Abstract
In this article, a methodology to extract Flash EEPROM memory contents is presented. Samples are first backside prepared to expose the tunnel oxide of floating gate transistors. Then, a Scanning Electron Microscope (SEM) in the so called Passive Voltage Contrast (PVC) mode allows distinguishing ‘0’ and ‘1’ bit values stored in individual memory cell. Using SEM operator-free acquisition and standard image processing technique we demonstrate the possible automating of such technique over a full memory. The presented fast, efficient and low cost technique is successfully implemented on 0.35 \(\mu m\) technology node microcontrollers and on a 0.21 \(\mu m\) smart card type integrated circuit. The technique is at least two orders of magnitude faster than state-of-the-art Scanning Probe Microscopy (SPM) methods. Without adequate protection an adversary could obtain the full memory array content within minutes. The technique is a first step for reverse engineering secure embedded systems.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Bauer, E.: Low energy electron microscopy. Rep. Prog. Phys. 57(9), 895 (1994). http://stacks.iop.org/0034-4885/57/i=9/a=002
Brown, W., Brewer, J.: Nonvolatile Semiconductor Memory Technology: A Comprehensive Guide to Understanding and Using NVSM Devices. IEEE Press Series on Microelectronic Systems. Wiley, New York (1997)
Cole Jr., E.I.: Beam-based defect localization techniques. In: Ross, R.J. (ed.) Microelectronics Failure Analysis: Desk Reference, 6th edn., pp. 246–262. ASM International (2011)
Courbon, F., Loubet-Moundi, P., Fournier, J.J.A., Tria, A.: Increasing the efficiency of laser fault injections using fast gate level reverse engineering. In: IEEE International Symposium on Hardware-Oriented Security and Trust, HOST (2014)
Courbon, F., Loubet-Moundi, P., Fournier, J.J.A., Tria, A.: A high efficiency hardware trojan detection technique based on fast SEM imaging. In: Proceedings of the 2015 Design, Automation & Test in Europe Conference & Exhibition, DATE 2015, Grenoble, France, 9–13 March 2015, pp. 788–793 (2015)
De Nardi, C., Desplats, R., Perdu, P., Beaudoin, F., Gauffier, J.-L.: Oxide charge measurements in EEPROM devices. Microelectron. Reliab. 45(9–11), 1514–1519 (2005). http://dx.doi.org/10.1016/j.microrel.2005.07.055. ISSN: 0026–2714
De Nardi, C., Desplats, R., Perdu, P., Gurin, C., J.-L., G., Amundse, T.: Direct measurements of charge in floating gate transistor channels of flash memories using scanning capacitance microscopy. In: ISTFA 2006 (2006)
De Nardi, C.: Techniques d’analyse de défaillance de circuits intégrés appliquées au descrambling et à la lecture de données sur des composants mémoires non volatiles. Ph.D. thesis, Toulouse, INSA (2009)
Dhar, R., Dixon-Warren, S., Campbell, J., Green, M., Ban, D.: Direct charge measurements to read back stored data in nonvolatile memory devices using scanning capacitance microscopy (2013)
Dhar, R., Dixon-Warren, S., Kawaliye, Campbell, J., Green, M., Ban, D.: Read back of stored data in non volatile memory devices by scanning capacitance microscopy (2013)
Hanzii, D., Kelm, E., Luapunov, N., Milovanov, R., Molodcova, G., Yanul, M., Zubov, D.: Determining the state of non-volatile memory cells with floating gate using scanning probe microscopy. vol. 8700, p. 87000V–87000V-11 (2013)
Humes, T.: Ensuring data security in logic non-volatile memory applications: Floating-gate versus oxide rupture. In: Virage logic (2009)
Jenkins, M., Tangyunyong, P., Cole Jr., E., Soden, J., Walraven, J., Pimentel, A.: Floating substrate passive voltage contrast. In: ISTFA 2006 (2006)
Kömmerling, O., Kuhn, M.G.: Design principles for tamper-resistant smartcard processors. In: Proceedings of the USENIX Workshop on Smartcard Technology, WOST 1999, p. 2 (1999)
Konopinski, D.: Forensic applications of atomic force microscopy (2013)
Korchnoy, V.: Investigation of choline hydroxide for selective silicon etch from a gate oxide failure analysis standpoint (2002)
Ramkumar, K.: Cypress SONOS technology, Cypress (2008)
Skorobogatov, S.P.: Semi-invasive attacks - a new approach to hardware security analysis (2005)
Smith, G.: Addressing security concerns of flash memory in smart cards, Sharp (2005)
Smith, K.C., Wells, O.C., McMullan, D.: The fiftieth anniversary of the first applications of the scanning electron microscope in materials research. Phys. Procedia 1(1), 3–12 (2008)
Sugawara, T., Suzuki, D., Fujii, R., Tawa, S., Hori, R., Shiozaki, M., Fujino, T.: Reversing stealthy dopant-level circuits. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 112–126. Springer, Heidelberg (2014). doi:10.1007/978-3-662-44709-3_7
Torrance, R., James, D.: The state-of-the-art in IC reverse engineering. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 363–381. Springer, Heidelberg (2009). doi:10.1007/978-3-642-04138-9_26
Watanabe, Y., Fukuda, Y., Jinno, T.: Analysis of capacitive coupling voltage contrast in scanning electron microscopy. Jpn. J. Appl. Phys. 24(10R), 1294 (1985)
Weingart, S.H.: Physical security devices for computer subsystems: A survey of attacks and defences. In: Proceedings of the Cryptographic Hardware and Embedded Systems - CHES 2000, Worcester, MA, USA, August 17–18, 2000, pp. 302–317 (2000)
Zajac, C.: Protect your electronic wallet against hackers, Synopsys (2011)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Courbon, F., Skorobogatov, S., Woods, C. (2017). Reverse Engineering Flash EEPROM Memories Using Scanning Electron Microscopy. In: Lemke-Rust, K., Tunstall, M. (eds) Smart Card Research and Advanced Applications. CARDIS 2016. Lecture Notes in Computer Science(), vol 10146. Springer, Cham. https://doi.org/10.1007/978-3-319-54669-8_4
Download citation
DOI: https://doi.org/10.1007/978-3-319-54669-8_4
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-54668-1
Online ISBN: 978-3-319-54669-8
eBook Packages: Computer ScienceComputer Science (R0)