Note: Regarding COVID-19 safety, Hardwear.io will seek to ensure a safe event, as the health and safety of our exhibitors, delegates, speakers, and staff will always be our number one priority. Hardwear.io will follow all applicable health regulations required by the local (Santa Clara) and government (State of California) authorities.
The primary goal of our trainings is to provide security professionals and team leaders the skills, mindset and background information necessary to successfully perform the reverse engineering of Integrated Circuits (ICs), circumvent their hardware countermeasures and extract the data from them (Hardware and Firmware).
This intermediate training is focused on ROM memories as they often are the primary target of a security analysis at the transistor level. Rather than focusing on a particular device, the training was designed so it can be used as a starting point to deal with any type of ROMs.
As ROM content is encoded physically, it is possible to take pictures of the bits and convert them to a proper binary. Of course, chip vendors are using different techniques such as data scrambling to make these optical dumps not practical.
This training aims at giving a complete understanding of how ROMs are constructed at the transistor level and will describe how analyzing the circuitry can be done to extract scrambling information necessary for the reconstruction of a proper binary. Therefore, it starts with a theoretical sections where ROMs and their building blocs will be explained. This includes the different types of ROMs, the different types of bit encoding, the ROM circuitry (logic, row and column decoders). With that knowledge in mind, the attendees will then be working on the hands-on section which will consists in the extraction of a ROM from pictures only. The attendees will have the oportunity to work from Scanning Electron Microscope pictures and to follow a step by step approach to extract a binary using python, Fiji (imageJ), photoshop and HDL (Hardware Description Language) tools.
At the end of the session, attendees will be familiar with ROM technologies and will be able to adapt the acquired knowledge to real life scenarios.
ROMs inside Integrated Circuits are a pretty interesting target as they can contain cryptographic material, boot sections, hidden booting modes such as programing and / or test modes, etc...
Knowing about the code contained in ROMs can be used for a wide variety of targets such as extracting Flash content from non-accessible boot modes or seting up non-, semi- and fully-invasive attacks for a deep security evaluation. These different tasks are interesting for people such as Law Enforcement Agencies for digital forensics, security evaluators, counterfeiters, hackers and of course pirates.
ROMs have their content physically encoded meaning the bits are actually visible. In such a context where a Scanning Electron Microscope can be used to image the content and the memory control circuitry, it is possible to extract at a rather low cost sensitive information.
This hands-on training is designed to give attendees a deep understanding of ROMs and how to dump them. It will rely on a theoretical sections that will describe the different circuits involved in reading from the memory. This knowledge base will be used on a practical case where pictures will be analyzed to extract the content but also to reverse-engineer the control circuitry that can be used to scramble the data.
The theoretical introduction will deal with the following topics:
The hands-on section will take this knowledge and expand it by exploring the following topics:
The different chapters are organized so as to let the attendees discover each new topic in a progressive manner that reflects the Reverse-Engineering specific mindset. This way, attendees will be able to derive their own workflows and methods while working on their own projects after the training session.
Finally, this training is also useful to discuss the current state of Integrated Circuits security and embedded counter-measures which can help chip designers improve their own security or help OEMs and integrators choosing the right device for their application.
Without being fully exhaustive, the learning objectives of the training are:
To follow the training efficiently, the attendees are asked to come with a laptop with the following softwares installed:
For this training, micro-electronics prior knowledge is not mandatory. The attendees should nevertheless be familiar with python scripting and have some knowledge or understanding of HDL language. The training is designed in VHDL as it is closer to the actual design than verilog but people with verilog skills will have no difficulty to adapt to VHDL. To accommodate attendees with no prior experience with HDL (Hardware Description Language), the assignments are provided with scripts and files with blanks to fill.
The participants will be given slides that will cover the theoretical and hands-on sections. The hands-on section will be explained step by step with partial answers for attendees not familiar with the different used languages. Pictures will be provided as photoshop files.
Olivier THOMAS studied Electrical Engineering (EE) and subsequently worked for a major semiconductor manufacturer designing analog circuits. Then, Olivier began to work in the field of Integrated Circuit (IC) security as the head of one of the world’s leading IC Analysis Labs. The lab primarily focused on securing future generation devices as well as developing countermeasures for current generation devices to combat piracy and counterfeiting. During this time Olivier helped develop many new and novel techniques for semi- and fully-invasive IC analysis. He has an extensive background in all the Failure Analysis techniques and equipment necessary for accessing vulnerable logic on a target device. Combined with his experience as an IC design engineer, Olivier continues to develop techniques for automating the analysis process. These techniques are not only applicable to lower-complexity devices such as smartcards, which are the traditional targets for IC analysis, but they are applicable to modern semiconductor devices with millions of gates, such as modern System-on-Chips (SoCs). Olivier is the creator of ChipJuice, a software toolchain that efficiently operates the recovery of hardware designs, independently from their technology node, architecture.