Professional Documents
Culture Documents
Abstract
Latchup is a short-circuit that can be triggered in CMOS ICs when a current pulse is produced by parasitic perturbations. It is usually regarded as very disturbing for reliability, especially in space applications where it is triggered by ionizing particles naturally present in the environment. But in another context, the one of crypto-processors, it could be used as a way to protect the device from attacks by fault injections. Indeed, if all the parts of the ICs containing the secret data have the property to be more sensitive to latchup than to upsets, it will be impossible for attackers to retrieve the key with fault injections attacks. This paper describes how to design a cryptoprocessor with such features, and how to verify its properties.
power is removed or the device fails due to thermal runaway. If a limitation of current is applied on the supply of the circuit, it becomes again functional after switching power off and on. The level of charge able to trigger the event is very dependant on the position of the VCC and ground contacts in the component. ICs manufacturers usually try to raise this level, considering the fact that the mechanism can be triggered by the natural radiation environment (Single Event Latchup [2]), by electrostatic discharges or even by electromagnetic noise on the inputs/outputs. Nevertheless, the task is not so easy and it is very common to find on the commercial market some ICs very sensitive to latchup. Thats the reason why the users of circuits in severe radiation environment (such as for example space) have to carry out a systematic screening of the commercial components they are using. Here, a way to exploit latchup to protect the data contained in a crypto-processor from fault injections is presented, the conditions to ensure this protection are described and some example of circuits are proposed and tested. The crypto-processor as a whole (or at least the part containing the bits of the secret key) is made up of a CMOS process chosen to be deliberately latchup sensitive, with a triggering threshold sufficiently low so that it will be impossible to inject faults (change bit states) without triggering latchup: in the case of fault injection by any means, the parasitic structure will be triggered, leading to a brutal rise of the supply current of the circuit. A simple circuit monitoring and limiting this current (as applied in circuit boards for space) will prevent the circuit destruction. The crypto-processor will not be functional any more until powering off and on, making any data read-out impossible. In fact the
1. Introduction
A new class of threat appeared recently, aiming at extracting the data contained in a crypto-processor by injecting faults while analyzing the outputs obtained. The methods of fault injections are various (temperature, voltages, glitch, particles) but those which are seen today as being the most dangerous are the one allowing to inject faults in precise locations of the device (for example in the SRAM memory part where the secret key is stored during operations) [1]. Attacks using laser or ions micro beams enter this category. As described by F.W Sexton [2], latchup is a mechanism existing potentially in any CMOS structure, and resulting from the triggering of a parasitic thyristor, developing a low resistance path and a high current between power and ground. Once latched, this high current condition will continue until
13th IEEE International On-Line Testing Symposium (IOLTS 2007) 0-7695-2918-6/07 $25.00 2007
idea is combine a latchup sensitive crypto-processor to current limiting circuits in order to detect and prevent the attack. All the methods to inject faults in ICs, in precise location or not, will probably trigger latchup in a sufficiently sensitive component since it is the cause of the fault (the introduction of charges inside bits) which triggers it. We will show that it is possible at least to design or select circuits protected by latchup from attacks by continuous or pulsed laser and by ionizing particles.
Various techniques of fault injection exist [3], with variable difficulties of implementation, the most effective being fortunately the most difficult to implement. 1- The simplest techniques inject faults in a random way in the component: this is the case of an attack by temperature rise, electromagnetic (radar, microwave, radio) waves, by nuclear particles (heavy ions, neutrons, protons): in these 3 cases, the attack disturbs the component as a whole, and if it is possible to determine an area, it is impossible to target one nor even several bits. Nevertheless, with a very powerful mathematical treatment, it is possible to exploit the results of the attack. These kinds of attacks are very easy to implement because it does not require any access to the die, and can be carried out from far away, but analysis of the results are very difficult to perform. 2- A little more sophisticated attacks use the inputs/outputs of the circuit, by disturbing the power voltages by means of a voltage generator. They can be conducted in phase (temporally) compared to the operating cycles and the clock of the circuit. The consequence of the attack is always rather random, which means that the number of combinations to try to extract the key remains high, but this technique is quite easy to implement if one has access to the circuit. 3- Lastly, the more powerful techniques allow to inject faults at selected times and with perfectly controlled localizations (in theory, one specific bit can be chosen). The attacker is then able for example to modify one by one the bits containing the key, or to interrupt an operation of deciphering This is the case of attacks by focused and pulsed laser [4] or micro beams of ions. These techniques are difficult to implement because they require high level technologies and an access to the die, i.e. the opening of the package. To prevent this kind of attacks the crypto-processor manufacturers set up countermeasures more or less effective to prevent the package opening.
