INSIGHTS, NEWS & DISCOVERIES
FROM IOACTIVE RESEARCHERS

Sunday, February 14, 2010

Infineon / ST Mesh Comparison

Given all the recent exposure from our Infineon research, we have had numerous requests regarding the ST mesh architecture and how Infineon's design compares to the ST implementation.

We took a few pictures of an area of each device with an electron microscope to give you a better idea. Both devices are built on a 4-metal, ~140 nm process. Rather than have us tell you which we think is stronger (it's pretty obvious), we'd like to see your comments on what you, the readers, think!


In the picture above, the left side is the standard Infineon mesh, with the standard ST mesh on the right. Both images were taken at 3,500x magnification.

The Infineon mesh consists of 5 zones with 4 circuits per zone.  This means the surface of the die is being covered by 20 different electrical circuits.

The ST mesh consists of a single wire routed in a zig-zag across the die. It usually begins next to the VDD pad and ends at the opposite corner of the die. The other wires are simply GND (ground) fingers. On recent designs, we have caught ST using a few of the grounds to tie gates low (noise isolation of extra, unused logic, we believe).


Zooming in to 15,000x magnification, the details of each mesh really begin to show. At lower magnification the Infineon mesh looked dark and solid, but as you can see, it is not.



In the Infineon scheme above, each color marks one signal (4 signals per zone). The spacing of each color is randomized per chip design, and the wires are connected at either the top or bottom of the die via Metal 3 interconnects.

The ST simply has the single conductor labeled in red. All the green lines are ground fingers, which can usually be cut away (removed) without penalty. The latest ST K7xxx devices have a signal present that appears analog. A closer look and a few minutes of testing proved it simply needs to be held high (logic '1') at the sampling side of the line. Interesting how ST tried to obscure the signal.

Infineon does not permanently penalize you if the mesh is not properly repaired and the device is powered up.

ST will permanently penalize you with a bulk-erase of the non-volatile memory (NVM) areas if the sense line (red) is ever at logic low ('0') with power applied (regardless of reset/clock condition).

Tell us your opinion, security-wise. Make sure you study the images closely, because there are other things we didn't mention, such as the line spacing between the two designs, which should be considered.

14 comments:

  1. I think that the Infineon has a better physical layout. The ST scheme seems to have a lot of empty space that (assuming that you already knew the layout of the chip) could be drilled through to access the wires underneath.

    But I think that the bulk-erase-on-compromise feature of the ST stuff is much better than what Infineon does. Without a hard penalty there is nothing to stop a person from trying until you have it working.


    --Aygar

  2. We believe the reason Infineon chose not to bulk-erase NVM was due to the complexity of the mesh design.

  3. Pardon my ignorance.
    Current assumptions:
    1. Mesh defects are only created in the fab.
    2. A mesh defect that could break the mesh would do so in the fab.
    3. A chip with a broken mesh won't work.
    4. Unintentional mesh damage would be catastrophic enough to render the entire chip unusable regardless of whether the mesh could be repaired.
    5. A mesh can't fail by chance during routine use, or if it can, the mesh can't self-heal.

    Given these assumptions I can't see why it is advantageous not to bulk-erase the NVM (except for cost). For any normal usage scenario a mesh failure would permanently disable the chip, so why not assume that a mesh failure means someone is attempting to compromise the chip?

    Where is my reasoning going wrong?

    --Aygar

  4. Security-wise, the ST mesh should be much easier to bypass - this should be easily achievable with two needle probes. You can even remove parts of the gnd line and put down larger metal contacts, or permanently bypass the entire mesh by putting down a wire defined by burnback photolithography, metal deposition + liftoff on one edge of the chip. And if there is just one wire covering the entire chip, you are free to do whatever you want with the chip once it's shorted on an edge.

    That being said, it's probably a good idea to implement a verification step by means of signal delay / resistance measurements on a grid with MUX'd/DEMUX'd wires.

  5. [...] acids and rust-remover solutions to dissolve first the outer casing of the chip, then the wire grid tamper-proofing shields [...]

  6. [...] to dissolve first the outer casing of the chip, then the wire grid tamper-proofing shields inside (http://www.flylogic.net/blog/?p=86). Once “undressed” he was able to probe and monitor what was going on inside [...]

