So our next presentation is Key Extraction Using Thermal Laser Stimulation: A Case Study on the Xilinx UltraScale FPGAs. This was authored by Heiko Lohrke, Shahin Tajik, Thilo Krachenfels, Christian Boit and Jean-Pierre Seifert, and it will be presented by both Heiko Lohrke and Shahin Tajik. Okay. There are 600 seats here, so nobody should have to stand, but maybe make sure that if there's an empty space next to you, you compress so that there are more places for people to get in and actually sit down. There are lots of people in the back who by now probably have sore legs, but there's no reason for that. We have plenty of open seats here. Okay.

Thanks for the introduction. I'm Heiko Lohrke. I will give the first part of this talk and later Shahin will give the second part, and we'll actually talk about the case study that we did using a technique called thermal laser stimulation to extract keys from FPGAs. I will first give some background.

On FPGAs you start the device by configuring it, and if you implemented something on your FPGA, usually that contains IP or other secrets that you want to hide from an attacker. Since the FPGA has to load that data when it boots or when it starts, an attacker could actually eavesdrop on that communication, because it's loaded externally. The solution to that is bitstream encryption, which is what I will now give you a quick background about.

Bitstream encryption works in the following way. You generate a key, and this key is then transferred into the FPGA, into some sort of key memory. In the case of the board that we've used there are two options to save the key: eFuses, which we will not discuss, and BBRAM, which is short for battery backup SRAM. So that's a very low-power SRAM that uses a backup battery to keep the key in memory when the device is powered off. So then you have your key in the FPGA, and then you take your design which you want to protect.
You also encrypt it in the trusted field, and then you put this encrypted configuration file into non-volatile memory. Then in the untrusted field you can start your board. The FPGA will load the encrypted bitstream data from non-volatile memory, will decrypt it, and then it can use the plaintext bitstream to configure itself, and then it will boot or run your implementation, or whatever you wanted to put on your FPGA.

Now what we will be looking at is this key storage, and we will use thermal laser stimulation, which is a technique that is usually used in failure analysis. Thermal laser stimulation works in the following way. The idea is that you use a laser that has mainly thermal interaction, in this case 1.3 micrometer wavelength, and you scan the silicon die of your chip in a setup similar to this. So this is the silicon surface, and you use your laser to scan over this device, and this will introduce localized heating into the structures inside the silicon die. At the same time you have your power supply and you measure the current that is drawn from the power supply. The laser beam will actually influence things like your leakage current and similar parameters in your device, and you can then measure that. This current amplifier generates a voltage signal from the current consumption of your device while you are scanning the device with the laser, and you sample that signal. This allows you to later use the samples that you have acquired synchronously with the laser scanning process, and that will give you a 2D map of the reaction of this device to the laser stimulation; that is what we call a stimulation response map.

Now how can you use this stimulation response map to read out SRAM cells? As I said, the key memory is just a low-power SRAM with a battery backup. For that we first need to understand how a single transistor behaves under thermal laser stimulation. This is a cross-section of a MOSFET transistor.
We are using in this case a laser beam to heat the drain of the transistor, as an example, and this will create a thermal gradient, and because of the dissimilar materials you will get an effect that generates a Seebeck voltage. If this transistor is on, you have a conducting channel here, and the Seebeck voltage will act as a voltage source here. So you basically get a voltage source which is connected between drain and source of the transistor in the moment when you hit it with the laser.

Now for an SRAM cell, the basic memory element is a cross-coupled inverter pair which consists of four transistors, and to explain this process on the SRAM cell I will first start with a simpler example, which is just two inverters. Assume we have a high input here; that means this PMOS transistor is off and this NMOS transistor is on, and this will pull this output to ground. But if we shine the laser on this transistor we will generate a small voltage here which will influence the output voltage, and this output voltage is connected to the next inverter. Because the output voltage changes, the gate input of these two transistors changes. This transistor is already on, so there's not much happening here, but this transistor is off, and now we slightly increase the gate voltage using the thermal laser stimulation. This means this transistor turns on very slightly, and since we have the supply voltage here, an already-on transistor here, and now a transistor that is coming on just a little, that is decreasing its resistance just a little bit, we get a leakage path from here to ground. So if we hit this transistor, we will see an increase in current consumption, or in leakage current.

Now to get an SRAM cell, to get a cross-coupled inverter as the memory element of an SRAM cell, you just connect this output to this input, and then you can see that the cell will keep one of two states; that is how you save a bit, and it then looks like this.
So this is basically the same circuit, just with the output connected to the input, and this is the situation that I've just explained. If you stimulate this part, you will influence this transistor and get a leakage current here, but because the cell is symmetrical you will have the same here: if you stimulate this transistor, you influence this output, and then you will get a small leakage current through the left side of this cross-coupled inverter. Now the interesting thing is, if you change the bit in this cell, all transistors will switch their state. This means that these sensitive spots will also switch their position. So if you scan this cell with this bit set, you will see an increase in current consumption if you hit these transistors, and if you grayscale-encode your stimulation response map you would expect something that has increased current in the top right and bottom left corner, and these two corners will just not react to the stimulation. But now if you switch your bit state, all the transistors switch to their inverted state, so this also means that your stimulation response map will change to its inverted state. So if you take a look at the thermal laser stimulation response map, you can deduce from the pattern which bits are saved in this memory cell. We will try to use this to read out the SRAM memory that stores the key.

Now for our experimental setup we used an Avnet Kintex UltraScale development board. The UltraScale FPGA is built in 20 nanometer technology, and as you can see here it's a flip chip with an exposed silicon die, so there's no preparation necessary. We just soldered a connection to the backup battery, and for the laser part we use a Hamamatsu PHEMOS with 1.3 micrometers, and the setup is like this.
We have a laser scanner which moves the laser beam over the BBRAM, over the key memory, and at the same time we measure the current consumption at the backup battery port, and we do this while the FPGA is powered off. So the key memory is only supplied by the backup battery, which we have replaced with this current amplifier, and this then allows us to measure the current consumption during laser stimulation. We acquire this simultaneously with the scanning process, and that will give us the 2D map. Now Shahin will present the results. Thank you.

So now let's take a look first at the Xilinx Kintex UltraScale chip in its package. As you can see in the picture, it's a flip chip, as Heiko mentioned, so basically that means that we have access to the silicon on the backside of the chip directly, so we don't really need to do any polishing or thinning. This means that if you put this flip-chip package under our laser scanning microscope with the 1.3 micrometer laser, we can directly get a reflected image like this of the whole die from the backside, and the whole active region is visible to us. Now the question is where we should search for the key, so where is the BBRAM that is actually our main target. If you look more closely, you can see that we have a lot of regular structures on this die, which are actually related to the configurable logic blocks of the FPGA, and on the bottom part, which we highlighted with the red line, you see some irregular structure. If you check it with the floorplanner in the Xilinx IDE software, you can assume that this area is actually related to the configuration logic, which is responsible for decryption, for authentication and for distributing the bitstream all over the FPGA. Now let's zoom into this area, and we see this.
Still we don't know where the memory is, or where the key storage is, where the AES is and so on. In this case we are interested only in the BBRAM. Now we are starting our experiment with the laser stimulation, and we take a look to see how this area reacts to the stimulation experiments. After stimulating with the laser you see two structures, which we highlighted in yellow; they are reacting to our stimulation. So basically what we have done: the laser scans this area and we monitor the changes in the current on the battery line, and only when the laser hits these two structures do we see changes on the battery line. Now let's zoom in. In the first experiment we actually set a random key inside the BBRAM and then we did our laser stimulation experiment. Again we see these two structures, and then in the second phase we deactivated the BBRAM, so the right structure goes off. From this we understood, okay, the right structure should be the battery-backed RAM which we are searching for. Please note that in all of our experiments the FPGA was powered off. So we just need to stimulate and then measure the current changes on the battery line.

Now let's take a look at the BBRAM itself. I should mention that this is not a reflected image. Basically this pattern that you see is the changes in the current on the battery line, which we mapped to a 2D pattern, right? So it looks like an image, but it's actually the changes in the current on the power line, and the bright areas are the areas in the configuration logic and in the BBRAM which are reacting to the laser stimulation. So actually you see from this pattern that from the geometrical shapes we can read out the memory content, but we still don't know how the physical address versus logical address looks on this.
Therefore we did a few experiments. For example, in one of them, as you see on the right side, we programmed one of the bits of the BBRAM to one and then we shifted it eight times. Then we measured eight times also, and we created this animation, where as you can see the bit is moving from left to right. We found out that physical address and logical address are actually the same on this device. In another experiment we set all the bits of the BBRAM to one and to zero, and as you can see almost all cells are changing, so the pattern will be changed. Now the question is, is it possible to get the real key? I mean, visually, with our eyes, we can extract the content, but can we do it automatically? And the answer is yes. Basically what we need to do: we only need to have, on the bottom, a reference image where you have a BBRAM with a zeroized key, so every bit is set to zero, and then you get a pattern from your TLS experiment which contains your target key. Then what you need to do is subtract them, so we developed a Python image processing tool that does that for us, and automatically you can recover the 256-bit key which is used for AES to decrypt the bitstream.
Now I would like to conclude the talk. I would like to mention that the required effort for the attack development was less than seven hours, which was also surprising to us; it was really low. I should mention that this was a case study on Xilinx chips, but this is applicable also to other SRAM-based FPGAs, like Intel FPGAs, which also use BBRAM. In principle it can also be applied to any SRAM, but we haven't tried that yet; for example, if you have another FPGA with an SRAM part or something like that, in principle it should work. Another thing that I would like to mention is that this attack, as you can imagine, is much cheaper than other optical attacks that have already been proposed in the literature, like optical contactless probing or photon emission, which makes this attack even more threatening, and we should consider it really carefully. The third thing, as I mentioned, is that in all of our experiments the FPGA was powered off, which means already implemented side-channel countermeasures, during configuration or during runtime, cannot help. So we need to come up with some new solutions which work also when the FPGA, or when the chip, is powered off, and if we have some countermeasure circuit it should also be able to work with a battery without draining too much power from that. Thank you for your attention. Any questions?

Thank you very much for the excellent talk. Just for clarification, did I get that correctly, you did not decapsulate?

No, we didn't. If you have a modern flip-chip device, that's also a question we get a lot: this is already the silicon. Oh, so it was like that before, like on older CPUs; maybe some of you remember that it already looked like this. But I also didn't know, before I came to this field, that this is actually the silicon, and then you just laser-engrave your markings into the silicon, and that's why you can actually still see them here.

Yeah, okay. And then my other question: isn't your laser spot quite large relative to the structures that you're heating up? Isn't that a problem?

This is 20 nanometer technology, but, as I think most people who do design know, and a common misconception for people who do not do design, 20 nanometer doesn't mean that your transistors are 20 nanometers. The transistors are as large as the designer chooses them to be, and that depends on what the transistors have to do. In this case we have one micron resolution, and the cells are large enough to be analyzed with that although it's 20 nanometer technology. So you can see here, that's 40 micrometers, so these cells are something like two or three microns squared. That is also a design constraint, because this has to be low power, it has to operate on a battery for 10 years; you can't do minimum-size SRAM cells for that because they will leak.

And then, yeah, so you didn't have any problems that you're heating more than one cell?

No, I mean, these are actually individual cells, right? This is one cell, and you can see that we even have some headroom.

Okay, okay, excellent, thank you.

Quick question. I had a question here: for this particular packaging you didn't have any thermal interface material on the top to spread the heat? Like normally, you know, in many devices you will have some kind of thermal spreader.

You mean like a heatsink?

Yeah, right.

And I guess your question is whether that would be a problem if we had that?

Yeah, yeah.

We didn't have it in this case because we need to get the laser in, but that is also not a problem, because you have to remember, when we're doing this attack the device is completely powered off, so it can't generate any heat if it's powered off. The only thing that is on is the battery to supply the SRAM, so you're free to remove the heatsink.

Okay, that's great, thanks. Thank the speaker again.
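To make the read-out mechanism described in the talk concrete, here is an added toy simulation of the stimulation response map and of the reference-subtraction step. It is illustration code written for this transcript, not the speakers' Python image-processing tool and not code from the talk. The cell geometry (32 cells per row, 4x4 scan pixels per cell), the noise level and the key-independent background are constructed assumptions; only the qualitative behaviour follows what the speakers explain: each cross-coupled inverter has two diagonally opposite sensitive spots, the diagonal that reacts depends on the stored bit so that 0 and 1 give inverted patterns, physical and logical addresses coincide, and a map taken with a zeroized key is subtracted from the map taken with the key loaded.

```python
"""Toy model of reading a battery-backed SRAM (BBRAM) key from thermal laser
stimulation (TLS) response maps. Added illustration, not the authors' tool.
Geometry, pixel size, noise and background are constructed assumptions."""
import random

KEY_BITS = 256
CELLS_PER_ROW = 32               # assumption: 32 cells per row, 8 rows
ROWS = KEY_BITS // CELLS_PER_ROW
PIX = 4                          # assumption: one cell = 4x4 laser-scan pixels
HALF = PIX // 2


def on_one_diagonal(y, x):
    """Pixels of the top-right / bottom-left sub-blocks of a cell: the spots
    that draw extra current when the cell stores a 1 (the talk's example)."""
    top, right = y < HALF, x >= HALF
    return (top and right) or (not top and not right)


def cell_response(bit):
    """PIX x PIX current-change pattern of one cell (1.0 = reacts to the laser).
    Flipping the bit swaps every transistor's state, so the pattern inverts."""
    return [[1.0 if on_one_diagonal(y, x) == bool(bit) else 0.0
             for x in range(PIX)] for y in range(PIX)]


def response_map(key_bits, rng, noise=0.15):
    """Synthetic stimulation response map (current change per pixel, a.u.).
    A constructed, key-independent background models neighbouring logic that
    also reacts; measurement noise is Gaussian."""
    h, w = ROWS * PIX, CELLS_PER_ROW * PIX
    img = [[0.0] * w for _ in range(h)]
    for i, bit in enumerate(key_bits):
        r, c = divmod(i, CELLS_PER_ROW)       # physical address == logical address
        blk = cell_response(bit)
        for y in range(PIX):
            for x in range(PIX):
                img[r * PIX + y][c * PIX + x] = blk[y][x]
    for y in range(h):
        for x in range(w):
            background = 0.5 * (x + y) / (w + h)  # constructed slow gradient
            img[y][x] += background + rng.gauss(0.0, noise)
    return img


def subtract(target, reference):
    """Difference image: removes everything that does not depend on the key."""
    return [[t - r for t, r in zip(tr, rr)] for tr, rr in zip(target, reference)]


def difference_map(key_bits, seed=0):
    """Scan once with a zeroized key (reference), once with the key loaded
    (target), and subtract."""
    rng = random.Random(seed)
    reference = response_map([0] * KEY_BITS, rng)
    target = response_map(key_bits, rng)
    return subtract(target, reference)


def decode_key(diff):
    """Per cell, sum the 'one' diagonal minus the 'zero' diagonal of the
    difference image. Against a zeroized reference a stored 1 scores about
    +PIX*PIX (its diagonal gained current, the other diagonal lost it) and a
    stored 0 scores about 0; the threshold sits halfway between."""
    bits = []
    for i in range(KEY_BITS):
        r, c = divmod(i, CELLS_PER_ROW)
        score = 0.0
        for y in range(PIX):
            for x in range(PIX):
                v = diff[r * PIX + y][c * PIX + x]
                score += v if on_one_diagonal(y, x) else -v
        bits.append(1 if score > PIX * PIX / 2 else 0)
    return bits


def recover_key(key_bits, seed=0):
    return decode_key(difference_map(key_bits, seed))


def random_key(seed):
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(KEY_BITS)]


def ascii_cells(diff, first, count):
    """Render `count` cells of the difference image as text, the way the talk
    reads the pattern by eye: '#' gained current, '.' lost, ' ' unchanged."""
    rows = []
    for y in range(PIX):
        line = ""
        for i in range(first, first + count):
            r, c = divmod(i, CELLS_PER_ROW)
            for x in range(PIX):
                v = diff[r * PIX + y][c * PIX + x]
                line += "#" if v > 0.5 else "." if v < -0.5 else " "
            line += "|"
        rows.append(line)
    return "\n".join(rows)


if __name__ == "__main__":
    key = random_key(42)
    recovered = recover_key(key, seed=7)
    print("key recovered:", recovered == key,
          "bit errors:", sum(a != b for a, b in zip(key, recovered)))
    print("first 8 bits:", key[:8])
    print(ascii_cells(difference_map(key, seed=7), 0, 8))
```

The subtraction is the important step from a defender's point of view: the gradient background and anything else that does not depend on the key cancels out, so only the cell-state-dependent diagonals survive, and the per-cell score separates 0 from 1 with a wide margin at this noise level. Since the whole measurement is taken on the battery line with the device powered off, a countermeasure that only runs during configuration or at runtime never participates in this model; a protection would have to change the unpowered cells' response itself, which is the gap the speakers point out at the end of the talk.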