13th IEEE International On-Line Testing Symposium (IOLTS 2007) 0-7695-2918-6/07 $25.00 2007
junction, this structure can turn on and allow the passage of a strong current between the supply contact and the ground. If current is not limited, it is able to induce irreversible damage and the component breaks definitely
Figure 1: parasitic bipolar structures in a CMOS inverter This phenomenon is particularly studied and observed in the case of the natural aggression or not of the electronic components by particles, neutrons, protons or heavy ions (Single Event Latchup). Nevertheless, for the most sensitive components, they can also occur following an electrostatic discharge, a sharp variation of supply voltage or an electromagnetic perturbation. Figure 2 shows the typical evolution of the current in the structure as a function of the applied voltage. Vhold corresponds to a threshold: below its value, it is not possible to establish a latchup in the structure. Above its value, for a given voltage, there are two different current states: Part I : Low current, it corresponds to the normal operation mode (blocked state of the thyristor) Part II : Instable part, the thyristor structure is being triggered Part III : High current, it corresponds to latchup (low impedance state of the thyristor) When the operating voltage exceeds Vtrig, an electrical latchup is triggered.
latchup effect to protect the data stored in from fault injections. Indeed, if the latchup trigger threshold is sufficiently low so that it is impossible to modify information stored in the component by fault injection without triggering latchup, data will be fully protected: in the case of a fault (charge) injection by any way, the parasitic structure will be triggered, leading to a brutal rise of the supply current. If the current delivered by the power supply is monitored and limited, the destruction of the circuit will be avoided, but the circuit will not be functional any more, making any data read-out impossible. In order to make it work again, one will have to switch off the supply, then switch on again. . A latchup sensitive crypto-processor combined to a current limiting circuit is then able to detect and prevent the attack.: the crypto-processor itself is used as a detector of the attack. To summarize: 1- the parts of the crypto-processor susceptible to be attacked by fault injection will be chosen or manufactured in order to get a latchup triggering threshold (in term of charges deposition) slightly lower than the threshold to change the state of the bits. The areas which are interesting to make sensitive to latchup are in particular: - the buffer memory (protection against fault injection of category 1, 2 and 3 described in part II.B) - the combinational part (protection against fault injection of category 1, 2 and 3 described in part II.B) - inputs/outputs (I/O) (protection against fault injection of category 2 described in part II.B) - the power supply of the circuits will be monitored and the current delivered will be limited. We will now show that it is possible to find such parts on the commercial market or to manufacture it on purpose.
III II I
Figure 2 : static I(V) latchup curve
CMOS technologies more sensitive to latchup than to upsets are not exotic. In fact, it can be easily found on the commercial market. Most electronic components used in space environment are tested with heavy ions prior to their use on-board satellites, and the data bases of test results are available (NASA, JPL, ESA database). One example of this type of results for various SRAM is shown in Table 1.
13th IEEE International On-Line Testing Symposium (IOLTS 2007) 0-7695-2918-6/07 $25.00 2007
The ionizing power of heavy ions is measured with LET (Linear Energy Transfer), which represents the charge deposited per unit of length inside the component. The threshold LET is the minimum LET for which latchup is triggered. For the technologies presented here, the threshold LET for bit-flip (called SEU, Single Event Upset) is typically between 1 and 10 MeV/cm2-mg. As a consequence, the five last components are probably naturally protected from fault injection. Here are presented extraordinary sensitive devices, but it is also possible to find very sensitive microcontrollers (one example is described in part B). It is usually estimated that currently (for technologies 0.18m and 0.13m), approximately 10% of the components on the market are latchup sensitive. In fact, a few crypto-processors are certainly already protected !
