IC Packaging and Security: Do They Affect One Another?

Devices are available in many package types—you might choose between TQFP or BGA nowadays depending on the physical size your product needs. But some of the ultra-small packages such as CSP expose the backside of the IC die. In this article, Colin takes you through how this makes it easier to perform certain classes of attacks, and demonstrates how they can be done in practice.

If you’ve followed this column, hopefully you’ve noticed that I’ve introduced all sorts of attacks. Among those have been side-channel power analysis and fault injection, and for fault injection we’ve used clock glitching, voltage glitching and electromagnetic glitching. But those are far from the only possible attack methods!

That said, some of the other methods involve a lot more work. And they don’t fall well into the categories of “low-cost” or “DIY” attacks. While there is lots we can do with $50,000 to $100,000 worth of gear, the number of people spending that much money on attacks is also fairly limited. One of those “more advanced” methods is called Biased Body Injection (BBI). This fault injection method typically involves exposing the “backside” of an IC. The backside typically means we have access to the IC substrate (silicon). This silicon has some connectivity to the individual transistors that build up the IC itself.

This technique was introduced in the paper “Yet Another Fault Injection Technique: by Forward Body Biasing Injection” by P. Maurine et al [1]. The idea behind it is that we can inject a voltage onto that backside surface. A probe (wire) is put into contact with the backside, and a voltage is pulsed onto the surface. This will couple small voltage perturbations into the internal chip itself, which will allow us to perform normal fault injection type work.

EXPOSING A CHIP’S BACKSIDE
As you can guess, the most difficult part of this operation is exposing the “backside” of a chip. If you think of a normal package such as a TQFP IC, you are literally milling down the underside of the epoxy that surrounds the IC. But how can we skip that step? The answer is that we can take advantage of some different packaging types!

In particular, I’m going to look at wafer level chip scale packaging (WLCSP). This package type is designed to have the absolute minimum “waste” outside of the actual IC die. Figure 1 shows the underside of this package on a test PCB—the nearby capacitors are a 0603 size. This package is basically a cut piece of the silicon wafer itself, and is almost as physically small as possible.

The great part of this—for the attacker—is that the silicon wafer backside is the top-side of the IC package! As a result, we can experiment with BBI by just building a simple test board using a WLCSP device. I’m going to experiment on a STMicroelectronics (ST) STM32F415OG IC, which is one of many parts available in WLCSP. I chose the STM32F415 in particular because it’s a “regular target” for my ChipWhisperer target boards. For example, the NewAE Technology NAE-CW308T-STM32F4HWC target board uses the STM32F415 but in TQFP-64 package. Therefore, we can do some comparisons between the TQFP and WLCSP package in the future.

The downside of WLCSP is how small it is! The solder balls are typically on a very small grid—0.4mm in this case. This requires a complicated PCB, which will use “via-in-pad” technology. With via-in-pad, the vias are actually placed inside of the pads the BGA balls will contact. To avoid solder wicking down the pads, the vias are filled with conductive epoxy and capped over. This processing step avoids having a hole in the middle of your pad.

Why is that a downside? It’s because if you are ordering a small number of PCBs—such as ordering just 10 or 20 for a prototype—using via-in-pad is a large cost increase. If you are doing a moderate-sized production run (even a few hundred boards) this is less of an issue. But because I’m just doing a small test board, you might notice I’ve cheated on the PCB shown in Figure 1, and have deleted some pads to allow me to route out the inner ball connection. This PCB is already at 3-mil trace/space, so it would not be possible to otherwise route between the balls without going to via-in-pad.

To solder the IC, I’m using only flux (no solder paste) to avoid the requirement of a high-quality stencil. This is not typically recommended for production environments, but for our test board it’s more than enough. You may also notice I have alignment marks that are etched into the copper layer itself. While it would be normal to have a package outline on the silkscreen layer, the alignment of silkscreen layers is typically not as high. By putting alignment marks into the actual top copper layer, it guarantees the alignment marks will be perfectly aligned with the pads for the WLCSP that are also on the top copper layer.

