 through three layers of the device 1361 00:44:40,750 --> 00:44:42,489 to to to probe it. 1362 00:44:42,490 --> 00:44:44,619 And so now we actually deposited 1363 00:44:44,620 --> 00:44:46,839 some metal, which is which 1364 00:44:46,840 --> 00:44:48,549 is you can see the conductor. 1365 00:44:48,550 --> 00:44:50,829 That's the kind of blob on the or is 1366 00:44:50,830 --> 00:44:51,909 the bar coming out? 1367 00:44:51,910 --> 00:44:53,709 And the interesting thing is, you know, 1368 00:44:53,710 --> 00:44:54,909 when I showed this to Chris, he said, 1369 00:44:54,910 --> 00:44:56,979 that's the dirtiest fib I've ever 1370 00:44:56,980 --> 00:44:57,879 seen in my life. 1371 00:44:57,880 --> 00:45:00,159 And he's he's he's he's right. 1372 00:45:00,160 --> 00:45:02,109 But the thing was, we screwed up. 1373 00:45:02,110 --> 00:45:04,239 So the first time we shorted out two 1374 00:45:04,240 --> 00:45:05,739 of the wires when we were doing this in a 1375 00:45:05,740 --> 00:45:07,929 fib. But the nice thing about the fibers, 1376 00:45:07,930 --> 00:45:09,939 if you screw up and you short two wires, 1377 00:45:09,940 --> 00:45:11,529 you can disconnect them with a different 1378 00:45:11,530 --> 00:45:13,839 gas and then connect to the wires using 1379 00:45:13,840 --> 00:45:15,309 a different gas where you're depositing 1380 00:45:15,310 --> 00:45:17,409 metal. And so now we fix the chip, and 1381 00:45:17,410 --> 00:45:18,639 now we can. 1382 00:45:18,640 --> 00:45:20,619 We can come down and probe the chip as we 1383 00:45:20,620 --> 00:45:23,049 wanted to before, which looks like. 1384 00:45:23,050 --> 00:45:25,179 So approximately. 1385 00:45:25,180 --> 00:45:27,279 So there I mean, claimants 1386 00:45:27,280 --> 00:45:29,529 also built a probing amplifier, which 1387 00:45:29,530 --> 00:45:31,599 which did its job. 
1388 00:45:31,600 --> 00:45:32,979 I mean, he even used some space 1389 00:45:32,980 --> 00:45:35,529 simulations to to see how well 1390 00:45:35,530 --> 00:45:36,549 it'll it'll behave. 1391 00:45:36,550 --> 00:45:38,229 But I mean, in reality, you could do this 1392 00:45:38,230 --> 00:45:39,489 a lot more quick and dirty. 1393 00:45:39,490 --> 00:45:41,019 So anyway, but the 1394 00:45:42,130 --> 00:45:43,959 getting back just kind of as a summary so 1395 00:45:43,960 --> 00:45:46,509 the CPU can work on the encrypted data. 1396 00:45:46,510 --> 00:45:48,639 So now we isolate 1397 00:45:48,640 --> 00:45:49,989 a signal where the data has been 1398 00:45:49,990 --> 00:45:51,549 decrypted for us, and that's where we put 1399 00:45:51,550 --> 00:45:53,289 our needles down and extract the 1400 00:45:53,290 --> 00:45:55,029 encrypted data. 1401 00:45:55,030 --> 00:45:57,459 And yeah, I mean, that's 1402 00:45:57,460 --> 00:45:59,829 pretty much all there needs to be said. 1403 00:45:59,830 --> 00:46:01,929 So the the kind of 1404 00:46:01,930 --> 00:46:04,059 an interesting thing that we thought 1405 00:46:04,060 --> 00:46:06,249 of next was something 1406 00:46:06,250 --> 00:46:08,349 which was covered pretty well and in the 1407 00:46:08,350 --> 00:46:10,359 console hacking talk yesterday, which was 1408 00:46:10,360 --> 00:46:12,639 how do you do 1409 00:46:12,640 --> 00:46:13,749 in like modern days? 1410 00:46:13,750 --> 00:46:15,529 How do you do crypto? 1411 00:46:15,530 --> 00:46:16,929 So a lot of times what they do is they 1412 00:46:16,930 --> 00:46:19,179 have fuzes, which they do 1413 00:46:19,180 --> 00:46:20,380 to program. 1414 00:46:21,400 --> 00:46:23,139 I mean, they use one time programable 1415 00:46:23,140 --> 00:46:25,449 fuzes to program a key 1416 00:46:25,450 --> 00:46:27,039 into the associate. 