Figure 3: Well and substrate resistances in the CMOS inverter A larger V will trigger more easily the source/well junction. Then, for larger values of L (that is, impact far from the well contact), the bipolar transistor turns on more easily [6] [7] [8]. This confirms that, from the manufacturer point of view, the design of the device layout (mainly the positions of the Vcc and GND contacts) can be adjusted to increase the sensitivity to latchup. Regarding the possible adjustment of electrical parameters to favour latchup, one can use voltage. Indeed, another interesting property is the fact that latchup threshold diminish when applied voltage increases. On the contrary, upset threshold is higher when applied voltage increases since the critical charge necessary to flip the bit is increased. So, for a given IC whose latchup threshold is superior to upset threshold, an increase of the applied voltage will allow to get the protective property. For instance, in [9], the authors report an important increase of the latchup sensitivity of a microprocessor when the power supply voltage was changed from 4.5V to 5.5V.
V = R W .I =
.L
S
13th IEEE International On-Line Testing Symposium (IOLTS 2007) 0-7695-2918-6/07 $25.00 2007
established for simulation of various SEE effects: Single Event Upset, Single Event Transient, Single Event Burnout, and Single Event Latchup. This facility has the same characteristics than the one dedicated to crypto-processor attacks. The facility is described in Figure 6: the wavelength of the laser is 1,06m, and pulse duration is 600 ps. The laser is focused thanks to a lens, and spot size diameter is 4m Figure 4 : Schematic of the latchup detection part of the test board
Figure 5 : Schematic of the latchup detection in the test board The circuit monitors the supply current of the IC. When its value exceeds a threshold value, the current is hold on (during a time defined prior to the test). If the current remains at the threshold value, it indicates that the increase of the current is due to a latchup, and not to a normal operation of the IC like a write cycle. Then, the next step is to switch off the device. At the end, the power is switch on and the IC returns to a normal current state.
Figure 6: schematic of the EADS laser test facility The main features of this facility are: An industrial design: its components are widely used and robust. The facility is compact and eye safe: the beam is guided into an optical fiber. A fully automated bench: a motorized attenuator is used to change the laser energy and the DUT is placed on XYZ motorized stages. A CCD camera enables to visualize the DUT and the laser spot. The whole facility is driven by a computer A quick sample preparation of ICs: it requires only a localized opening of the package and for backside testing, no wafer thinning is needed. The test board monitoring the circuit is able to write pattern in the DUT (Device Under Test), wait for the laser shot, then read the potentially modified pattern in the IC, and to monitor the power supply of the circuit as described in part IV C. When a latchup is detected, the power supply is switch off and on again. 3- Upset and latchup sensitivity mapping for 2 commercial circuits One of the major advantages of the laser is its ability to precisely localize the sensitive areas of a device. Laser mappings have been performed on different SRAMs. It consists in scanning a part of a device with given steps along the X axis and Y axis. For each step of the scan, the laser energy is adjusted to reach the threshold of the event(s) (cf. Figure 7). In
2- Presentation of EADS France laser facility: EADS France has settled a laser facility dedicated to the industrial testing of Single Event Effects (events induced by ionising particles) in electronic component. The suitability of this laser facility has already been
13th IEEE International On-Line Testing Symposium (IOLTS 2007) 0-7695-2918-6/07 $25.00 2007
the case of SRAMs, both upsets and latchup were investigated at the same time. Results will be presented for two different commercial ICs, widely used in different types of applications: the first one which presents an upset threshold lower than the latchup threshold (8 bit PIC microcontroller), the second one with the inverse property (4 Mbit SRAM).
Y High threshold energy Low threshold energy Sensitive areas
(b)
Figure 8 : physical mapping of logic address inside the memory of the PIC microcontroller. Same colour corresponds to same logic word Here, one can remark that the 8 bits of the same word are scattered in the memory. This information can be very useful when one wants to know if several bit flips can occur in the same logic word, for example, in case of particle ionisation (SWMBU, Single Word Multiple Bit Upsets). Indeed in case of SWMBU, usual error correction codes are inefficient.
Figure 9 shows the results of scan on a surface of 200 m per 200 m, that represents around 2 bits per 2 bits. The left part of the figure shows thanks to a colour scale the laser energy necessary to flip a bit in each position. The separation of each bit can be clearly seen. The right part show the same surface scanned, but this time it is the laser energy necessary to trigger latchup that has been shown. The pink and red areas are the most sensitive, the dark one, the less sensitive. From this figure, it can be seen that the memory part of this microcontroller is naturally sensitive to latchup when used at nominal voltage. But the energy (quantity of charge deposited by unit length) required to trigger latchup is, for every position, higher than the energy required to flip (or upset) the bit.