If you’d like to see the full board design, a link to the its GitHub page [2] is available in the RESOURCES at the end of this article. The board in this article is an early revision one—by the time you read this article, a slightly later revision will be posted in to that GitHub page. The changes are designed to flip some of the extra parts to the bottom side of the PCB. In the future, this will allow “thinning” of the backside silicon die with a precision grinder.

BUILDING A BBI PROBE
Performing fault injection with BBI requires you to inject a variable voltage into the device. The level of that voltage depends on how thick the backside silicon is. In our case, we’re using an off-the-shelf device which has a fairly thick silicon layer. So, we’re going to generate a pulse with somewhere between 200V-500V as a maximum voltage. Due to the high impedance of the connection between the backside of the IC die and the internal transistors, this high voltage doesn’t result in blowing up the internal transistors. It just results in a “reasonable” voltage levels at the internal nodes.

In previous articles, I have introduced the ChipSHOUTER electromagnetic fault injection tool. This tool can generate a high-voltage pulse, but this pulse is designed to be injected into a coil. Therefore, for simplicity I built a 1:1 transformer, which we can inject onto the backside of the IC. This is shown schematically in Figure 2.

The nice thing about this design is you can modify it easily with different winding ratios. Using a 1:10 ratio for example would let you get similar results with only a 50V pulse generator in theory. Or if you had a thinner die, you might actually need a lower voltage, and thus could use a different winding ratio. The physical probe itself is shown in Figure 3—the two coils are wound on one ferrite core. One side of the secondary coil goes to a spring-tip probe. The other end goes to a pin header which can be connected to the ground of the target device. With that, let’s check out the target device.

BUILDING A TARGET DEVICE
The target device itself is shown as an overview in Figure 4. As mentioned before, the schematic and PCB details are posted on GitHub in the “chipwhisperer-target-cw308t” repository [2]. There is one more trick I need to mention. The right side of Figure 4 shows a STM32F415OG device in WLCSP mounted as it comes from the supplier. The top of the WLCSP has a small covering over the wafer back.

This covering is required because the devices are also highly susceptible to bright light flashes. In fact, it’s yet another form of fault injection that we can use, but we’ll talk about in a future article. But this cover is electrically isolating so we’d like to remove it.

You can physically scrape the covering off. A slightly less damaging option is to soak the IC package in acetone, which will also remove the covering. I found it took a day or so for this to work, but was reliable and had no risk of cracking the wafer backside itself. The left side of Figure 4 shows a prepared device. This device has a very shiny backside. There is no covering on the wafer. This means we’re ready to prepare for performing a fault injection attack on the device.

We once again need some example code to glitch. I’ve covered glitchy code in many of previous articles. The real end goal of glitching is to bypass some check, for example in Listing 1 we have a secure boot check that we want to bypass by having the incorrect value returned from signature_ok() (or just bypassing the check of that value). When we are exploring the device, it’s easier to use some more basic code to confirm our fault injection hardware is working. Attacking an unknown device, with an unknown fault injection tool, is not going to be a trivial attack!

if (signature_ok(&target_image) == SIG_FAIL){
    //Boot failed - stop now.
    while(1);
} else {
    //Boot OK - continue
    boot_image(&target_image);
}

Listing 1
Some example code that checks for a signature validation, and, if it fails, goes into an infinite loop. Fault injection would allow us to bypass this security mechanism.

Instead see the code in Listing 2—this just repeatedly performs an operation that should print the value of 62500 (250 × 250), the result of running completely through both loops. If we skipped out of one loop or the other, the result would be that the number of iterations change. While changing the iteration number doesn’t sound too exciting, in reality if we can succeed with that, then we know our attack device is working successfully!

void glitch_infinite(void)
{
    char str[64];
    unsigned int k = 0;
    //Declared volatile to avoid optimizing away loop.
    //This also adds lots of SRAM access
    volatile uint16_t i, j;
    volatile uint32_t cnt;
    while(1){
        cnt = 0;
        trigger_high();
        trigger_low();
        for(i=0; i<250; i++){
            for(j=0; j<250; j++){
                cnt++;
            }
        }
        sprintf(str, "%lu %d %d %d\n", cnt, i, j, k++);
        uart_puts(str);
    }
}

Listing 2
Our more obvious calibration code runs two loops in a sequence. Any sort of program flow interruption will become apparent in the loop output.