1417 00:46:27,040 --> 00:46:29,199 And so what we 1418 00:46:29,200 --> 00:46:31,329 see here is an area on an 1419 00:46:31,330 --> 00:46:33,159 80 mega microcontroller because then we 1420 00:46:33,160 --> 00:46:34,809 could easily play around with the fuzes 1421 00:46:34,810 --> 00:46:36,519 and set them and clear them, etc.. 1422 00:46:36,520 --> 00:46:37,929 And so now this is an area where we have 1423 00:46:37,930 --> 00:46:40,089 the fuzes. And you can actually see 1424 00:46:40,090 --> 00:46:42,069 if the Fuze is set or not, because those 1425 00:46:42,070 --> 00:46:44,259 those dots in the in 1426 00:46:44,260 --> 00:46:46,269 both rows. So here you have eight fuzes. 1427 00:46:46,270 --> 00:46:47,919 And so now you can see if the Fuze is set 1428 00:46:47,920 --> 00:46:49,809 or not. And the reason for that is how 1429 00:46:49,810 --> 00:46:51,309 the image that you get on the fib. 1430 00:46:51,310 --> 00:46:53,189 These are actually secondary electrons. 1431 00:46:53,190 --> 00:46:55,479 So these are electrons that could reflect 1432 00:46:55,480 --> 00:46:57,789 that off the device and come back and 1433 00:46:57,790 --> 00:46:59,979 basically into your imaging 1434 00:46:59,980 --> 00:47:02,319 system. And so here, because 1435 00:47:02,320 --> 00:47:03,969 of the fact that you have a Fuze and you 1436 00:47:03,970 --> 00:47:05,799 have a floating gate, the electrical 1437 00:47:05,800 --> 00:47:07,899 field, et cetera, is different and 1438 00:47:07,900 --> 00:47:09,159 there's some sort of charge there. 1439 00:47:09,160 --> 00:47:11,679 And so now you get a different contrast. 1440 00:47:11,680 --> 00:47:12,999 So you get a different amount of 1441 00:47:13,000 --> 00:47:14,289 electrons coming back at you and you can 1442 00:47:14,290 --> 00:47:16,389 see this. 
And so I remember when we 1443 00:47:16,390 --> 00:47:17,739 were sitting there, you know, so now we 1444 00:47:17,740 --> 00:47:19,959 can set and clear the fuse the brute 1445 00:47:19,960 --> 00:47:22,359 force way, which is either connected with 1446 00:47:22,360 --> 00:47:24,579 wire or disconnected by 1447 00:47:24,580 --> 00:47:25,749 disconnecting the wire. 1448 00:47:25,750 --> 00:47:26,919 And I remember when we were sitting there 1449 00:47:26,920 --> 00:47:28,509 with, you know, Starbug and Clemens. 1450 00:47:28,510 --> 00:47:30,939 And as soon as as soon as 1451 00:47:30,940 --> 00:47:32,589 we were somebody, I think Starbug was 1452 00:47:32,590 --> 00:47:34,329 sitting there just testing every argued. 1453 00:47:34,330 --> 00:47:36,549 And as soon as as soon as we, 1454 00:47:36,550 --> 00:47:38,679 you know, set it, you know, check 1455 00:47:38,680 --> 00:47:39,999 if you are doing, what are the fuses set 1456 00:47:40,000 --> 00:47:41,979 to? And then, you know, it's like instead 1457 00:47:41,980 --> 00:47:44,139 of it being f f, it's all 1458 00:47:44,140 --> 00:47:46,299 of a sudden it's, you know, seven 1459 00:47:46,300 --> 00:47:47,949 f four or whatever. And then I just 1460 00:47:47,950 --> 00:47:49,209 remember, you know, we're jumping up and 1461 00:47:49,210 --> 00:47:50,439 down and high fiving. 1462 00:47:50,440 --> 00:47:51,819 You know, you're so happy. 1463 00:47:51,820 --> 00:47:54,039 But the nice thing is with these 1464 00:47:54,040 --> 00:47:55,869 contrasting images that you you can 1465 00:47:55,870 --> 00:47:57,969 actually also see, you can 1466 00:47:57,970 --> 00:48:00,549 actually also see how you're removing 1467 00:48:00,550 --> 00:48:01,899 the gate, which is what you see here. 1468 00:48:01,900 --> 00:48:04,059 So you can see that you can 1469 00:48:04,060 --> 00:48:05,769 see it.
