Flash Memory ‘Bumping’ Attacks
Flash Memory ‘Bumping’ AttacksCHES-2010 Workshop, Santa Barbara, USA, 17-20 August 2010Flash Memory ‘Bumping’ AttacksSergei Skorobogatovhttp://www.cl.cam.ac.uk/ sps32email: sps32@cam.ac.uk
Flash Memory ‘Bumping’ AttacksCHES-2010 Workshop, Santa Barbara, USA, 17-20 August 2010Introduction Data protection with integrity check– verifying memory integrity without compromising confidentiality– How secure is “No Readback” solution?2
Flash Memory ‘Bumping’ AttacksCHES-2010 Workshop, Santa Barbara, USA, 17-20 August 2010Introduction Flash memory prevails––––usually stores IP, sensitive data, passwords and encryption keyswidely used in microcontrollers, smartcards and some FPGAsnon-volatile (live at power-up)reprogrammable How secure is Flash memory storage?– used in smartcards and secure memory chips– used in CPLDs by Xilinx and believed to be highly secure– used in secure FPGAs by Actel and claimed virtually unbreakable Vulnerabilities of Flash memory found during my research–––––power glitching influence on data read from memory (Web2000)optical fault injection changes data values (CHES2002)laser scanning techniques reveal memory contents (PhD2004)data remanence allows recovery of erased data (CHES2005)optical emission analysis allows direct data recovery (FDTC2009)3
Flash Memory ‘Bumping’ AttacksCHES-2010 Workshop, Santa Barbara, USA, 17-20 August 2010Background Flash memory structure– high voltages required for operation– narrow data bus– dedicated control logic4
Flash Memory ‘Bumping’ AttacksCHES-2010 Workshop, Santa Barbara, USA, 17-20 August 2010Background 'Bumping' is a certain type of physical attack on door locks Memory 'Bumping attacks' is a new class of fault injectionattacks aimed at internal integrity check procedure in the chip– 'bumping' is aimed at blocks of data down to bus width– 'selective bumping' is aimed at individual bits within the bus5
Flash Memory ‘Bumping’ AttacksCHES-2010 Workshop, Santa Barbara, USA, 17-20 August 2010Experimental setup Sample preparation for modern chips ( 0.5µm and 2M)– only backside approach is effective– it is very simple and inexpensive– no chemicals are required6
Flash Memory ‘Bumping’ AttacksCHES-2010 Workshop, Santa Barbara, USA, 17-20 August 2010Experimental setup NEC 78K/0S µPD78F9116 microcontroller with 16kB Flash– memory access via bootloader for Erase, Write, Verify, Blank Check– 0.35μm process with 3 metal layers Optical fault injection attack– 1065nm laser diode module with output power up to 100mW– NIR objective lens with 20 magnification7
Flash Memory ‘Bumping’ AttacksCHES-2010 Workshop, Santa Barbara, USA, 17-20 August 2010Results for bumping Locating Flash and active areas is easy (laser scanning)SPI interface for data transfer and SPA for timing analysisMemory matches all '0' when the laser is switched onVerification result is available only after all bytes are comparedData extraction time: 10 hours per block, or 2 months per chip27 attempts per byte, 128 bytes per block, 128 blocks, 2s per cycle8
Flash Memory ‘Bumping’ AttacksCHES-2010 Workshop, Santa Barbara, USA, 17-20 August 2010Experimental setup Actel ProASIC3 Flash-based A3P250 FPGA–––––memory access via JTAG for Erase, Program and Verify operations0.13μm process with 7 metal layers, limited information is available“.offer one of the highest levels of design security in the industry”“There is NO readback mechanism on PA3 devices”soon after introduction of optical fault attacks I warned Actel aboutpossible outcomes for Flash technology, but they showed no interest Same optical fault injection attack setup9
Flash Memory ‘Bumping’ AttacksCHES-2010 Workshop, Santa Barbara, USA, 17-20 August 2010Results Locating Flash and active areas is easy (laser scanning) JTAG interface for data transfer Finding sensitive locations with exhaustive search (20µm)black – data corrupted, white – matching all '1'10
Flash Memory ‘Bumping’ AttacksCHES-2010 Workshop, Santa Barbara, USA, 17-20 August 2010Results for bumping Using SPA for timing analysis: cannot detect data timingVerification result is available after each block of 832 bits2300 blocks per array, 26 of 32-bit words per blockData extraction time: 18 years per block, 40000 years/chip231 attempts per word, 26 words per block, 10ms per cycle11
Flash Memory ‘Bumping’ AttacksCHES-2010 Workshop, Santa Barbara, USA, 17-20 August 2010Results for selective bumping Using SPA results as a time reference– block verification 40µs, 26 of 32-bit words per block, 1.5µs/word Laser switching time was changed in 25ns steps– searching for single '0' bit, then two '0' and so on until passed Data extraction time: 30 minutes per block, 50 days/chip213 attempts per word, 26 words per block, 10ms per cycle12
Flash Memory ‘Bumping’ AttacksCHES-2010 Workshop, Santa Barbara, USA, 17-20 August 2010Experimental setup Analysis of the selective bumping phenomenon using a securemicrocontroller with AES authentication– not in production yet, supplied under NDA– hardware setup was supplied by industrial sponsor– chip was supplied pre-programmed with a test AES key Non-invasive power supply glitching attack was used– bumping: 215 attempts per 16-bit word, 100ms cycle, 8 hours for AES key– selective bumping: 27 attempts per 16-bit word, 2 minutes for AES key13
