Since the birth of the microcontroller (MCU) in the 1970s, chip-cracking techniques and the countermeasures against them have been locked in a constant cat-and-mouse game, each side trying to outdo the other.
This article traces the history of security protection in microcontrollers and closes with a summary of the strengths and weaknesses of today's highest-security-level smart card chips.
Single Board Computer Era
In the early 1970s, an embedded system was built from separate components: a CPU, ROM, RAM, I/O buffers, serial ports and other communication and control interfaces.
During this period there were practically no protective measures, other than legal ones, to stop an intruder from copying the contents of a single board computer's ROM: the ROM was a discrete part that could be removed from the board and read out with an ordinary device programmer.
As large-scale integrated circuit technology advanced, the central processing unit (CPU), data memory (RAM), program memory (ROM) and the I/O communication ports were integrated into a single microcontroller chip, replacing the single board computer. As shown:
In this period the EEPROM and the MCU core were separate dies sealed in the same package; the connections between them were exposed inside the package, so an intruder could read the data with micro-probes.
As attacks became more common, MCU manufacturers added a security fuse that, once blown, blocks external access to the data. As shown:
Advantages: easy to implement. No redesign of the MCU architecture is needed; the fuse alone gates access to the data.
Disadvantages: the fuse is easy to locate and attack. Invasively, the fuse state can be overridden by connecting its bit output directly to power or ground, or the sense line of the fuse can be cut with a laser or a focused ion beam. Non-invasive attacks also succeed, because the fuse is laid out separately from the normal memory array: an external signal (such as an out-of-range supply voltage or a glitched clock) can force the fuse bit into a state that is not read correctly, opening access to the chip's internal data. Semi-invasive attacks succeed quickly, though they require opening the package to reach the die; the best-known method is erasing the security fuse with ultraviolet light while the main memory is masked off, which works precisely because the fuse sits apart from the array.
Security Fuses Become Part of the Memory Array
Later, MCU manufacturers made the security fuse part of the memory array, as shown:
Such fuses sit next to the main memory, may even share some of its control lines, and are manufactured in the same process as the main memory, which makes them hard to locate. Non-invasive attacks remain possible: an external signal can still force the fuse bits into a state that is not read correctly. Semi-invasive attacks remain possible too. The attacker now needs more time to find the security fuse or the control circuit that monitors it, but that search can be automated. A fully invasive attack becomes very difficult and requires manual work, which raises the cost of cracking.
Using Part of the Main Memory to Control External Data Access
Two variants exist: locking a specific address region at power-up so that it acts as the security fuse, or gating memory access with a password. For example, Texas Instruments' MSP430F112 permits read-back only after the correct 32-byte password (the contents of the interrupt vector table) has been entered; without it, read-back is possible only after the password has been erased, which also erases the memory it protected. Although this looks more effective than the earlier schemes, it has weaknesses that can be exploited with low-cost non-invasive attacks such as timing analysis and power analysis: a check that compares the password byte by byte and stops at the first mismatch reveals, through its execution time or its power trace, how many bytes were correct. And if the security fuse state is loaded from memory at power-up or reset, the attacker can use power glitching to force that path into an erroneous state.
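To make the timing weakness concrete, here is an added example in C that is not from the article and not TI's bootloader code: it models a password-gated read-back interface with a 32-byte password (the length mirrors the MSP430 case above; the password bytes, the check functions and the attacker loop are constructed for illustration). The leaky check stops at the first mismatching byte and reports how many bytes it compared, standing in for what an attacker reads from a timing or power trace; the constant-time check always examines all 32 bytes. The recovery routine shows that the leak reduces the search from 256^32 to at most 32 × 256 guesses.

```c
/* Added example: byte-wise early-exit password check vs. constant-time check,
 * and a timing-oracle recovery against the leaky one.
 * Not from the article or from any vendor's bootloader; all names are
 * hypothetical and the password bytes are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PW_LEN 32

/* Constructed 32-byte password held by the simulated chip. */
static const uint8_t chip_password[PW_LEN] = {
    0x3A, 0x1F, 0x00, 0x8C, 0xFF, 0x42, 0x17, 0xA9,
    0x5E, 0x01, 0xC3, 0x7B, 0x2D, 0x90, 0x64, 0xEE,
    0x08, 0xB1, 0x4C, 0xD7, 0x33, 0x6A, 0x9F, 0x05,
    0xE2, 0x58, 0x1B, 0xC9, 0x76, 0x2F, 0x84, 0xAD,
};

typedef int (*pw_check_fn)(const uint8_t *guess, unsigned *cycles);

/* Leaky check: returns on the first mismatch. *cycles receives the number
 * of bytes compared, i.e. the quantity a timing or power trace exposes. */
int check_password_leaky(const uint8_t *guess, unsigned *cycles)
{
    unsigned n = 0;
    for (int i = 0; i < PW_LEN; i++) {
        n++;
        if (guess[i] != chip_password[i]) {
            *cycles = n;
            return 0;
        }
    }
    *cycles = n;
    return 1;
}

/* Constant-time check: always touches every byte and ORs the differences,
 * so the cycle count is the same for every guess. */
int check_password_ct(const uint8_t *guess, unsigned *cycles)
{
    uint8_t diff = 0;
    for (int i = 0; i < PW_LEN; i++)
        diff |= (uint8_t)(guess[i] ^ chip_password[i]);
    *cycles = PW_LEN;
    return diff == 0;
}

/* Attacker: recover the password one byte at a time using only the
 * accept/reject result and the observed cycle count. Returns the number of
 * guesses spent on success, or 0 if the oracle did not leak enough. */
unsigned recover_by_timing(pw_check_fn check, uint8_t out[PW_LEN])
{
    uint8_t guess[PW_LEN] = {0};
    unsigned guesses = 0, cyc;

    for (int pos = 0; pos < PW_LEN; pos++) {
        int found = 0;
        for (int b = 0; b < 256; b++) {
            guess[pos] = (uint8_t)b;
            guesses++;
            int ok = check(guess, &cyc);
            /* With bytes 0..pos-1 already correct, a correct byte at pos
             * makes the compare run past pos, or accept outright. */
            if (ok || cyc > (unsigned)pos + 1) {
                found = 1;
                break;
            }
        }
        if (!found)
            return 0;
    }
    if (!check(guess, &cyc))   /* final confirmation against the oracle */
        return 0;
    memcpy(out, guess, PW_LEN);
    return guesses;
}

/* Guesses needed to recover the password from the leaky check (0 on failure). */
unsigned leaky_check_guesses(void)
{
    uint8_t rec[PW_LEN];
    unsigned n = recover_by_timing(check_password_leaky, rec);
    return (n > 0 && memcmp(rec, chip_password, PW_LEN) == 0) ? n : 0;
}

/* 1 if the same attack fails against the constant-time check. */
int ct_check_resists(void)
{
    uint8_t rec[PW_LEN];
    return recover_by_timing(check_password_ct, rec) == 0;
}

int main(void)
{
    printf("leaky check: recovered after %u guesses (worst case %u)\n",
           leaky_check_guesses(), PW_LEN * 256);
    printf("constant-time check: recovery %s\n",
           ct_check_resists() ? "failed" : "succeeded");
    return 0;
}
```

Against the leaky check the loop finishes in a few thousand guesses; against the constant-time check every wrong guess looks alike and the recovery returns 0. On real hardware the cycle count is read from a power trace or the response latency rather than returned by the function, which is what the text means by low-cost non-invasive attacks.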
Using Top-Level Metal Networks
A top-layer metal mesh is added to make intrusion harder. All mesh lines are monitored for shorts and opens; when a fault is detected, the memory is reset or cleared. As shown:
Ordinary MCUs do not use this protection, because the design is harder and the mesh can also trip under abnormal operating conditions such as strong electromagnetic noise, low or high temperature, abnormal clock signals or a poor power supply. Some ordinary MCUs therefore use a cheaper dummy top-layer mesh that is not monitored; it can be mapped by efficient optical analysis and then bypassed for micro-probing. Meshes of either kind do not prevent non-invasive attacks, and they are not an effective defence against semi-invasive attacks either, because of capacitive coupling between the lines and because light can reach the active circuit area between them.
Smart cards also run such mesh lines between power and ground. Some programmable smart cards go further: they remove the standard programming interface and even the EEPROM read interface, replacing them with a boot module that erases or disables itself after the code has been loaded, after which the chip responds only to functions provided by the user's embedded software. This effectively shuts out non-invasive attacks.
Smart Card Chip Security Design
In recent years some smart cards have used memory bus encryption to defeat probing attacks. As shown:
Data is stored in memory in encrypted form, so even an intruder who taps the data bus learns neither the key nor other sensitive information (such as how to recover the data). This is a strong defence against invasive and semi-invasive attacks on the memory and the bus: the plaintext exists only inside the core. Some smart cards go further and use a different bus encryption key for every card, so that even an intruder who completely cracks one chip cannot produce chips with the same functionality, because each smart card chip carries a unique ID and chips with the same ID cannot be bought.
It is also worth mentioning that some smart cards lay out the standard modules (decoders, register files, ALU, I/O circuits) as synthesised, ASIC-style "hybrid logic", better known in smart card design as glue logic, instead of recognisable hand-placed blocks. With glue logic it is practically impossible to locate the signals or nodes needed for a physical attack by manual search, and the CPU core gains in both performance and security. Because the physical position of the bus can hardly be determined, reverse engineering and micro-probing attacks are effectively prevented.
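The structural effect of bus encryption with a per-chip key, as an added example in C that is not the article's material and not any smart card vendor's implementation: a simulated chip stores bytes in memory XORed with an address-dependent keystream derived from its unique ID, an attacker with probes on the bus captures the stored image, and the image is loaded into a second chip with a different ID. The keystream function is a small hash-style mixer chosen for readability; it is a stand-in for a real cipher, not one to copy. The chip IDs, the secret bytes and all function names are constructed.

```c
/* Added example: toy model of memory bus encryption with a per-chip key.
 * Not from the article or any vendor; the keystream mixer is illustrative
 * only and must not be mistaken for a real cipher. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 16

typedef struct {
    uint32_t chip_id;          /* unique per-chip ID that seeds the bus key */
    uint8_t  mem[MEM_SIZE];    /* bytes exactly as they travel over the bus */
} chip_t;

/* Address-dependent keystream byte derived from the chip ID (toy mixer). */
static uint8_t ks_byte(uint32_t chip_id, uint16_t addr)
{
    uint32_t x = chip_id ^ (0x9E3779B9u * (uint32_t)(addr + 1));
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;     /* xorshift scramble */
    x *= 0x85EBCA6Bu;                            /* multiply-mix */
    x ^= x >> 13;
    return (uint8_t)(x ^ (x >> 8) ^ (x >> 16) ^ (x >> 24));
}

/* The core encrypts on the way out and decrypts on the way in; only the
 * core ever sees plaintext, and the key never appears on the bus. */
void bus_write(chip_t *c, uint16_t addr, uint8_t plain)
{
    c->mem[addr] = plain ^ ks_byte(c->chip_id, addr);
}

uint8_t bus_read(const chip_t *c, uint16_t addr)
{
    return c->mem[addr] ^ ks_byte(c->chip_id, addr);
}

/* Attacker with probes on the bus captures the encrypted image. */
void probe_bus(const chip_t *c, uint8_t image[MEM_SIZE])
{
    memcpy(image, c->mem, MEM_SIZE);
}

/* Attacker loads the captured image into a second chip. */
void load_image(chip_t *c, const uint8_t image[MEM_SIZE])
{
    memcpy(c->mem, image, MEM_SIZE);
}

/* Constructed secret stored by the legitimate chip (15 chars + NUL). */
static const uint8_t secret[MEM_SIZE] = "KEY-0123456789A";

/* Write the secret into a chip and read a full image back through the core. */
static void store_secret(chip_t *c)
{
    for (uint16_t a = 0; a < MEM_SIZE; a++)
        bus_write(c, a, secret[a]);
}

static void read_all(const chip_t *c, uint8_t out[MEM_SIZE])
{
    for (uint16_t a = 0; a < MEM_SIZE; a++)
        out[a] = bus_read(c, a);
}

/* 1 if the legitimate chip reads its own data back correctly. */
int owner_readback_ok(void)
{
    chip_t a = { .chip_id = 0x0C0FFEE1u };
    uint8_t out[MEM_SIZE];
    store_secret(&a);
    read_all(&a, out);
    return memcmp(out, secret, MEM_SIZE) == 0;
}

/* 1 if the image seen on the bus differs from the plaintext. */
int probe_sees_ciphertext(void)
{
    chip_t a = { .chip_id = 0x0C0FFEE1u };
    uint8_t image[MEM_SIZE];
    store_secret(&a);
    probe_bus(&a, image);
    return memcmp(image, secret, MEM_SIZE) != 0;
}

/* 1 if a clone with a different ID cannot use the captured image. */
int clone_readback_fails(void)
{
    chip_t a = { .chip_id = 0x0C0FFEE1u }, b = { .chip_id = 0x0C0FFEE2u };
    uint8_t image[MEM_SIZE], out[MEM_SIZE];
    store_secret(&a);
    probe_bus(&a, image);
    load_image(&b, image);
    read_all(&b, out);
    return memcmp(out, secret, MEM_SIZE) != 0;
}

int main(void)
{
    printf("owner readback ok: %d\n", owner_readback_ok());
    printf("probe sees ciphertext: %d\n", probe_sees_ciphertext());
    printf("clone readback fails: %d\n", clone_readback_fails());
    return 0;
}
```

The point is structural: the captured image is useful only together with the key of the chip it came from, and that key never crosses the bus. In a real device the protection rests on a proper cipher and on key material that cannot be read out; the toy mixer here provides neither, it only shows why a dumped image does not run on a second chip.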
The struggle between those who try to break the protection mechanisms and the manufacturers who keep introducing new security measures is endless. Whether "the devil is always a step ahead" or "evil cannot prevail over good", the contest between the two sides will continue to unfold!