And the contrast is also 1470 00:48:05,770 --> 00:48:07,269 representative of the voltage that you 1471 00:48:07,270 --> 00:48:09,219 have where you're looking at it. 1472 00:48:09,220 --> 00:48:11,649 So if you see on the left and the right, 1473 00:48:11,650 --> 00:48:13,869 the dots are actually the contacts going 1474 00:48:13,870 --> 00:48:15,889 up until up to the metal layers of the 1475 00:48:15,890 --> 00:48:18,099 floating gate. So as we remove the floating 1476 00:48:18,100 --> 00:48:19,539 gate, you'll see that the voltage 1477 00:48:19,540 --> 00:48:21,249 changes. So we've actually changed the 1478 00:48:21,250 --> 00:48:22,869 value stored in the fuse because all of a 1479 00:48:22,870 --> 00:48:25,449 sudden the right side isn't the same 1480 00:48:25,450 --> 00:48:26,949 voltage level as the left side, it 1481 00:48:26,950 --> 00:48:28,719 changes in its color. 1482 00:48:28,720 --> 00:48:30,309 So that was kind of nice to see, too. 1483 00:48:30,310 --> 00:48:32,409 But anyway, so kind of the summary is, 1484 00:48:34,510 --> 00:48:36,339 you know, advanced. 1485 00:48:36,340 --> 00:48:38,379 A lot of these are kind of claims that we 1486 00:48:38,380 --> 00:48:40,239 hear a lot of times and a lot of claims 1487 00:48:40,240 --> 00:48:42,399 that you hear from 1488 00:48:42,400 --> 00:48:44,319 from, especially if you send in academic 1489 00:48:44,320 --> 00:48:46,149 papers that reviewers send back to you. 1490 00:48:46,150 --> 00:48:47,469 So like, you know, we have advanced 1491 00:48:47,470 --> 00:48:49,639 packaging, you know, invasive analysis, 1492 00:48:49,640 --> 00:48:50,979 you know, this is all never going to 1493 00:48:50,980 --> 00:48:53,229 happen. And the truth is like, 1494 00:48:53,230 --> 00:48:54,399 I showed you, we don't even need 1495 00:48:54,400 --> 00:48:56,289 chemicals anymore to open up these chips.
1496 00:48:56,290 --> 00:48:58,179 So now you have a backside polishing 1497 00:48:58,180 --> 00:49:00,129 machine and you put your chip in there 1498 00:49:00,130 --> 00:49:02,109 and you let it polish away and you get a 1499 00:49:02,110 --> 00:49:03,039 very nice result. 1500 00:49:03,040 --> 00:49:04,929 And after that, you only need a FIB. 1501 00:49:04,930 --> 00:49:06,459 You don't need all of these disgusting 1502 00:49:06,460 --> 00:49:08,619 chemicals that nowadays 1503 00:49:08,620 --> 00:49:10,749 at universities who don't 1504 00:49:10,750 --> 00:49:12,549 want to get sued by, you know, health 1505 00:49:12,550 --> 00:49:14,769 insurance companies are very hard to get 1506 00:49:14,770 --> 00:49:17,019 to. So anyway, but then 1507 00:49:17,020 --> 00:49:19,089 the other claim is, you know, 1508 00:49:19,090 --> 00:49:21,159 attackers must first reverse engineer a 1509 00:49:21,160 --> 00:49:22,059 device to attack it. 1510 00:49:22,060 --> 00:49:24,039 And so this is only this is not, you 1511 00:49:24,040 --> 00:49:26,109 know, applicable to the real world 1512 00:49:26,110 --> 00:49:28,329 because who's going to reverse engineer 1513 00:49:28,330 --> 00:49:30,579 a device? And and although 1514 00:49:30,580 --> 00:49:32,769 that may be true, that 1515 00:49:32,770 --> 00:49:34,749 most of the cases and almost all the 1516 00:49:34,750 --> 00:49:35,799 cases, the attacker is not going to 1517 00:49:35,800 --> 00:49:38,349 reverse engineer the full integrated 1518 00:49:38,350 --> 00:49:39,549 circuit he's going to. 1519 00:49:39,550 --> 00:49:40,479 He doesn't even have to reverse 1520 00:49:40,480 --> 00:49:42,219 engineering that much. I showed you what 1521 00:49:42,220 --> 00:49:44,439 the what the processes are finding 1522 00:49:44,440 --> 00:49:45,999 the areas where the decryption is.