PERFORMING THE GLITCH
Finally, we come to the actual attack. The physical setup is shown in Figure 5. The ChipWhisperer target board is mounted in a normal CW308 UFO board to provide power, clock and so forth. You can see the target probe from Figure 3 is resting on the surface of the WLCSP package—again with the back covering removed. To drive the probe, a ChipSHOUTER is used which generates a high-voltage pulse, with the ChipSHOUTER set to about a 400V maximum voltage at the output of the ChipSHOUTER. Again, we have a 1:1 transformer so the pulse being injected onto the die will be a similar voltage.

The position of the probe on the backside of the device was critical. This was mentioned in the original paper introducing BBI, which makes sense as different sections of the chip will be “closer” to the probe than others. If we consider that the physically closest section of the chip is the most likely to be affected by our injected voltage pulse, it seems likely we need to move the probe around until it is as close as possible to transistors or circuitry we are trying to corrupt or change—over the top of them, for example.

The code in Listing 2 was run, with the output printed to a serial port. You can see the results in Listing 3. The normal output shows the correct count, but a different count of 399 is also printed! This might not sound too exciting for you, but the result of this is that the program flow has been changed, and thus we are able to use this to bypass code such as in Listing 1.

62500 250 250 0
62500 250 250 1
62500 250 250 2
399 250 250 3
62500 250 250 4

Listing 3
Iteration 3 has an obviously incorrect value, showing one of the loops exited too early!

WLCSP WORRY
What is the takeaway here then? You should see from this article that BBI isn’t too difficult to perform when you are using a WLCSP device. The WLCSP will inherently expose the backside of the die, meaning that BBI becomes a new threat model. But remember that attacks such as electromagnetic fault injection (EMFI) didn’t require any access to the die backside, and were also highly effective for many devices.

So, while WLCSP means a new attack vector is more accessible, for most devices it’s not likely to be much worse than existing attack vectors. Where WLCSP becomes interesting is if a device has built in defenses for EMFI attacks, but might still be vulnerable to BBI attacks.

You can build your own BBI-type instrument by generating a high-voltage pulse. If you don’t have a ChipSHOUTER, you might use a different winding ratio on your BBI probe transformer. For example, using a 1:10 winding ratio should generate a high-voltage output pulse with a lower-voltage input pulse. 

RESOURCES

References:
[1] “Yet Another Fault Injection Technique : by Forward Body Biasing Injection” by P. Maurine et al. (https://hal-lirmm.ccsd.cnrs.fr/lirmm-00762035/document ).
[2] https://github.com/newaetech/chipwhisperer-target-cw308t/tree/master/CW308T_STM32F_CSP

NewAE Technology | www.newae.com
STMicrolectronics | www.st.com

PUBLISHED IN CIRCUIT CELLAR MAGAZINE • SEPTEMBER 2020 #362 – Get a PDF of the issue

Colin O'Flynn

Website | + posts

Colin O’Flynn has been building and breaking electronic devices for many years. He is an assistant professor at Dalhousie University, and also CTO of NewAE Technology both based in Halifax, NS, Canada. Some of his work is posted on his website (see link above).

• Colin O'Flynn

  https://circuitcellar.com/author/colin-oflynn/

  Fault Injection and Power Analysis
• Colin O'Flynn

  https://circuitcellar.com/author/colin-oflynn/

  Keeping Your Memories Secret
• Colin O'Flynn

  https://circuitcellar.com/author/colin-oflynn/

  Exploring RSA Power Analysis (Again)
• Colin O'Flynn

  https://circuitcellar.com/author/colin-oflynn/

  Breaking the Loop with Fault Injection