  7. I find it interesting that Infineon invested in a higher density top metal as a way to increase security. They're really going after a very small separation between tracks at about 0.4 microns. I'll bet the width of the wires is triple the space to make it more difficult to see between the wires. How easy is it to tell which wire belongs to which net? Are the wires regularly toggled, like with a random sequence?

    The ST top metal I'm guessing has a pitch of about 1.4 microns (or it's a multiple of something for manufacturing). The mesh pattern seems like it's protecting the chip from fat-fingering a probe or some accidental shorting. It looks easier, although I sure wouldn't call it easy.

    I sure would hate to deal with all the extra wiring capacitance in the Infineon... just three layers of metal to work with, and all having high capacitance.

    What happens when the Infineon chip starts up with a bad mesh? Does it act like a dead chip, or just allow a debug mode to confirm the chip is dead?

  8. Infineon's design is obviously better, as you mentioned...

    'Infineon does not permanently penalize you if the mesh is not properly repaired and the device is powered up.'

    I think the reason is that the OS in the chip hasn't set the correlative SFR which is implemented to control the mesh operation.

    Is there an OS inside the chip?

  9. Thanks for continuing this blog, I love reading it.

    As you have a FIB / wirebonder, it's probably quite easy for you to fix the Infineon mesh, if there are no connections from the middle of the mesh down into the chip.
    With a little help from the FIB / wirebonder you can simply bridge all green, blue, violet and yellow lines at the edge of the chip and then chemically dissolve / plasma etch the lines in the middle of the chip and then micro probe it.

    The ST mesh looks meaner, but not impossible, especially if there are several chips available for analysis, so you can work out which points of the red line have connections into the chip and which are irrelevant. Then it should be possible to wirebond the interesting lines to Vcc.

    BTW, is it possible to look through the protection mesh with high acceleration voltage? If the wires are made of aluminum (low atom number, high penetration depth) and the isolation made of SiO2 (also low atom number), then the electron beam with say 30keV (as in the picture) could perhaps have enough penetration depth to reach the layer below?!

    If it does so, you would probably be able to have a limited view through the top layer by using a backscatter / EDX detector, as the backscattered electrons / X-rays have more energy and thus a limited ability to reach the detector through a few 100 nm of material.

    But I know that it's hard to distinguish between Al, Si and SiO2 in a backscatter SEM picture (little material contrast, because the atomic numbers are similar), so it might be hard/impossible to get a good picture.

    Secondary electrons are only able to penetrate a few nm of material, so SEs created inside the sample don’t reach the detector. Because of that you get sharper pictures by using a SE detector.

  10. What would be the characteristics of an ultimate mesh, and do you think there are better smart cards on the market than Infineon or ST?

  11. Bonjour!
    Here only Infineon and STM are shown. What about the others?
    I just saw the NXP chip on your page (Safenet iKey 2032) and they don't even have a mesh!
    Now NXP say that you cannot hack them: in a newspaper interview an NXP guy named Steve Owen says "with our chip hacking would not be possible."
    Don't they understand your skills, or do they have extra protection in the chip?
    Are NXP chips really unhackable??

  12. Bonjour! Good blog. But here only Infineon and STM are shown. What about the others? I just saw the NXP chip on your page (Safenet iKey 2032) and they don't even have a mesh! Now NXP say that you cannot hack them: in a newspaper interview an NXP guy named Steve Owen says "with our chip hacking would not be possible." Don't they understand your skills, or do they have extra protection in the chip? Are NXP chips really unhackable??

  13. The ST mesh is a lot easier, I believe you can jump the mesh to VDD or any 3.3 V source and then etch over bus lines and probe each one on start-up with a logic analyzer. The Infineon design is by far superior because of the random spacing, and that is why the chip has remained secure (well, at least until you got to play with it lol, nice job).

  14. Randell Geddings, May 23, 2012 at 8:29 PM

    Thanks for taking the time to talk about this, I feel strongly about it and love studying more on this subject. If achievable, as you gain experience, would you mind updating your weblog with more info? It is very helpful for me.
