Xhani Marvin Saß, Security in Telecommunications, Berlin, Germany
Thilo Krachenfels, Security in Telecommunications, Berlin, Germany
Frederik Dermot Pustelnik, Security in Telecommunications, Berlin, Germany
Jean-Pierre Seifert, Security in Telecommunications, Berlin, Germany
Christian Große, Fraunhofer IMWS, Halle, Germany
Frank Altmann, Fraunhofer IMWS, Halle, Germany



Physical attacks form one of the most severe threats against secure computing platforms. Their criticality arises from their corresponding threat model: By, e.g., passively measuring an integrated circuit (IC)'s environment during a security-related operation, internal secrets may be disclosed. Furthermore, by actively disturbing the physical runtime environment of an IC, an adversary can cause a specific, exploitable misbehavior. The set of physical attacks consists of techniques that apply either globally or locally. When compared to global techniques, local techniques exhibit a much higher precision, hence having the potential to be used in advanced attack scenarios. However, using physical techniques with additional spatial dependency expands the parameter search space exponentially. In this work, we present and compare two techniques, namely laser logic state imaging (LLSI) and lock-in thermography (LIT), that can be used to discover sub-circuitry of an entirely unknown IC based on optical and thermal principles. We show that the time required to identify specific regions can be drastically reduced, thus lowering the complexity of physical attacks requiring positional information. Our case study on an Intel H610 Platform Controller Hub showcases that, depending on the targeted voltage rail, our technique reduces the search space by around 90 % to 98 %.

## CCS CONCEPTS

• Security and privacy  $\rightarrow$  Hardware reverse engineering; • Hardware  $\rightarrow$  Transistors.

## KEYWORDS

Hardware Security, Reverse Engineering, Integrated Circuits, ASIC

## 1 INTRODUCTION

Physical attacks, such as fault injection (FI) attacks or side-channel analysis (SCA) attacks, form one of the most severe threats against secure computing platforms. Their criticality lies within their corresponding threat model. By, e.g., passively measuring a processing unit's environment during a security-critical operation, sensitive information may be leaked unintentionally, which leads to the disclosure of internal secrets [6]. Moreover, by actively disturbing the physical runtime environment of an integrated circuit (IC), an adversary can deliberately cause specific misbehavior, which can be exploited afterward [8]. Hence, these powerful attacks can introduce vulnerabilities into systems where, from a functional point of view, none exist.



Figure 1 (caption not recovered; panel labels only): Blackbox IC, LIT/LLSI, Functional blocks, Targeted analysis.

A way to classify different physical attack scenarios is by their area of consideration. While global techniques (e.g., power analysis, voltage FI, or clock FI) always consider the entire device under test (DuT), local techniques affect or measure only a spatially restricted area. Local techniques, such as laser fault injection (LFI), electromagnetic FI (EMFI), body-biasing injection (BBI) or electromagnetic side channel (EMSC) analysis, make highly targeted attacks viable, as the considered region can be restricted to a specific target region. By exclusively covering a sub-region of interest of the IC, any side effects from and to surrounding components are avoided. Nonetheless, even for the class of localized techniques, there are differences to be considered: while EMFI, EMSC, and BBI all provide means of spatial resolution, LFI can be executed at a much finer granularity. In other words, the higher the spatial restriction is, the more precise an attack becomes. However, the gain in precision comes at the cost of complexity. As every additional parameter that has to be discovered during a physical attack increases the search space exponentially [4, 12], introducing locality in addition to the fault's parameters (i.e., X-, Y-, and Z-position) results in a combinatorial explosion. If an adversary has to identify the target circuitry's position on the entire silicon die, the resulting expansion of the search space leads to the impracticability of an otherwise feasible attack.

Due to this expansion, a considerable amount of research has been proposed to reduce the search space under specific circumstances. Selmke et al. [10] proposed a method based on optical inspection to exclude specific regions of interest. In addition, they proposed the exploitation of side-channel information to further narrow the search space. By measuring the current while stimulating the IC's backside with a laser, Schellenberg et al. [9] showed for a given micro-controller unit (MCU) that flip-flops (FFs) can be identified, which represent lucrative targets for LFI in general. While previous work successfully identified areas of interest in specific circumstances, the general identification of regions on a black box silicon die still poses a hard task [4].

In this work, we propose the identification of sub-circuitry based on the modulation of specific, physically isolated voltage supplies. The modulation of a particular circuitry of interest via its voltage supply causes local physical effects, which can be measured by techniques commonly encountered in the IC failure analysis (FA) domain. By modulating a single voltage rail while leaving the others unmodified, the external modulation manifests, e.g., in local temperature variation or a change in amplitude and phase of the reflected light when scanning over the chip with a laser.

**Our contributions.** We propose lock-in thermography (LIT) and laser logic state imaging (LLSI) as techniques for fast and targeted reverse engineering to simplify and speed up subsequent analysis and attacks. As a case study, we evaluate our approach on a recent and highly complex technology, i.e., a system-on-chip (SoC) manufactured by Intel alongside their 12th Gen. processor series. In this regard, we build a custom printed circuit board (PCB) in order to be able to precisely control the individual power rails in an isolated manner. Based on our prototype, we show that the position of isolated functional blocks can be identified on the die. Finally, we compare LIT and LLSI concerning their reverse engineering capabilities, resolution, and acquisition time.

## 2 BACKGROUND

Failure analysis (FA) represents one of the last steps of the overall application-specific integrated circuit (ASIC) manufacturing process. After a wafer of ICs has been manufactured by the semiconductor fabrication plant, the so-called yield determines the ratio of functional and non-functional ICs. For a semiconductor product to be profitable and manufacturers to remain competitive, the yield must be maximized at all costs. However, the semiconductor manufacturing process of advanced ICs is tremendously complex, i.e., not every part of the process can be controlled in its entirety. While this so-called process variation may be utilized positively to build intrinsic physical unclonable functions (PUFs) [13], it also implies that a certain percentage of manufactured silicon malfunctions once the variation exceeds a given threshold.

FA is centered around localizing and characterizing a single IC's malfunctioning to tweak future production parameters, thus increasing the yield of future production runs. A variety of FA techniques exists, each exhibiting advantages and disadvantages in localizing or characterizing a specific kind of fault. In this work, we utilize two such FA methods, namely lock-in thermography (LIT), which is based on thermal principles, and laser logic state imaging (LLSI), which is based on laser scanning microscopy. In this section, both techniques are briefly introduced. Moreover, power delivery networks (PDNs) of modern SoCs are briefly discussed, as they are key to our approach.

### 2.1 Thermal Analysis of Integrated Circuits

In FA, LIT is employed to localize thermally active regions, which indicate resistive defects in ICs. Failure analysts use this method to, for example, localize resistive shorts between different metal lines, gate oxide breakdowns, and other faults that cause an increase in contact resistance. These resistive defects lead to higher power dissipation and, thus, to a *local* temperature increase. As the local temperature increase implies an increase in mid-range infrared (IR) emanation (i.e.,  $\lambda \in [3, 5]\,\mu\text{m}$ ), it can be captured by an IR-sensitive camera with high resolution. LIT is based on capturing the thermal radiation in the mid-range IR spectrum emitted by an object.

Figure 2: Typical LIT setup.

Resistive defects usually cause power dissipation in the  $\mu$ W range, which translates to local temperature differences in the  $\mu$ K range. However, the sensitivity of high-end IR sensors lies in the 10 mW range. Hence, to be able to measure the small temperature differences, lock-in amplification is mandatory. In LIT, we inject a periodic signal into the DuT, which is also fed into the lock-in amplifier as a reference. The lock-in amplifier then relates the thermal signal captured by the IR camera to the reference, filtering and amplifying the thermal information correlating to the induced modulation.

Moreover, it is worth noting that even a fully powered-off IC may exhibit a strong IR contrast at room temperature due to the differing emissivity of the materials and structures used in manufacturing. Hence, thermographic sensors can be used to record an IC's pattern through the backside.

Figure 2 depicts a typical LIT setup. In this work we exclusively consider complex SoCs exhibiting multiple voltage supplies as DuT. Further, a high-resolution mid-range IR camera is required to capture temperature deviations on a fine scale. Different lenses can be used to increase the spatial resolution of the IR camera. Every LIT setup requires an external electrical stimulus fed into the DuT. This is commonly achieved using a switchable power supply unit (PSU) that provides the external modulation in the form of a square wave of a given amplitude. The lock-in amplifier detects a low-amplitude thermal signal that correlates with the induced signal by performing integration over time. Finally, the PC receives temperature amplitude and phase information and stores the results for later analysis.
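To make the lock-in step concrete, the following added example (not code from the paper) simulates a single IR-camera pixel whose square-wave thermal response at the modulation frequency lies far below the noise floor, and recovers its amplitude and phase by correlating the samples with sine and cosine references; a reference at an unrelated frequency recovers nothing, which is the narrow-band filtering the text describes. The 50 Hz modulation, 1 kHz frame rate, 100 s record and noise level are assumed values.

```python
"""Lock-in detection of a weak periodic thermal signal (added example; not the
paper's code). One IR-camera pixel is modelled: a square-wave temperature
response at the modulation frequency, buried in Gaussian noise, is recovered
by correlating the samples with sine/cosine references at that frequency."""
import math
import random


def simulate_pixel(amplitude, f_mod_hz, fs_hz, duration_s, noise_sigma,
                   phase_rad, seed=1):
    """Constructed pixel time series: square wave of +/-amplitude plus noise.

    The square wave stands in for the thermal response to the switched PSU;
    noise_sigma is the per-frame camera noise (assumed values throughout).
    """
    rng = random.Random(seed)
    n = int(fs_hz * duration_s)
    samples = []
    for k in range(n):
        theta = 2.0 * math.pi * f_mod_hz * k / fs_hz + phase_rad
        square = amplitude if math.sin(theta) >= 0.0 else -amplitude
        samples.append(square + rng.gauss(0.0, noise_sigma))
    return samples


def lock_in(samples, f_ref_hz, fs_hz):
    """Return (amplitude, phase_rad) of the component at f_ref_hz.

    x and y are the in-phase and quadrature products averaged over the whole
    record. The coherent component adds up linearly with the record length,
    while the noise only grows with sqrt(N), so the output noise shrinks the
    longer the lock-in integrates. For a square-wave stimulus of amplitude A
    the fundamental has amplitude 4A/pi, which is what a sine reference
    recovers.
    """
    n = len(samples)
    x = 0.0
    y = 0.0
    for k, v in enumerate(samples):
        theta = 2.0 * math.pi * f_ref_hz * k / fs_hz
        x += v * math.sin(theta)
        y += v * math.cos(theta)
    x *= 2.0 / n
    y *= 2.0 / n
    return math.hypot(x, y), math.atan2(y, x)


def demo(amplitude=0.05, f_mod_hz=50.0, fs_hz=1000.0, duration_s=100.0,
         noise_sigma=1.0, phase_rad=0.4, f_off_hz=37.0):
    """Run the pixel simulation and report on- and off-frequency results."""
    samples = simulate_pixel(amplitude, f_mod_hz, fs_hz, duration_s,
                             noise_sigma, phase_rad)
    on_amp, on_phase = lock_in(samples, f_mod_hz, fs_hz)
    off_amp, _ = lock_in(samples, f_off_hz, fs_hz)
    return {
        "expected_fundamental": 4.0 * amplitude / math.pi,
        "on_frequency_amplitude": on_amp,
        "on_frequency_phase_rad": on_phase,
        "off_frequency_amplitude": off_amp,
        "raw_snr": amplitude / noise_sigma,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>24}: {value:.4f}")
```

With the assumed values the raw per-frame signal-to-noise ratio is 0.05, yet the lock-in output lands within a few percent of the 4A/π fundamental and within a few degrees of the injected phase, while the off-frequency reference stays near zero.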

### 2.2 Laser-Based Analysis of Integrated Circuits

Modern ICs are comprised of numerous metal layers on the chip's front side, making any analysis through the front side impossible. Therefore, analysis is commonly executed through the chip's backside. Since silicon is transparent to near-infrared (NIR) light, laser scanning microscopes (LSMs) can be used to access the active area containing the transistors without preparing the silicon backside of the chip. One approach to localizing faults is stimulating the DuT with a laser and measuring the change in resistance, voltage, or current consumption at the device's terminals. On the other hand, some part of the laser irradiation is modulated by the electrical characteristics in the chip and reflected at metal interfaces, see Fig. 3a. Consequently, this reflected light contains information about the internal voltages of the chip. In LSM, a detector captures the reflected light and translates its magnitude and phase into a corresponding signal. The approach is part of a family of FA methods, referred to as optical probing techniques. When pointing the laser at one location of interest, a waveform depicting voltage over time can be acquired. The corresponding technique is called electro-optical probing (EOP). Besides, an activity map can be created when scanning the laser over a larger area of interest and analyzing the reflected light at each point. The technique is called electro-optical frequency mapping (EOFM), and due to its spatial capabilities, we will focus on EOFM in the following.

2.2.1 Electro-Optical Frequency Mapping. EOFM is an optical probing technique that allows the creation of a two-dimensional activity map of a circuit area. Provided a particular frequency and a bandwidth, EOFM analyzes the reflected light using a narrow-band frequency filter and maps the resulting amplitude onto the scanning position. In this way, all transistors switching at the frequency of interest appear as bright spots in the activity map. So as not to influence the electrical behavior of the DuT, wavelengths above 1.1 µm are used for optical probing techniques. Apart from debugging internal signals in ICs, optical probing can be used to attack devices. For instance, EOFM in combination with EOP has been used to extract sensitive data from a field-programmable gate array (FPGA) [11] or to break logic locking schemes [7].

2.2.2 Laser-Logic State Imaging. LLSI is an extension of EOFM proposed by Niu et al. [5]. Instead of setting the frequency of EOFM to the frequency of a logic signal generated by the device, a periodic signal is injected into the DuT's power supply, as depicted in Fig. 3b. In other words, the DuT's power supply is modulated around the nominal supply voltage with a small peak-to-peak sine signal. EOFM is then used to search for activity based on the introduced modulation frequency. Using LLSI, the logic states of combinatorial and sequential logic can be extracted under the constraint that the clock is stopped for the duration of the measurement [2, 3]. Apart from transistor states, LLSI measurements reveal the location of capacitive elements, such as decoupling capacitors. Consequently, LLSI can be used to localize circuitry connected to the power supply rail under modulation.

### 2.3 Power Delivery Networks in ASIC Design

The PDN of an ASIC is responsible for transmitting current from the package pads to the logic blocks and single transistors. Its design poses a special difficulty since it is responsible for maintaining a stable voltage during load, voltage fluctuations, and spikes. Several other factors, such as the prevention of abrasion effects, overly excessive heat in single spots, and parasitic effects, make the design of PDNs a hard task.

Since modern SoCs consist of a vast number of different components and all of these components have different characteristics w.r.t. their power consumption, hardware designers decided to supply different components with different physically isolated voltage rails. Furthermore, a SoC might require different voltages, where I/O cells operate at a different voltage level than internal logic cells. It is further possible to perform power gating on specific supplies during low power sleep, while only powering the wake-up logic. Other reasons might be that only one component on the SoC consumes excessive power, such as in modern desktop processors, where the high-performance power network is cut off from other maintenance logic. All these requirements lead to modern complex SoCs having complex PDNs with multiple voltage rails.

Figure 3: Principle of optical probing (a) and electrical setup for LLSI (b). The supply voltage modulation leads to a detectable pattern in the reflected light, mapped onto the scanning position and shown as a 2D activity map.

## 3 EXPERIMENTAL SETUP

### 3.1 Device under Test

In order to thoroughly evaluate our novel approach, we decided to utilize a complex, recent-technology SoC manufactured by Intel, which is referred to as the Platform Controller Hub (PCH) [1]. In the past, an Intel mainboard's chipset was defined by a north bridge and a south bridge, which determined the interconnection between different components. The north bridge was handling high-frequency signaling, whereas the south bridge was taking care of lower-frequency communication. Due to the constant increase of integration in microelectronics, the north bridge has been integrated into the central processing unit (CPU) silicon die, whereas the south bridge's functionality as well as other communication protocols (e.g., USB-3 or PCIe) have been merged into another silicon die, referred to as PCH. It is worth noting that Intel's root of trust is a sub-component of the PCH, whereas, for AMD-based systems, the root of trust is placed within the CPU silicon. Because of the high degree of integrated components, Intel's PCH exposes 12 physically isolated voltage rails, which need to be supplied by five different voltage levels. For saving space and resources, the rails requiring the same voltage level are typically tied together on a PCB level whenever possible. While this holds true for all commercially available mainboards, tying together the supply of multiple voltage rails prevents isolated modulation.

### 3.2 Custom Printed Circuit Board

As the goal of this work is to detect several regions of interest by modulating their supply voltages, we have placed our DuT on a custom-designed PCB, which grants us isolated access to each of the voltage rails. Our custom PCB is depicted in Fig. 4. The PCH must be supplied with 5 different voltage levels, which are used to supply power to 12 different, physically isolated voltage rails. Different voltage levels may be provided via the SMA connectors (1); a jumper (2) then either connects or disconnects a specific voltage rail to the external voltage. A set of specific voltage rails has further been connected indirectly via shunt resistors and current sense amplifiers (4) to the DuT (3). By this, power-based SCA attacks are possible for a selected number of voltage rails. However, we leave performing SCA on the different voltage rails of the PCH as future work. Moreover, different boot configurations can be chosen by configuring the jumpers in (5).

Figure 4: DuT mounted on a custom-designed PCB in order to physically isolate the voltage supplies.

### 3.3 Measurement Setup

*3.3.1 LIT Setup.* The LIT setup is equal to the one depicted in Fig. 2. The DuT is represented by Intel's PCH, which is mounted on our custom PCB. By exposing each voltage rail in a physically isolated fashion, we are able to modulate each rail without affecting the others. Here, the modulation takes place based on a periodic square wave signal in the 40–60 Hz range, which can be generated directly by a software-controlled PSU. The silicon die's mid-IR emanation in the field of view of the optical lens is sampled by the camera. The recorded data is forwarded to the lock-in amplifier, which is also provided with the switched power supply as a reference.

*3.3.2 LLSI Setup.* While using the same DuT (i.e., Intel's 610 PCH on the custom PCB), each voltage rail can be modulated at a much higher frequency than is possible for LIT, which reduces noise. As common PSUs are incapable of providing modulation in the MHz range, a bias tee in combination with a function generator and a DC PSU has been used to generate a 2 MHz sine-modulated voltage supply signal. For conducting the LLSI measurements, we use a Hamamatsu PHEMOS-1000 FA microscope, which offers lenses of 5×, 20×, and 50× magnification.

## 4 EVALUATION

In this section, we showcase the effectiveness of our technique. By modulating different voltage rails of the PCH utilizing our PCB design, we can clearly distinguish between different regions. We present the results of two different measurements, namely modulating vcc\_core\_prim\_0p82 as well as vcc\_usb\_0p82<sup>1</sup>. We have selected these two scenarios as a representative subset, as they highlight the different outcomes of our measurements.

As a metric to quantify the reduction in search space achieved by our technique, we compute the area that responds to the external modulation. The evaluation takes place based on thresholding, i.e., if a signal within a region exceeds a threshold, we classify it as being affected by our modulation, otherwise, it is classified as unaffected. As without modulation an adversary is required to scan the entire die, we compare the die's overall area to our identified regions to quantify the area reduction using our technique.

The minimum time a physical attack with spatial information requires can be approximated by considering the number of positions to be tested, the time per attempt, and the number of attempts per position. In addition to the aforementioned parameters, when considering FI also all combinations of the fault's parameters have to be considered (e.g., offset and strength).

$$t_{\text{scan}} = \frac{\text{area width}}{\text{step size x}} \times \frac{\text{area height}}{\text{step size y}} \times n \times t_{\text{attempt}} \times \text{comb}_{\text{params}}$$

As an example, when considering LFI, a magnification of  $50\times$  is commonly required to induce enough energy within a spatially limited radius for the photoelectric effect to cause logical misbehavior at the transistor level. A  $50\times$  lens commonly corresponds to a transistor-focused laser spot size of about 1 µm. Hence, a step size in either x or y of 1 µm must not be exceeded. In our case study, the silicon die is 8 mm wide and 12 mm high, which – based on a step size of 1 µm in x and y – results in 96,000,000 possible positions. Even when considering a single attempt per position (n = 1), a single combination of fault parameters (comb<sub>params</sub> = 1) and a time per attempt of 0.1 s ( $t_{attempt} = 0.1$ ), 111 days would be required to scan the whole die area. For this simplified approximation, the time required to move the stage and re-focus the laser along the Z-axis is neglected.
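The thresholding metric of this section and the t_scan estimate above, carried out as an added example (not the authors' code): the amplitude map is a constructed stand-in for a LIT/LLSI result, while the 8 mm × 12 mm die, the 1 µm step size and the 0.1 s per attempt are the values from the text.

```python
"""Search-space metric from Section 4 (added example; not the paper's code).

(1) Threshold a 2-D lock-in amplitude map (LIT or LLSI) and report the
    fraction of die area classified as responding to the modulated rail.
(2) Evaluate the t_scan estimate for the full die and for the identified
    region only, using the parameters of the case study.
"""
import random
from typing import List

SECONDS_PER_DAY = 86_400
DIE_WIDTH_UM = 8_000      # 8 mm, from the case study
DIE_HEIGHT_UM = 12_000    # 12 mm, from the case study


def constructed_amplitude_map(rows: int = 60, cols: int = 40,
                              seed: int = 7) -> List[List[float]]:
    """Constructed stand-in for a measured amplitude map (not real data).

    Each pixel covers a 200 um x 200 um patch, so 60 x 40 pixels span the
    12 mm x 8 mm die. Three pixel classes are placed: a solid high-amplitude
    block (PDN-like), a checkerboard block (speckled, logic-like) and a quiet
    background carrying a little noise that stays below any sane threshold.
    """
    rng = random.Random(seed)
    amp = [[0.02 + rng.uniform(0.0, 0.05) for _ in range(cols)]
           for _ in range(rows)]
    for r in range(10, 30):
        for c in range(5, 15):            # solid block: 20 x 10 pixels
            amp[r][c] = 0.9
        for c in range(15, 25):           # speckled block: every other pixel
            amp[r][c] = 0.6 if (r + c) % 2 == 0 else 0.05
    return amp


def responding_fraction(amp: List[List[float]], threshold: float) -> float:
    """Fraction of pixels whose lock-in amplitude exceeds `threshold`.

    Pixels are equal-sized patches of die area, so this equals the fraction
    of the die classified as affected by the modulated rail.
    """
    total = sum(len(row) for row in amp)
    hits = sum(1 for row in amp for v in row if v > threshold)
    return hits / total


def search_space_reduction(affected_fraction: float) -> float:
    """Reduction relative to an exhaustive scan of the whole die."""
    return 1.0 - affected_fraction


def scan_time_s(area_w_um: float, area_h_um: float, step_x_um: float = 1.0,
                step_y_um: float = 1.0, n: int = 1, t_attempt: float = 0.1,
                comb_params: int = 1) -> float:
    """t_scan from Section 4: positions x attempts x time x parameter combos."""
    positions = (area_w_um / step_x_um) * (area_h_um / step_y_um)
    return positions * n * t_attempt * comb_params


def die_scan_days(affected_fraction: float = 1.0, **kwargs) -> float:
    """Days needed to scan the responding share of the case-study die.

    Scanning only the identified region scales the position count, and hence
    the time, by the responding fraction; stage moves and re-focusing are
    neglected as in the text.
    """
    full = scan_time_s(DIE_WIDTH_UM, DIE_HEIGHT_UM, **kwargs)
    return full * affected_fraction / SECONDS_PER_DAY


if __name__ == "__main__":
    frac = responding_fraction(constructed_amplitude_map(), threshold=0.1)
    print(f"responding area: {frac:.1%}, "
          f"search space reduction: {search_space_reduction(frac):.1%}")
    print(f"full die: {die_scan_days():.1f} days, "
          f"identified region: {die_scan_days(frac):.1f} days")
```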

### 4.1 Modulation of vcc\_core\_prim\_0p82

As the name implies, vcc\_core\_prim\_0p82 appears to power the primary core logic contained inside the PCH, whereas 0p82 indicates an electrical potential of 0.82 V. In the following, we present the results of performing LIT as well as LLSI based on a modulation of vcc\_core\_prim\_0p82. As the hereby identified regions represent core logic components, these form potentially lucrative areas for further physical attacks.

4.1.1 *LIT*. The results of modulating vcc\_core\_prim\_0p82 and performing LIT as described in Section 3.3.1 are depicted in Fig. 5a. Here, a yellow overlay indicates that after the LIT process, a strong increase in temperature was recognized in the corresponding region, whereas purple indicates that a minor temperature deviation matching the induced modulation frequency has been noted. The remaining regions are completely unaffected by the external modulation. By modulating vcc\_core\_prim\_0p82, we obtained a LIT signal that covers about 18.9% of the chip area. This corresponds to a search space reduction of 81.1% compared to an exhaustive scan. However, in order to even further narrow down the search space, we continue to analyze the different emissivity characteristics of different structures. As depicted in the thermal image, different areas of different intensity values were captured. While the solid yellow areas, where the highest intensity is observed, can be expected to belong to power supply circuitry (i.e., PDN structures), the yellow-purple sprinkled areas are promising candidates for synthesized logic cores. The difference is depicted in more detail in Fig. 6a. By visual inspection, the remaining search space can therefore be cut again, leading to a potential target chip area of only 15.4%.

<sup>1</sup>Following Intel's nomenclature: https://www.intel.com/content/www/us/en/products/sku/218829/intel-h610-chipset/specifications.html

(a) LIT, captured with 1× magnification. (b) LLSI, captured with 20× magnification (stitched from 204 images).
Figure 5: LIT and LLSI amplitudes overlaid on the optical image for the vcc\_core\_prim\_0p82 rail.

4.1.2 *LLSI*. The results of modulating vcc\_core\_prim\_0p82 and scanning over the die as described in Section 3.3.2 are depicted in Fig. 5b. Again, yellow indicates that the modulation in the reflected light shows a strong correlation in amplitude with our injected stimulus, whereas purple indicates that the modulation of the reflected light slightly diminishes. All remaining regions are not affected by modulation at all. It is worth noting that the regions appearing speckled in the LIT measurements show up as speckled again. However, the regions identified by LLSI as well as the speckle pattern are much more precise and sharp. Their difference in the same region as before is depicted in Fig. 6b. By modulating vcc\_core\_prim\_0p82, we obtained an LLSI signal that covers about 16.3 % of the chip area, i.e., 2.6 % less area than measured by LIT. This corresponds to a search space reduction of 83.7 % compared to an exhaustive scan. As before, by considering the differences of solid PDN area and speckled logic area, this time the search space can even be reduced to 10.9%, i.e., 4.5% less than with LIT.

### 4.2 Modulation of vcc\_usb\_0p82

While the previous measurement revealed that LIT and LLSI are both capable of identifying PDNs as well as their supplied logic, with this experiment we would like to show that these techniques can also be used to uniquely identify regions that are right next to each other without any interference. The vcc\_usb\_0p82 rail appears to power the USB logic contained inside the PCH, whereas 0p82 indicates an electrical potential of 0.82 V. In the following, we present the results of performing LIT by modulating vcc\_usb\_0p82. While the results of performing LLSI are similar, they have been omitted due to space constraints. However, high-resolution images of applying LLSI are provided in the appendix in Fig. 13.

Figure 6: Comparison of LIT and LLSI in one region of interest to show the possibility of distinguishing between power supply and logic areas.

The results of modulating the vcc\_usb\_0p82 voltage and performing LIT as described in Section 3.3.1 are depicted in Fig. 7. It is important to note that compared to the previous measurement, a relatively small area of the die shows a thermal correlation to the modulation. As before, a yellow overlay indicates a strong increase in local IR emissivity correlating to the modulation, whereas purple indicates a weaker emissivity. All other regions are unaffected by the external modulation of vcc\_usb\_0p82. By modulating the USB supply voltage, we successfully identified this part of the SoC, which handles the USB protocol communication. It only covers 1.2 % of the die area. Moreover, when superimposing the results of the previous measurement (i.e., the modulation of vcc\_core\_prim\_0p82), the proximity of the results becomes observable. This demonstrates that our technique for reverse engineering can be used with high spatial resolution.



Figure 7: LIT amplitude for the vcc\_usb\_0p82 rail captured with  $1 \times$  (left) and  $2.5 \times$  (right) magnification. The adjacent regions previously identified to belong to vcc\_core\_prim\_0p82 are depicted in green.

## 5 DISCUSSION

In this work, we have utilized LIT and LLSI to discover the position of a specific circuitry of our target. For both setups, we provided external modulation of a given frequency to discover regions connected to physically isolated PDNs. Since LIT and LLSI exhibit similar capabilities and results during our evaluation, we discuss the main differences between both techniques before concluding this work.

### 5.1 Spatial Resolution and Acquisition Time

In this work, the spatial resolution of LLSI was much higher than that of LIT. This is due to the fact that for LIT, commonly only low-magnification lenses with sufficiently good optical properties are available. Due to the poor properties of the lenses, a higher magnification drastically increases the measurement time. During our measurements, only weak signals have been recorded with lenses of 10× magnification. Nevertheless, the LIT images presented in this work, captured with a  $1 \times$  lens, could compete with the results obtained by applying LLSI. Vice versa, LLSI measurements with a reasonable signal-to-noise ratio could only be obtained with the 20× lens and above, making the scan comparably slow. While for LIT the scanning time was in the range of a few hours for the entire chip, scanning the die in an automated fashion using LLSI with the 20× lens took roughly one day. Consequently, for a first overview, LIT can deliver sufficient and fast results. When higher magnification for more detailed analysis is required, LLSI should be considered.

### 5.2 Setup Cost and Availability

While the LIT setup used in this work can be acquired for around \$200K, a setup for optical probing costs at least \$1M. Consequently, LIT can be considered the more cost-efficient solution. However, there is always the possibility to rent FA equipment or even to hire a failure analyst in a much more affordable way.

### 5.3 Backside Silicon Access

Direct access to the silicon surface is a strict requirement for optical probing methods. Moreover, the silicon substrate must fulfill specific properties (e.g., polished surface, no highly-doped silicon). Although flip-chip packages have become more relevant over the past years, less complex ICs are still packaged by other means, which often encapsulate the IC in a plastic or ceramic case. Hence, to perform optical inspection, the IC has to be decapsulated and polished, which is a tedious and risky process, as it may result in a broken DuT. Methods used range from chemical to mechanical processes, and each step must be taken carefully to leave the device operable after decapsulation.

In this regard, LIT has an advantage over LLSI: it is an FA method that does not strictly require the silicon backside to be exposed. LIT measurements are typically also possible through a package, though the spatial resolution decreases compared to measurements with the silicon exposed. We expect that LIT delivers results that are acceptable for EMFI, as it is a less location-dependent physical attack than, e.g., LFI. Although we did not perform experiments with this scenario, it is an intriguing approach for further investigation.

## 6 CONCLUSION

In this paper, we presented a novel method leveraging LIT and LLSI to identify specific parts of circuitry on a large, fully unknown SoC. Advanced high-performance ICs always expose multiple voltage rails, which provide the power to different sub-circuitry. The modulation of different voltage supplies allows optical as well as thermal techniques to map a voltage rail to specific regions that are powered by the corresponding supply. As voltage rails commonly need to be labeled, an adversary may deduce semantic information about the identified circuitry. While not focusing on introducing a specific attack, we provide a building block that makes physical attacks requiring spatial information feasible in the first place.

Moreover, we have provided proof that our method works well for a recent-technology Intel PCH, where we were able to identify subcircuits with ease. By using our novel approach, it was possible to identify the exact positions and sizes of USB, RTC, and core logic, thus drastically reducing the search space of a subsequent attack.

## REFERENCES

- [1] Intel. 2022. Intel 600 Series Chipset Family Platform Controller Hub. Intel. Rev. 004.
- [2] Thilo Krachenfels, Fatemeh Ganji, Amir Moradi, Shahin Tajik, and Jean-Pierre Seifert. 2021. Real-World Snapshots vs. Theory: Questioning the t-Probing Security Model. In 2021 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society, 1955–1971. https://doi.org/10.1109/SP40001.2021.00029
- [3] Thilo Krachenfels, Tuba Kiyan, Shahin Tajik, and Jean-Pierre Seifert. 2021. Automatic Extraction of Secrets from the Transistor Jungle using Laser-Assisted Side-Channel Attacks. In 30th USENIX Security Symposium (USENIX Security 21). USENIX Association, 627–644.
- [4] Niclas Kühnapfel, Robert Buhren, Hans Niklas Jacob, Thilo Krachenfels, Christian Werling, and Jean-Pierre Seifert. 2022. EM-Fault It Yourself: Building a Replicable EMFI Setup for Desktop and Server Hardware. In 2022 IEEE Physical Assurance and Inspection of Electronics (PAINE). 1–7. https://doi.org/10.1109/PAINE56030.2022.10014927
- [5] Baohua Niu, Grace Mei Ee Khoo, Yuan-Chuan Steven Chen, Fernando Chapman, Dan Bockelman, and Tom Tong. 2014. Laser Logic State Imaging (LLSI). In ISTFA 2014: Conference Proceedings from the 40th International Symposium for Testing and Failure Analysis. ASM International, 65–72. https://doi.org/10.31399/asm.cp.istfa2014p0065
- [6] Colin O'Flynn and Zhizhang David Chen. 2015. Side channel power analysis of an AES-256 bootloader. In 2015 IEEE 28th Canadian Conference on Electrical and Computer Engineering (CCECE). IEEE, 750–755.
- [7] Mir Tanjidur Rahman, Shahin Tajik, M. Sazadur Rahman, Mark Tehranipoor, and Navid Asadizanjani. 2020. The Key is Left under the Mat: On the Inappropriate Security Assumption of Logic Locking Schemes. In 2020 IEEE International Symposium on Hardware Oriented Security and Trust (HOST). https://doi.org/10.1109/HOST45689.2020.9300258
- [8] Marvin Saß, Richard Mitev, and Ahmad-Reza Sadeghi. 2023. Oops..! I Glitched It Again! How to Multi-Glitch the Glitching-Protections on ARM TrustZone-M. arXiv preprint arXiv:2302.06932 (2023).
- [9] Falk Schellenberg, Markus Finkeldey, Bastian Richter, Maximilian Schäpers, Nils Gerhardt, Martin Hofmann, and Christof Paar. 2015. On the complexity reduction of laser fault injection campaigns using OBIC measurements. In 2015 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC). IEEE, 14–27.
- [10] Bodo Selmke, Emanuele Strieder, Johann Heyszl, Sven Freud, and Tobias Damm. 2021. Breaking black box crypto-devices using laser fault injection. In International Symposium on Foundations and Practice of Security. Springer, 75–90.
- [11] Shahin Tajik, Heiko Lohrke, Jean-Pierre Seifert, and Christian Boit. 2017. On the Power of Optical Contactless Probing: Attacking Bitstream Encryption of FPGAs. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS). ACM, 1661–1674. https://doi.org/10.1145/3133956.3134039
- [12] Jan Van den Herrewegen, David Oswald, Flavio D. Garcia, and Qais Temeiza. 2021. Fill your boots: Enhanced embedded bootloader exploits via fault injection and binary analysis. *IACR Transactions on Cryptographic Hardware and Embedded Systems* (2021), 56–81.
- [13] Ingrid Verbauwhede and Roel Maes. 2011. Physically unclonable functions: manufacturing variability as an unclonable device identifier. In Proceedings of the 21st Edition of the Great Lakes Symposium on VLSI (GLSVLSI). 455–460.

## 7 APPENDIX



Figure 8: Reflected light laser scanning image stitched from 204 images captured with the  $20 \times$  lens.



Figure 9: LIT amplitude overlaid on the optical image for the vcc\_core\_prim\_0p82 rail captured with 1× magnification.



Figure 10: LLSI amplitude overlaid on the optical image for the vcc\_core\_prim\_0p82 rail captured with  $20 \times$  magnification.



Figure 11: LIT amplitude overlaid on the optical image for the vcc\_usb\_0p82 rail captured with the macro lens.




Figure 12: LLSI amplitude overlaid on the optical image for the vcc\_usb\_0p82 rail captured with the 20× lens.



Figure 13: LLSI amplitude overlaid on the optical image for the vcc\_usb\_0p82 rail captured with 20× magnification.