Flash Memory ‘Bumping’ AttacksCHES-2010 Workshop, Santa Barbara, USA, 17-20 August 2010Attack time on 128-bit block Without any improvements: brute force searchrequires on average 2127 attempts Bumping: down to bus width8-bit bus: 27 16 211 attempts16-bit bus: 215 8 218 attempts32-bit bus: 231 4 233 attempts Selective bumping: down to single bit in limited steps8-bit bus: (1 8 7 6 5 4 3 2 1) ½ 16 28 attempts16-bit bus: (1 16 15 . 2 1) ½ 8 29 attempts32-bit bus: (1 32 31 . 2 1) ½ 4 210 attempts In a real attack the complexity could be higher due to thegranularity of the delay time and timing jitter32-bit bus: (1 32 31 . 2 1) ½ 4 8 4 215 attempts14
Flash Memory ‘Bumping’ AttacksCHES-2010 Workshop, Santa Barbara, USA, 17-20 August 2010Limitations and countermeasures Slow process– depends on the implementation of data verification or authentication Precision timing is not necessary– slowly increase the delay until the effect is observed Selective bumping attacks have partial repeatability– between words in the row and between memory rows Fault attacks can be carried out with glitching or optically– optical attacks on modern chips require backside approach Precise positioning for optical attacks is not necessary Encryption and redundancy check make analysis harder Asynchronous circuits could make the attack moreproblematic as bumping requires predictable timing Understanding the core of a problem is vital15
Flash Memory ‘Bumping’ AttacksCHES-2010 Workshop, Santa Barbara, USA, 17-20 August 2010Why Flash memory fails? Flash memory in a nutshell – for better understanding– can you see the bottleneck(s)?16
Flash Memory ‘Bumping’ AttacksCHES-2010 Workshop, Santa Barbara, USA, 17-20 August 2010Improvements and Future work Security with no readback is not the only one in ProASIC3– passkey access protection, AES encryption, security fuses Moving away from semi-invasive attacks toward usingnon-invasive attacks like in the last example with AES keyextraction from the secure microcontroller– easier to setup for deep-submicron chips– faster to get the result– pose larger threat to the hardware security Using data remanence effect for bumping throughthreshold voltage adjustment– S. Skorobogatov: Data Remanence in Flash Memory Devices,CHES-2005, LNCS 3659, pp.339–353 Testing other chips for strength against firmware andsecret key extraction17
Flash Memory ‘Bumping’ AttacksCHES-2010 Workshop, Santa Barbara, USA, 17-20 August 2010Conclusions Bumping attacks are dangerous and can compromise thesecurity in chips – evaluation and protection is necessary Backside approach helps in modern chips, it is simple to do anddoes not require expensive optics and precise positioning Bumping attacks can be used for partial reverse engineering tounderstand internal data paths and chip structure If you do not want to get screwed talk to experts in academia;there are solutions for increasing the security of chips18
Flash Memory ‘Bumping’ Attacks CHES-2010 Workshop, Santa Barbara, USA, 17-20 August 2010 Background 'Bumping' is a certain type of physical attack on door locks Memory 'Bumping attacks' is a new class of fault injection attacks aimed at internal integrity check procedure in the chip –'bumping' is aimed at blocks of data down to .
bumping a new modular electroless Ni wafer bumping line has been developed. Each module can take batches of 50 wafers 8" or 10 wafers 12". Such processing is a key to the extremely high throughput of this bumping line which again determines the overall cost of the bumping process.File Size: 424KBPage Count: 6
injection) Code injection attacks: also known as "code poisoning attacks" examples: Cookie poisoning attacks HTML injection attacks File injection attacks Server pages injection attacks (e.g. ASP, PHP) Script injection (e.g. cross-site scripting) attacks Shell injection attacks SQL injection attacks XML poisoning attacks
design of key depends upon technique of bumping. bumping: insert the key. bumping: apply energy. how bumping works. . metal transfer: doubtful
VMAX All Flash System Overview . VMAX All Flash is architected to support the densest flash configuration possible. VMAX All Flash support for high capacity flash drives provides a differentiated capability versus many all flash alternatives. It allows VMAX All Flash to leverage the increases in flash drive
3V 32M-Bit Serial Flash Memory with Dual and Quad SPI Brief Report Partial Image EN25Q64 EON Flash 64 Megabit Serial Flash Memory with 4Kbyte Uniform Sector Brief Report Partial Image FMND1GXXX3B FIDELIX Flash 3V/1.8V, x8/x16 1G-BIT NAND FLASH Brief Report Partial CA GD25Q64C GigaDevice Flash 3.3V Uniform Sector, Dual and Quad Serial Flash .
Android (version lower than 2.3) mobile phone’s internal memory is a NAND flash chip using YAFFS2 file system to manage data. NAND flash memory contains three logical structures: flash erasable zone, flash block and flash page. The flash erasable zone is the unit of managing bad block, because the NAND flash
memory card from the USB 3.0 Multi Card Reader. Windows Flash memory cards can be removed at any time. However, to prevent data loss, data corruption or memory card failure, DO NOT remove a flash memory card while data is transmitting. Mac OS X 1. Click and drag the flash memory card icon into the trash can, the
300-a02 abp enterprise sdn bhd. 7th floor menara lien hee no, 8 jalan tangung, 47700 petaling jaya. selangor p. j john c.o.d. 03-7804448 03-7804444 300-c01 control manufacturing 400-2 (tingkat satu) batu 1/2, jalan pahang, 51000 kuala lumpur kl lal net 60 days 03-6632599 03-6632588
