Archive for December, 2012

Avoid holes in security design

Any security system, whether software or hardware, can have holes in its design, and there is always a small chance that an attacker will eventually find one by brute-force random testing. Careful design of the security protection, followed by proper evaluation, helps avoid many such problems and can make these attacks virtually impossible.

Exploit Access Interface

Brute-force search can also be applied to the device communication protocol in order to find any hidden functions embedded by the software developer for testing and upgrade purposes. Chip manufacturers very often embed hardware test interfaces for post-production testing of their semiconductor devices. If the security protection for these interfaces is not properly designed, an attacker can exploit it to gain access to the on-chip memory. In smartcards such test interfaces are normally located outside the chip circuit and physically removed after the test operation, eliminating any possibility of use by outsiders.
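To make the point of these two posts concrete, here is an added example (not code from the original blog): a toy model of a device command interface with one undocumented test opcode, used the way a design reviewer would use it, to estimate how exposed that opcode is to random probing and how a lockout counter on unknown commands bounds that exposure. The opcode values, the 8-bit command space and the lockout policy are constructed assumptions, not taken from any real device.

```python
"""Estimating how exposed a hidden test function is to random probing.

Added example, not code from the original post. The opcode values, the
8-bit command space and the lockout policy are constructed assumptions.
"""
import random

OPCODE_BITS = 8
HIDDEN_TEST_OPCODE = 0xA7            # constructed: undocumented "enter test mode"
PUBLIC_OPCODES = {0x01, 0x02, 0x10}  # constructed: the documented commands


class CommandInterface:
    """Toy device: one opcode per message; unknown opcodes are rejected.

    lockout_after=None models the unprotected design: unknown opcodes are
    ignored forever. A number models the protected design: after that many
    unknown opcodes the interface refuses everything until a power cycle.
    """

    def __init__(self, lockout_after=None):
        self.lockout_after = lockout_after
        self.unknown_count = 0
        self.locked = False

    def send(self, opcode):
        if self.locked:
            return "locked"
        if opcode in PUBLIC_OPCODES:
            return "ok"
        if opcode == HIDDEN_TEST_OPCODE:
            return "test-mode"        # the hole: reachable with no authentication
        self.unknown_count += 1
        if self.lockout_after is not None and self.unknown_count >= self.lockout_after:
            self.locked = True
        return "unknown"


def random_probe(iface, rng, budget):
    """Send uniformly random opcodes until the hidden function answers, the
    interface locks, or the budget is spent. Returns the number of messages
    sent when the hidden function was reached, else None."""
    for sent in range(1, budget + 1):
        reply = iface.send(rng.randrange(1 << OPCODE_BITS))
        if reply == "test-mode":
            return sent
        if reply == "locked":
            return None
    return None


def probe_with_seed(lockout_after, seed, budget=5000):
    """Run one seeded probe session against a fresh interface."""
    return random_probe(CommandInterface(lockout_after), random.Random(seed), budget)


def expected_random_trials(space_bits=OPCODE_BITS, hidden=1):
    """Mean number of independent uniform trials before hitting one of `hidden`
    undocumented opcodes in a 2**space_bits command space (unprotected design)."""
    return (1 << space_bits) / hidden


def max_hit_probability(lockout_after):
    """Upper bound on the chance that one session reaches the hidden opcode
    before lockout, assuming distinct non-public guesses: a session gets at
    most `lockout_after` guesses among the non-public codes before the lock
    engages, so the bound is lockout_after / (number of non-public codes)."""
    non_public = (1 << OPCODE_BITS) - len(PUBLIC_OPCODES)
    return min(1.0, lockout_after / non_public)


if __name__ == "__main__":
    print("unprotected: expected trials", expected_random_trials())
    print("unprotected: seeded session reached test mode after",
          probe_with_seed(None, seed=1), "messages")
    print("lockout after 8: per-session bound", round(max_hit_probability(8), 4))
    print("lockout after 8: seeded session result", probe_with_seed(8, seed=1))
```

The unprotected model is found in a few hundred messages on average, which is the "small chance" of the first post turning into a certainty given time; the lockout variant caps a single power-cycle session at roughly 3% and makes every failed attempt visible to a counter the firmware can log.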

Brute Force EEPROM Attack

Another possible brute-force attack on a chip's EEPROM, applicable to many semiconductor chips, is applying an external high-voltage signal (normally twice the power supply) to the chip's pins to find out whether any of them reacts, for example by entering a factory test or programming mode. In fact, such pins can easily be found with a digital multimeter, because they lack a protection diode to the power supply line. Once sensitivity to high voltage is found on any pin, the attacker can try a systematic search over the possible combinations of logic signals applied to the other pins to determine which of them are used for the test/programming mode, and exploit this opportunity.

Brute Force Chip Break Application

Brute force chip break can also be applied to a hardware design implemented in an ASIC or a CPLD. In this case the chip breaker tries to apply all possible logic combinations to the inputs of the device while observing all its outputs. This kind of chip break could also be called black-box analysis, because the chip breaker does not need to know anything about the design of the device under test; he only tries to understand the function of the device by trying all possible combinations of signals. This approach works well only for relatively small logic devices. Another problem the chip breaker will face is that designs implemented in CPLDs or ASICs contain flip-flops, so the output will probably be a function of both the previous state and the current input. The search space can, however, be significantly reduced if the signals are observed and analysed beforehand: clock inputs, data buses and some control signals can be identified easily, significantly reducing the area of search.
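As an added illustration of the last two points (not code from the original post): a toy sweep harness that recovers a small stateless block completely, shows how a device with flip-flops gives inconsistent answers to the same vectors, and quantifies the search-space sizes a design reviewer would use to judge whether a block is small enough to be enumerated. Both devices are constructed toy models, and the pin counts in the demo are arbitrary.

```python
"""Exhaustive (black-box) input sweep of a small logic device, and why
registers in the design defeat it.

Added example, not code from the original post. Both 'devices' are
constructed toy models, not any real ASIC or CPLD design.
"""
from itertools import product


class CombinationalDevice:
    """Stateless 4-input, 2-output block: y0 = majority(a, b, c), y1 = a XOR d."""
    N_INPUTS = 4

    def probe(self, bits):
        a, b, c, d = bits
        return ((a & b) | (b & c) | (a & c), a ^ d)


class SequentialDevice:
    """2-bit counter with an enable pin; the second pin is XORed into y1.
    Because of the flip-flops, the same input vector gives different
    outputs depending on the state reached by earlier vectors."""
    N_INPUTS = 2

    def __init__(self):
        self.state = 0

    def probe(self, bits):
        enable, x = bits
        if enable:
            self.state = (self.state + 1) % 4
        return ((self.state >> 1) & 1, (self.state & 1) ^ x)


def single_vector_space(n_inputs, identified=0):
    """Vectors an exhaustive single-vector sweep must apply: 2**n, reduced to
    2**(n - identified) once `identified` pins (clock, bus, control) are
    recognised and driven deliberately instead of enumerated."""
    return 1 << (n_inputs - identified)


def sequence_space(n_inputs, depth):
    """Distinct input sequences of length `depth`: the space a device with
    internal state forces the sweep into."""
    return (1 << n_inputs) ** depth


def sweep(device, n_inputs):
    """Apply every input vector once, recording the observed output."""
    return {bits: device.probe(bits) for bits in product((0, 1), repeat=n_inputs)}


def is_stateless(device, n_inputs, rounds=3):
    """Repeat the full sweep; identical tables each round mean the outputs are
    a function of the current input alone, so the recovered table is the design.
    A device with flip-flops generally fails this check."""
    tables = [sweep(device, n_inputs) for _ in range(rounds)]
    return all(table == tables[0] for table in tables)


if __name__ == "__main__":
    comb = CombinationalDevice()
    print("combinational sweep consistent:", is_stateless(comb, comb.N_INPUTS))
    seq = SequentialDevice()
    print("sequential sweep consistent:", is_stateless(seq, seq.N_INPUTS))
    print("vectors for 16 pins:", single_vector_space(16),
          "after identifying 10 of them:", single_vector_space(16, 10))
    print("sequences of length 4 on 16 pins:", sequence_space(16, 4))
```

The repeated-sweep check is the practical test for the flip-flop problem described above: when the table drifts between rounds, single vectors are not enough and the attacker is pushed into the far larger sequence space, which is exactly the margin a designer loses when clock and bus pins are trivially recognisable.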