The Evolution of MCU Chip Encryption

Author: Wu Zhe

Since the birth of the MCU in the 1970s, the techniques for cracking chips and the countermeasures against cracking have been locked in a contest in which each advance on one side is soon outdone by the other, in the spirit of the saying “as virtue rises a foot, vice rises ten.” This article traces the development of microcontroller security protection. At the end, we summarize the advantages and disadvantages of smart card chips, currently the highest security level available.

1. The Era of Single Board Computers

In the early 1970s, embedded systems were built from separate components: CPU, ROM, RAM, I/O buffers, serial ports, and other communication and control interfaces, as shown in the figure. During this period there were almost no protective measures, other than legal ones, to stop an intruder from copying the data out of the ROM of a single board computer.

2. The Era of Microcontrollers

With the development of large-scale integrated circuit technology, the central processing unit (CPU), data memory (RAM), program memory (ROM), and the I/O communication ports were integrated into a single microcontroller chip, replacing single board computers, as shown in the figure.


During this period, the EEPROM memory and the MCU core were separate dies sealed in the same package, so an intruder could read out the data with micro-probes.

3. Security Fuses

As intrusions increased, MCU manufacturers later added a security fuse that blocks external access to the data, as shown in the figure.


Advantages: it is easy to implement and needs no redesign of the MCU architecture; a fuse simply gates data access.

Disadvantages: the fuse is easy to locate and attack. For example, its state can be changed by connecting the bit output directly to power or ground, or the sensing circuit of the fuse can be cut with a laser or a focused ion beam. Non-invasive attacks can also succeed: because a separately laid-out fuse differs from the normal memory array, external signals can force the bit into a state that cannot be read correctly, which opens access to the information stored in the chip. Semi-invasive attacks lead to success quickly but require opening the package to reach the die; a well-known example is erasing the security fuse with ultraviolet light.

4. Security Fuses Become Part of the Memory Array

Later, MCU manufacturers integrated the security fuse into the memory array, as shown in the figure.


Typically the fuse sits very close to the main memory or even shares its control lines, and it is manufactured in the same process as the main memory, which makes it hard to locate. Non-invasive attacks still apply: external signals can force the fuse bit into a state that cannot be read correctly. Semi-invasive attacks can likewise still be carried out. Attackers certainly need more time to find the security fuse or the control circuit responsible for security monitoring, but that search can be automated. Invasive attacks become very difficult and require manual work, so cracking costs much more.

5. Using a Portion of the Main Memory to Control External Data Access

By locking specific address regions at power-up, part of the main memory can serve as the security fuse. Alternatively, a password can control access to the memory. For example, Texas Instruments’ MSP430F112 allows read-back only after the correct 32-byte password has been entered; without it, read-back becomes possible only after the password has been erased. Although this protection looks more effective than the earlier ones, it has drawbacks that can be exploited with low-cost non-invasive attacks such as timing analysis and power analysis. If the state of the security fuse is loaded into memory after power-up or reset, this gives an attacker the opportunity to use power glitches to force the memory into an erroneous state.
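The timing weakness mentioned above comes from how the password is compared. The following C program is an added example (not code from the article, nor from TI's MSP430 firmware): it places a leaky byte-by-byte comparison beside a constant-time one and counts how many bytes each examines for guesses with a growing correct prefix, which is exactly the quantity a timing measurement would expose. The 32-byte password value, the function names and the MAX_ATTEMPTS lockout are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PASS_LEN 32       /* the article's 32-byte read-back password */
#define MAX_ATTEMPTS 8    /* assumed lockout limit; not from the article */

/* Constructed sample password (illustrative value, not any real device's). */
static const uint8_t stored_password[PASS_LEN] = {
    0x13, 0x37, 0xC0, 0xDE, 0x00, 0x11, 0x22, 0x33,
    0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB,
    0xCC, 0xDD, 0xEE, 0xFF, 0x0F, 0x1E, 0x2D, 0x3C,
    0x4B, 0x5A, 0x69, 0x78, 0x87, 0x96, 0xA5, 0xB4
};

/* Leaky compare: returns at the first mismatch, so the bytes examined (and the
 * run time) grow with the length of the correct prefix. 'examined' counts the
 * bytes touched so the leak is visible without a stopwatch. 1 = match. */
int compare_leaky(const uint8_t *guess, size_t *examined)
{
    *examined = 0;
    for (size_t i = 0; i < PASS_LEN; i++) {
        (*examined)++;
        if (guess[i] != stored_password[i])
            return 0;
    }
    return 1;
}

/* Constant-time compare: always touches all bytes and ORs the differences
 * together, so the work done is independent of the guess. 1 = match. */
int compare_constant_time(const uint8_t *guess, size_t *examined)
{
    uint8_t diff = 0;
    *examined = 0;
    for (size_t i = 0; i < PASS_LEN; i++) {
        (*examined)++;
        diff |= (uint8_t)(guess[i] ^ stored_password[i]);
    }
    return diff == 0;
}

/* Bytes examined by one compare (leaky when use_ct == 0) for a guess whose
 * first correct_prefix bytes are right and whose remaining bytes are wrong. */
size_t bytes_examined(int use_ct, size_t correct_prefix)
{
    uint8_t guess[PASS_LEN];
    size_t n;
    for (size_t i = 0; i < PASS_LEN; i++)
        guess[i] = i < correct_prefix ? stored_password[i]
                                      : (uint8_t)~stored_password[i];
    if (use_ct) compare_constant_time(guess, &n);
    else        compare_leaky(guess, &n);
    return n;
}

/* Read-back gate as a protected device should implement it: constant-time
 * compare plus a bounded attempt counter. Returns 1 when read-back is unlocked. */
int unlock_readback(const uint8_t *guess, unsigned *attempts)
{
    size_t n;
    if (*attempts >= MAX_ATTEMPTS)
        return 0;                 /* locked out: further guesses are ignored */
    (*attempts)++;
    return compare_constant_time(guess, &n);
}

/* 1 if the right password unlocks a fresh device and, after MAX_ATTEMPTS wrong
 * guesses, even the right password is refused. */
int gate_behaves(void)
{
    uint8_t wrong[PASS_LEN] = {0};
    unsigned attempts = 0;
    if (!unlock_readback(stored_password, &attempts))
        return 0;
    for (unsigned i = 0; i < MAX_ATTEMPTS; i++)
        unlock_readback(wrong, &attempts);
    return unlock_readback(stored_password, &attempts) == 0;
}

int main(void)
{
    for (size_t k = 0; k <= PASS_LEN; k += 8)
        printf("correct prefix %2zu: leaky examines %2zu bytes, constant-time %2zu\n",
               k, bytes_examined(0, k), bytes_examined(1, k));
    return 0;
}
```

The leaky variant examines one byte more than the length of the correct prefix, so an attacker measuring time learns the password one byte at a time; the constant-time variant always examines all 32 bytes. Constant-time comparison removes the timing channel but not the power-analysis channel the article also names, which is why the attempt counter (assumed here) matters as a second layer.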

6. Using Top Metal Networks

A top metal grid makes intrusion harder. Every line of the grid is monitored for shorts and opens; once one is detected, the memory is reset or cleared, as shown in the figure.


Ordinary MCUs do not use this protection because it is difficult to design and can trigger under abnormal operating conditions, such as strong electromagnetic noise, low or high temperature, abnormal clock signals, or a poor power supply. Some ordinary MCUs therefore use a cheaper pseudo top metal grid, which can be defeated by optical analysis and micro-probing. Such grids also cannot prevent non-invasive attacks, and they do not block semi-invasive attacks effectively either, because there is capacitance between the wires and light can still reach the active area of the circuit past the wires. In smart cards, some of these grid lines are routed between power and ground. Some programmable smart cards go further by eliminating the standard programming interface and even the EEPROM read interface, replacing them with a boot module that erases or disables itself once the code is loaded, after which the card responds only to the functions supported by the user’s embedded software. This effectively prevents non-invasive attacks.

7. Security Design of Smart Card Chips

In recent years, some smart cards have used memory bus encryption to defeat probing attacks, as shown in the figure.


Data is stored in memory in encrypted form. Even if an intruder captures data from the data bus, they learn neither the key nor other sensitive information (such as how to recover the plaintext). This measure effectively prevents invasive and semi-invasive attacks. Some smart cards even use a different bus encryption key for each card, so even if an intruder completely cracks one card, they cannot produce chips with the same function, because each smart card chip has a unique ID number and it is impossible to buy a card with the same ID. In addition, some smart cards redesign standard module structures such as decoders, register files, ALUs, and I/O circuits in ASIC-like logic, producing a mixed logic (glue logic) design. Mixed logic makes it practically impossible to obtain card information by manually searching for signals or nodes, and it greatly improves the performance and security of the CPU core. Because mixed logic makes it almost impossible to know the physical location of the bus, it effectively prevents reverse engineering and micro-probing attacks.
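To make the bus-encryption idea concrete, here is an added C model (not code from the article or from any smart card vendor). Memory cells hold only ciphertext; the CPU path encrypts on write and decrypts on read with a per-chip key, while a probe on the bus or array sees only the stored ciphertext. It uses the Speck64/128 block cipher because it fits in a few lines, with an address tweak so that equal words at different addresses are not stored identically; the keys, firmware words and function names are constructed assumptions, and a real card would use a hardware cipher chosen by its vendor.

```c
#include <stdint.h>
#include <string.h>

/* Speck64/128 (64-bit block, 128-bit key, 27 rounds) serves as the bus cipher;
 * it is used only because it fits in a few lines, not because any card uses it. */
#define ROUNDS 27
#define ROTL32(x, r) (((x) << (r)) | ((x) >> (32 - (r))))
#define ROTR32(x, r) (((x) >> (r)) | ((x) << (32 - (r))))
static void speck_expand(const uint32_t key[4], uint32_t rk[ROUNDS])
{
    uint32_t l[ROUNDS + 3], k = key[0];
    l[0] = key[1]; l[1] = key[2]; l[2] = key[3];
    for (uint32_t i = 0; i < ROUNDS; i++) {
        rk[i] = k;
        l[i + 3] = (k + ROTR32(l[i], 8)) ^ i;
        k = ROTL32(k, 3) ^ l[i + 3];
    }
}

static uint64_t speck_encrypt(const uint32_t rk[ROUNDS], uint64_t b)
{
    uint32_t x = (uint32_t)(b >> 32), y = (uint32_t)b;
    for (int i = 0; i < ROUNDS; i++) {
        x = (ROTR32(x, 8) + y) ^ rk[i];
        y = ROTL32(y, 3) ^ x;
    }
    return ((uint64_t)x << 32) | y;
}

static uint64_t speck_decrypt(const uint32_t rk[ROUNDS], uint64_t b)
{
    uint32_t x = (uint32_t)(b >> 32), y = (uint32_t)b;
    for (int i = ROUNDS - 1; i >= 0; i--) {
        y = ROTR32(y ^ x, 3);
        x = ROTL32((x ^ rk[i]) - y, 8);
    }
    return ((uint64_t)x << 32) | y;
}

#define MEM_WORDS 4
typedef struct {
    uint32_t rk[ROUNDS];       /* per-chip bus key schedule; never leaves the die */
    uint64_t cells[MEM_WORDS]; /* the memory array: holds ciphertext only */
} chip_t;

void chip_init(chip_t *c, const uint32_t bus_key[4])
{
    memset(c->cells, 0, sizeof c->cells);
    speck_expand(bus_key, c->rk);
}

/* Address-dependent whitening (simplified XEX-style tweak) so that equal words
 * at different addresses are stored differently. */
static uint64_t tweak(uint32_t addr) { return ((uint64_t)addr << 32) | (addr * 0x9E3779B9u); }

/* CPU path: plaintext on the core side, ciphertext in the array. */
void cpu_write(chip_t *c, uint32_t addr, uint64_t data)
{
    uint64_t t = tweak(addr);
    c->cells[addr] = speck_encrypt(c->rk, data ^ t) ^ t;
}
uint64_t cpu_read(const chip_t *c, uint32_t addr)
{
    uint64_t t = tweak(addr);
    return speck_decrypt(c->rk, c->cells[addr] ^ t) ^ t;
}
/* A micro-probe on the bus or array sees only the stored ciphertext. */
uint64_t probe_read(const chip_t *c, uint32_t addr) { return c->cells[addr]; }

/* Constructed firmware image and two constructed per-chip keys. */
static const uint64_t firmware[MEM_WORDS] = {
    0x0102030405060708ull, 0x0102030405060708ull, 0xDEADBEEFCAFEF00Dull, 0 };
static const uint32_t key_a[4] = { 0x1B1A1918u, 0x13121110u, 0x0B0A0908u, 0x03020100u };
static const uint32_t key_b[4] = { 0x4A7C15F4u, 0x9E3779B9u, 0x7F4A7C15u, 0xB7E15163u };

/* 1 if: the CPU reads its firmware back, a probe never sees plaintext, the same
 * firmware gives different images on chips A and B, the equal words at addresses
 * 0 and 1 are stored differently, and B cannot use an image cloned from A. */
int bus_encryption_demo(void)
{
    chip_t a, b;
    chip_init(&a, key_a);
    chip_init(&b, key_b);
    for (uint32_t i = 0; i < MEM_WORDS; i++) {
        cpu_write(&a, i, firmware[i]);
        cpu_write(&b, i, firmware[i]);
    }
    for (uint32_t i = 0; i < MEM_WORDS; i++)
        if (cpu_read(&a, i) != firmware[i] || probe_read(&a, i) == firmware[i]
            || probe_read(&a, i) == probe_read(&b, i))
            return 0;
    if (probe_read(&a, 0) == probe_read(&a, 1))
        return 0;
    memcpy(b.cells, a.cells, sizeof b.cells);       /* clone A's raw image into B */
    for (uint32_t i = 0; i < MEM_WORDS; i++)
        if (cpu_read(&b, i) == firmware[i])
            return 0;
    return 1;
}
```

The last check is the article's point about per-card keys: a raw memory image lifted from chip A decrypts to garbage on chip B, so cloning the array does not clone the function. The model deliberately leaves out what a real card adds on top, such as key storage inside the glue-logic CPU core and the sensor mesh over the array.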

Advantages and Disadvantages of Smart Card Chip Encryption Schemes

For developers, choosing a microcontroller designed with security in mind provides better protection. Compared with most microcontrollers, even a smart card designed ten years ago offers better protection. Modern smart cards add further anti-attack measures: internal voltage sensors guard against power glitch attacks as well as overvoltage and undervoltage; clock frequency sensors prevent attacks that lower the clock frequency for static analysis and also clock glitch attacks that briefly raise it; and the top metal grid together with hardware encryption of the internal bus helps prevent micro-probing attacks.

Compared with microcontrollers, however, smart card chips also have disadvantages. The chips are expensive and hard to obtain in small quantities. Development tools are expensive and require signing a confidentiality agreement with the manufacturer; even the manuals are covered by it. Many manufacturers sell smart cards only in large quantities to specific customers. Another drawback is the limited I/O: an ordinary smart card chip typically has only an ISO 7816 interface, and very few have separate I/O ports. This makes them unable to replace microcontrollers in most applications and confines them to industries with very high security requirements, such as pay-TV set-top boxes, bank cards, SIM cards, second-generation ID cards, and high-end encryption chips.

The use of smart card chips as encryption chips is a promising direction. Because smart card chips have a high security level but limited I/O resources, while ordinary MCUs have abundant hardware resources but a lower security level, the key algorithms and operating parameters can be stored in a special form inside the smart card chip, combining powerful functionality with high security strength.

Postscript

The struggle between those trying to break protection mechanisms and the manufacturers continuously introducing new security measures is endless. “As virtue rises a foot, vice rises ten,” or “good cannot suppress evil,” will continue to play out between the two camps!