1523 00:49:46,000 --> 00:49:47,499 It's not it's not even reverse 1524 00:49:47,500 --> 00:49:48,549 engineering, it's just following the 1525 00:49:48,550 --> 00:49:50,619 lines anyway. 1526 00:49:50,620 --> 00:49:51,620 And so 1527 00:49:52,690 --> 00:49:54,429 the reverse engineering modern ICs is 1528 00:49:54,430 --> 00:49:56,379 impossible. They're way too complex. 1529 00:49:56,380 --> 00:49:58,509 And in reality, you saw that, you 1530 00:49:58,510 --> 00:50:00,099 know, the gates, they appear again and 1531 00:50:00,100 --> 00:50:02,349 again. So like a 1532 00:50:02,350 --> 00:50:04,099 cell library on a chip, nowadays, it 1533 00:50:04,100 --> 00:50:05,829 might have something like 60 or 70 1534 00:50:05,830 --> 00:50:06,969 different types of gates. 1535 00:50:06,970 --> 00:50:08,799 So fine you spend two weeks studying all 1536 00:50:08,800 --> 00:50:10,809 the gates and now you have all the gates 1537 00:50:10,810 --> 00:50:12,309 on that device, you know, all of them. 1538 00:50:12,310 --> 00:50:15,849 So now you can say XOR, inverter 1539 00:50:15,850 --> 00:50:18,099 flip flop, you know, this type of flip 1540 00:50:18,100 --> 00:50:20,349 flop, that type of up, et cetera, you you 1541 00:50:20,350 --> 00:50:21,879 just know them, and you can literally 1542 00:50:21,880 --> 00:50:23,199 recognize them all with your eye when 1543 00:50:23,200 --> 00:50:25,779 you're sitting in front of the the 1544 00:50:25,780 --> 00:50:26,860 basically the images. 1545 00:50:27,940 --> 00:50:29,409 So, yeah, the other thing is, you know, 1546 00:50:29,410 --> 00:50:30,849 data in NVM is encrypted. 1547 00:50:30,850 --> 00:50:31,929 So who cares? 1548 00:50:31,930 --> 00:50:34,029 And we saw, you know, if it's 1549 00:50:34,030 --> 00:50:35,739 encrypted, it has to get decrypted for 1550 00:50:35,740 --> 00:50:36,819 the chip to be able to do anything 1551 00:50:36,820 --> 00:50:37,809 sensible with it.
1552 00:50:37,810 --> 00:50:39,819 And the last one, which was my personal 1553 00:50:39,820 --> 00:50:42,339 favorite, is devices will stop working 1554 00:50:42,340 --> 00:50:44,139 if you do any kind of backside attacks on 1555 00:50:44,140 --> 00:50:46,299 them. And the truth is, I 1556 00:50:46,300 --> 00:50:48,339 can say, with 100 percent of certainty, 1557 00:50:48,340 --> 00:50:50,409 we've removed 99 percent of 1558 00:50:50,410 --> 00:50:52,239 the device and it still works fine 1559 00:50:52,240 --> 00:50:54,699 without, you know, literally 99 1560 00:50:54,700 --> 00:50:56,319 percent of the thickness of the backside 1561 00:50:56,320 --> 00:50:58,509 we removed and the device still 1562 00:50:58,510 --> 00:51:00,639 works. So that's not true at 1563 00:51:00,640 --> 00:51:01,539 all. 1564 00:51:01,540 --> 00:51:04,209 So just a couple of acknowledgments, 1565 00:51:04,210 --> 00:51:06,339 you know, Chris, Oliver, 1566 00:51:06,340 --> 00:51:08,649 Starbug, who is a who's 1567 00:51:08,650 --> 00:51:10,749 who really got me motivated. 1568 00:51:10,750 --> 00:51:12,579 So Starbug back in the day and this kind 1569 00:51:12,580 --> 00:51:13,629 of gets into because I'm going to do 1570 00:51:13,630 --> 00:51:15,369 questions after this number one question 1571 00:51:15,370 --> 00:51:17,149 that I get, especially when people come 1572 00:51:17,150 --> 00:51:19,209 in and talk to me like offline, is 1573 00:51:19,210 --> 00:51:20,229 how do I get into this? 1574 00:51:20,230 --> 00:51:21,609 And Starbug said. 1575 00:51:21,610 --> 00:51:23,439 Learn HDL, and he's right.
