Fib Reverse Engineering


Journal of Hardware and Systems Security (2020) 4:1–10

https://doi.org/10.1007/s41635-019-00068-8

Practical Partial Hardware Reverse Engineering Analysis
For Local Fault Injection and Authenticity Verification

Franck Courbon1

Received: 31 May 2018 / Accepted: 15 March 2019 / Published online: 6 April 2019
© The Author(s) 2019

Abstract
Reverse engineering typically requires expensive equipment, skilled technicians, time, a cross section of the component
to be sliced out and a dedicated reconstruction software. In this paper, we present a low-cost alternative, combining fast
frontside sample preparation, electron microscopy imaging, error-free standard cell recognition and within and between-die
standard cell statistical analysis (SCSA). Step-by-step, we depict the process to access the transistor’s drain/source area,
to acquire the full area of a single chip layer, to adapt pattern recognition for standard cells and to analyze the standard
cell width, local/global location and occurrences number. The inner workings of each step are accompanied by results on
45–65-nm FCBGA devices enabling to locate specific areas (e.g. registers, hardware accelerator). We particularly point out
the importance of such design information extraction for local fault injection and hardware assurance. The primary goal is
to analyze how much design information of a complex integrated circuit can be retrieved with minimal costs and without
outsourcing.

Keywords Standard cell · Partial reverse engineering · Pattern recognition · Statistical analysis · Countermeasures

Franck Courbon
franck.courbon@cl.cam.ac.uk
1 Department of Computer Science and Technology, University of Cambridge, William Gates building, 15 JJ Thomson Avenue, CB30FD, Cambridge, UK

1 Introduction

Hardware-based vulnerabilities of integrated circuits (ICs) running security applications allow an attacker to retrieve sensitive data or bypass security mechanisms. Reverse engineering [1], a specific kind of attack, is seen as an expensive approach compared to side-channel or even fault attack approaches. However, products include more and more countermeasures regarding side-channel and fault attacks at the development stage, thus reducing such attack schemes. On the other hand, reverse engineering, due to time and cost constraints, is not typically considered a standard solution. Indeed, typical reverse engineering involves perfectly accessing each layer of a circuit, acquiring images and processing them. It requires skills, expertise, expensive equipment, high precision and time [2]. Reverse engineering is utilized for circuit integrity verification or IP infringement detection and can be performed by analytical laboratories. X-ray-based reverse engineering (non-destructive) is widely under investigation but currently requires highly sophisticated equipment and has only been applied to a very small subset (some μm³) of an IC [3, 4]. While some interesting FIB/SEM techniques [5] have so far been applied to parts of a circuit, they are quite demanding in terms of knowledge, time and equipment, as illustrated in Table 1. There are also ongoing multi-electron beam source and X-ray detector investigations to allow local X-ray analysis without synchrotron [6].

To counteract the difficulty of the standard reverse engineering process, we propose to retrieve sensitive information of a component (e.g. registers location and hardware accelerator) by only analyzing where the transistors’ drain/source are located. Having such information is enough to reduce the area of interest for a subsequent localized attack (e.g. electromagnetic or laser attack); check the authenticity of the circuit (e.g. hardware trojan detection); or understand the underlying hardware layer after a side-channel technique such as photon-emission analysis. Our goal is not to reverse engineer a complete chip but instead to gain partial design information for particular purposes. They lie in the area of malicious circuit modification detection but also in combined attacks where such technique
would decrease the number of samples and attack time needed. Thus, a complete attack could be applied thanks to some extracted spatial information combined with standard side-channel (e.g. power) extracted temporal information. Also, extracted spatial information can be analyzed once chip sub-functions have been roughly localized with a more global technique.

Most of the drawbacks of hardware reverse engineering disappear (cost, time, manual corrective action), and we retrieve the standard cells function or a specific group of standard cells by location (absolute and cell-to-cell), occurrences number, and width/shape analysis, which we refer to as standard cell statistical analysis (SCSA). The methodology herein is depicted from sample acquisition to a few recognition examples.

Utilizing such an approach, locating specific cells can be done regardless of the device technology node and package. For instance, it can reduce attack rating for the identification and exploitation phase and can be used in conjunction with laser fault attacks [8] to bypass security mechanisms [7]. Multi-spot (bypass/fault capability) and high-power (through the substrate capability) platforms are commercially available, increasing security threat (redundancy and software check can be defeated). While technology node approaches 7 nm, the size of the implemented transistor/single standard cell is larger, and laser energy (pulse duration/power) can be reduced enough to only perturb a single standard cell below the peak of the Gaussian shape beam.

In the past, Nohl [9] reversed a ciphering circuit made of 400 NAND gate equivalent (GE) from optical images using normalized cross-correlation. Also, Courbon [10] retrieved the location of a single type of standard cell (a flip-flop cell) on a 0.5-mm² area device manufactured in a 130-nm process. To the best of our knowledge, we are the first to develop, and explain step by step, a low-cost full area (single layer) standard cells extraction methodology on a 45-nm device (Mgates), while analyzing IC design requirements, methodology limits and countermeasures. The aforementioned methodology takes its sample preparation roots in the failure analysis world, its image processing roots in the cell (biology) analysis world.

The paper is organized as follows: we start by talking about IC design and geometries, before introducing the multi-field steps to localize standard cells in Section 2. Then, we introduce the device under investigation in Section 3, and put into practice the methodology in Section 4. Finally, we investigate partial reverse engineering applications in Section 5 and present ways on how to extend this work in Section 6.

Table 1 Hardware reverse engineering techniques comparison

RE technique    Cost/time/exp.   Applied on
Standard [1]    ++               Full volume possible
FIB/SEM [5]     +++              Hundreds μm³
X-ray [4]       ++++             Few dozens μm³
Drain/source    –                Full single-layer surface

2 From Integrated Circuit Design to Standard Cell Physical Extraction

2.1 IC Design

An IC designer uses a certain number of off-the-shelf macros (IP royalty fees apply) combined with a certain number of standard cells (from a chosen process design kit (PDK)), a ratio that primarily depends on project cost and design (i.e. timing) constraints. For instance, ARM cores hard macros are widely present at the moment in embedded devices, such as mobile phones and smart cards. There are similarities between products, as standard cells and hard macros are re-used across a large variety of devices. Herein, we analyze standard cells and hard macros XY localizations. In the era of specialization (i.e. dedicated ASIC for machine learning/server) and open-source hardware (based on RISC V instruction set architecture (ISA)), investigating hardware implementation is paramount.

2.2 IC Geometries

Integrated circuit area (length and width expressed in mm) is wider compared to the thickness of each metal layer (few hundreds nm), hence the planarity problem when delayering. Adding to the high density of transistors per mm², this leads to long imaging time. The smallest feature (for not advanced process) is generally the transistor gate width, corresponding to the technology node. A transistor controls how much current flows through from source to drain, depending on the voltage applied on the gate. Such capability is used to obtain various Boolean functions (or to create a current amplifier). Drain and source are created by local doping (boron, phosphorus) of the semiconductor substrate which is silicon based. From bottom to top, following the substrate, we find poly-silicon that forms the transistors’ gates (separated by a dielectric SiO2 down to 32 nm, then replaced by Hafnium-based (higher permittivity) dielectric). Typically, a first metal layer is then used to interconnect transistors, thus forming standard cells (NAND, OR, FLIP-FLOP). Then, non-basic functions, such as a 32-bit counter, are formed by interconnecting multiple standard cells together, while power/clock are routed in top metal layers. Metal layers are separated by a dielectric
(SiO2 (glass)), and vias allow vertical connections between the subsequent layers.

2.3 Sample Preparation

ICs running secure applications come in various formats—smart card, system-on-chip (SoC), package-on-package (PoP) (the die thickness being 130 μm for smart cards and PoPs due to fitting requirements). However, we reckon that it is possible to extract the die of any circuit at almost no cost: a combination of sharp cutting tools, acids (i.e. HNO3), hot plates and protection equipment [11]. Once the die is extracted, it is possible to easily reach the transistors’ active region using HF acid. This has very interesting features in terms of cost, full area application, speed and required skills, while the technique allows several samples to be prepared at once. There is no need of cross-sectioning, and the technique is independent of the technology node. In this paper, we show how easily one can reach such layer of a circuit, manufactured with a 45-nm process and packaged in a flip-chip ball grid array (FCBGA).

2.4 Sample Imaging

Scanning electron microscopy (SEM) is a standard for imaging deep sub-micron integrated circuits as optical microscopy has a smaller depth of focus and is limited by light diffraction (coating techniques can limit the impact of the latter but requires an extra step and thus variable). Detector type, aperture size, probe current, accelerating voltage, magnification, scanning speed and image resolution can be easily tuned. Despite being less prone to contrast changes compared to optical microscopy, it is worth ensuring that the prepared integrated circuit remains as flat as possible after attaching it with carbon tape, given the large area to be acquired. The SEM only gives a grayscale intensity for each pixel (a certain secondary or backscattered electrons detector count), and the image is thus saved in a single-channel format (saving memory space). There are many parameters to set (mainly accelerating voltage, probe current and time per pixel), impacting acquisition time and signal-to-noise ratio. Here, we particularly point out practical features and considerations, pros and cons of SEM imaging with respect to our application.

2.5 Images Alignment

Newer SEMs include proprietary tools (e.g. ZEISS ATLAS, FEI MAPS) dedicated to large-area acquisition; it is thus easy to scan a specified area with a specific magnification, image rotation, time per pixel (dwell) and image overlap and then have the tool performing the alignment task. Another option (if a SEM without large-area acquisition dedicated software is used) is to directly use SEM APIs to write an acquisition recipe and use offline tools for alignment. Herein, we demonstrate the use of an offline artefact-free alignment tool.

2.6 Pattern Recognition

There has been an attempt to automate or semi-automate integrated circuit reverse engineering in the open-source community, Degate [12]. This software is quite interesting as the user can load images and directly process them. However, we found some limitations in terms of pattern recognition rate, timing performance, adjusting grid lines or loading large images. While we also implement a normalized cross-correlation function [13] as a kernel to recognize patterns, we specifically create a lighter custom tool dedicated to single-layer analysis, fast and robust with respect to possible SEM images (sample preparation and foundry). We propose an algorithm taking into account the possible artefacts arising from previous methodology steps. A single missing pattern could ruin our statistics, and therefore we ensure that no false recognition is obtained with standard pattern recognition algorithms. We are thus able to automatically collect labelled data (error-free) and create a standard cell (single layer) library. This library can be used as it is or be the starting point for multi-sample analysis using machine learning techniques to speed up analysis.

2.7 Statistical Analysis

At the layer of interest, various repetitive shapes are visualized. They correspond to basic functions such as INV, AND, OR, MUX, DEC, half adder, DFF and latch. Having only drain and source remaining on our images, we cannot directly retrieve the function of a standard cell (as poly and M1 layers are missing). Whatever the device type, the number of these base functions is very low (few tens only). Additionally, base functions are split [14] into different instances as the number of inputs, the presence of signal such as reset/clock, the drive strength and different voltage domains (for a SoC) differ. Those instances are each optimally designed depending on speed, power, area requirements and foundry capabilities. The chip designer uses such instances from the design kit to implement all his/her functions (or directly use other IPs), resulting in a chip with about 200kGE (gate equivalent) for a smart card digital logic, versus a SoC with several tens/hundreds millions standard cell occurrences for the logic only. In this paper, the goal is to give a first approach on recognizing cells based on absolute/relative location, number of occurrences, width and shape of pattern within a single chip and between chips.

3 Device Under Investigation

The circuit used for demonstration in this paper is a 9.3×10.4 mm SoC manufactured in a 45-nm technology node and packaged in a FCBGA, the standard for reducing size and increasing speed of a device compared to wire bonding. Within this case study, the main part of interest, the digital logic, is expected to include several millions of standard cells. For information, the typical layer stack (starting from bottom to top) of such devices is the following:

– Silicon substrate (650–850 μm)
– Doped areas (transistors’ drain and source)
– Poly-Silicon (transistors’ gate)
– Stack of 7+ metal layers and dielectrics (ascending about 0.2 to 0.9 μm)
– Passivation: Si3N4/SiO2/Si3N4 (0.6/0.1/0.6 μm)
– Polyimide (5 μm)
– Die bumps
– PCB substrate
– Copper balls

4 Step by Step Practical Implementation

4.1 Frontside Sample Preparation

Under a fume cupboard, we first heat up the complete device on a 400 °C (command) hot plate for a few minutes. Placing a sharp knife under the die, we subsequently detach the die from its package. At this stage, the die comes with Copper balls—we use the same sharp knife to scratch the surface to remove all of them. We perform this until we reach the polyimide layer (Kapton). Due to the hardness of the Kapton material, we do not scratch inferior layers. We can perform some SEM imaging at this stage to visualize the top metal layer (Fig. 1).

If this layer is satisfactory for your reverse engineering application (chip identification, integrity verification), a quick manual polishing (not done in either Fig. 1 images) removes copper residues, while backscattered electrons SEM imaging prevents the visualization of surface scratches (SEM image in Fig. 1).

Fig. 1 At polyimide layer: optical and SEM image at ×600

The Kapton film (polyimide) is now the top layer; it is detached, and dielectric/metal layers are etched away using a 50% hydrofluoric acid (HF) bath (less than 10 min). After the metal layers have been removed, only drain and source implants remain. Samples are first rinsed with acetone, before an ultrasonic bath with deionized water only is used. This perfectly cleans the die surface in less than 10 min. Last but not least, a nitrogen gun is used to avoid any water residues. The sample is, at this stage, ready for imaging. One can note the possibility to obtain the technology node (from 45 nm) with a high magnification SEM image, Fig. 2.

Fig. 2 At drain/source layer: optical and SEM image at ×63k

To sum up the whole sample preparation process, its main benefits are its speed (less than 40 min), cost per sample (few $), whole sample surface application (about 100 mm²), technology node independence (45-65-90-130 nm in this paper), effectiveness (100% success rate) and accessibility (no required skills).

4.2 Frontside Image Acquisition

Regarding the sub-polyimide surface, imaging layer ICs’ features are quite large at the top metal layers. However, using an optical microscope requires a nicely polished surface. Also, the lack of imaging depth of field is problematic for large areas. In fact, SEM remains the most interesting tool for direct imaging (without required signal processing), and this layer needs far less scans due to the top layer geometries. Unless a shield is present, the top metal layer can thus be directly imaged.

In this work, we perform SEM image acquisition at the source/drain layer. We choose a horizontal field width (200 μm) for this sample covering the standard cell fixed height (across the device) by 29 pixels. This choice gives enough pixels to then correctly characterize an inverter (the standard cell with the smallest width). The accelerating voltage is set low to improve image resolution (5 keV). The scanning speed choice is based on a signal-to-noise ratio (SNR) trade-off. This trade-off depends on the subsequent image processing capabilities. We use a standard 3072×2048 image resolution and a 1-μs dwell time (time per pixel) without multiple image integration. Our overnight
scan is a 87×52 image matrix (about 4,500 images), requiring 8.5 h of automatic acquisition. With our practical approach, we noted the following observation:

– Astigmatism can be set at the centre of the device.
– Three focus points (for interpolation) can be taken at three chip sides.
– Contrast/luminosity is a tricky parameter, different secondary electrons re-emission rates (no coating, not uniform in SEM chamber) can be problematic.

Multi-chip acquisition is possible (weekend acquisition for instance), including the possibility to set a focus point for each integrated circuit. The only drawback is the impossibility to set a certain contrast/brightness per chip (against SEM chamber artefact/samples different electron emission rates), Fig. 3.

Fig. 3 Left, Multi-chip acquisition; right, logic area select

Also, using a multi-beam SEM (up to 91 simultaneous beams) would have decreased the acquisition time to less than 10 min. We used a proprietary SEM manufacturer software (additional) to acquire the full area that added a 10% overlay between each image. It individually saves images, but also provides a globally aligned image.

4.3 Image Alignment

The proprietary SEM tool provides a reconstructed whole chip image (142k×159k pixels). Artefacts are present at the images’ junctions (example given with top image on Fig. 4), which negatively impact the subsequent methodology step (pattern recognition).

Fig. 4 Alignment example: SEM manufacturer tool (top) and offline non-proprietary technique (bottom)

As images are also individually saved, we thus move to an offline alternative for alignment. The same set of images has been aligned with this second approach (example image with bottom image on Fig. 4). We are able to align all images together, making compatible large image acquisition and pattern recognition. It only takes several minutes and is completely automated (matrix dimension detection, overlap calculation). Image alignment is still an area of research (mainly for speed concerns) but 2D image alignment problematics have been resolved time ago in other fields such as biology where electron microscopy is also used or standard optical acquisition.

4.4 Image Processing

4.4.1 Standard Cell Statistical Analysis Flow

Pattern recognition is then performed on obtained images. The former is specifically tuned for our task. After automatically checking for preparation/imaging artefacts, patterns are found on the chip along power lines and ranked per size. Standard correlation techniques with multiple iterations loops (with decreasing correlation coefficient) are used to avoid false detection. Information about pattern location, size and occurrences are saved. Then, co-location information combined with computer architecture and technology/tool-specific constraints allow making hypothesis on the retrieved standard cells. The main aim is to ensure that no false positives are obtained with the tool allowing on one side to have non-false positive for statistical purposes but also to obtain a dictionary of error-free patterns.

4.4.2 Enhanced Pattern Recognition Robustness via Artefacts Correction

It is important to understand what could go wrong in the previous preparation steps, in order to adapt the pattern recognition tool accordingly:

– If any tungsten remains on the surface, it will be adjacent to a NMOS/PMOS area, and therefore only
affects the background of the image. Such artefact can thus be easily spotted (based on edge detection).
– Large stains can be present on a circuit (non-cleanroom environment) but can be detected as nothing should be located over the substrate polarization contact (or, in other words, no crossing element between two transistors of the same type).
– Part of a shape can be missing (over etching, as seen in Fig. 5); therefore, the tool checks the presence of NMOS and PMOS components (we cannot have one without the other). If missing, an analysis of the specified area is performed and some filtering enables the retrieval of the original missing shape (as it would still leave a trace in the silicon).

4.4.3 Enhanced Statistical Analysis via Design Rule

The following features, derived from computer architecture standards, need to be taken into account to ensure pattern recognition efficiency and reduce timing impact:

– A small pattern can be part of a larger pattern. One approach is to recognize larger patterns first.
– Patterns are present along power rails; therefore, possible rotations of the pattern are limited. For instance, the PMOS side (usually larger than NMOS) will be located on the positive rail side. Also, the highest correlation points will only be located at the same extremity of the patterns.
– The size of the complete layer has quite a large print, e.g. this 10 × 10 mm die results in a 22.7-GB image (even if grayscale encoded on only 8 bits (1 byte)). We need a clever manipulation of the image (RAM constraint).
– The logic only can be acquired (or another part can be acquired with less resolution; SEMs do not provide this function yet).
– While substrate polarization contacts may not be present in all circuits, background can always be retrieved by analyzing intensity values across the pattern height. For instance, a pattern is found at a location if the intensity (gradient) is not continuous (a change of intensity is found between NMOS drain/source and Si and then between Si and PMOS drain/source).

Figure 5 shows a typical case where a standard cell with a different current drive strength (fan-out) (compared to the selected standard cell) has not been recognized. There are also two standard cells with a partly missing transistor side that are recognized. We expect this behaviour with the aforementioned parameters. We want to be independent of possible within-cells imaging fluctuations or missing substrate polarization contacts.

Fig. 5 A close-up on a pattern recognition example

Combining the number of occurrences (local or full area) of a pattern, their global position, their relative position to each other and their shape, it is possible to classify patterns and make a strong hypothesis on their function. Typically, assumptions can be first made on the pattern width—patterns 1 and 3 are made of 4 to 8 transistors while pattern 2 is made of 20+ transistors. The main difficulties are to recognize the full standard cell and not a subset of it, and slight differences between gates due to the presence of an extra input (e.g. reset/clock/signal) or a different fan-out (larger current to drive) as highlighted on Fig. 6.

4.5 Single-Chip Information Extraction

In this section, we applied the methodology flow on a subset of the fully scanned IC. The image is 11840 × 7536 pixels that corresponds to 0.40% (1/250) of the IC (analog + digital + memory parts). The original SEM image is fully covered with standard cells (and memory blocks). From each initial pattern size and appearances, we can derive the hypothetic number of transistors and the number of inputs/outputs. Using standard image processing, each pattern is associated with a certain number of occurrences, Fig. 7 and co-location information regarding other pattern. The second image output highlights the presence of a given FF/latch design occurrence in a restricted location. Globally, one can make hypotheses on a shape’s function based on:

– The area analysis (e.g. a flip-flop is usually the largest element)
– The number of transistors (e.g. a NAND cell has 4 transistors)
– Localization (e.g. a group of gates next to the memory could be used for deciphering)
– Co-localization (e.g. two groups of cells often linked)
– Occurrences (e.g. 32 spatially close occurrences for a specific 32-bit register or counter (analyzing the shape too), or 64 spatially close occurrences for a XOR-based ciphering circuit)
– Global number of occurrences in the chip
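
The recognition loop of Sections 4.4.1 and 4.4.3 (larger patterns first, scanning only along power rails, strict then relaxed correlation passes) can be sketched as follows. This is an added example, not the paper's tool: the 4-pixel cell height, the pixel values of the INV and DFF templates, the test image and the 0.99/0.95 thresholds are all constructed for illustration.

```python
"""Added example: rail-constrained, multi-pass NCC matching on a constructed image."""
from math import sqrt

CELL_H = 4  # constructed standard-cell height in pixels (the paper's scan uses 29)

# Constructed drain/source templates: rows 0-1 PMOS, row 2 bare Si, row 3 NMOS.
TEMPLATES = {
    "INV": [[0, 9, 0],
            [0, 9, 0],
            [0, 0, 0],
            [0, 6, 0]],
    # The left three columns of this wider cell are identical to INV.
    "DFF": [[0, 9, 0, 9, 9, 9, 0],
            [0, 9, 0, 9, 0, 9, 0],
            [0, 0, 0, 0, 0, 0, 0],
            [0, 6, 0, 6, 6, 6, 0]],
}


def hconcat(*blocks):
    """Join same-height pixel blocks side by side (one rail band)."""
    return [sum((b[r] for b in blocks), []) for r in range(CELL_H)]


def build_image():
    """Two rail bands of cells; one INV has a weakened NMOS area (over-etching)."""
    inv, dff = TEMPLATES["INV"], TEMPLATES["DFF"]
    fill = [[0, 0] for _ in range(CELL_H)]
    weak = [row[:] for row in inv]
    weak[3][1] = 3  # degraded NMOS signal, still the same cell
    return hconcat(inv, dff, fill, weak) + hconcat(dff, inv, inv, fill)


def ncc(image, tpl, top, left):
    """Zero-mean normalized cross-correlation of tpl with one image window."""
    win = [image[top + r][left + c]
           for r in range(len(tpl)) for c in range(len(tpl[0]))]
    ref = [v for row in tpl for v in row]
    mw, mr = sum(win) / len(win), sum(ref) / len(ref)
    num = sum((w - mw) * (t - mr) for w, t in zip(win, ref))
    den = sqrt(sum((w - mw) ** 2 for w in win) * sum((t - mr) ** 2 for t in ref))
    return num / den if den else 0.0  # flat background correlates with nothing


def recognise(image, templates, thresholds=(0.99, 0.95)):
    """Return [(name, band, col, threshold)] with no overlapping detections."""
    width = len(image[0])
    claimed = [[False] * width for _ in range(len(image) // CELL_H)]
    hits = []
    # Larger patterns first, so a small cell is never reported inside a big one.
    for name in sorted(templates, key=lambda n: -len(templates[n][0])):
        tpl = templates[name]
        w = len(tpl[0])
        # Strict pass first; the relaxed pass only sees pixels still unclaimed.
        for thr in thresholds:
            for band, row_claimed in enumerate(claimed):
                scored = []
                for col in range(width - w + 1):
                    if any(row_claimed[col:col + w]):
                        continue
                    score = ncc(image, tpl, band * CELL_H, col)
                    if score >= thr:
                        scored.append((score, col))
                for score, col in sorted(scored, reverse=True):
                    if not any(row_claimed[col:col + w]):
                        row_claimed[col:col + w] = [True] * w
                        hits.append((name, band, col, thr))
    return sorted(hits, key=lambda h: (h[1], h[2]))


def occurrences(hits):
    """Occurrence count per pattern, the first statistic SCSA works from."""
    counts = {}
    for name, *_ in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    found = recognise(build_image(), TEMPLATES)
    for hit in found:
        print(hit)
    print(occurrences(found))
```

Running `recognise` with only the INV template reports an inverter inside each flip-flop, which is the false detection the larger-first ordering removes.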

Fig. 6 Differences over similar 20+ transistors standard cells

Subsequently, an area with possible XOR gates, large quantities of possible NAND gates and possible DFF gates may be the hint for a crypto coprocessor location (e.g. DES). The presence of ‘rare’ occurrences standard cell in a limited area may indicate the presence of a crypto coprocessor too. Post pattern recognition, it is possible to display occurrences of pattern that appear everywhere before moving to an empty area to visualize recognized pattern.

For some circuits such as the processor under investigation, motherboard manufacturers require information on the processor; a datasheet is thus made public. Using the latter, one can thus assume a certain number of 8-/16-/32-bit registers or a certain function being in a certain area (based on registers description and ballout definition respectively) or a certain number of expected core registers or specific function registers (each FF will be next to the other, timing constraint) present in a certain voltage domain (possible thick pwell). For some circuits, it is a complete black box approach despite knowing the general architecture of the device (e.g. ARM based) or accessing public documents (e.g. public parts of certification results). Unfortunately, the complexity of the circuit does not permit to continue further statistics on the chip.

In the following, we discuss how practical it is to use standard cell statistical analysis outputs (text, file or graph format) for the two main aspects of this paper: precise laser fault attacks and hardware trojan detection.

Fig. 7 Single round recognition of respective pattern (top left to bottom right)

5 Single-Cell Localization Direct Applications

5.1 Spatial Information for Laser Setup

Despite the main sample of the study being a 45-nm technology node SoC, we note that a single standard cell (several μm²) can be perturbed at once. Indeed, the laser beam has a Gaussian shape, a spot diameter of a μm and an easily controllable energy (duration by power) reaching the area of interest [16]. This single-layer reverse engineering will help to place the laser spot at the area we are interested in. Symmetrically, we can first launch a laser fault attack to then analyze the situation using the underlying hardware structure. However, if a secure device is attacked this way, detectors might detect the intrusion leading to extra consideration to be taken for the attack (e.g. remove power before sensitive data erase). One can also think about the potential of such an approach together with photon counting techniques (specifically without timing capabilities, e.g. only a CCD camera is used).

5.2 Spatial Information for Integrity Checking

Another use case is a fabless chip designer/manufacturer (or anyone with a design reference) that would like to analyze the integrity of its components at wafer reception. The success rate of such technique is only dependent on the
8 J Hardw Syst Secur (2020) 4 :1–10

Fig. 8 Backside imaging of a


45-nm SoC active region
through a thin remaining Si
layer using secondary (left) and
backscattered detectors (right)

sample preparation/pattern recognition process as there is actually be set to obtain an interesting beam/matter interac-
no triggering element. The standard cell statistical analysis tion. In Fig. 8, we show in practice that it is possible to look
can be applied on a defective device coming from a lot through a thinned Si substrate using backscattered electrons.
(or a defective die taken from a wafer) to no affect cost In Fig 9, we show in practice the capability to visualize
and yield. The correlation is made by comparing the list of various layers of a component backside prepared. The
standard cells physically extracted using our methodology preparation is a mix of polishing (standard polishing) and
and a design output file. Specifically, this could be done wet etching (choline hydroxide) resulting in a fast and
with the Design Exchange Format (DEF) file, where each low technique. Long wet etching is also a possibility if edges
gate instance is listed with its XY position. A DEF file are kept intact (protection needed). The sample preparation
does not include proprietary inner standard cell information, can also be modified to reveal dopant level or type (e.g.
hypothetically more compliant. KOH).
Part of our approach and obtained data can be used as
5.3 Extending Scanning Electron Microscopy Use a starting point for machine learning–based (convolutional
neural networks) fast pattern recognition, as our data is
To complete investigations done at FPGA level [17], it labelled with no false positives. In this paper, we choose
is thus interesting today to look for low-cost approaches a frontside destructive approach. It would be obviously
enabling to retrieve such layers over the complete area of a more interesting to perform standard cell analysis from
circuit. It can start with a frontside wet etching adaptation the backside of the device in a non-invasive way. Laser
(change in HF formula for instance) to a backside infor- scanning microscopy has been used in the past and would be
mation extraction with combined polishing/wet etching an interesting method to compare with (thinning required,
methods. Various imaging parameters (laser/ebeam) can setup, cells distinction (fan-out)).

Fig. 9 0.35-μm circuit imaging using a backscattered electrons (BSE) detector

Fig. 10 Two different generations of a similar 65-nm SoC at active

6 Perspectives and Opening

6.1 Chip to Chip Analysis, Different Process Analysis

So far, we depict the different steps for standard cell statistical analysis with few examples on a 45-nm chip. The low cost and quick data extraction make it possible to perform reverse engineering at a different scale than previously seen in the literature. The idea is to compare multi-chip analysis to extract design information from new function implementation to countermeasure analysis. The best approach would be to begin with smaller and better known integrated circuit (fewer standard cells, more design information available, single core, single voltage, physically accessible chip on board). Figure 10 displays 65-nm devices, anterior version of the main product (45nm) used in this article. The general idea is to be able to retrieve direct information from an already analyzed integrated circuit.

6.2 Machine Learning Framework

Machine learning is ideally used for prediction and requires some training data. It particularly makes sense to use it for domains where time is the main criterion (speech recognition). The first concern is to be able to reach the same level of detection while drastically reducing the recognition processing time. Retrieved shapes with standard correlation technique are used as an error-free dictionary to build up the machine learning model. It would be interesting to evaluate such a framework in terms of error rate but also for denoising microscopy images. The latter could resolve low-resolution images and further reduce methodology time (scanning). It would be interesting to propose and share a SEM image benchmark or an online tool where test images can be loaded and analyzed according to a specifically trained model.

6.3 Countermeasures

The main interest of partial reverse engineering is its possible application on multiple circuits, thus giving more data to be compared with, even in a black box approach, to assess countermeasures/extract design information. When designing a circuit for secure applications, countermeasures against reverse engineering first appeared in the set of required features, and so before fault attack countermeasures. There are proprietary countermeasures at the active/poly/via/metal1 layers that hide the functionality of a component, ranging from non-through vias to dummy cells and programmable logic using local oxide breakdown [18], which are used by the pay-TV, telecommunications and smart card industries [19]. Most countermeasure techniques are based on principles such as logic-locking [20] and netlist/physical obfuscation (doping, dummy via/cell, oxide breakdown, electric charge) [21].

The idea behind our technique is to analyze how the distribution of standard cells contributes to design information extraction (and to authenticity verification too). In future work, it will be interesting to characterize IC camouflaging protection with our tool for multiple reasons. IC camouflaging is typically not applied on the entire die. Also, it would be interesting to combine in practice aforementioned statistics and local attacks. Common Criteria (CC) attack classification would be affected if fewer samples, less expertise and less time are required.

Fig. 11 Similar product (90nm, 130nm) from two different IC manufacturers

Last but not least, after applying our methodology on different components, we actually found a single sample (90nm, smart card industry) that is quite different, having regular patterns (Fig. 11). We found out that this device is metal-only programmable [22]. This would be a countermeasure by design to drain/source-based reverse engineering; it would, however, be interesting to characterize design capability (low power, high gate density) and robustness against other types of attacks (e.g. side channel).

7 Conclusion

An alternative to high-cost reverse engineering is presented and applied on a commercial 45-nm SoC. This is a first step towards automatic partial design information extraction. The methodology includes any package die extraction, drain/source layer access and SEM imaging, pattern recognition and a new approach called standard cells statistical analysis (SCSA). We particularly characterize each step of the methodology and point out the low cost and time resources needed to start partial reverse engineering investigations. Single-layer reverse engineering mainly addresses combined attacks (such as EM observation/perturbation and laser fault attacks) and malicious hardware modification detection problems.

Acknowledgments Dr Franck Courbon is an Early Career Fellow jointly funded by The Isaac Newton Trust and The Leverhulme Trust under the agreement ECF-2017-606.

Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

References

1. Randy T, Dick J (2009) The state-of-the-art in IC reverse engineering. CHES
2. Advanced IC reverse engineering techniques: in depth analysis of a modern smart card, Blackhat 2015
3. Harrod B (2016) Rapid analysis of various emerging nanoelectronics (RAVEN)
4. Holler M, Guizar-Sicairos M, Tsai EHR, Dinapoli R, Müller E, Bunk O, Raabe J, Aeppli G (2017) High-resolution non-destructive three-dimensional imaging of integrated circuits. Nature 543:402–406
5. Principe EL, Asadizanjani N, Forte D, Tehranipoor M, Chivas R, DiBattista M, Silverman S, Marsh M, Piche N, Mastovich J (2017) Steps toward automated deprocessing of integrated circuits. ISTFA
6. Nanoscale X-ray tomosynthesis for rapid assessment of IC dice, Richard Lanza AIDA-2020 meeting, 2018
7. Vasselle A, Thiebeauld H, Maouhoub Q, Morisset A, Ermeneux S (2017) Laser-induced fault injection on smartphone bypassing the secure boot FDTC
8. Champeix C, Borrel N, Dutertre JM, Robisson B, Lisart M, Sarafianos A SEU sensitivity and modeling using picosecond pulsed laser stimulation of a D Flip-Flop in 40 nm CMOS technology. In: 2015 IEEE international symposium on defect and fault tolerance in VLSI and nanotechnology systems (DFTS)
9. Nohl K, Evans D, Starbug S, Plötz H (2008) Reverse-engineering a cryptographic RFID tag. Usenix
10. Courbon F, Loubet-Moundi P, Fournier JJA, Tria A (2014) Increasing the efficiency of laser fault injections using fast gate level reverse engineering. International Symposium on Hardware-Oriented Security and Trust, HOST
11. Beck F (1998) Integrated circuit failure analysis: a guide to preparation techniques
12. Schobert M (2009) http://www.degate.org/
13. Lewis JP (1995) Fast normalized cross-correlation
14. Faraday Technology Corporation, 90 nm Logic SP-RVT (Low-K) Process
15. Hatami N, Gavet Y, Debayle J (2017) Classification of time-series images using deep convolutional neural networks
16. Courbon F, Loubet-Moundi P, Fournier J, Tria A (2014) Adjusting laser injections for fully controlled faults
17. Rajendran J, Sam M, Karri R (2013) Security analysis of integrated circuit camouflaging, CCS
18. Cocchi R Camouflage circuitry and programmable cells to secure semiconductor designs during manufacturing. In: 2015 National Aerospace and Electronics Conference (NAECON)
19. Inside Secure accelerates strategy in Silicon IP business with SypherMedia acquisition, 7th November 2017
20. Yasin M, Sinanoglu O (2017) Evolution of logic locking, VLSI-SoC
21. Chakraborty RS, Bhunia S HARPOON: an obfuscation-based SoC design methodology for hardware protection
22. https://www.baysand.com/technology/mcsc-foundation-technology

Publisher’s Note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
