This page is a DRAFT. As of this writing the course has not been submitted for approval to the department or registrar and may change substantially or not be offered at all.
The current target is to offer this course during the spring 2014 semester at RPI.
Reverse engineering techniques for semiconductor devices and their applications to competitive analysis, IP litigation, security testing, supply chain verification, and failure analysis. IC packaging technologies and sample preparation techniques for die recovery and live analysis. Deprocessing and staining methods for revealing features below the top passivation. Memory technologies and the appropriate extraction techniques for each. Study of contemporary anti-tamper/anti-RE methods and their effectiveness at protecting designs from attackers. Programmable logic microarchitecture and the issues involved in reverse engineering programmable logic. Real-world case studies built around off-the-shelf commercial ICs ranging from above the 1 μm node down to 45 nm and below.
Prerequisites: The course is largely self-contained and will introduce the necessary chemistry, physics, and layout technologies required for a qualitative (rather than quantitative) understanding of the functioning of semiconductor devices. ECSE 2610, MATH 2800+CSCI 2500, or equivalent understanding of gate-level Boolean logic is required.
There is no textbook. Students may find the siliconpr0n.org wiki a valuable supplement to the lecture materials.
RPI's IP policy states that lecture slides, etc. remain the property of the creator(s). We plan to release them under CC-BY-SA.
If allowed by department/institute policy, we would like to tape the lectures and make them available online to the public. (The IP policy is a little unclear on this; we need to talk to some people.)
Your grade will be based on four components, weighted equally:
Week | Lecture | Subject |
---|---|---|
1 | 1 | Motivation, course overview, legal/ethical issues, review of CMOS logic (schematic level only) |
1 | 2 | Package construction, wire bonding |
2 | 3 | Depackaging techniques, bond removal, live analysis considerations |
2 | 4 | Quiz 1: Given photos of packaged devices and the analysis requested, describe how to decap them. Lab 1: Demo of several types of decap (die recovery, nitric dropper, etc.) |
3 | 5 | Intro to CMOS layout, Mead-Conway notation, standard cells (part I) |
3 | 6 | Intro to CMOS layout, Mead-Conway notation, standard cells (part II). Quiz 2: Given SEM/optical micrographs or schematic layout of cells, describe what they do |
4 | 7 | Fabrication processes, determining technology level |
4 | 8 | Delayering and staining. Quiz 3: Given top-metal photos, estimate the process node and describe how to deprocess to reveal a specific feature (poly, implants, metal 3, etc.) |
5 | 9 | Microscopy, image capture, stitching, registration |
5 | 10 | Lab 2: SEM imaging of a couple of samples at varying stages of deprocessing |
6 | 11 | Mask ROM layout. Homework 1 due: Given photos of portions of a device (1 μm, 2-metal; use SecurID and ST 24C02 as case studies), extract a schematic |
6 | 12 | PROM/EPROM/EEPROM/efuse/Flash layout |
7 | 13 | SRAM layout |
7 | 14 | Non-invasive attacks (glitching, DPA, JTAG, etc.). Quiz 4: Given photos of various memory arrays, determine what you're looking at |
8 | 15 | Microprobing, semi-invasive attacks, backside analysis |
8 | 16 | Anti-tamper / anti-analysis techniques. Quiz 5: Given top-metal photos of various devices, recommend the best way to extract the contents of a given memory array. Lab 3: Demo of UV light attack on a previously decapped PIC12F683 |
9 | 17 | I/O pads, buffers, tri-states, ESD protection |
9 | 18 | Programmable logic: product term CPLDs (including XC2C32A bitstream analysis) |
10 | 19 | Programmable logic: FPGAs |
10 | 20 | TODO |
11 | 21 | TODO |
11 | 22 | TODO |
12 | 23 | TODO |
12 | 24 | TODO |
13 | 25 | TODO |
13 | 26 | TODO |
14 | 27 | TODO |
14 | 28 | TODO |
15 | 29 | TODO |
15 | 30 | Final project presentations |