1576 00:51:23,440 --> 00:51:25,089 The best way to get into this is learn 1577 00:51:25,090 --> 00:51:27,099 HDL and try to try to implement, you 1578 00:51:27,100 --> 00:51:29,199 know, your own soft core processors 1579 00:51:29,200 --> 00:51:31,029 and start writing this because you'll get 1580 00:51:31,030 --> 00:51:32,739 into the mentality that the engineers 1581 00:51:32,740 --> 00:51:34,099 have designed these chips. 1582 00:51:34,100 --> 00:51:36,429 And it's not rocket science, it's quantum 1583 00:51:36,430 --> 00:51:37,430 physics. 1584 00:51:44,680 --> 00:51:47,139 But it's no I'm 1585 00:51:47,140 --> 00:51:48,549 kidding, of course, because from a 1586 00:51:48,550 --> 00:51:49,989 logical point of view, it's much it's 1587 00:51:49,990 --> 00:51:51,369 much simpler than that even. 1588 00:51:51,370 --> 00:51:53,559 So yeah, and the other two people I'd 1589 00:51:53,560 --> 00:51:55,809 like to sincerely thank are my colleagues 1590 00:51:55,810 --> 00:51:57,429 Clemens who did all of the kind of 1591 00:51:57,430 --> 00:51:59,739 invasive crazy stuff, and Alex 1592 00:51:59,740 --> 00:52:01,869 who was basically there as she on all 1593 00:52:01,870 --> 00:52:04,059 the optics stuff that we used for our 1594 00:52:04,060 --> 00:52:05,319 experiments. 1595 00:52:05,320 --> 00:52:07,719 So questions, oh, and I should before 1596 00:52:07,720 --> 00:52:09,579 I'll use this as all usurped this as a 1597 00:52:09,580 --> 00:52:12,279 small opportunity to say whoever 1598 00:52:12,280 --> 00:52:14,409 wants to talk to me and see 1599 00:52:14,410 --> 00:52:16,269 all of the lovely devices that I have 1600 00:52:16,270 --> 00:52:19,359 with me or wants to potentially 1601 00:52:19,360 --> 00:52:21,189 buy this lovely device called the Don 1602 00:52:21,190 --> 00:52:23,259 Crocker can come and 1603 00:52:23,260 --> 00:52:24,789 find us in the hack center.
1604 00:52:24,790 --> 00:52:26,289 So we're kind of in the bottom and to the 1605 00:52:26,290 --> 00:52:27,909 left and one of the alleys. 1606 00:52:27,910 --> 00:52:29,529 And you can find us there. 1607 00:52:29,530 --> 00:52:31,659 You can look. I took a picture 1608 00:52:31,660 --> 00:52:33,819 for the Don Crocker 1609 00:52:33,820 --> 00:52:35,139 Twitter account if you want to find it 1610 00:52:35,140 --> 00:52:37,149 there, but I guess I don't know how much 1611 00:52:37,150 --> 00:52:38,509 time I have for questions. 1612 00:52:38,510 --> 00:52:40,059 Yeah, OK, thank you very much for this 1613 00:52:40,060 --> 00:52:41,060 interesting talk. 1614 00:52:47,470 --> 00:52:49,599 So we we still have a couple of 1615 00:52:49,600 --> 00:52:51,159 minutes for questions, so if you have a 1616 00:52:51,160 --> 00:52:53,049 question, just get up and get in front of 1617 00:52:53,050 --> 00:52:54,759 one of the mics. 1618 00:52:54,760 --> 00:52:56,380 Do we have a question from the internet? 1619 00:52:57,620 --> 00:53:00,219 Yeah, form is asking 1620 00:53:00,220 --> 00:53:02,709 what the usual amount of destroyed chips 1621 00:53:02,710 --> 00:53:04,779 is. You need to get the information 1622 00:53:04,780 --> 00:53:07,089 you're looking for typically. 1623 00:53:07,090 --> 00:53:08,559 So I mean, that really depends. 1624 00:53:08,560 --> 00:53:10,869 If you're so the answer is 1625 00:53:10,870 --> 00:53:12,079 kind of complicated, right? 1626 00:53:12,080 --> 00:53:14,199 So in terms of 1627 00:53:14,200 --> 00:53:16,299 usually when you're studying, so I 1628 00:53:16,300 --> 00:53:18,369 can I can name a number that I know from 1629 00:53:18,370 --> 00:53:20,559 Chris. When Chris was attacking the 1630 00:53:20,560 --> 00:53:22,719 Infineon 66 six before he had 1631 00:53:22,720 --> 00:53:24,609 his first success, he destroyed something 1632 00:53:24,610 --> 00:53:26,109 like 80 chips. 
