White Hat Hacking

At first glance, the words “reverse engineering” (RE) might conjure up a couple of nefarious individuals with table full of tools, meters, and the like, in some basement trying to figure out how to disassemble some sort of electronic device.

The image is wrong, however. More likely, today’s RE work will be found in a clandestine, well-funded uber-laboratory in an up-and-coming third-world country that is trying to see what is inside a captured Patriot missile. Or it might be a couple of wonder-geeks at a Silicon Valley startup, feverishly trying to figure out how get a competitive edge on the competition’s latest networking chip. And finally, it just might be a disgruntled hardware engineer trying to get even with an organization that he holds a grudge against.

But there are plenty of other uses for RE, too. Among them: Interfacing, reducing documentation shortcomings, analyzing obsolete devices for security, bug fixing, and unauthorized academic/educational and repurposing. RE wears many hats, some of them bad, some good, and some in a gray area in between.

On the good side, RE is an indispensable tool that can be used to protect both edge-of-the-envelope intellectual property as well as the resulting physical property. Companies can use RE techniques to develop the best-of-breed chip design and what it takes to keep intruders out. RE has been one of the most influential factors on the propagation of technology in the electronics industry, worldwide and legal under the terms of “fair use.”

And on the extremist front, on the right side of subversion, it can be used to help derail the plan for a stealth drone carrying the Armageddon virus—or to hack a terrorist organization’s communications network and track down the leader of a cell. In fact, it can be used for good and bad in the same scenario, by anyone and for any purpose. It just depends on their motive. The difference between good and bad is simply what it is used for.

Today, in the semiconductor industry, state-of-the-art RE techniques are a must have business philosophy for high tech companies. In this competitive landscape, where the difference in success or failure can measured in milliseconds, megabits, how much, how cheap, or how avant-garde, simple teardowns of products are no longer sufficient. Advances in semiconductor technology, i.e. the massive integration of billions of gates, and masses of functions into single components, require a specialized, complex approach to peeling back the layers and figuring out what they do.

Types of RE
RE comes in four flavors. The simplest and least expensive is the product teardown. This works well for some devices, such as automobiles, but not so well for chips. Next is system-level analysis. This is better for chips and a bit more tedious. It includes operational analysis, and signal path, timing, and interconnect analysis as well. The next level of depth is process analysis. This consists of material and composition analysis. Finally, and the most complex and expensive, is circuit extraction. This is what gets to the meat of the IC. It involves delayering of the gate layers and extraction and analysis of the components.

For ICs not much has changed in terms of RE techniques, but a lot has changed in equipment and methodologies.

“There haven’t been a lot of new processes,” said Dick James, senior fellow at Chipworks. “Rather, the industry has had to evolve the techniques used to delayer capture images. That involves bigger and better microscopes and evolving processes to keep up with the chip evolution, itself.”

Today’s processors contain both aluminum and copper on the same chip, various interconnect layer thicknesses and multiple dielectrics, as well as memory, RF, power, MEMs, and passive components. Delayering a chip requires the ability to determine what is where, and using the refined process to dissect it. Typically, today’s delayering techniques involves the latest approaches in plasma (dry) etching, wet etching, and polishing. On the imaging side, optical imaging has given way to scanning electron microscopes (SEM). At processes under 0.25/22 µm gate geometries, optical scans just can’t provide sufficient resolution.

Figure 1. Aren’t we thankful for 64-bit analysis software? Courtesy of Chipworks.

When chips were single layer, it was pretty easy to see the see what was going on. And complex software wasn’t available so it was done manually (see Figure 1). But chips now consist of billions of devices, and one area where RE has undergone significant evolution is in circuit extraction—particularly analysis. After all the images are taken, stitched and aligned, the job of making sense of it all begins.

Simulation software has replaced the knee-worn engineer, and now the analysis process occurs on a computer monitor. Figure 2 is a modern-day image of several layers of a complex, multi-layer chip developed with complex 3D CAD software. The final stage is to have a seasoned extraction engineer analyze the drawing and annotate the components, wires, and devices.

Figure 2. Three layers of a multi-layered chip analyzed by RE ready for annotation. Courtesy of Chipworks.

“The single, most important resource one can use for RE is to have experienced analysts,” said Randy Torrance manager of circuit analysis at Chipworks. They can look at a circuit and know it is a DMOS, rather than a CMOS,” which might be missed by an inexperienced analyst.

The next generation – secure chips
The move to create hardware-based security on chips is finally gaining some traction. Because chips have a much more advanced capability to house sensitive data and keys than in the past, reverse engineering therefore becomes much more of a challenge. In legitimate cases, the interest in the chip isn’t the data, but the design (although there might be instances where the data needs to be legitimately extracted). “Therefore, secure chips are designed to keep one from getting to the data,” Torrance said. “But there is very little security to keep one from extracting the schematics — the functionality of the chips. The schematics of the memory that holds sensitive data are as easy as ever to extract.”

Missive
There are a couple of observations that seem to pop up in today’s RE playing field. The first one is security. From Torrance’s comments, there doesn’t appear to be a strong movement to protect the chips functionality. The data is another story, but if one can easily obtain the schematic of the chip, that provided details of memory design where sensitive data is kept, logic dictates that it might not be as hard to extract the data as may be believed.

Second, it seems the chip design industry isn’t paying as much attention to RE as it could. The expense of RE, especially at the lower end of the food chain, (SIM cards, smart cards set-top boxes, etc.) doesn’t seem to worry anyone. Compromising such chips is both relatively easy and the potential damage from attacking such devices is minimal in most cases—at least until everything is connected in the IoT. But when the IoT begins to ramp up and such low-end chips end up in everything from toothbrushes to door hardware to entertainment centers, it seem that protecting such hardware from RE might move closer to the center of the security radar screen.

Finally, at the high end of chip design, emerging crypto processors and other powerful and multi-functional, multi-purpose processors would be further up the food chain, and the expense of securing them from RE should be part of the equation. Because such chips can contain megabytes or gigabytes of sensitive data, it seems this is where the chip industry should be paying attention, now.

“Pretty much any hardware is reverse engineer-able,” said Torrance. “But getting out secure software, or data, can be a huge challenge. So a note to chip hardware players – know that your hardware is, unequivocally, accessible…period. And, given enough resources, your data will be compromised.”