CSCI/ECSE 4xxx/6xxx Semiconductor Reverse Engineering

This page is a DRAFT. As of this writing the course has not been submitted for approval to the department or registrar and may change substantially or not be offered at all.

The current target is to offer this course during the spring 2014 semester at RPI.

RPI's IP policy states that lecture slides, etc. remain the property of the creator(s). We plan to release them under CC-BY-SA.

If allowed by department/institute policy, we would like to record the lectures and make them available online to the public. (The IP policy is a little unclear on this; we need to talk to some people.)

Course Description

Reverse engineering techniques for semiconductor devices and their applications to competitive analysis, IP litigation, security testing, supply chain verification, and failure analysis. IC packaging technologies and sample preparation techniques for die recovery and live analysis. Deprocessing and staining methods for revealing features below the top passivation. Memory technologies and the appropriate extraction techniques for each. Study of contemporary anti-tamper/anti-RE methods and their effectiveness at protecting designs from attackers. Programmable logic microarchitecture and the issues involved in reverse engineering programmable logic. Real-world case studies built around off-the-shelf commercial ICs ranging from above the 1 μm node down to 45 nm and below.

Prerequisites

The course is largely self-contained and will introduce the necessary chemistry, physics, and layout technologies required for a qualitative (rather than quantitative) understanding of the functioning of semiconductor devices. ECSE 2610, MATH 2800+CSCI 2500, or equivalent understanding of gate-level Boolean logic is required.

Textbook

There is no textbook. Students may find the siliconpr0n.org wiki a valuable supplement to the lecture materials and are encouraged to read other papers, etc. which may be linked from the wiki or mentioned in class.

Grading policy / academic integrity

Your grade will be based on four components, weighted equally:

Quizzes

At the start of the second lecture of each week, there will be a short (15-minute) in-class quiz covering the most recently covered material. The primary emphasis of the quizzes will be on demonstrating your ability to apply knowledge, not on memorizing facts. For example, you may be given a photo of a simple standard logic cell and asked to produce a transistor-level schematic.

Quizzes are to be taken individually, with no help from other students and no use of outside resources (textbooks, computers, etc.).

Labs

About once a month, there will be a laboratory demonstration showing off sample preparation, invasive attacks, data capture, etc. Depending on enrollment and available resources, there may or may not be a hands-on component to some or all of the labs. You will be expected to write a short (1-2 page max) report after each lab session describing the procedures performed and the results obtained.

You may discuss labs freely with other students but must write up reports individually.

Homework

There will be several homework assignments over the course of the semester. These will be similar in nature to the quizzes but involve larger-scale problems. For example, instead of simply creating a schematic from a single gate, you may be given photos of a larger part of a device and expected to produce a gate-level schematic.

You may work in groups on the homework but must write up solutions individually. You may not receive direct help from any person who is not a student of the class without the permission of the instructor. However, you may consult any outside websites, textbooks, papers, or freely available software that you wish; you must cite your sources and tools appropriately.

Project

The final project will run in parallel with the second half of the course. A (simple) commercially available IC will be photographed at each layer and each team will be assigned a portion of the device to reverse engineer. Your goal is to generate a gate-level schematic of the circuit as well as a report describing any challenges you faced, the techniques you used, and a high-level description of what role your module plays in the functioning of the chip as a whole. Depending on enrollment, we may reverse the entire device or only a portion of it.

The policy on use of outside resources is the same as for homework.

Schedule

Week  Lecture  Subject
1     1        Motivation, course overview, legal/ethical issues, review of CMOS logic (schematic level only)
1     2        Package construction, wire bonding
2     3        Depackaging techniques, bond removal, live analysis considerations
2     4        Quiz 1: Given photos of packaged devices and the analysis requested, describe how to decap them
               Lab 1: Demo of several types of decap (die recovery, nitric dropper, etc.)
3     5        Intro to CMOS layout, Mead-Conway notation, standard cells (part I)
3     6        Intro to CMOS layout, Mead-Conway notation, standard cells (part II)
               Quiz 2: Given SEM/optical micrographs or schematic layout of cells, describe what they do
4     7        Fabrication processes, determining technology level
4     8        Delayering and staining
               Quiz 3: Given top-metal photos, estimate the process node and describe how to deprocess to reveal a specific feature (poly, implants, metal 3, etc.)
5     9        Microscopy, image capture, stitching, registration
5     10       Lab 2: SEM imaging of a couple of samples at varying stages of deprocessing
6     11       Mask ROM layout
               Homework 1 due: Given photos of portions of a device (1 μm 2-metal; use SecurID and ST 24C02 as case studies), extract a schematic
6     12       PROM/EPROM/EEPROM/efuse/Flash layout
7     13       SRAM layout
7     14       Non-invasive attacks (glitching, DPA, JTAG, etc.)
               Quiz 4: Given photos of various memory arrays, determine what you're looking at
8     15       Microprobing, semi-invasive attacks, backside analysis
8     16       Anti-tamper / anti-analysis techniques
               Quiz 5: Given top-metal photos of various devices, recommend the best way to extract the contents of a given memory array
               Lab 3: Demo of UV light attack on a previously decapped PIC12F683
9     17       I/O pads, buffers, tri-states, ESD protection
9     18       Programmable logic: product-term CPLDs (including XC2C32A bitstream analysis)
10    19       Programmable logic: FPGAs
10    20       Machine vision, automated RE tools (Degate, etc.)
11    21       TODO
11    22       TODO
12    23       TODO
12    24       TODO
13    25       TODO
13    26       TODO
14    27       TODO
14    28       TODO
15    29       TODO
15    30       Final project presentations
classes/rpi_re.1385143519.txt.gz · Last modified: 2013/11/22 18:05 by azonenberg

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution 4.0 International