| This paper searched how to use semi-invasive and invasive attack techniques to extract contents from nonvolatile semiconductor memories(NVSM). As sensitive information such as keys of encryption algorithms and passwords which needs to be kept for long time are stored in this kind of memories, storage security of NVSM is the core part of chip security. Only after grasping attack methods can effective defensive strategies be designed. Therefore, this paper explored which attack techniques can be used to extract contents from NVSM.There are three classes of attack technologies. They are non-invasive attack, semiinvasive attack and invasive attack. In this paper, several semi-invasive and invasive attack methods would be used to extract contents from NVSM.This paper proposed four attack methods, showed their process and results. Four methods are optical fault injection, light chemistry invasive attack, probing attack aiming at memory block, and probing attack aiming at a single memory cell. The first method used laser to inject fault when a smartcard executed codes to guess contents more easily with brute force attack. It is hard to inject laser from front side because of multiple metal layers of the target chip, and injecting form back side should be tried. The creative point of this method is trying to inject faults at exact moment to control the faults. The second experiment used scanning electron microscope to observe a preprocessed general EEPROM memory chip to distinguish and locate different storage state cells. Although the result showed contents could not be read directly but every single transistor of memory cells could be located. The creative part and meaning of this experiment is combining analysis ways of failure analysis and data security, and the result can be used to help with reducing time cost of reverse engineering. The third experiment used needles to test signals by placing needles on PAD which connected data output ports of EEPROM, and the process showed the possibility of this attack way, but this method is difficult to execute from engineering perspective. The creative point of this attack lies in its unique attack point and it successfully remove the passive influence of dummy metal. The last experiment used probing needles to test working signals of a single memory cell by contacting PADs which connected electrodes of memory cell transistors to distinguish different cells, and the result showed that different state of memory cells could be shown directly, which verified this attack could work. This attack method is direct and it can be launched even without any information of target chips. Meanwhile, this experiment successfully removed background noise which does harm to probing, and found better way to deposit PAD..Overall, using invasive and semi-invasive attack methods to extract contents from NVSM is difficult in engineering perspective, but this topic deserves further research because theses attack ways are direct, and they can cover the shortage of noninvasive attack. |
PDF Full Text Request