This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
| classes:rpi_re [2013/11/22 18:14] – [Schedule] azonenberg | classes:rpi_re [2014/01/25 06:33] (current) – removed azonenberg | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | |||
| - | ====== Overview ====== | ||
| - | |||
| - | ===== Notes ===== | ||
| - | |||
| - | CSCI/ECSE 4xxx/6xxx Semiconductor Reverse Engineering | ||
| - | |||
| - | This page is a DRAFT. As of this writing the course has not been submitted for approval to the department or registrar and may change substantially or not be offered at all. | ||
| - | |||
| - | The current target is to offer this course during the spring 2014 semester at RPI. | ||
| - | |||
| - | RPI's IP policy states that lecture slides, etc remain the property of the creator(s). We plan to release them under CC-BY-SA. | ||
| - | |||
| - | If allowed by department/ | ||
| - | |||
| - | ===== Course Description ===== | ||
| - | |||
| - | Reverse engineering techniques for semiconductor devices and their applications to competitive analysis, IP litigation, security testing, supply chain verification, | ||
| - | |||
| - | ===== Prerequisites ===== | ||
| - | |||
| - | The course is largely self-contained and will introduce the necessary chemistry, physics, and layout technologies required for a qualitative (rather than quantitative) understanding of the functioning of semiconductor devices. ECSE 2610, MATH 2800+CSCI 2500, or equivalent understanding of gate-level Boolean logic is required. | ||
| - | |||
| - | ===== Textbook ===== | ||
| - | |||
| - | There is no textbook. Students may find the siliconpr0n.org wiki a valuable supplement to the lecture materials and are encouraged to read other papers, etc. which may be linked from the wiki or mentioned in class. | ||
| - | |||
| - | ====== Grading policy / academic integrity ====== | ||
| - | |||
| - | Your grade will be based on four components, weighted equally. There is no final exam. | ||
| - | |||
| - | ===== Quizzes ===== | ||
| - | |||
| - | About once a week, at the start of a lecture, there will be a short (15) minute in-class quiz covering the most recently used material. The primary emphasis of the quizzes will be demonstrating your ability to apply knowledge, not memorize facts. For example, you may be given a photo of a simple standard logic cell and asked to produce a transistor-level schematic and describe the logical function it implements. | ||
| - | |||
| - | // Quizzes are to be taken individually with no help from other students or use of outside resources (textbooks, computers, etc). // | ||
| - | |||
| - | ===== Labs ===== | ||
| - | |||
| - | About once a month, there will be a laboratory demonstration showing off sample preparation, | ||
| - | |||
| - | // You may discuss labs freely with other students but must write up reports individually. // | ||
| - | |||
| - | ===== Homework ===== | ||
| - | |||
| - | There will be several homework assignments over the course of the semester. These will be similar in nature to the quizzes but involve larger-scale problems. For example, instead of simply creating a schematic from a single gate, you may be given photos of a larger part of a device and expected to produce a gate-level schematic. | ||
| - | |||
| - | // You may work in groups on the homework but must write up solutions individually. You may not receive direct help from any person who is not a student of the class without the permission of the instructor, however you may consult any outside websites/ | ||
| - | |||
| - | ===== Project ===== | ||
| - | |||
| - | The final project will run in parallel with the second half of the course. A (simple) commercially available IC will be photographed at each layer and each team will be assigned a portion of the device to reverse engineer. Your goal is to generate a gate-level schematic of the circuit as well as a report describing any challenges you faced, the techniques you used, and a high-level description of what role your module plays in the functioning of the chip as a whole. Depending on enrollment, we may reverse the entire device or only a portion of it. | ||
| - | |||
| - | // The policy on use of outside resources is the same as for homework. // | ||
| - | ====== Schedule ====== | ||
| - | |||
| - | ^ Week ^ Lecture ^ Subject ^ | ||
| - | | 1 | 1 | Motivation, course overview, legal/ | ||
| - | | 1 | 2 | Package construction, | ||
| - | | 2 | 3 | Depackaging techniques, bond removal, live analysis considerations | | ||
| - | | 2 | 4 | **Quiz 1:** Given photos of packaged devices and the analysis requested, describe how to decap them \\ ** Lab 1 (MRC EM lab): ** Demo of several types of decap (die recovery, nitric dropper, etc) | | ||
| - | | 3 | 5 | Intro to CMOS layout, Mead-Conway layout notation, standard cells (part I) | | ||
| - | | 3 | 6 | Intro to CMOS layout, Mead-Conway layout notation, standard cells (part II) | | ||
| - | | 4 | 7 | Fabrication processes, determining technology level \\ **Quiz 2:** Given SEM/optical micrographs or schematic layout of cells, describe what they do | | ||
| - | | 4 | 8 | Delayering and staining | | ||
| - | | 5 | 9 | Microscopy, image capture, stitching, registration \\ **Quiz 3:** Given top-metal photos, estimate the process node and describe how to deprocess to reveal a specific feature (poly, implants, metal 3, etc) | | ||
| - | | 5 | 10 | ** Lab 2 (MRC EM lab): ** SEM imaging of a couple of samples at varying stages of deprocessing | | ||
| - | | 6 | 11 | Mask ROM layout \\ **Homework 1 due:** Given photos of portions of a device (1um 2-metal, use SecurID and ST 24C02 as case studies), extract a schematic | | ||
| - | | 6 | 12 | PROM/ | ||
| - | | 7 | 13 | SRAM layout | | ||
| - | | 7 | 14 | Non-invasive attacks (glitching, DPA, JTAG, etc) \\ **Quiz 4:** Given photos of various memory arrays, determine what you're looking at | | ||
| - | | 8 | 15 | Microprobing, | ||
| - | | 8 | 16 | Anti-tamper / anti-analysis techniques \\ **Quiz 5:** Given top-metal photos of various devices, recommend the best way to extract contents of a given memory array \\ ** Lab 3 (in class): ** Demo of UV light attack on previously decapped PIC12F683 | | ||
| - | | 9 | 17 | I/O pads, buffers, tri-states, ESD protection | | ||
| - | | 9 | 18 | Programmable logic: product term CPLDs (including XC2C32A bitstream analysis) | | ||
| - | | 10 | 19 | Programmable logic: FPGAs | | ||
| - | | 10 | 20 | Machine vision, automated RE tools (Degate, etc) | | ||
| - | | 11 | 21 | TODO | | ||
| - | | 11 | 22 | TODO | | ||
| - | | 12 | 23 | TODO | | ||
| - | | 12 | 24 | TODO | | ||
| - | | 13 | 25 | TODO | | ||
| - | | 13 | 26 | TODO | | ||
| - | | 14 | 27 | TODO | | ||
| - | | 14 | 28 | TODO | | ||
| - | | 15 | 29 | TODO | | ||
| - | | 15 | 30 | Final project presentations | | ||
| - | |||