Quiescent photonics side channel analysis: Low cost SRAM readout attack

Abstract

Optical emissions from semiconductors have been found to leak important information from embedded security devices. Unfortunately, the required substrate thinning and photon emission microscopy equipment is typically very expensive. Low cost equipment setups are proposed for substrate thinning/polishing and photon emission microscopy. For the first time, a security attack enabling the parallel readout of embedded SRAM while freezing the clock during any/all clock cycles is demonstrated to be viable on several embedded processors. In addition, quiescent photon emissions are shown to reveal the flash outputs. The quiescent photonics side channel attack is demonstrated on the PIC16F6xx family; in addition, quiescent emissions differential image analysis is demonstrated on an ARM Cortex-M0 device to reveal data-dependent emissions. This research has important security implications illustrating that the quiescent photonics side channel is a real threat for many embedded systems, especially lidless flipchips.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9

References

  1. 1.

    Allied Vision: G-145 Near-Infrared (NIR) camera with Sony ICX285 sensor https://www.alliedvision.com/en/products/cameras/detail/Manta/G-145%20NIR.html

  2. 2.

    Courbon, F., Loubet-Moundi, P., Fournier, J., Tria, A.: Adjusting Laser injections for fully controlled faults, Presentation slides, http://www.cl.cam.ac.uk/~fr26/Papers/COSADE_Courbon_et_al_slides.pdf, April 2014

  3. 3.

    Di-Battista, J., Courrege, J.-C., Rouzeyre, B., Torres, L., Perdu, P.: When failure analysis meets side-channel attacks. CHES 2010, Vol. 6225 LNCS, pp. 188–202. Springer Berlin/Heidelberg (2011)

  4. 4.

    Ferrigno, J., Hlaváč, M.: When AES blinks: introducing optical side channel. Information Security, IET, 2(3):94–98, (2008)

  5. 5.

    Helfmeier, C., Boit, C., Nedospasov, D., Seifert, J.-P.: Cloning Physically unclonable functions Proc. of IEEE Symp. on HOST (2013)

  6. 6.

    Kraemer, J.I.: Why Cryptography Should Not Rely on Physical Attack Complexity. T.U. Berlin, (2015)

  7. 7.

    Lessard S., Dion-Bertrand, L.-I.: Cooling SWIR Sensors – an overview. White paper, https://doi.org/10.13140/RG.2.2.31365.65764, (2017)

  8. 8.

    Nedospasov, D., Schlösser, A., Seifert, J.-P., Orlic, S.: Functional integrated circuit analysis. IEEE Intl Symp on Hardware-Oriented Security and Trust (HOST), (2012)

  9. 9.

    Newman, R.: Visible light from a silicon p-n junction. Phys. Rev. 100, 700–703 (1955)

    Article  Google Scholar 

  10. 10.

    Nohl, K., Evans, D., Starbug, Plotz, H.: Reverse-engineering a cryptographic RFID tag. In Proc of 17th Usenix Security Symp 2008

  11. 11.

    Oswald, D., et al.: When reverse engineering meets side channel analysis digital lock picking in practice. Proc. of Selected Areas in Cryptography, LNCS 8282, Springer (2013)

  12. 12.

    Polonsky, S., et al.: CMOS IC diagnostics using the luminescence of off-state leakage currents. Proc. of Intl Test Conf., pp. 134–139 (2004)

  13. 13.

    Polonsky, S., et al.: Photon Emissions Microscopy of inter/intra chip device performance variations, Microelectronics reliability, 45, Elsevier (2005) 10.1016.jmicrorel.05.07.31, pp. 1471–1475

  14. 14.

    Schlosser, A., Nedospasov, D., Kramer, J., Orlic, S., Seifert, J.-P.: Simple photonic emissions analysis of AES (2013)

  15. 15.

    Shehata, A.B., et al.: Novel NIR Camera with Extended Sensitivity and Low Noise for PEM of VLSI Circuits, Proc of Intl. Symp. Testing and Failure Analysis, ASM Intl (2014)

  16. 16.

    Skorbogatov, S.: Using Optical Emission Analysis for Estimating Contributions to Power Analysis, IEEE Proc. of Workshop on Fault diagnosis and tolerance in cryptography (2009)

  17. 17.

    Stellari, F., Song, P., et al.: Revealing SRAM memory content using spontaneous photon emission. In Proc of 34th VLSI Test Symp 2016

  18. 18.

    Tajik, S.: On the Physical Security of Physically Unclonable Functions, PhD Thesis, T.U. Berlin (2017)

  19. 19.

    Xenics: XEVA-1.7-320 Shortwave infrared (SWIR) camera, xenics.com

  20. 20.

    Xenics: Bobcat-320 - Shortwave infrared (SWIR) camera xenics.com

Download references

Author information

Affiliations

Authors

Corresponding author

Correspondence to Mustafa Faraj.

Additional information

Publisher’s note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Faraj, M., Gebotys, C. Quiescent photonics side channel analysis: Low cost SRAM readout attack. Cryptogr. Commun. (2021). https://doi.org/10.1007/s12095-020-00469-5

Download citation

Keywords

  • Photonics side channel
  • Photon emissions microscopy
  • Quiescent emissions
  • SRAM
  • Substrate thinning