- Sample prep
Higher end chips such as found in military devices and even commercial crypto devices can contain anti-tamper devices to protect designs and keys even if someone has gone this far. This page is for protections that physically render the chip inoperable, not obscurification techniques. Most common is to put a wire mesh over the chip. The idea being that if someone were to open up the IC, the mesh would get disturbed and turns the chip off. However, it is usually somewhat trivial to defeat this simply by connecting the entry and exit point of the mesh and bypassing the entire mesh network.
A number of chips contain a key. If the key can be sniffed from the live running chip, the cards are compromised. A common way to prevent live analysis is to put a wire interlock mesh over the top of the top metal layer to ensure any breakages in the mesh causes the chip to be non-functional. However, these can usually be re-connected using probes. Example wire mesh:
Another technique, as used in the IBM 4758 crypto accelerator (http://www.cl.cam.ac.uk/%7Ernc1/descrack/ibm4758.html) is to pot the entire system inside a rubberized material which has had conductive paths doped through it. Any attempt at removing the material will disturb the wires and cause the card to zeroize itself. (This technique is especially powerful with units like the 4758 which are expected to be under power 24/7, with battery backup as needed: keys may be stored in RAM so the wires cannot be cut even with power removed.)
Obscurification techniques to make analyzing die images difficult. Most common is to make wires into a maze such that a human would get confused tracing them. However, computer aided techniques are largely immune to this.
Depending on technologies, circuits react differently to UV light. Metal shielding may be placed over circuitry to try to reduce the effectiveness of resetting/setting security fuses by UV light.
National, Xilinx, and many other vendors have unique per-chip serial numbers stored in some sort of OTP memory on the chip. The user's firmware presumably uses this in a licensing scheme. Might make for a halfway decent anti-cloning system (until the check is found and nopped out) but is useless for preventing RE.
Very rare. I've been told that some high end military chips may have a thin layer of alkali metal put into them. The idea being if exposed to most techniques, it will react violently and destroy the chip. With proper chemical treatment and machining, such high end chip protections can usually be avoided. It may be best to destroy one chip to analyze protections and then attacking the actual chip to be imaged/tested.
We've read that some mil chips can have alkali metals to react with the strong acids typically used during decapsulation. This can be dangerous to the tech as well as destroy the specimen with the strong heat.
In our assessment, while it may look interesting at a first glance this is very unlikely to be used in practice simply because alkali metals diffuse very fast and destroy CMOS devices. The problems involved in keeping them separate are likely to be great enough that an alternative self-destruct method would be used.
Developed by LLNL as part of the “Connoisseur project”. Very little public information.
It's not clear what this material is. Various public sources give conflicting definitions:
LOPPER was an experimental program to plant “tiny, non-violent, shaped charges in critical junctures in our circuits that could be triggered by the application of external voltage.” Originally intended for VINSON, but the added cost, questioned need, program delays caused it to stop after working prototypes [A history of US COMSEC, page 148]. So, unlikely the rumored nuclear systems this is not designed to harm a technician but rather to physically destroy information as needed.
They conclude by saying they are currently in pursuit of “burying a resistor in the chip substrates which will incinerate micro-circuitry with the application of external voltage” [A history of US COMSEC, page 149].
A recent NYT article cites a large rock in Iran exploding and throwing fragments of destroyed PCBs around. LOPPER, or a successor, is apparently alive and well as of 2012.
Would react explosively with all wet decap chemistries we're aware of. MSDS and safety documentation suggests it's sensitive to physical shock and heat as well (though perhaps not quite as much as, say, flash powder).
Much safer to the chip (until detonated) than alkali metals since it's based on heavy metals (Ni and Al) which don't diffuse nearly as easily. Could be treated much like a conventional metalization layer from the fab's perspective.
Without reading too much on the chemistry, it looks like it'd be triggered by heating regardless of the presence of oxygen. This means that even plasma-based etches would have to be done very carefully and slowly to prevent heating the sample to the point of detonation.
The best way of defeating such protection would most likely be something along these lines: (In all steps emphasis would be on slow, deliberate etches with a minimum of heat released or required.)
US5468990: Structures for Preventing Reverse Engineering of Integrated Circuits