Reverse engineering and analytic code extraction: techniques and threat analysis

Due to the pervasiveness of microprocessors, security has become a very important matter. Breaching the security of a device used for sensitive applications, such as a smart card, has devastating effects, since all the devices of the same model will be affected. This thesis aims at showing how reverse engineering can lead to such a scenario, as it can grant an attacker with enough knowledge to carry out a dangerous exploit. In particular, this thesis describes the reverse engineering of a ROM of a highly secure chip. The final goal is to extract the ROM's content, a very common objective for an attacker. The process of dumping the content of a ROM by inspecting its physical layout is called analytic ROM extraction. The first step to reverse engineer the aforementioned ROM consisted in depackaging the microprocessor and in using failure analysis techniques to delayer it in order to expose the various metal layers and image them, using an SEM (Scanning Electron Microscope). The successive step consisted in combining the pictures together, realizing a multi-layer view of the ROM and starting the reverse engineering process: the single standard cells were reverse engineered and the metal connections between them were identified in order to reconstruct the netlist of the control circuitry. The observed netlist was then translated to VHDL, while the ROM bits were extracted from the pictures. The ROM was then simulated using ModelSim and, by feeding it with all the possible addresses in increasing order. The output of the ROM was sampled during the simulation in order to dump its content and complete the analytic code extraction. In the introductory chapter the general concepts of hardware security are addressed to provide the reader with the basic information and mindset to understand the following chapters. The second chapter details the concept of reverse engineering, both from a legal and technical perspective. The third chapter describes in detail the result of the reverse engineering process, namely the architecture of the ROM. The last chapter concludes the thesis by commenting the obtained results and observing how this work would be evaluated in terms of security threat by the Common Criteria standard. The appendix, lastly, describes the evolution of the hardware security domain. This thesis has been realized during an internship at Texplained, a hardware security firm based in Sophia Antipolis. Due to the confidential nature of this work, the chip's name, its manufacturer and other sensitive data are omitted from this thesis.