With the proliferation of electronics into every day life, integrated circuits (ICs) process and store more sensitive information than ever before. The extraction of on-chip assets, such as keys, firmware, personal and information, threatens state-of-the-art military technologies, commercial industries, and society alike through counterfeiting, theft, fraud, development of exploits, and much more. Although protection against software and non-invasive methods of extraction has been widely investigated, physical probing has received little attention. In particular, Focused Ion Beam (FIB) is a powerful tool that allows attackers to not only to access and probe assets, but to destroy and/or bypass existing countermeasures. Since FIB capabilities are almost limitless, the best approaches should make probing as costly, time consuming, and frustrating as possible. However, a significant barrier in doing so lies in the fact that the time, effort, and cost to design a FIB-resistant chip must remain reasonable, especially to designers who are not security experts.
This project investigates iPROBE, the first ever computer-aided design (CAD) approach aimed at hindering frontside and backside probing attacks on integrated circuits. As a CAD solution, iPROBE relieves the designer's burden by automatically balancing the security and overhead of various countermeasures. Compared to ad hoc countermeasures such as top level meshes, it also allows protection to be concentrated on only the most sensitive portions of a design, thereby lowering cost. iPROBE takes design assets as input, and uses information-theoretic and test-inspired metrics to identify all nets requiring protection. During physical design, nets are ranked in terms of their sensitivity and vulnerability to probing. Internal shields are constructed using existing functional nets as well as additional test nets to surround the highest ranked nets. Cutting through the functional nets ideally renders the chip useless or destroys the sensitive data. Similarly, cutting through test nets can be detected and used to trigger self-destruction. t-private circuits and other countermeasures are integrated with the internal shield to further increase attack complexity. For evaluation, benchmark circuits are implemented with conventional flows and with iPROBE. Area, power, and timing between the two are compared to estimate the iPROBE's impact on performance. Security is evaluated using a custom-built IC probing evaluation tool previously developed by the PIs (with upgrades for backside attack evaluation) and using FIBs in the PIs' lab to execute real attacks on iPROBE-designed chips that are fabricated through MOSIS.
|