How Safe is Anti-Fuse Memory? IBG Protection for Anti-Fuse OTP Memory Security Breaches

Transcription

1 How Safe is Anti-Fuse Memory? IBG Protection for Anti-Fuse OTP Memory Security Breaches Overview A global problem that impacts the lives of millions daily is digital life security breaches. One of the major aspects of this issue is anti-fuse OTP (one-time programmable) memory vulnerability, a protection method widely used in semiconductor devices. Anti-fuse OTP can be found in products people use every day, such as cell phones, gaming consoles, RFiD tags, medical devices and more. Anti-fuse memory is considered by some to be the gold standard for secure memory. Once programmed, reverse engineering methods should not reveal memory contents; however, there is a simple, low cost, and fast hacking technique that can be used to read memory contents outside of the anti-fuse IP block. This can lead to the security breaches and identity thefts that make headlines. This article provides an overview of this simple procedure and shows that Invisible Bias Generator (IBG) technology is the only technology that can be used to block this, as well as many other hacking techniques. Anti-Fuse Operation A fuse is a device that has a closed connection that is then opened via a high current or voltage event. In simple terms, anti-fuse is exactly opposite of a fuse; it is a normally open connection that is programmed closed. A CMOS anti-fuse bit cell consists of two NMOS core transistors. Bit Line HV Write Read Sense Amp Data Verisiti, Inc. All Rights Reserved Worldwide. 1

2 There is a program transistor (Write) coupled in series with a select transistor (Read). When a normal supply voltage such as an I/O or core voltage is applied to the gates of the bit cell, no current is sensed along the bit line. The equivalent circuit for the program transistor is a capacitor. Since there is no current that flows along the bit line, the bit cell is 0 by default. When a large programming voltage is applied along the gate of the program transistor, a hard gate oxide breakdown occurs. A resistive path is created. Current flows along the bit line and a 1 is sensed. The 1 s can be programmed at any time. Once it is programmed, it cannot be reverted back to a 0. Anti-Fuse memory generally cannot be hacked using passive, semi-invasive, and invasive methods. Due to the nature of the technology, it is difficult to determine the content of memory. Passive techniques that include using current profiles to determine the word pattern are unsuccessful because the bit cell current for 0s and 1s are much smaller than the current required for sensing or to operate the peripheral circuits in order to read the memory. Invasive techniques including backside attacks or SEM passive voltage contrast are unsuccessful because it is very difficult to isolate the bit cell since it is connected in a cross point array. Furthermore, it is difficult using chemical etching or mechanical polishing to locate oxide breakdown. However, anti-fuse security is contained solely within the array. The signal interface has no protection. Anti-Fuse Hack To describe this hack, a typical anti-fuse IP configuration of a 1 Mbit array interfaced to a microcontroller bus is used. In this case the bus is 16 bits wide and the address range is from 0 to 64K (16 bit address). 16 Data In Write Output Enable 1 Mbit Anti-Fuse Memory 16 The anti-fuse block may be resistant to optical reverse engineering techniques internally but the micro-controller and anti-fuse memory is vulnerable at their interface and can be reversed. Using the net list obtained from this reversal, the metal runs associated with the address and data buses can be easily isolated. In addition, a digital simulation can be initiated that operates properly until the first anti-fuse access occurs. This simulation will reveal the address of the first access. Verisiti, Inc. All Rights Reserved Worldwide. 2

