Jacob Couch, Nicole Whewell, A. Monica, S. Papadakis
{"title":"利用光子发射显微镜从fpga直接读取空闲块RAM","authors":"Jacob Couch, Nicole Whewell, A. Monica, S. Papadakis","doi":"10.1109/HST.2018.8383889","DOIUrl":null,"url":null,"abstract":"In many reverse engineering efforts, side channels have been utilized to extract both design information and data from integrated circuits. In this paper, a technique is demonstrated to recover data by directly reading idle SRAM cells within an FPGA, without engaging the read circuitry. This is accomplished using photon emission microscopy to capture the photons that are emitted as leakage currents flow from the source to the drain of NMOS transistors within the SRAM cell. Depending on whether a 0 or 1 state is stored in a particular cell, the location of the emitting transistor is different. The read circuity in many integrated circuits cannot be easily activated in a repeatable pattern, thus forming need to access the contents of idle SRAM cells. This was evaluated and refined on a 220 nm process node FPGA. We discuss the physics of photon emission in these devices and the consequences for successful imaging of SRAM contents. Through initial investigations and calculations, we predict that extraction of data from idle SRAM can be conducted on more modern parts. Through an extension of this technique, data such as encryption keys, state information, and restricted variables that would not be accessible through traditional bitstream and firmware reverse engineering efforts can be extracted from the integrated circuit. This information can then be utilized to ensure the integrity of a system, or as a threat to the integrity of the system.","PeriodicalId":6574,"journal":{"name":"2018 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)","volume":"19 1","pages":"41-48"},"PeriodicalIF":0.0000,"publicationDate":"2018-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"6","resultStr":"{\"title\":\"Direct read of idle block RAM from FPGAs utilizing photon emission microscopy\",\"authors\":\"Jacob Couch, Nicole Whewell, A. Monica, S. Papadakis\",\"doi\":\"10.1109/HST.2018.8383889\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"In many reverse engineering efforts, side channels have been utilized to extract both design information and data from integrated circuits. In this paper, a technique is demonstrated to recover data by directly reading idle SRAM cells within an FPGA, without engaging the read circuitry. This is accomplished using photon emission microscopy to capture the photons that are emitted as leakage currents flow from the source to the drain of NMOS transistors within the SRAM cell. Depending on whether a 0 or 1 state is stored in a particular cell, the location of the emitting transistor is different. The read circuity in many integrated circuits cannot be easily activated in a repeatable pattern, thus forming need to access the contents of idle SRAM cells. This was evaluated and refined on a 220 nm process node FPGA. We discuss the physics of photon emission in these devices and the consequences for successful imaging of SRAM contents. Through initial investigations and calculations, we predict that extraction of data from idle SRAM can be conducted on more modern parts. Through an extension of this technique, data such as encryption keys, state information, and restricted variables that would not be accessible through traditional bitstream and firmware reverse engineering efforts can be extracted from the integrated circuit. This information can then be utilized to ensure the integrity of a system, or as a threat to the integrity of the system.\",\"PeriodicalId\":6574,\"journal\":{\"name\":\"2018 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)\",\"volume\":\"19 1\",\"pages\":\"41-48\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2018-04-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"6\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2018 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/HST.2018.8383889\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2018 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/HST.2018.8383889","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Direct read of idle block RAM from FPGAs utilizing photon emission microscopy
In many reverse engineering efforts, side channels have been utilized to extract both design information and data from integrated circuits. In this paper, a technique is demonstrated to recover data by directly reading idle SRAM cells within an FPGA, without engaging the read circuitry. This is accomplished using photon emission microscopy to capture the photons that are emitted as leakage currents flow from the source to the drain of NMOS transistors within the SRAM cell. Depending on whether a 0 or 1 state is stored in a particular cell, the location of the emitting transistor is different. The read circuity in many integrated circuits cannot be easily activated in a repeatable pattern, thus forming need to access the contents of idle SRAM cells. This was evaluated and refined on a 220 nm process node FPGA. We discuss the physics of photon emission in these devices and the consequences for successful imaging of SRAM contents. Through initial investigations and calculations, we predict that extraction of data from idle SRAM can be conducted on more modern parts. Through an extension of this technique, data such as encryption keys, state information, and restricted variables that would not be accessible through traditional bitstream and firmware reverse engineering efforts can be extracted from the integrated circuit. This information can then be utilized to ensure the integrity of a system, or as a threat to the integrity of the system.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