1633 00:53:26,110 --> 00:53:28,359 So he spent 80 times, you know, 1634 00:53:28,360 --> 00:53:30,759 on the average, you know, for six hours 1635 00:53:30,760 --> 00:53:32,359 of work before he succeeded. 1636 00:53:32,360 --> 00:53:34,269 But this is a really secure device. 1637 00:53:34,270 --> 00:53:35,949 So if you're attacking something simpler 1638 00:53:35,950 --> 00:53:38,259 than this, you won't go through 1639 00:53:38,260 --> 00:53:39,609 as many chips. 1640 00:53:39,610 --> 00:53:41,589 And the other thing is, once you've done 1641 00:53:41,590 --> 00:53:44,439 this for for so let's say 1642 00:53:44,440 --> 00:53:46,719 so in general, you'll you'll see, 1643 00:53:46,720 --> 00:53:48,819 you know, this chip might not only be 1644 00:53:48,820 --> 00:53:50,199 used on one device, it might be used in 1645 00:53:50,200 --> 00:53:51,639 lots of devices. So once you have the 1646 00:53:51,640 --> 00:53:53,169 layout, once you know what the chip looks 1647 00:53:53,170 --> 00:53:55,029 like, you don't have to repeat this 1648 00:53:55,030 --> 00:53:57,309 again. So you have to. 1649 00:53:57,310 --> 00:53:59,019 I mean, you you know what the layout is. 1650 00:53:59,020 --> 00:54:01,179 So at that point, it's one chip, one 1651 00:54:01,180 --> 00:54:02,259 success. 1652 00:54:02,260 --> 00:54:04,959 So but kind of this this practicing 1653 00:54:04,960 --> 00:54:07,539 and education stage is 1654 00:54:07,540 --> 00:54:09,759 less trivial. You need a you need to 1655 00:54:09,760 --> 00:54:11,349 understand how the chip works to reverse 1656 00:54:11,350 --> 00:54:13,149 engineer, etc. So there are engineering 1657 00:54:13,150 --> 00:54:14,260 needs a couple of devices. 1658 00:54:16,240 --> 00:54:17,889 OK, then, mic three, please. 1659 00:54:19,000 --> 00:54:20,049 This is a really interesting talk. 1660 00:54:20,050 --> 00:54:21,050 Thanks.
1661 00:54:22,060 --> 00:54:24,219 The Intel 1662 00:54:24,220 --> 00:54:26,439 RNG doping 1663 00:54:26,440 --> 00:54:28,479 problem that you may have seen earlier 1664 00:54:28,480 --> 00:54:29,739 today. Yeah. 1665 00:54:29,740 --> 00:54:31,029 Do you think that through any applications 1666 00:54:31,030 --> 00:54:32,199 to backside scanning to try to 1667 00:54:32,200 --> 00:54:34,199 detect so you don't even have some? 1668 00:54:34,200 --> 00:54:36,429 I mean, anyway, so this this 1669 00:54:36,430 --> 00:54:38,799 was an interesting, interesting 1670 00:54:38,800 --> 00:54:40,719 paper, and a lot of the claims in there 1671 00:54:40,720 --> 00:54:42,519 are valid and I would agree with 1672 00:54:42,520 --> 00:54:43,959 especially everything that they say in 1673 00:54:43,960 --> 00:54:46,089 terms of, you know, inducing additional 1674 00:54:46,090 --> 00:54:47,649 side channel leakage that I completely 1675 00:54:47,650 --> 00:54:49,419 agree with. But the thing is, there are 1676 00:54:49,420 --> 00:54:51,699 ways to detect this, you know, and the 1677 00:54:51,700 --> 00:54:53,259 industry has faced this problem too, 1678 00:54:53,260 --> 00:54:55,329 because sometimes you produce a chip and 1679 00:54:55,330 --> 00:54:56,649 for whatever reason, the transistor is 1680 00:54:56,650 --> 00:54:58,089 not working. And it's because, you know, 1681 00:54:58,090 --> 00:55:00,159 you have some creep of your of 1682 00:55:00,160 --> 00:55:02,409 whatever doping theory depositing 1683 00:55:02,410 --> 00:55:03,939 over into the next well. 1684 00:55:03,940 --> 00:55:06,039 And so what you can do is 1685 00:55:06,040 --> 00:55:07,149 what's done with ROMs.