3 Using a Focused Ion Beam (FIB) circuit editor, probe pads can be placed on the data bus metal runs and the value of the first access can be easily observed. This access result allows the simulation to run further and stop at the next anti-fuse access. Again, the simulation reveals the address of the second access, where the data bus probe pads can be observed. A second probe pad is added to the Output Enable metal run in order to qualify the data bus. Now as the micro-controller executes instructions, the data bus is examined automatically and a file is generated which stores the acquired information. Time and Cost of the Hack The main time and cost for the anti-fuse hack would be the reverse engineering time and expense. For a 20K gates design (or as a matter of fact, 20K gates of hacked die), the cost of the reversal would be approximately $20,000 and take 13 weeks to implement, resulting in a net list. The additional FIB edits and monitoring would add $5000 and less than 1 week to the hack total. The final total is 14 weeks and $25,000. This is a conservative estimate. Skilled hackers might perform this procedure in half of the time and at a significantly reduced cost. If the die is larger, the cost and time for the full reversal would be higher. However, if the goal of the hack is to read out cryptography keys, the entire die would not have to be reversed in order to do this. Based on the short time and low cost of this hacking technique, anti-fuse memory security is merely a bump in the road in terms of revealing silicon secrets. IBG One Time Programmable Memory (pibg OTP) Based on Secure Silicon Layer technology, the IBG OTP memory module includes from four to 32 (but not limited to and can be extended to larger arrays) 4-byte pages that can be programmed utilizing an on board charge pump. As in anti-fuse technology, the IBG cell is subjected to high voltage from the charge pump resulting in gate oxide breakdown changing the digital state of the cell. Write Data 8 Charge Pump Write Buffers Clock Write Read Done Timing & Control 4 8 Column Decoder 4/5/6/7 Buffers Row Decoder One Time Programmable IBG Array 32 2 Read Buffers 32 Read Data Verisiti, Inc. All Rights Reserved Worldwide. 3

4 As with anti-fuse memory, it is difficult to determine the content of memory. Passive techniques include using current profiles to determine the word pattern are unsuccessful because the bit cell current for 0s and 1s are much smaller than the current required for sensing or to operate the peripheral circuits in order to read the memory. Invasive techniques including backside attacks or SEM passive voltage contrast are unsuccessful because it is very difficult to isolate the bit cell since it is connected in a cross point array. Also, chemical etching or mechanical polishing to locate oxide breakdown is time consuming and difficult. Additionally, the pibg OTP Memory includes IBG security within it s memory array and incorporates a destructive security shield providing FIB (Focused Ion Beam) edit protection. This protection is extended over the entire die (or any parts of the die). One single FIB edit through the screen will destroy the entire IBG OTP Memory s contents by causing gate oxide breakdown in all of the memory cells protecting the original programmed data. Programmable Invisible Bias Generator Technology Using pibg OTP technology, a destructive shield can be placed over the entire die removing the ability to access the internal address, data, or control signals. The resultant security shield adds FIB edit protection to the design. FIB, the design and the cryptography keys are erased. IBG Destructive Shield Anti-Fuse Array IGB OTP Micro-Controller In order to add full IBG protection to an anti-fuse Memory array, one suggested configuration uses a Trivium stream cryptography engine to decrypt the read data from the anti-fuse array. Prior to use at program time, the encrypted data is written into the anti-fuse array based on externally generated cryptography keys. This configuration uses the pibg OTP memory to store the cryptography keys. This ensures that the contents of the anti-fuse array is tied directly to the pibg OTP memory so during a FIB edit process the keys will be lost and the contents of the antifuse array protected. In this mode, the pibg OTP block can be considered a Physical Un-clonable Function (PUF) since each key set can be programmed differently for each die. Unlike other PUF devices, the pibg OTP cannot be examined or probed. IBG OTP 160 bit Key From Anti-Fuse Array Trivium Stream Encryption To Micro-Controller Verisiti, Inc. All Rights Reserved Worldwide. 4

5 Conclusions Verisiti s pibg OTP memory is the missing link in secure storage. Without FIB edit protection nothing can be hidden in silicon, including important boot code, software or complex cryptography keys. Hacks can take just a few weeks and cost less than $30,000. This pibg protection applies to other non-volatile memories such as FLASH, EEPROM, and FRAM arrays. Like anti-fuse technology, these arrays are difficult to monitor and reverse engineer at the cell level, but are subject to interface attacks and hacks. Because a FIB attack causes all of the pibg OTP memory bits to be programmed, Verisiti s pibg OTP memory achieves FIPS level 4 security status without the use of an internal charge pump. (FIPS level 4 defines an ultimate protection around semiconductor chip cryptographic modules and immediate zeroization of the memory array upon intrusion.) The IBG and pibg protection methods described above meet this requirement without any software intervention. At Verisiti, we believe IBG and pibg solutions are the only true FIPS level 4 compliant solution due to their builtin, chip-level compliance. With pibg anti-fib technology, secrets can be secured in semiconductors. Verisiti, Inc. All Rights Reserved Worldwide. 5