Figure 9 : Mapping of the Laser Energy necessary to trigger the event (bit flip or upset on the left side, Latchup on the right side) for PIC microcontroller
13th IEEE International On-Line Testing Symposium (IOLTS 2007) 0-7695-2918-6/07 $25.00 2007
As a consequence (but with a lot of chance since the difference is not so big !), even if latchup exists in this IC, an attacker still have a chance to flip bits by fault injection attacks, without triggering the protective effect of latchup.
The shape of the memory cell (6T) is highlighted. It also indicates that the distance between two Vcc (or ground) rails is about 8m.
Additional comments: From Figure 11, this memory shows two different types of latchup sensitive areas: the one at the top, which corresponds to a part of the memory array, and the one below, which corresponds to driving circuits around the memory plan. The most sensitive position is located in the memory cells (the laser energy required to trigger latchup is less important in the memory cells than in the peripheral parts). Regarding the latchup area corresponding to bit position, on Figure 12, the laser latchup threshold mapping is superimposed to the picture of the device at the silicon level. This clearly shows that each latchup sensitive area is common to several bits (at least 14 cells). It seems to be due to the fact that these cells share the same well.
8m
Vcc GND
Memory cell
Figure 10: Frontside view of the 4Mbit SRAM. Following the same principle than in Figure 9, Figure 11 presents a 50m*50m laser energy threshold mapping of the memory. The left part shows the upset mapping and the right part shows the latchup mapping. Only a few points of the scanned area are detected as sensitive to upsets. It is because the memory exhibits a so high sensitivity to latchup, that almost all the positions have a latchup threshold lower than the upset threshold (upset cant be detected when latchup occurs). This memory is fully protected from fault injection attack, since the fault injection will automatically trigger latchup before bit-flip.
Figure 12: Threshold energy laser mappings (25 m x 25 m) of latchup for 4Mbit SRAM, and correspondence with layout From Figure 12, the distance between two identical sensitive areas can be measured (8m). It has to be correlated with the distance between two Vcc (or ground) rails.
Figure 11: Mapping of the Laser Energy necessary to trigger the event (bit flip or upset on the left side, Latchup on the right side) for 4 Mbit SRAM
13th IEEE International On-Line Testing Symposium (IOLTS 2007) 0-7695-2918-6/07 $25.00 2007
to the number of latchup that can be triggered in one hour: SER =Flux (/cm/h).(cm)=6.10-8/h. In other words, it means that one latchup is triggered by the NRE at the ground level every 1900 years. Finally, it shows that this device is still a good choice since, on one hand, it is fully protected against injection attack and, on the other hand, NRE doesnt triggered latchup in an untimely way.
[1] A. Merle et al., Security testing for hardware products: the security evaluations practice, 11th IEEE international On-line Testing Symposium, 6-8 July 2005. [2] F. W. Sexton and al, Destructive Single-Event Effects in Semiconductor Devices and ICs, IEEE Trans. Nuc. Sci, Vol 50, No 3, pp 603-621, june 2003. [3] H. Bar-El et al, The sorcerer's apprentice guide to fault attacks, Proceedings of the IEEE, Vol. 94, Issue 2, Feb. 2006, pp370 382 [4] Sergei P. Skorobogatov et al., Optical Fault Induction Attacks, http://www.cl.cam.ac.uk/~sps32/ches02optofault.pdf [5] T. E. Page et al., Extreme latchup suceptibility in modern commercial-off-the-shelf (COTS) monolithic 1M and 4M CMOS static random-access memory (SRAM) devices, 2005 IEEE Radiation Effects Data Workshop, Seattle, 11-15 July 2005. [6] P. Fouillat, Contribution ltude de lintraction entre un faisceau laser et un milieu semiconducteur. Application ltude du latchup et lanalyse dtats logiques dans les circuits intgrs en technologie CMOS, PHD report, University of Bordeaux I, France, 1990. [7] G. Bruguier et al., Single particle-induced latchup, IEEE Trans. Nucl Sci., vol. 43, pp 522-532, April 1996. [8] A.H. Johnston The influence of VLSI technology evolution on radiation-induced latchup in Space Systems, IEEE Trans. Nucl Sci., vol. 43, pp 505-521, April 1996.
[9] D. K. Nichols et al., An observation of proton-induced latchup, IEEE Trans. Nucl. Sci., vol. 39, pp. 16541656, 1992.
7. References
13th IEEE International On-Line Testing Symposium (IOLTS 2007) 0-7695-2918-6/07 $25.00 2007