Optical Fault Induction Attacks

Sergei P. Skorobogatov and Ross J. Anderson
University of Cambridge, Computer Laboratory,
15 JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom
{sps32, rja14}@cl.cam.ac.uk
Abstract. We describe a new class of attacks on secure microcontrollers and smartcards. Illumination of a target transistor causes it to conduct, thereby inducing a transient fault. Such attacks are practical; they do not even require expensive laser equipment. We have carried them out using a flashgun bought second-hand from a camera store for $30 and with an $8 laser pointer. As an illustration of the power of this attack, we developed techniques to set or reset any individual bit of SRAM in a microcontroller. Unless suitable countermeasures are taken, optical probing may also be used to induce errors in cryptographic computations or protocols, and to disrupt the processor's control flow. It thus provides a powerful extension of existing glitching and fault analysis techniques. This vulnerability may pose a big problem for the industry, similar to those resulting from probing attacks in the mid-1990s and power analysis attacks in the late 1990s.

We have therefore developed a technology to block these attacks. We use self-timed dual-rail circuit design techniques whereby a logical 1 or 0 is not encoded by a high or low voltage on a single line, but by (HL) or (LH) on a pair of lines. The combination (HH) signals an alarm, which will typically reset the processor. Circuits can be designed so that single-transistor failures do not lead to security failure. This technology may also make power analysis attacks very much harder.
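The dual-rail encoding described in the abstract can be checked in software. The following is an added example, not code from the paper or from the authors' circuits: it models one rail pair per logical bit and enumerates every single stuck rail (one transistor forced to conduct) to show that a valid 0 can never silently become a valid 1 or vice versa; the only outcomes are the unchanged value, the (HH) alarm, or the (LL) spacer that a self-timed consumer waits on. The paper does not fix which pair means 1, so the assignment (HL) = 1, (LH) = 0 is an assumption, as is the bus decoder's most-significant-bit-first order.

```python
"""Software model of the self-timed dual-rail encoding from the abstract.

Added example, not code from the paper. Each logical bit travels on two
wires: (H, L) and (L, H) are the two valid data values, (H, H) is the
alarm combination and (L, L) is the spacer a self-timed circuit sends
between data values. Assumption: the paper does not fix the polarity, so
(H, L) is taken here as logic 1 and (L, H) as logic 0.
"""
from itertools import product

H, L = 1, 0
ONE, ZERO, ALARM, IDLE = "1", "0", "ALARM", "IDLE"


def decode_pair(true_rail, false_rail):
    """Interpret one rail pair. Only HL and LH carry data."""
    if true_rail == H and false_rail == H:
        return ALARM            # both rails driven high: fault detected
    if true_rail == L and false_rail == L:
        return IDLE             # spacer: no data on the wires yet
    return ONE if true_rail == H else ZERO


def encode_bit(bit):
    """Logic 1 -> (H, L); logic 0 -> (L, H) (assumed polarity)."""
    return (H, L) if bit else (L, H)


def stuck_rail(pair, rail_index, value):
    """Model one transistor being forced to conduct: a single rail is
    pulled to H or L while the other rail keeps its value."""
    rails = list(pair)
    rails[rail_index] = value
    return tuple(rails)


def single_fault_outcomes():
    """What a decoder sees after every (data bit, rail, stuck value)
    combination. Keys are (bit, rail_index, stuck_value)."""
    outcomes = {}
    for bit in (0, 1):
        for rail_index, value in product((0, 1), (L, H)):
            faulty = stuck_rail(encode_bit(bit), rail_index, value)
            outcomes[(bit, rail_index, value)] = decode_pair(*faulty)
    return outcomes


def no_silent_flip():
    """True if no single stuck rail turns a valid 0 into a valid 1 or the
    reverse: each such fault leaves the value alone, raises ALARM, or
    yields the IDLE spacer, which a self-timed consumer simply waits on."""
    for (bit, _, _), seen in single_fault_outcomes().items():
        opposite = ZERO if bit else ONE
        if seen == opposite:
            return False
    return True


def decode_bus(pairs):
    """Decode a bus of rail pairs, most significant bit first (assumption).
    Returns ("ALARM", None) if any pair is HH (the processor would be
    reset), ("WAIT", None) if any pair is still the spacer, else
    ("OK", value)."""
    decoded = [decode_pair(*p) for p in pairs]
    if ALARM in decoded:
        return "ALARM", None
    if IDLE in decoded:
        return "WAIT", None
    value = 0
    for d in decoded:
        value = (value << 1) | (1 if d == ONE else 0)
    return "OK", value


if __name__ == "__main__":
    for key, seen in sorted(single_fault_outcomes().items()):
        print("bit=%d rail=%d stuck=%s -> %s"
              % (key[0], key[1], "H" if key[2] else "L", seen))
    print("silent flip possible:", not no_silent_flip())
    print(decode_bus([(H, L), (L, H), (H, L)]))   # constructed bus, value 5
    print(decode_bus([(H, L), (H, H), (L, H)]))   # constructed bus with an HH pair
```

The point of the enumeration is the design property the abstract claims: a single-transistor failure on either rail moves the pair off the valid codewords rather than onto the other one, so it is either detected or harmless.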
1 Introduction
Secure microcontrollers and smartcards are designed to protect both the confidentiality and the integrity of sensitive information. It is not sufficient to prevent an attacker from finding out the value of a stored cryptographic key; she must also be unable to set part of the key to a known value, or to induce errors in the computation that enable sensitive information to be deduced. These errors may be data errors, such as an incorrect digital signature that leaks the value of the signing key [3], or errors in the code, such as a missed conditional jump that reduces the number of rounds in a block cipher [1]. Until now, the most widely known technique for inducing such errors was glitching: the introduction of voltage transients into the power or clock line of the target chip. Many chips are now designed to resist glitch attacks.
A review of the tamper-resistance of smartcard and secure microcontroller chips may be found in [2]. Attacks tend to be either invasive, using chip testing equipment such as probing stations and focused ion beam workstations to extract data from the chip directly, or else non-invasive processes involving the exploitation of unintentional electromagnetic emissions, protocol design flaws, and other vulnerabilities that manifest themselves externally. Either type of attack may be passive or active. The standard passive invasive attack involves using microprobes to monitor a smartcard's bus while a program is executing; in an active attack, signals may also be injected, the classic example being the use of a grounded microprobe needle on the clock line to the instruction latch to disable jump instructions. A passive non-invasive attack is analyzing the electromagnetic field in the neighborhood of the device under test [10], while glitching is the classic example of an active attack.

B.S. Kaliski Jr. et al. (Eds.): CHES 2002, LNCS 2523, pp. 2-12, 2003. (c) Springer-Verlag Berlin Heidelberg 2003
Until now, invasive attacks involved a relatively high capital investment for lab equipment plus a moderate investment of effort for each individual chip attacked. Non-invasive attacks such as power analysis require only a moderate capital investment, plus a moderate investment of effort in designing an attack on a particular type of device; thereafter the cost per device attacked is low. Non-invasive attacks are thus particularly attractive where they exist.

Unfortunately for the attacker, many chipmakers have now implemented defenses against the most obvious non-invasive attacks. These defenses include random clock jitter to make power analysis harder, and circuits that react to glitches by resetting the processor. Meanwhile invasive attacks are becoming constantly more demanding and expensive, as feature sizes shrink and device complexity increases. We therefore set out to find new, more powerful, ways of attacking chips.
We describe our new class of attacks as semi-invasive. By this, we mean that, like invasive attacks, they require depackaging the chip to get access to the chip surface. But the passivation layer of the chip remains intact: semi-invasive methods do not require electrical contact to the metal surface, so there is no mechanical damage to the silicon.
Semi-invasive attacks are not entirely new. The electromagnetic analysis of [10] is best performed on a naked chip, and the old EPROM-hacking trick of exposing the write protect bit of a microcontroller to UV light usually entails depackaging it. Semi-invasive attacks could in theory be performed using such tools as UV light, X-rays, lasers, electromagnetic fields and local heating. They could be used individually or in conjunction with each other. However, this field has hardly been explored.

We will now show that extremely powerful attacks can be carried out quickly using very cheap and simple equipment.
2 Background
Once the semiconductor transistor had been invented, it was found to be more sensitive to ionizing radiation (whether caused by nuclear explosions, radioactive isotopes, X-rays or cosmic rays) than the thermionic valves (vacuum tubes) used previously. In the middle sixties, during experiments with pulsed lasers, it was found that intense light causes some similar phenomena. Lasers started to be used to simulate the effects of ionizing radiation on semiconductors [4].

Since then the technology has improved dramatically. Expensive inert-gas-based lasers and solid-state lasers have been replaced with low-cost semiconductor lasers. As a result, the technology has moved from the laboratory all the way down to consumer electronics.
[Figure 1 (not reproduced): schematic of the six-transistor SRAM cell with transistors T1 to T6 between Vdd and Vss, and, on the right, the cell layout.]
Fig. 1. Circuit structure and layout of a six-transistor SRAM cell
Laser radiation can ionize an IC's semiconductor regions if its photon energy exceeds the semiconductor band gap. Laser radiation with 1.06 µm wavelength (1.17 eV photon energy), used in [5], has a penetration depth of about 700 µm and provides good spatial ionization uniformity for silicon devices. However, its focusing is restricted by dispersion to several micrometers, and this is not precise enough for modern semiconductor devices. When moving from infrared to visible light, however, photon absorption increases dramatically [7], and it has become possible to use red and green lasers as the transistors in modern chips became thinner. Smaller devices also mean that less energy is required to achieve the same level of ionization.
In the case of CMOS devices, there is a danger of latching up the circuit, causing a short circuit that can result in permanent damage. So the use of radiation with CMOS structures must be done with appropriate precautions.

Although there are many publications about using pulsed lasers to simulate ionizing radiation, we could find no published information about using them to control or change the behavior of integrated circuits. So we decided to apply an intense light source to a semiconductor chip, and particularly to CMOS logic, to see whether it would be possible to change the state of a memory cell and how easy, or difficult, it might be.
Our first experiments targeted SRAM. The structure of a standard six-transistor SRAM cell is shown in Fig. 1 [8].

Two pairs of p- and n-channel transistors create a flip-flop, while two other n-channel transistors are used to read its state and write new values into it. The layout of the cell is shown on the right of Fig. 1 [9]. The transistors T1 and T3 create the CMOS inverter; together with the other similar pair, they create the flip-flop, which is controlled by the transistors T5 and T6.

If the transistor T3 could be opened for a very short time by an external stimulus, then it could cause the flip-flop to change state. By exposing the transistor T4, the state of the cell would be changed to the opposite. The main difficulties we might anticipate are focusing the ionizing radiation down to several µm² and choosing the proper intensity.
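The mechanism the two paragraphs above describe can be followed at the logic level with a small model of the cell. The following is an added example, not code from the paper or from the authors' experiments: it treats the cell as two cross-coupled inverters, holds the named pull-down transistor conducting for the duration of a pulse, then releases it and checks whether the new state persists. The names T3 and T4 follow the text (T3 as the n-channel pull-down of the T1/T3 inverter that drives node Q, T4 as the pull-down of the other inverter driving the complementary node); that a conducting n-channel pull-down pulls its node to Vss against the p-channel pull-up, and the node labels Q and QB, are assumptions of the model, not measurements from the page.

```python
"""Logic-level model of the six-transistor SRAM cell of Fig. 1.

Added example, not code from the paper. The cell is two cross-coupled
inverters holding nodes Q and QB (Q-bar). Following the text, T1/T3 form
the inverter driving Q, with T3 its n-channel pull-down, and T2/T4 the
inverter driving QB, with T4 its pull-down. Assumption: while a pull-down
is forced to conduct it wins against the p-channel pull-up, so its output
node sits at Vss (0) for the duration of the stimulus. The access
transistors T5/T6 appear only as the normal write path, for comparison.
"""


class SramCell:
    def __init__(self, bit=0):
        self.q = bit
        self.qb = 1 - bit

    def _settle(self, forced=None, max_steps=8):
        """Iterate the two inverters until the cell is stable.
        forced is None, "T3" or "T4": the transistor held conducting."""
        for _ in range(max_steps):
            q_next = 0 if forced == "T3" else 1 - self.qb    # inverter T1/T3
            qb_next = 0 if forced == "T4" else 1 - q_next    # inverter T2/T4
            if (q_next, qb_next) == (self.q, self.qb):
                return
            self.q, self.qb = q_next, qb_next
        raise RuntimeError("cell did not settle")

    def read(self):
        return self.q

    def write(self, bit):
        """Normal write through the access transistors T5/T6: both nodes
        are driven from the bit lines, then released to the flip-flop."""
        self.q, self.qb = bit, 1 - bit
        self._settle()

    def illuminate(self, transistor):
        """Transient stimulus: the named pull-down conducts for a short
        time, then the stimulus is removed. Returns the stored bit."""
        if transistor not in ("T3", "T4"):
            raise ValueError("only the pull-down transistors T3 and T4 are modelled")
        self._settle(forced=transistor)   # during the pulse
        self._settle()                    # after the pulse: does the state hold?
        return self.q


def pulse_result(initial_bit, transistor):
    """Stored bit of a cell holding initial_bit after one pulse on transistor."""
    cell = SramCell(initial_bit)
    return cell.illuminate(transistor)


def truth_table():
    """Resulting bit for every (initial bit, illuminated transistor)."""
    return {(b, t): pulse_result(b, t) for b in (0, 1) for t in ("T3", "T4")}


if __name__ == "__main__":
    for (b, t), out in sorted(truth_table().items()):
        print("cell=%d, pulse on %s -> cell=%d" % (b, t, out))
```

Running the model shows why the text speaks of setting or resetting a bit rather than merely toggling it: a pulse on T3 leaves the cell at 0 whatever it held before, and a pulse on T4 leaves it at 1, because the cross-coupled inverter holds whichever node was last pulled down.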
3 Experimental Method
For our experiments we chose a common microcontroller (Microchip PIC16F84),
which has 68 bytes of SRAM memory on chip (Fig. 2). A standard depackaging
procedure was applied to the chip and the result of this operation is shown as
well in Fig. 2.
The SRAM memory array is located in the centre of