1686 00:55:07,150 --> 00:55:09,339 So you basically use 1687 00:55:09,340 --> 00:55:11,559 you use other chemicals and you 1688 00:55:11,560 --> 00:55:13,329 basically doped them again to make them 1689 00:55:13,330 --> 00:55:15,009 stand out in a scanning electron 1690 00:55:15,010 --> 00:55:17,349 microscope image. But you wouldn't do 1691 00:55:17,350 --> 00:55:18,579 this through the back side. 1692 00:55:18,580 --> 00:55:19,989 What you would do is completely delayer 1693 00:55:19,990 --> 00:55:20,919 the device. 1694 00:55:20,920 --> 00:55:22,659 We're completely removing all the metal 1695 00:55:22,660 --> 00:55:24,459 and just be left with your your basically 1696 00:55:24,460 --> 00:55:26,559 your wells and then you would basically 1697 00:55:26,560 --> 00:55:28,749 color them, you know, stain them so that 1698 00:55:28,750 --> 00:55:30,279 you can see them in a SEM image. 1699 00:55:30,280 --> 00:55:31,689 This would be this would be one way to 1700 00:55:31,690 --> 00:55:33,459 verify this. But of course, the claim is 1701 00:55:33,460 --> 00:55:35,619 true that you know, how realistic is 1702 00:55:35,620 --> 00:55:38,049 it for Intel to do this after 1703 00:55:38,050 --> 00:55:39,399 they have some production going? 1704 00:55:39,400 --> 00:55:41,229 You know, can they do this every week and 1705 00:55:41,230 --> 00:55:42,189 they do this every month? 1706 00:55:42,190 --> 00:55:44,229 Can they do this every time they they 1707 00:55:44,230 --> 00:55:46,119 produce something? I would say a company 1708 00:55:46,120 --> 00:55:47,869 like Intel? Yes, but when you get into 1709 00:55:47,870 --> 00:55:49,659 low cost smart cards, I would agree that 1710 00:55:49,660 --> 00:55:51,549 you might have better success in hiding 1711 00:55:51,550 --> 00:55:52,449 something there. 1712 00:55:52,450 --> 00:55:53,739 Thank you. 1713 00:55:53,740 --> 00:55:56,019 OK, then microphone 1714 00:55:56,020 --> 00:55:57,369 number two, please.
1715 00:55:57,370 --> 00:55:59,559 Hi. Thank you for the talk. 1716 00:55:59,560 --> 00:56:02,019 I've actually a detailed question about 1717 00:56:02,020 --> 00:56:04,149 the SRAM readout with 1718 00:56:04,150 --> 00:56:05,829 the infrared laser. 1719 00:56:05,830 --> 00:56:07,359 I was wondering if that actually worked 1720 00:56:07,360 --> 00:56:09,129 with the standard amplifier that came 1721 00:56:09,130 --> 00:56:11,289 with the Phemos and whether you needed 1722 00:56:11,290 --> 00:56:13,359 to probe the device for that or 1723 00:56:13,360 --> 00:56:13,959 if that worked 1724 00:56:13,960 --> 00:56:15,259 on the external leads? 1725 00:56:15,260 --> 00:56:17,409 No. So we were just looking at the supply 1726 00:56:17,410 --> 00:56:19,239 voltage, so it wasn't using the it was 1727 00:56:19,240 --> 00:56:21,099 literally measuring the current through 1728 00:56:21,100 --> 00:56:23,289 the supply voltage of the device. 1729 00:56:23,290 --> 00:56:24,819 And this was I mean, this was again 1730 00:56:24,820 --> 00:56:26,289 working on smart cards and working on 1731 00:56:26,290 --> 00:56:27,369 microcontrollers. 1732 00:56:27,370 --> 00:56:29,529 So even did it on a hundred and 1733 00:56:29,530 --> 00:56:30,789 thirty nanometer 1734 00:56:32,290 --> 00:56:34,659 MSP430, and this worked great there. 1735 00:56:34,660 --> 00:56:36,939 And but the other question, 1736 00:56:36,940 --> 00:56:38,799 I think it works with the Phemos model, 1737 00:56:40,360 --> 00:56:42,759 with the Phemos amplifier, the standard 1738 00:56:42,760 --> 00:56:45,039 one. But ours was broken, so we used 1739 00:56:45,040 --> 00:56:46,689 a different one. And so that's actually 1740 00:56:46,690 --> 00:56:48,909 another thing for people who don't work 1741 00:56:48,910 --> 00:56:50,859 with failure analysis equipment.
