Scaling Anti-Tamper Protection To Meet Escalating Threats

Main ways attackers try to monitor or affect the correct operation of a chip and how to protect against them.


Anti-tamper tends to be one of those catchall phrases encompassing any countermeasure on a security chip. A more precise definition would be that anti-tamper protection is any collection of countermeasures that serves to thwart an adversary’s attempt to monitor or affect the correct operation of a chip or a security core within a chip. Given that, it can be useful to think about a hierarchy of anti-tamper countermeasures that parallel the type, effort and expense of tampering attacks.

So, starting at the lowest effort and building up, the categories of attacks we need to safeguard against include:

  • Non-invasive: usually passive, the attacker monitors the operation of the chip but does not try to modify its normal operation
  • Semi-invasive: an attacker induces electrical failures within the chip and monitors the resulting effects
  • Fully-invasive: often destructive attacks where an attacker bypasses shields, modifies signal connectivity, etc.
  • Reverse engineering: destructive analysis of the chip aimed at obtaining the non-volatile memory (NVM) contents or recovering netlist algorithms

The approach an adversary takes depends on their goals, their level of sophistication, and their budget. In nearly every case, however, attackers are at the very least attempting to learn the secret keys stored on the chip.

One of the values of thinking about the threat in this hierarchical manner is that it aids in planning the anti-tamper defenses for a chip appropriate to the motivation and funding of the attacker. For instance, if a chip is going into a military platform that could fall into the hands of a state-actor adversary, then it should be hardened against the full range of tampering attacks. With that as a foundation, let’s take a more detailed look at each category of attacks and some of the countermeasures.

Non-invasive attacks include protocol/software attacks, side-channel attacks, glitch injection and environmental attacks. In protocol and software attacks, the adversary manipulates the normal inputs into the chip to effect insecure behavior. In side-channel attacks, an adversary gleans the keys when they are inadvertently leaked via EM emissions or power supply fluctuations. Differential Power Analysis (DPA) is a prime example of a side-channel attack. Glitching is a ham-handed noise injection onto a secure chip’s power supply in an attempt to cause an internal bit flip that might put the chip in an unsecured state. Environmental attacks attempt to take the chip outside its tolerated range of operation with conditions such as under voltage or freezing temperatures with the same goal of a bit flip leading to a security failure.

Countermeasures for non-invasive attacks are as varied as the attacks themselves. For protocol and software attacks, there are best-known practices when it comes to how a chip accepts inputs that simply must be followed. As for side-channel attacks, in most cases they can be algorithmically prevented. For instance, a single linear operation can be split into several operations, each masked by a random value so any leakage looks like random noise. Guarding against glitch attacks can be done with fully-internal circuits that regulate core logic so that it is immune to external power supply noise. Thwarting environmental attacks, one can add sensors and alarms that trigger on out of bounds conditions, and “canary” circuits that fail first and signal secure processes to halt. This prevents a secure computation from competing incorrectly and leaking its key.

Semi-invasive attacks include overclocking, fault injection (FI) and back side IR emission. Similar to environmental attacks, overclocking pushes a circuit outside its operational envelope to cause a failure in a security process. FI is the “scalpel” counterpart to glitching’s “sledgehammer.” An IR laser or EM probe is used to make a very targeted attack. Back side IR emission entails imaging the back side of the chip in the IR spectrum to read out the contents of transistor-based memory such as registers and SRAM.

Protecting against this set of semi-invasive attacks builds on the foundation of safeguards already mentioned. Employing wholly-internal clock generators can be used to protect from overclocking. Algorithmic protections can help prevent FI attacks. And since FI IR laser attacks are done through the back of the chip, back side metallization can protect from both FI and back side IR emission attacks, or at least increase their level of effort to that of fully invasive attacks which we cover next.

Fully-invasive attacks use repurposed state-of-the-art failure analysis technologies to achieve their adversarial aims. They include laser voltage probing (LVP) and focused ion beam (FIB) attacks. LVP can be thought of as “contactless probing” with an adversary able to measure any signal, such as the those on the data bus connecting non-volatile memory (key storage) and a security processor. FIB can disable alarms, escalate privileges and induce key leaks by “editing” circuits.

Fully-invasive attacks are the most difficult to guard against, and it is akin to protecting a circuit from being debugged. Back side metallization can help mitigate the effectiveness of LVP. In addition, a high-bitrate random number generator (RNG) can be used to “split” any important data into two “shares” such that an LVP attack against either share would only see random noise. With hybrid packaging techniques, some advanced forms of “tamper evident PUFs” that combine with front and back side metal shields can be used as a FIB countermeasure.

Finally, reverse engineering is a no-holds-barred attack to understand a chip’s design and operation. The attacker removes the chip from its package and takes a high-resolution picture of the topmost layer with a scanning electron microscope (SEM). The chip’s top layer is then removed via plasma etching or similar process, exposing the underlying layer which is then SEM imaged. The process is repeated until all layers, including the P and N implants that form the transistor structures, have been imaged. The aggregated images are analyzed against known circuits to produce a functional model resulting in a full netlist and a hierarchical RTL of the design.

Circuit camouflage technology complicates the reverse engineering process through the integration of multiple “lookalike cells” into a chip’s design. These cells are either optically indistinguishable from the standard cells used throughout the design, or they may appear like nothing the reverse engineer has ever seen. Camouflaged cells can also be enabled to perform logic functions that are different than what would be expected by visual analysis. Together, these approaches introduce errors into the reverse-engineering process, resulting in an incorrect netlist recovered from the silicon.

When it comes to anti-tamper countermeasures, it is critical to identify who your opponent is, and then include at least one degree of additional countermeasure that is beyond their skill or budget. Whether hacker, counterfeiter, or well-funded state actor, their motivation and resources will vary, as will the attack types they can bring to bear. The job of the security designer is to build in enough countermeasures to keep secrets just out of an attacker’s reach. Security experts at companies like Rambus can help designers find that right mix for securing their chips against an environment of escalating risks.

Additional Resources:
Website: Rambus DPA Countermeasures
Website: Rambus Anti-Counterfeiting Solutions
e-Book: Introduction to Side-Channel Attacks
e-Book: Protecting Electronic Systems from Side-Channel Attacks
Blog: Side-channel attack targets deep neural networks (DNNs)
Blog: FIPS 140-3 and DPA: A Winning Combination
Blog: Validating Cryptographic Algorithms to FIPS 140-2

Leave a Reply

(Note: This name will be displayed publicly)