1742 00:56:50,860 --> 00:56:52,929 It's it's like a matter of 1743 00:56:52,930 --> 00:56:54,789 you sitting there and praying that your 1744 00:56:54,790 --> 00:56:56,949 equipment works on whichever day you want 1745 00:56:56,950 --> 00:56:58,899 to use it. Because I mean, like for some 1746 00:56:58,900 --> 00:57:01,059 of the people, I'll tell this 1747 00:57:01,060 --> 00:57:02,439 story because people will appreciate. 1748 00:57:02,440 --> 00:57:04,179 I just remember when we were doing these 1749 00:57:04,180 --> 00:57:06,549 FIB edits, we lost the X 1750 00:57:06,550 --> 00:57:08,419 and the Y stage we're in. 1751 00:57:08,420 --> 00:57:10,509 No, sorry. Yeah, yeah, the X and 1752 00:57:10,510 --> 00:57:11,949 the Y stage on the FIB. 1753 00:57:11,950 --> 00:57:14,589 So afterwards we were using nanometer 1754 00:57:14,590 --> 00:57:16,419 screws, so one of us was standing there 1755 00:57:16,420 --> 00:57:18,789 and actually moving the FIB stage across 1756 00:57:18,790 --> 00:57:20,289 the chip. But the thing is, once you 1757 00:57:20,290 --> 00:57:22,209 approximately get it, you can still scan 1758 00:57:22,210 --> 00:57:24,369 with a beam. That's not mechanical. 1759 00:57:24,370 --> 00:57:25,749 You just have to approximately get to 1760 00:57:25,750 --> 00:57:27,429 that area. But I mean, we would still 1761 00:57:27,430 --> 00:57:29,259 have crazy stuff like sit there with a 1762 00:57:29,260 --> 00:57:31,389 screwdriver, tapping on the relays 1763 00:57:31,390 --> 00:57:33,549 until they until they let go, so the 1764 00:57:33,550 --> 00:57:35,229 stage can go a little bit, etc. 1765 00:57:35,230 --> 00:57:36,909 So it's horrible, you know? 1766 00:57:36,910 --> 00:57:39,099 Anyway, I see the 1767 00:57:39,100 --> 00:57:41,259 kind of people ask us, how how well do 1768 00:57:41,260 --> 00:57:42,459 these attacks scale? 1769 00:57:42,460 --> 00:57:44,019 And I say we attacked.
1770 00:57:44,020 --> 00:57:46,179 We more than successfully attacked 1771 00:57:46,180 --> 00:57:48,169 10 year old or five year old chips with 1772 00:57:48,170 --> 00:57:49,239 the 10 year old FIB. 1773 00:57:49,240 --> 00:57:51,309 So now if we got a new FIB today, 1774 00:57:51,310 --> 00:57:53,409 we could attack newer chips 1775 00:57:53,410 --> 00:57:55,539 as well. But I mean, your question was 1776 00:57:55,540 --> 00:57:57,639 kind of the laser scanning, 1777 00:57:57,640 --> 00:57:59,229 but failure analysis equipment is a 1778 00:57:59,230 --> 00:58:00,230 nightmare. 1779 00:58:01,060 --> 00:58:03,129 OK, then maybe one short question 1780 00:58:03,130 --> 00:58:05,139 from the internet do you have one 1781 00:58:06,550 --> 00:58:07,749 trick users can? 1782 00:58:07,750 --> 00:58:10,029 Wouldn't asynchronous processor 1783 00:58:10,030 --> 00:58:11,979 design render the analysis a lot more 1784 00:58:11,980 --> 00:58:13,689 difficult? To the point, it's practically 1785 00:58:13,690 --> 00:58:15,339 impossible. 1786 00:58:15,340 --> 00:58:17,589 So I'm not sure what 1787 00:58:17,590 --> 00:58:20,139 they mean from an asynchronous 1788 00:58:20,140 --> 00:58:21,409 processor design. 1789 00:58:21,410 --> 00:58:23,829 I mean, you have a lot of 1790 00:58:23,830 --> 00:58:25,929 I mean, I would say 1791 00:58:25,930 --> 00:58:27,999 I don't know how that would affect 1792 00:58:28,000 --> 00:58:30,099 anything. I mean, in terms 1793 00:58:30,100 --> 00:58:32,179 of obfuscation, yes, but I mean, 1794 00:58:32,180 --> 00:58:33,999 the the kinds of attacks that we were 1795 00:58:34,000 --> 00:58:36,249 presenting were understanding what 1796 00:58:36,250 --> 00:58:38,529 the the, you know, the actual 1797 00:58:38,530 --> 00:58:40,989 algorithm is or being able to reproduce 1798 00:58:40,990 --> 00:58:42,669 the device, produce a clone of it, etc.
1799 00:58:42,670 --> 00:58:45,399 So I'm not I'm not entirely sure 1800 00:58:45,400 --> 00:58:47,349 if the person was here I could ask for. 1801 00:58:48,370 --> 00:58:49,629 OK, then our time is up. 1802 00:58:49,630 --> 00:58:51,429 The people at the mics can grab Dimitri 1803 00:58:51,430 --> 00:58:53,679 after the talk and ask him, so 1804 00:58:53,680 --> 00:58:55,899 give him a warm round of applause again. 1805 00:58:55,900 --> 00:58:56,900 Thank you.