HK1129772B - Chip attack protection - Google Patents
Description
Technical Field
The present invention relates to protecting chips from attack, and in particular to protecting chips from attack through the chip substrate.
Background
By way of introduction, security chips are vulnerable to attacks on the physical structure of the chip. In particular, attackers seek to modify circuits to obtain information stored in the chip and/or to change the operational characteristics of the chip to characteristics that are advantageous to the attacker. Attacks are typically in the form of probing, and more recently Focused Ion Beam (FIB) modification. Interconnect traces and other circuit elements can be interrogated or signals injected into them. The circuit may be rerouted to be damaged or discarded. There are many possible attacks that depend on physical modification.
The most common defense against attacks is the use of shields.
Passive shields are typically effective in preventing observation of the circuit and making attacks more time consuming. However, the passive shield can be removed without affecting the operation of the device. Passive shields are typically constructed of the upper layers of metal interconnects in a multilayer circuit. However, in passive shields, gaps in the shield are not detected.
The active shield looks similar to the passive shield. However, gaps in the active shield are typically detected and often result in damage to the chip. Circumventing active shields is possible, but doing so is typically more difficult and time consuming, and is generally limited to a small number of small select areas of the chip under attack. Sophisticated knowledge and experience are generally required for an attack on an active shield to succeed.
Reference is now made to FIG. 1, which is a cross-sectional view of a chip 10 being subjected to a Focused Ion Beam (FIB) backside attack. A new form of FIB attack has emerged in which the attack is made not through the front side 12 of the chip 10, but through the silicon substrate via the back side 14 of the chip 10. This new form of attack is commonly referred to as a FIB backside attack. FIB backside attacks have evolved from the need to use FIB to perform circuit modifications on flip-chip devices or on the lower metal layers of multilayer stacked chips. For example, for chip designs having seven or more layers, it is easier to reach the lower metal layers via the back side 14 than to drill through many interconnect layers from the front side 12. A typical attack is described below.
The chip 10 is reverse engineered to reveal the layout of the chip 10 and to identify the points of the chip 10 to attack. Based on the attacker's experience, the attacker typically selects useful circuit nodes that can give the secret information needed to break the chip 10.
The chip 10 is then typically removed from the package (not shown) and preferably mounted such that the chip 10 operates normally. The preferred means of providing power and operating signals is in the form of a plurality of wire bonds 16.
The die 10 is typically thinned from the reverse side 14 to about 50 or 100 microns using physical grinding techniques.
Deep grooves 18 are typically milled from the reverse side 14 in the area where attack is to occur. The chip 10 is locally thinned to a few microns (3-10 microns) and thinning is stopped just before the active device (implanted doped well) is reached. The thinned lateral area is typically in the range of 50-200 square microns.
A thin insulating layer is typically deposited in the deep trench 18 and various navigation techniques are applied to find the exact location of the attack.
Milling typically continues down to a plurality of individual traces 20 of the chip 10. A plurality of metal contacts 22 are typically deposited on the individual traces 20 for use in the attack process. The traces 20 may then be measured for secret data content or severed to damage portions of the circuit.
An active shield (not shown) is typically used to protect the front side 12 of the chip 10 from attack. However, it is particularly difficult to place an active shield on the reverse side 14 of the chip 10 to prevent an attack through the reverse side 14 via the substrate. The main difficulty is due to establishing communication between a processor (not shown) on the front side 12 and the shield on the back side 14. Communication is required so that an attack on the back side 14 results in the turning off of the chip 10, which is typically performed by a processor on the front side 12. The shield on the back side 14 must typically be connected to the processor on the front side 12 through the chip 10 using vias (not shown). Vias are thus apparent and vulnerable to attack, for example, but not limited to, by shorting the vias or by signals mimicking active shielding. In addition, the vias typically need to be very deep into the chip 10, thereby making the fabrication of the backside shield very difficult. Furthermore, the fabrication of vias is generally incompatible with current processing techniques.
The following references are believed to represent the state of the art:
et al, U.S. published patent application 2001/0033012;
PCT published patent applications WO 01/50530, et al;
an article entitled "Aligned room-temperature bonding of silicon wafers in vacuum by argon beam surface activation" by Hideki Takagi and Ryutaro Maeda in the Journal of Micromechanics and Microengineering, published by Institute of Physics Publishing, UK, on pages 290-295 of volume 15; and
an article by Anders Hanneborg, Martin Nese and Per entitled "Silicon-to-silicon anodic bonding with a borosilicate glass layer" on pages 139-144 of volume 1 of the Journal of Micromechanics and Microengineering, published by Institute of Physics Publishing, UK.
The disclosures of all of the above references and throughout this specification, as well as all of the references described in those references, are hereby incorporated by reference.
Disclosure of Invention
The present invention seeks to provide a system and method for protecting a secure microprocessor on both sides from attack.
Three preferred embodiments are briefly described in the following. A preferred embodiment of the invention uses active circuitry disposed on the back side of the chip in wireless contact with the front side of the chip. Another preferred embodiment of the invention uses passive circuitry disposed on the reverse side of the chip in wireless contact with the front side of the chip. Yet another preferred embodiment of the present invention includes two chips connected back-to-back to provide mutual protection. These three examples are described in more detail in the following summary of the invention and in the detailed description of the invention.
According to a preferred embodiment of the invention, the protection system preferably comprises two circuits, a front side circuit disposed on the front side of the chip and a back side circuit disposed on the back side of the chip. Each circuit typically includes an antenna. The back side circuit preferably includes shielding means to shield the back side of the chip. The front side circuit preferably transmits an AC signal via its antenna to the back side circuit, thereby providing power to the back side circuit. The signal received by the back side circuit is typically rectified. The rectified signal is typically used to power a verifier that verifies the integrity of the shielding means. If the shielding is intact, an echo signal is typically sent via the antenna to the front side circuit. A breach in the shielding generally causes a change in, or cessation of, the echo signal. The signal analyzer in the front side circuit preferably detects a breach in the shielding means based on the change in, or cessation of, the echo signal. The chip controller in the front side circuit typically performs an action on the integrated circuit, such as a chip reset, in response to detecting a breach.
According to the most preferred embodiment of the invention, the back side circuit is implemented using only passive components. The use of passive components makes communication, as commonly understood, impossible. However, communication can still be achieved, for example by implementing the back side circuit as a resonant circuit responsive to signals transmitted by the front side circuit. The antenna of the back side circuit is typically an inductor. Other passive components of the circuit typically include capacitors and resistors added using simple circuit printing techniques. The resistors are typically formed as long, thin conductive traces covering a large area in serpentine paths. Other components, including antennas and capacitors, also typically form part of the shield. If the shield is intact, the back side circuit generally responds to the signal of the front side circuit with a signal preferably having a resonant frequency and a Q factor. If the shield is breached, the resonant frequency and/or the Q factor will preferably change. If the shield is completely broken, the back side circuit will generally not respond at all. The signal analyzer in the front side circuit preferably detects a breach in the shielding device based on a change in the resonant frequency and/or the Q factor of the echo signal or a cessation of the echo signal. The chip controller in the front side circuit typically performs an action on the integrated circuit, such as a chip reset, in response to detecting the breach.
According to an alternative preferred embodiment of the invention, two chips are connected together back-to-back for providing protection to each other. The active shield is preferably disposed on the front side of each of the two chips. The two chips are then typically mechanically connected, preferably by directly bonding the opposite sides of each chip together. Thus, the active shield of one chip generally protects the back side of the other chip, and vice versa. The two chips are typically connected by a physical data connection, wherein the data between the two chips is encrypted. Alternatively, the two chips may be connected by a wireless connection using an antenna device.
According to another preferred embodiment of the invention, the integrity of the shield is verified based on a function performed by the shield if the shield is intact.
According to an alternative preferred embodiment of the present invention, backside attacks are addressed by disposing metal silicide between gaps in a polysilicon layer of an integrated circuit to prevent infrared navigation based attacks.
According to another alternative preferred embodiment of the invention the active shield is comprised in a polysilicon layer of the integrated circuit.
According to a preferred embodiment of the present invention, there is thus provided a chip security system for protecting a chip from backside attacks, the chip having a first surface and a second surface opposite the first surface, the first surface including an integrated circuit disposed thereon, the system including: a first antenna disposed on the first surface; a signal generator disposed on the first surface, the signal generator operatively connected to the first antenna, the signal generator for providing an output signal transmitted by the first antenna; a circuit device disposed on the second surface, the circuit device comprising: a second antenna to wirelessly receive the output signal transmitted by the first antenna, thereby providing power to the circuit device; and shielding means to at least partially shield the second surface, wherein the circuit device is for wirelessly transmitting an echo signal from the second antenna to the first antenna such that a breach in the shielding means causes a change in or cessation of the echo signal; a signal analyzer disposed on the first surface, the signal analyzer operatively connected to the first antenna, the signal analyzer to detect a breach in the shielding means from the change in the echo signal or the cessation of the echo signal; and a chip controller disposed on the first surface, the chip controller operatively connected to the signal analyzer, the chip controller for performing an action on the integrated circuit in response to detection of a breach by the signal analyzer.
Furthermore, in accordance with a preferred embodiment of the present invention, the antenna is included in the shielding device.
Further in accordance with a preferred embodiment of the present invention the action of the chip controller includes resetting at least a portion of the integrated circuit.
Further in accordance with a preferred embodiment of the present invention the output signal includes a radio frequency signal.
Also in accordance with a preferred embodiment of the present invention, the circuit arrangement includes an active circuit component, the circuit arrangement including: a rectifier to rectify the output signal received by the second antenna; a checker operatively connected to the rectifier, the checker for checking the integrity of the shielding device; and a reporter operatively connected to the checker and the second antenna, the reporter for reporting the integrity of the shielding device back to the signal analyzer via the second antenna and the first antenna using the echo signal.
Furthermore, in accordance with a preferred embodiment of the present invention, the echo signal is a pulse signal.
Further in accordance with a preferred embodiment of the present invention the echo signal is a continuous signal.
Further in accordance with a preferred embodiment of the present invention the reporter is operative to form the echo signal by amplitude modulating the output signal.
Also in accordance with a preferred embodiment of the present invention the circuit arrangement includes passive circuit components and does not include active circuit components.
Furthermore, in accordance with a preferred embodiment of the present invention, the circuit arrangement includes a resonant circuit having an associated resonant frequency.
Further in accordance with a preferred embodiment of the present invention the echo signal has a Q factor.
Further in accordance with a preferred embodiment of the present invention the output signal comprises a swept frequency signal such that the echo signal is at a maximum when the swept frequency signal is at the resonant frequency.
Also in accordance with a preferred embodiment of the present invention the output signal includes a range of frequencies simultaneously.
Further in accordance with a preferred embodiment of the present invention the signal generator forms the range of frequencies by generating white noise.
Further in accordance with a preferred embodiment of the present invention the signal analyzer is operative to analyze changes in at least one of the resonant frequency and the Q factor of the echo signal to detect a breach in the shielding device.
Further in accordance with a preferred embodiment of the present invention, the resonant circuit includes an inductor, a capacitor and a resistor, and the second antenna is included in the inductor.
Also in accordance with a preferred embodiment of the present invention, the capacitor is included in a shielding device.
Furthermore, in accordance with a preferred embodiment of the present invention, the circuit device is formed on a film mechanically connected to the second surface.
Further in accordance with a preferred embodiment of the present invention, the film is a plastic film.
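The signal analyzer's decision for the passive back side circuit described above (swept-frequency output signal, resonant frequency, Q factor), as an added Python example that is not part of the patent. The series RLC model, the component values, the noise floor, the tolerances and the per-device enrolment step are assumptions made for illustration.

```python
import math

# Constructed component values for an intact back side shield (assumptions,
# not figures from the patent): f0 = 1/(2*pi*sqrt(L*C)) ~ 159.15 MHz, Q = 20.
INTACT = {"r_ohm": 5.0, "l_h": 100e-9, "c_f": 10e-12}
SWEEP_HZ = [100e6 + i * 0.1e6 for i in range(1201)]   # 100..220 MHz sweep
NOISE_FLOOR = 0.05      # echo below this counts as "no echo" (assumed)
F0_TOLERANCE = 0.01     # allowed relative drift of resonant frequency (assumed)
Q_TOLERANCE = 0.10      # allowed relative drift of Q factor (assumed)


def sweep_echo(r_ohm, l_h, c_f, freqs_hz=SWEEP_HZ):
    """Normalised echo amplitude per swept frequency for a series RLC loop.
    r_ohm=None models a completely severed shield (open circuit)."""
    if r_ohm is None:
        return [0.0] * len(freqs_hz)
    echo = []
    for f in freqs_hz:
        w = 2 * math.pi * f
        reactance = w * l_h - 1.0 / (w * c_f)
        echo.append(r_ohm / math.hypot(r_ohm, reactance))
    return echo


def _crossing(f_a, e_a, f_b, e_b, level):
    """Linear interpolation of the frequency where the echo equals level."""
    return f_a + (level - e_a) * (f_b - f_a) / (e_b - e_a)


def measure(freqs_hz, echo):
    """Return (f0, q) from a sweep, or None if there is no usable echo.
    q is None when a half-power point falls outside the swept range."""
    peak_idx = max(range(len(echo)), key=echo.__getitem__)
    peak = echo[peak_idx]
    if peak < NOISE_FLOOR:
        return None
    level = peak / math.sqrt(2)            # half-power (-3 dB) amplitude
    lo = peak_idx
    while lo > 0 and echo[lo] >= level:
        lo -= 1
    hi = peak_idx
    while hi < len(echo) - 1 and echo[hi] >= level:
        hi += 1
    if echo[lo] >= level or echo[hi] >= level:
        return freqs_hz[peak_idx], None
    f_lo = _crossing(freqs_hz[lo], echo[lo], freqs_hz[lo + 1], echo[lo + 1], level)
    f_hi = _crossing(freqs_hz[hi], echo[hi], freqs_hz[hi - 1], echo[hi - 1], level)
    f0 = freqs_hz[peak_idx]
    return f0, f0 / (f_hi - f_lo)          # Q = f0 / half-power bandwidth


def check_shield(enrolled, freqs_hz, echo):
    """Signal analyzer decision: (intact?, reason)."""
    measured = measure(freqs_hz, echo)
    if measured is None:
        return False, "no echo"
    f0, q = measured
    ref_f0, ref_q = enrolled
    if abs(f0 - ref_f0) / ref_f0 > F0_TOLERANCE:
        return False, "resonant frequency shifted"
    if q is None or abs(q - ref_q) / ref_q > Q_TOLERANCE:
        return False, "Q factor changed"
    return True, "intact"


# Enrolment: the intact shield's response is measured once and stored.
ENROLLED = measure(SWEEP_HZ, sweep_echo(**INTACT))

if __name__ == "__main__":
    # Constructed cases: how each kind of damage shows up in the echo.
    cases = {
        "intact": INTACT,
        "intact, small drift": {"r_ohm": 5.1, "l_h": 100e-9, "c_f": 10.05e-12},
        "resistor trace narrowed": {"r_ohm": 8.0, "l_h": 100e-9, "c_f": 10e-12},
        "capacitor plate reduced": {"r_ohm": 5.0, "l_h": 100e-9, "c_f": 9e-12},
        "shield severed": {"r_ohm": None, "l_h": 100e-9, "c_f": 10e-12},
    }
    for name, parts in cases.items():
        print(name, check_shield(ENROLLED, SWEEP_HZ, sweep_echo(**parts)))
```

The tolerances trade false resets against sensitivity: they must be wider than the shield's normal drift and narrower than the shift the smallest breach of interest produces.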
There is also provided in accordance with another preferred embodiment of the present invention a chip security system including two chips, each of the chips including: a first surface and a second surface opposite the first surface; an integrated circuit disposed on the first surface; a shield disposed on the first surface; and a shield manager disposed on the first surface for verifying the integrity of the shield and for performing an action on the integrated circuit in response to detecting a breach in the shield, wherein the chips are mechanically connected together via the second surface of each of the chips.
Further in accordance with a preferred embodiment of the present invention the chips are mechanically connected together by direct bonding.
Also in accordance with a preferred embodiment of the present invention, the chips are bonded together by argon beam surface activated bonding.
Furthermore, in accordance with a preferred embodiment of the present invention, the integrated circuit of one of the chips is operatively connected to the integrated circuit of another of the chips.
Further in accordance with a preferred embodiment of the present invention the system includes a substrate, wherein the integrated circuit of the one chip is electrically connected to the integrated circuit of the other chip via the substrate.
Further in accordance with a preferred embodiment of the present invention the one chip is flip-chip mounted on the substrate.
Also in accordance with a preferred embodiment of the present invention the other chip is electrically connected to the substrate via a ball bond connection.
Furthermore in accordance with a preferred embodiment of the present invention the integrated circuit of each of the chips is operative such that communication between the integrated circuit of the one chip and the integrated circuit of the other chip is encrypted.
Further in accordance with a preferred embodiment of the present invention the communication is encrypted using a session key.
Further in accordance with a preferred embodiment of the present invention the integrated circuit of each of the chips includes a secret shared by the chips for use in encrypted communications.
Also, in accordance with a preferred embodiment of the present invention, the thickness of the chips together is between 200 microns and 400 microns.
Furthermore, in accordance with a preferred embodiment of the present invention, each of the chips comprises silicon.
According to another preferred embodiment of the present invention, there is provided a chip security system including: a chip arrangement having a first surface and a second surface; a plurality of shields including a first shield disposed on the first surface and a second shield disposed on the second surface; an integrated circuit disposed on one of the first surface and the second surface; a shield manager disposed on the same surface of the chip arrangement as the integrated circuit, the shield manager operatively connected to the shields and the integrated circuit, the shield manager including a number generator that generates a number, the shield manager to send the number to the first shield, the first shield to perform a first function on the number, thereby producing a first value if the first shield is intact, the second shield to receive the first value and perform a second function on the first value, thereby producing a second value if the second shield is intact, the shield manager including a verification module to: receive the second value; and verify the validity of the second value based on the number generated by the number generator to determine the integrity of the shields.
Further in accordance with a preferred embodiment of the present invention, the verification module is to: perform a calculation using the first function and the second function with the number as an input to the calculation; and compare the result of the calculation with the second value to determine the integrity of the shields.
Further in accordance with a preferred embodiment of the present invention the chip arrangement comprises a single chip.
Also in accordance with a preferred embodiment of the present invention, the chip arrangement includes a plurality of chips mechanically connected to each other.
Furthermore, in accordance with a preferred embodiment of the present invention, the chips are mechanically connected together by direct bonding.
Further in accordance with a preferred embodiment of the present invention the first surface and the second surface are disposed substantially parallel to each other on opposite sides of the chip arrangement.
There is also provided in accordance with another preferred embodiment of the present invention a chip security system including: a chip arrangement having a first surface and a second surface; a plurality of shields including a first shield disposed on the first surface and a second shield disposed on the second surface; an integrated circuit disposed on the first surface; and a shield manager disposed on the first surface, the shield manager operatively connected to the shields and the integrated circuit, the shield manager including a plurality of number generators that generate numbers, the shield manager to send test data to the second shield based on the numbers, the second shield to perform a function that produces a value if the second shield is intact, the shield manager including a verification module to: receive the value; and perform an operation on the value to determine the integrity of the second shield.
Further in accordance with a preferred embodiment of the present invention the test data is equal to the number, and the verification module is operative to: perform a calculation using the function with the number as an input to the calculation; and compare the result of the calculation with the value to determine the integrity of the second shield.
Also in accordance with a preferred embodiment of the present invention, the chip arrangement includes a single chip.
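The number-based shield checks described above, both the chained form (first shield, then second shield) and the form that tests the second shield alone, follow one pattern, shown here as an added Python example that is not part of the patent. The Shield wiring model (a bit permutation with inversions, a severed line reading as 0), the 16-line width and the class and function names are hypothetical; the code runs the chained form.

```python
import secrets

WIDTH = 16                      # shield lines per shield (assumed)
MASK = (1 << WIDTH) - 1


class Shield:
    """Hypothetical shield model: the routing of the shield lines permutes
    the input bits and inverts some of them; a severed line reads as 0."""

    def __init__(self, perm, invert_mask):
        self.perm = list(perm)          # output bit i is driven by input bit perm[i]
        self.invert_mask = invert_mask & MASK
        self.cut_lines = set()          # output lines broken by a breach

    def function(self, value):
        out = 0
        for dst, src in enumerate(self.perm):
            out |= ((value >> src) & 1) << dst
        out ^= self.invert_mask
        for line in self.cut_lines:
            out &= ~(1 << line)
        return out & MASK


def build_shields():
    """Two shields with constructed wiring: a rotation and a bit reversal."""
    first = Shield([(i - 5) % WIDTH for i in range(WIDTH)], 0xA5A5)
    second = Shield([WIDTH - 1 - i for i in range(WIDTH)], 0x0F0F)
    return first, second


class ShieldManager:
    """Number generator plus verification module on the protected surface."""

    def __init__(self):
        # Reference copies of both functions, kept by the verification module.
        self.ref_first, self.ref_second = build_shields()

    def expected(self, number):
        """The calculation using the first and second function on the number."""
        return self.ref_second.function(self.ref_first.function(number))

    def verify(self, number, second_value):
        return second_value == self.expected(number)

    def check(self, first, second, rounds=16):
        """Send fresh random numbers through first -> second; any mismatch
        means a breach. One severed line is missed by a single round with
        probability 1/2, so several rounds are run."""
        for _ in range(rounds):
            number = secrets.randbelow(1 << WIDTH)
            if not self.verify(number, second.function(first.function(number))):
                return False
        return True


def detecting_numbers(manager, first, second):
    """Count the numbers (out of 2**WIDTH) whose round exposes the breach."""
    return sum(
        not manager.verify(n, second.function(first.function(n)))
        for n in range(1 << WIDTH)
    )


if __name__ == "__main__":
    manager = ShieldManager()
    first, second = build_shields()
    print("intact:", manager.check(first, second))
    second.cut_lines.add(3)             # constructed breach in the second shield
    print("breached:", manager.check(first, second))
    print("numbers that expose it:", detecting_numbers(manager, first, second))
    # A fixed value recorded for one number only matches that same number.
    recorded = manager.expected(0x1234)
    print("replay accepted for:", sum(manager.verify(n, recorded) for n in range(1 << WIDTH)))
```

Because the number is fresh each round, a value recorded from an earlier round is accepted only if the same number happens to be drawn again.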
Furthermore, in accordance with a preferred embodiment of the present invention, the chip arrangement comprises a plurality of chips mechanically connected to each other.
Further in accordance with a preferred embodiment of the present invention the chips are mechanically connected together by direct bonding.
Further in accordance with a preferred embodiment of the present invention the first surface and the second surface are arranged substantially parallel to each other on opposite sides of the chip arrangement.
Also in accordance with a preferred embodiment of the present invention, the chip arrangement includes a first chip including the first surface and a third surface, the first surface being opposite the third surface, and a second chip including a second surface and a fourth surface, the second surface being opposite the fourth surface, wherein the chips are mechanically connected together via the third surface and the fourth surface.
There is also provided in accordance with another preferred embodiment of the present invention an integrated circuit protection system including: a silicon substrate having a surface; an integrated circuit disposed on the surface of the silicon substrate, the integrated circuit comprising: a first layer comprising a plurality of structures, the structures comprising at least one bilayer structure comprising a polycrystalline silicon sublayer and a metal silicide sublayer; and a second layer comprising a plurality of metal elements, the first layer being closer to the surface than the second layer; and a shield arrangement comprising a polycrystalline silicon sublayer and a metal silicide sublayer, the shield arrangement being disposed in the first layer such that the shield arrangement does not perform an electronic function in the integrated circuit.
Furthermore, in accordance with a preferred embodiment of the present invention, the shield arrangement is disposed in the first layer such that, when an infrared microscope images the integrated circuit through the silicon substrate, the view of at least one of the metal elements seen by the infrared microscope is at least partially obscured.
Further in accordance with a preferred embodiment of the present invention, the shield arrangement is disposed in the first layer such that, when an infrared microscope images the integrated circuit through the silicon substrate, the view of at least one of the metal elements seen by the infrared microscope is blocked.
Further in accordance with a preferred embodiment of the present invention, the one metal element forms a bus for transporting data to be encrypted.
Also in accordance with a preferred embodiment of the present invention the one metal element forms a signal trace of a defense mechanism of the integrated circuit.
Furthermore, in accordance with a preferred embodiment of the present invention, the shield arrangement is disposed in the first layer such that, when an infrared microscope images the integrated circuit through the silicon substrate, views outside the first layer seen by the infrared microscope are at least partially obscured.
Further in accordance with a preferred embodiment of the present invention, the shield arrangement is disposed in the first layer such that, when an infrared microscope images the integrated circuit through the silicon substrate, views outside the first layer seen by the infrared microscope are blocked.
Further in accordance with a preferred embodiment of the present invention, the first layer defines a plane, the shield arrangement being disposed in the first layer such that at least one of the shield arrangement and the structure forms a region, the region including at least one gap having a smallest dimension measured parallel to the plane of less than about 550 nanometers.
Also in accordance with a preferred embodiment of the present invention the gap has a smallest dimension, measured parallel to the plane, of less than about 550 nanometers.
Furthermore, in accordance with a preferred embodiment of the present invention, the shield arrangement comprises a plurality of shield elements, each of which comprises a polycrystalline silicon sublayer and a metal silicide sublayer.
Further in accordance with a preferred embodiment of the present invention the metal silicide is tungsten silicide.
There is also provided in accordance with another preferred embodiment of the present invention an integrated circuit protection system including: a silicon substrate having a surface; and an integrated circuit disposed on the surface of the silicon substrate, the integrated circuit comprising: a first layer comprising a plurality of structures including at least one bilayer structure having a polycrystalline silicon sublayer and a metal silicide sublayer; and a second layer comprising a plurality of metal elements, the first layer being closer to the surface than the second layer; a shield arrangement comprising a polycrystalline silicon sublayer and a metal silicide sublayer, the shield arrangement disposed in the first layer; and a notch detection circuit operatively connected to the shield arrangement such that a notch in the shield arrangement is detected by the notch detection circuit, the notch detection circuit for performing an action on another portion of the integrated circuit in response to detection of the notch.
There is also provided, in accordance with another preferred embodiment of the present invention, a method for manufacturing a chip security system, the method including: providing two chips, each chip having a first surface and a second surface opposite the first surface; disposing an integrated circuit, a shield, and a shield manager on the first surface, the shield manager to verify an integrity of the shield and to perform an action on the integrated circuit in response to detecting a breach in the shield; and mechanically connecting the chips together via the second surface of each of the chips.
There is also provided, in accordance with another preferred embodiment of the present invention, a method for protecting an integrated circuit, including: providing a silicon substrate having a surface; disposing an integrated circuit on the surface of the silicon substrate, the integrated circuit comprising: a first layer comprising a plurality of structures including at least one bilayer structure having a polycrystalline silicon sublayer and a metal silicide sublayer; and a second layer comprising a plurality of metal elements, the first layer being closer to the surface than the second layer; and disposing a shield device in the first layer such that the shield device does not perform an electronic function in the integrated circuit, the shield device comprising a polycrystalline silicon sublayer and a metal silicide sublayer.
There is also provided, in accordance with another preferred embodiment of the present invention, a method for protecting an integrated circuit, including: providing a silicon substrate having a surface; disposing an integrated circuit on the surface of the silicon substrate, the integrated circuit comprising: a first layer comprising a plurality of structures including at least one bilayer structure having a polycrystalline silicon sublayer and a metal silicide sublayer; and a second layer comprising a plurality of metal elements, the first layer being closer to the surface than the second layer; a shield arrangement comprising a polycrystalline silicon sublayer and a metal silicide sublayer, the shield arrangement disposed in the first layer; and a notch detection circuit operatively connected to the shield arrangement such that a notch in the shield arrangement is detected by the notch detection circuit, the notch detection circuit for performing an action on another portion of the integrated circuit in response to detection of the notch.
Drawings
The present invention will be more fully understood and appreciated from the following detailed description taken in conjunction with the accompanying drawings in which:
FIG. 1 is a cross-sectional view of a chip subjected to Focused Ion Beam (FIB) attack;
FIG. 2 is a cross-sectional view of a chip security system constructed and operative in accordance with a preferred embodiment of the present invention;
FIG. 3 is an orthogonal view of the backside shield reverse side circuitry of the system of FIG. 2 formed on a film attached to a chip;
FIG. 4 is a simplified circuit diagram of the back shield of the system of FIG. 2;
FIG. 5 is a graph of echo signal voltage versus frequency of a sweep signal for the back shield of FIG. 4;
FIG. 6 is a simplified circuit layout view of the backside shield of FIG. 4;
FIG. 7 is a simplified circuit diagram of an alternative preferred backside shield for use with the system of FIG. 2;
FIG. 8 is a simplified circuit layout view of the front side circuitry of the back shield of FIG. 7;
FIG. 9 is a simplified circuit layout view of the reverse side circuitry of the back shield of FIG. 7;
FIG. 10 is a cross-sectional view of a dual chip security system constructed and operative in accordance with a preferred embodiment of the present invention;
FIG. 11 is an enlarged cross-sectional view of one chip of the dual-chip security system of FIG. 10;
FIG. 12 is a flowchart showing preferred steps for manufacturing the dual chip security system of FIG. 10;
FIG. 13 is a cross-sectional view of the dual chip security system of FIG. 10 with an internal shield inspection subsystem;
FIG. 14 is a cross-sectional view of a chip security system constructed and operative in accordance with an alternative preferred embodiment of the present invention;
FIG. 15 is a plan view of an integrated circuit protection system constructed and operative in accordance with an alternative preferred embodiment of the present invention;
FIG. 16a is a cross-sectional view through line XVIA of FIG. 15;
FIG. 16b is a cross-sectional view through line XVIB of FIG. 15;
FIG. 17 is a plan view of an integrated circuit protection system constructed and operative in accordance with an alternative preferred embodiment of the present invention;
FIG. 18a is a cross-sectional view through line XVIIIA of FIG. 17; and
FIG. 18b is a cross-sectional view through line XVIIIB of FIG. 17.
Detailed Description
Reference is now made to fig. 2, which is a cross-sectional view of a chip security system 24, constructed and operative in accordance with a preferred embodiment of the present invention. The chip security system 24 is generally used to protect the chip 26 from backside attacks. The chip 26 is typically a silicon chip. However, one skilled in the art will appreciate that the system and method of the present invention can be implemented using any suitable chip material. The chip 26 typically has a surface 28 and a surface 30 opposite the surface 28. Surface 28 preferably includes integrated circuit 32 disposed thereon. The term "disposed thereon" is used for simplicity. However, those skilled in the art of integrated circuit fabrication will appreciate that integrated circuits are typically formed partially within the chip material (e.g., without limitation, by doping the chip material), and partially on top of the chip material, typically in metal and insulating layers. However, the term "disposed thereon" as used in the specification and claims is intended to include disposition on and/or in a surface.
The integrated circuit 32 is preferably protected by an active shield 34 (shown as a "front side active shield" in fig. 2). An active shield as used in the specification and claims is defined as a defense system having built-in constraints to limit or prevent access to underlying circuitry protected by the active shield.
The active shield 34 typically includes a physical shield (not shown) such that a breach of the physical shield results in an action being performed on the integrated circuit 32 that is protected by the active shield 34. The action performed typically includes resetting the integrated circuit 32, but in any event acts to prevent any benefit being gained from the gap.
The chip security system 24 also preferably includes a back shield 36 having front side circuitry 38 and reverse side circuitry 40. Front side circuitry 38 is typically disposed on surface 28. The reverse side circuitry 40 is typically disposed on the surface 30. The communication between the front side circuitry 38 and the reverse side circuitry 40 is preferably via a wireless link as described in more detail with reference to fig. 4-9. The physical shielding is preferably performed by the reverse side circuitry 40. Detection of a breach is typically performed by a combination of the front side circuitry 38 and the reverse side circuitry 40. The front side circuitry 38 typically performs an action on the integrated circuit 32, such as resetting the integrated circuit 32, when a notch is detected.
Reference is now made to fig. 3, which is an orthogonal view of the reverse side circuitry 40 of the system 24 of fig. 2 formed on a film 42 attached to the chip 26. According to the most preferred embodiment of the present invention, the reverse side circuitry 40 is formed on the film 42. The film 42 is then preferably mechanically attached to the surface 30, typically using a suitable adhesive. Techniques for forming circuits on films are known to those skilled in the art.
The film 42 is typically a plastic film, such as, but not limited to, a polyester film such as Mylar, which is commercially available from DuPont Teijin Films U.S. Limited Partnership, Discovery Drive, P.O. Box 411, Hopewell, VA 23860 USA.
However, one of ordinary skill in the art will appreciate that the reverse circuitry 40 can be formed directly on the surface 30 of the chip 26, such as, but not limited to, using photolithography and other suitable integrated circuit formation techniques.
The inventors believe that the use of film 42 instead of forming reverse side circuitry 40 directly on chip 26 is more compatible with existing chip products.
Reference is now made to fig. 4, which is a simplified circuit diagram of the back shield 36 of the chip security system 24 of fig. 2.
Front side circuitry 38 disposed on surface 28 preferably includes an antenna 44, a signal generator 46, a signal analyzer 48, and a chip controller 50. The signal generator 46 and the signal analyzer 48 are preferably operatively connected to the antenna 44, typically via a direct wired connection. The signal analyzer 48 is preferably operatively connected to a chip controller 50, typically via a direct wired connection. The chip controller 50 is preferably operatively connected to the integrated circuit 32, typically via a direct wired connection.
Referring additionally to FIG. 5, a graph of echo signal voltage versus frequency of the swept frequency signal for the back shield of FIG. 4 is shown.
The signal generator 46 is generally operative to provide an output signal 52 for transmission by the antenna 44. The output signal 52 is typically a radio frequency signal. The output signal 52 preferably comprises a fixed frequency signal 66 having a frequency f₀ and a swept frequency signal 68 varying from a frequency f₁ to a frequency f₂ in the vicinity of f₀. The fixed frequency signal 66 generally has the primary function of transmitting power to the reverse side circuitry 40. The swept frequency signal 68 is generally used for analysis functions, described in detail below. The significance of f₁, f₂ and f₀ is described in more detail below with reference to the reverse side circuit 40.
The reverse circuit 40 is preferably disposed on the surface 30. The reverse circuit 40 typically includes passive circuit components including an antenna 54, a capacitor 56, and a resistor 58. The reverse side circuit 40 preferably does not include active circuit components. One of the advantages of using passive components rather than active components is that the manufacture of the reverse circuit 40 is much simpler.
The term "passive component" as used in the specification and claims is intended to mean: components that do not require a power source to process a signal passing through the component and components in which the basic characteristics of the component do not change when an electrical signal is applied.
The term "active component" as used in the specification and claims is intended to mean: a component in which the basic characteristics of the component can be changed in the circuit supplied with power, for example, for performing amplification or allowing multiple switching of signals.
The reverse circuit 40 is generally operative to respond to the output signal 52 to thereby wirelessly transmit an echo signal 62 from the antenna 54 to the antenna 44. The reverse circuit 40 is a resonant circuit that generally includes a capacitor 56 and a resistor 58 and an inductor in the form of an antenna 54. The reverse side circuit 40 has an associated resonant frequency f₀.
The response of the echo signal 62 to the swept frequency signal 68 is shown by way of example in fig. 5. The amplitude 70 of the echo signal 62 generally varies according to the frequency of the swept frequency signal 68 of the output signal 52. When the swept frequency signal 68 is at the resonant frequency f₀, the amplitude 70 of the echo signal 62 is typically at a maximum.
According to an alternative preferred embodiment of the present invention, the output signal 52 comprises a range of frequencies (simultaneously), such that the frequency sweep signal 68 is not required to obtain the Q factor. The output signal 52 comprising the series of frequencies is typically formed by the signal generator 46 generating white noise (even power spread across the spectrum). The echo signal 62 is not a white noise signal, but the basic shape of the spectrum of the echo signal 62 is a bell-shaped curve.
The echo signal 62 generally has a quality factor (Q factor), which is a measure of the sharpness of the peak at the resonant frequency. The terms "resonant frequency" and "Q factor" are known to those of ordinary skill in the art of electronic engineering. The resonant frequency is typically dictated by the inductance and capacitance of the circuit. The Q factor is typically dictated by the inductance, capacitance, and resistance of the circuit.
The frequencies f₁ and f₂ are typically chosen where the amplitude 70 is half of the maximum amplitude. In other words, f₁ and f₂ are a standard deviation away from f₀. The frequency range must be high enough to allow for effective coupling between antenna 44 and antenna 54, yet low enough so that conventional CMOS technology typically used in smart cards can be used.
Antenna 54, capacitor 56 and resistor 58 generally form a shield 60 to shield surface 30. In particular, the resistor 58 is preferably formed in a serpentine path over a substantial portion of the surface 30. The shielding means 60 is described in more detail with reference to fig. 6.
A notch in the shielding device 60 typically results in a change in the echo signal 62 or a cessation of the echo signal 62. For example, partially cutting the shielding 60 may cause a change in the resonant frequency and/or the Q factor, depending on which element of the shielding 60 is affected. For example, if antenna 54 or capacitor 56 is affected, both the resonant frequency and the Q factor may change. If the resistor 58 is affected, the Q factor may change.
The term "notch" as used in the specification and claims is defined as a portion that partially cuts or completely severs the shielding device 60.
Because the output signal 52 generally includes the swept frequency signal 68, which is a variable frequency signal, the echo signal 62 will be a variable (altered) signal even if no notch is present. Thus, a partial cut in the shielding device 60 may cause a change in the echo signal 62 compared to a previous frequency sweep of the swept frequency signal 68.
The echo signal 62 is typically received by the antenna 44 in the front side circuit 38. The echo signal 62 is preferably analyzed by the signal analyzer 48. The signal analyzer 48 typically converts the echo signals 62 to digital signals prior to analysis. The signal analyzer 48 is generally used to detect a breach in the shielding device 60 from a change in the echo signal 62 or a pause in the echo signal 62. In particular, the signal analyzer 48 typically analyzes changes in the resonant frequency and the Q factor of the echo signal 62 to detect gaps in the shielding device 60. Because the output signal 52 is a swept frequency signal, the signal analyzer 48 preferably compares the echo signal 62 of the current sweep with the echo signal 62 of the previous sweep.
The resonant frequency and the Q factor are examples of electromagnetic properties that may be used to detect a notch in the shielding device 60. One of ordinary skill in the art will appreciate that other suitable electromagnetic properties of the echo signal 62 may be analyzed to detect gaps in the shielding device 60, particularly parameters that change with temperature and are stable over time, such as the phase of the observed signal over time.
The chip controller 50 is generally operative to perform actions on the integrated circuit 32 responsive to detection of a breach by the signal analyzer 48, typically including resetting the integrated circuit 32.
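The analysis performed by the signal analyzer 48 and the reaction of the chip controller 50, sketched as an added simulation that is not part of the patent text: a series RLC loop stands in for the reverse side circuit 40, and the component values, tolerances, noise floor and function names are all assumptions chosen for illustration.

```python
import math

# Constructed component values for the passive reverse side circuit (assumptions).
L_ANT = 50e-9       # inductance of antenna 54, henries
C_CAP = 20e-12      # capacitor 56, farads
R_SHIELD = 5.0      # serpentine resistor 58, ohms

F_TOL = 0.02        # accepted relative drift of the resonant frequency (assumed)
Q_TOL = 0.10        # accepted relative drift of the Q factor (assumed)
NOISE_FLOOR = 1e-3  # a peak below this amplitude counts as "no echo" (assumed)


def echo_amplitude(f, r, l, c):
    """Echo amplitude of a series RLC loop at frequency f for a unit drive."""
    if r is None:                       # loop completely severed: no echo at all
        return 0.0
    w = 2 * math.pi * f
    return 1.0 / math.hypot(r, w * l - 1.0 / (w * c))


def sweep(r, l, c, f_start=100e6, f_stop=220e6, points=1201):
    """One pass of the swept frequency signal: list of (frequency, amplitude)."""
    step = (f_stop - f_start) / (points - 1)
    return [(f_start + i * step, echo_amplitude(f_start + i * step, r, l, c))
            for i in range(points)]


def crossing(p_a, p_b, level):
    """Linearly interpolate the frequency at which the amplitude equals level."""
    (fa, aa), (fb, ab) = p_a, p_b
    return fa + (level - aa) * (fb - fa) / (ab - aa)


def analyze(samples):
    """Return (f0, Q) for one sweep, or None if the echo has ceased or the
    half-amplitude points f1 and f2 fall outside the swept range."""
    peak = max(range(len(samples)), key=lambda i: samples[i][1])
    f0, a_max = samples[peak]
    if a_max < NOISE_FLOOR:
        return None
    half = a_max / 2
    lo = next((i for i in range(peak, 0, -1)
               if samples[i - 1][1] <= half), None)
    hi = next((i for i in range(peak, len(samples) - 1)
               if samples[i + 1][1] <= half), None)
    if lo is None or hi is None:
        return None
    f1 = crossing(samples[lo - 1], samples[lo], half)
    f2 = crossing(samples[hi], samples[hi + 1], half)
    # For a series RLC loop the half-amplitude width f2 - f1 equals sqrt(3)*f0/Q.
    return f0, math.sqrt(3) * f0 / (f2 - f1)


def check_shield(reference, samples):
    """Compare the current sweep with the previous (reference) sweep.
    Returns (verdict, action taken on the integrated circuit)."""
    cur = analyze(samples)
    if cur is None:
        return "breach: echo signal ceased", "reset"
    f0_ref, q_ref = analyze(reference)
    f0, q = cur
    reasons = []
    if abs(f0 - f0_ref) / f0_ref > F_TOL:
        reasons.append("resonant frequency shifted")
    if abs(q - q_ref) / q_ref > Q_TOL:
        reasons.append("Q factor changed")
    if reasons:
        return "breach: " + ", ".join(reasons), "reset"
    return "intact", "none"


def run_scenarios():
    """Constructed cases: intact shield, damaged resistor, damaged capacitor,
    and a completely severed loop."""
    reference = sweep(R_SHIELD, L_ANT, C_CAP)
    cases = {
        "intact": sweep(R_SHIELD, L_ANT, C_CAP),
        "resistor 58 partly cut": sweep(2 * R_SHIELD, L_ANT, C_CAP),
        "capacitor 56 plate damaged": sweep(R_SHIELD, L_ANT, 0.75 * C_CAP),
        "loop severed": sweep(None, L_ANT, C_CAP),
    }
    return {name: check_shield(reference, s) for name, s in cases.items()}


if __name__ == "__main__":
    for name, (verdict, action) in run_scenarios().items():
        print(f"{name:28s} {verdict} -> {action}")
```

In this model a change to the resistor alone moves only the Q factor, while a change to the capacitor moves both the resonant frequency and the Q factor, matching the behaviour described for a partial cut of the shielding device 60.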
It should be noted that it is important that an attacker is not able to mimic the reverse side circuitry 40. A conceivable attack might be to characterize the reverse side circuitry 40 and then place mimic circuitry on top of the reverse side circuitry 40, making the reverse side of the chip 26 vulnerable. The proposed attack can be thwarted by personalizing the reverse side circuitry 40, preferably randomly.
One of ordinary skill in the art will appreciate that the active shield 34 may not be needed in the following cases: the notch on the front side of the chip 26 can be detected by the front side circuitry 38, for example, but not limited to, ensuring that the antenna 44 of the front side circuitry 38 covers enough of the surface of the front side circuitry 38 so that the notch in the antenna 44 causes an action to be performed on the integrated circuit 32.
Reference is now made to fig. 6, which is a simplified circuit layout view of the back shield 36 of fig. 4.
The front side circuitry 38 is typically built in two or more layers including a top layer 72 and a bottom layer 76. The top layer 72 typically includes an antenna 44 formed near the perimeter of the top layer 72. The bottom layer 76 typically includes the signal generator 46, the signal analyzer 48, and the chip controller 50. The signal generator 46 and the signal analyzer 48 are typically connected to the antenna 44 via a plurality of pins 74 that extend from the top layer 72 to the bottom layer 76. The chip controller 50 is typically connected to the integrated circuit 32 via one or more pins 78.
One of ordinary skill in the art of integrated circuit fabrication will appreciate that the bottom layer 76 may be formed from sub-layers. Similarly, the top layer 72 may be formed from sub-layers. One of ordinary skill in the art will appreciate that some elements of top layer 72 may be disposed in bottom layer 76, and vice versa.
Similarly, all circuit layouts shown in the description may be formed from sub-layers, if practical, and the elements of each layer may suitably be arranged differently than shown in the figures.
Similarly, the reverse side circuit 40 is typically built up in two or more layers including a top layer 80 and a bottom layer 82.
Top layer 80 typically includes antenna 54, top half 84 of capacitor 56, and half of resistor 58. Antenna 54 is typically formed near the perimeter of top layer 80 and is preferably aligned with antenna 44 of top layer 72 of front side circuitry 38 to maximize coupling of antenna 44 and antenna 54.
The bottom layer 82 typically includes the bottom half 86 of the capacitor 56 and the other half of the resistor 58. The top half 84 and bottom half 86 of the capacitor 56 are preferably separated by a thin layer of dielectric material, preferably silicon dioxide.
The resistor 58 is typically divided into two portions such that adjacent strips of the resistor 58 generally alternate between the bottom layer 82 and the top layer 80. Adjacent strips are preferably connected to pins (not shown) between top layer 80 and bottom layer 82. Dividing the resistor 58 between the top layer 80 and the bottom layer 82 generally allows the strips of the resistor 58 to be close together, thereby providing a tighter arrangement for the shielding device 60. The resistor 58 is preferably formed from an aluminum trace.
Those of ordinary skill in the art will appreciate that antenna 54 can similarly be divided between top layer 80 and bottom layer 82. The bottom half 86 of the capacitor 56 in the bottom layer 82 is typically connected to the antenna 54 in the top layer 80 via a pin 88.
The shielding device 60 preferably includes an antenna 54, a capacitor 56, and a resistor 58.
The individual metal layers 80, 82 are preferably thinner than conventional metal layers to increase the resistance of the traces of the resistor 58. The thickness of the metal layer is typically in the order of 100 nm.
It should be noted that the shielding device 60 need not cover the entire surface 30 of the chip 26. The shielding device 60 typically only needs to cover a sufficient portion of the surface 30 to prevent an attack. By way of non-limiting example, backside FIB editing requires milling of large holes for access. It is generally desirable to open at least a 50 micron by 50 micron portion of the chip 26. Thus, the strips of the shielding device 60, preferably comprising antenna 54, capacitor 56 and resistor 58, are generally designed with potential attacks in view. However, it is prudent to plan ahead and bring the strips of the shielding device 60 closer together than the minimum design requirement, in view of more advanced attack techniques.
The process of forming the front side circuitry 38 and the back side circuitry 40 is generally described below.
First, the wafer, typically a silicon wafer, is preferably made as thin as possible. The bottom surface of the wafer is typically polished flat. However, the bottom surface need not be as perfect as the top surface.
Second, front side circuitry 38 is typically formed on and/or in the top surface of the wafer. Front-side circuitry 38 is typically formed using conventional integrated circuit techniques as known to those of ordinary skill in the art of integrated circuit production.
Third, a thin layer of silicon dioxide is typically deposited on the reverse side. The silicon dioxide layer insulates the reverse side circuitry 40 from the silicon substrate.
Fourth, the reverse side circuitry 40 is aligned with the front side circuitry 38, preferably using infrared microscopy. The alignment marks are then typically cut into the substrate using a laser.
Fifth, the first metal layer, i.e., bottom layer 82, is defined, typically using conventional photolithographic techniques, and is typically aligned using laser scribe marks.
An interlayer dielectric material is then preferably deposited on top of the bottom layer 82.
Next, a second metal layer, top layer 80, is formed on top of the intermediate layer.
Finally, the top layer 80 is preferably covered with a layer of silicon dioxide and silicon nitride for passivation.
It should be noted that it is not necessary, and generally not preferred, to precisely align the reverse side circuitry 40 and the front side circuitry 38. This process variation makes it more difficult for an attacker to emulate the action of the reverse side circuitry 40. In practice, the process preferably includes built-in random variations to prevent the parameters of the reverse side circuitry 40 from being copied for attacking another device.
The signal analyzer 48 of the front side circuit 38 preferably learns the parameters to be accepted during initial testing.
Reference is now made to fig. 7, which is a simplified circuit diagram of an optional preferred backside shield 90 for use with the chip security system 24 of fig. 2. The back shield 90 typically includes front side circuitry 92 and back side circuitry 94. Front side circuitry 92 is preferably disposed on surface 28. The reverse circuit 94 is preferably disposed on the surface 30.
Front side circuitry 92 typically includes an antenna 96, a signal generator 98, a signal analyzer 100, and a chip controller 102. The signal generator 98 and signal analyzer 100 are preferably operatively connected to the antenna 96, typically via a direct wired connection. The signal analyzer 100 is preferably operatively connected to chip controller 102, typically via a direct wired connection. The chip controller 102 is preferably operatively connected to the integrated circuit 32, typically via a direct wired connection.
The signal generator 98 is typically operative to provide an output signal 104 for transmission by the antenna 96. The output signal 104 is typically a radio frequency signal. The output signal 104 is preferably a fixed frequency signal that transfers power to the back side circuitry 94 via induction.
The reverse circuit 94 typically includes an antenna 106, a rectifier 108, a checker 110, a shield 112, and a reporter 114. The reverse circuit 94 preferably includes active circuit components typically included in a rectifier 108, a checker 110, and a reporter 114. The rectifier 108 and reporter 114 are generally operatively connected to the antenna 106. The checker 110 is preferably operatively connected to the rectifier 108, reporter 114 and shielding device 112.
The reverse side circuitry 94 is preferably formed on the film 42 (fig. 3), which is then attached to the chip 26, for example using an adhesive. However, one of ordinary skill in the art will appreciate that the back side circuitry 94 may be formed in and/or on the chip 26 during chip fabrication.
The antenna 106 preferably wirelessly receives the output signal 104 transmitted by the antenna 96, thereby providing power to the back side circuitry 94. For many applications, it should be noted that the frequency of the output signal 104 is preferably high enough to allow efficient coupling between the antennas 96, 106, and low enough so that conventional CMOS technology typically used in smart cards can be used.
The rectifier 108 preferably rectifies the output signal 104 received by the antenna 106 to provide a Direct Current (DC) power supply to the checker 110 and reporter 114.
The checker 110 is generally used to check the integrity of the shielding device 112 by checking for a breach in the shielding device 112. The shielding device 112 is described in more detail with reference to fig. 9.
The term "notch" as used in the specification and claims is defined as a portion that partially cuts or completely severs the shield 112.
The checker 110 and the shielding 112 are typically formed in a similar manner to front-side active shielding known to those skilled in the art.
The reporter 114 reports the integrity of the shielding device 112 back to the signal analyzer 100, preferably via the antenna 106 and the antenna 96, using the echo signal 118.
According to the most preferred embodiment of the back shield 90, the reporter 114 typically only sends an echo signal 118 when the checker 110 does not detect a breach in the shielding device 112. However, if the checker 110 detects a breach in the shielding device 112, the reporter 114 typically does not send back an echo signal 118. Thus, detection of a breach in the shielding device 112 by the checker 110 typically results in a cessation of the echo signal 118.
According to an alternative preferred embodiment of the back shield 90, the reporter 114 alters the echo signal 118 depending on the integrity status of the shielding device 112. Thus, detection of a breach in the shielding device 112 typically results in a change in the echo signal 118.
The echo signals 118 are typically received by the antenna 96 in the front side circuitry 92. The echo signal 118 is preferably analyzed by the signal analyzer 100. The signal analyzer 100 typically converts the echo signal 118 to a digital signal prior to analysis. The signal analyzer 100 is generally used to detect a breach in the shielding device 112 from a change in the echo signal 118 or a cessation of the echo signal 118.
The echo signal 118 is typically a pulsed signal, whereby the reporter 114 sends periodic pulses to the signal analyzer 100. Optionally, echo signal 118 is a continuous signal formed by amplitude or frequency modulating output signal 104.
Chip controller 102 is preferably used to perform actions on integrated circuit 32, typically resetting integrated circuit 32, in response to detection of a breach by signal analyzer 100.
Reference is now made to fig. 8, which is a simplified circuit layout view of the front side circuitry 92 of the back shield 90 of fig. 7. The front side circuitry 92 is typically formed in multiple layers 120 in substantially the same manner as the front side circuitry 38 is formed, as described with reference to fig. 6.
Reference is now made to fig. 9, which is a simplified circuit layout view of the reverse side circuitry 94 of the back shield 90 of fig. 7. The reverse side circuit 94 is typically formed of three or more layers 122.
The shield 112 is typically formed by the antenna 106 and a meandering path shield 116. The top layer 124 of the layers 122 generally includes the antenna 106 and one half of the shield 116. An intermediate layer 126 of the layers 122 generally includes the other half of the shield 116. The shield 116 is preferably formed from substantially the same adjacent strips as the resistor 58 of fig. 6. The bottom layer 128 of the layers 122 typically includes the rectifier 108, the checker 110, and the reporter 114. The rectifier 108, checker 110, and reporter 114 are preferably connected to one another using a plurality of metal strips 130. The checker 110 is typically connected to the shield 116 in the top layer 124 and the shield 116 in the intermediate layer 126 via two metal strips 134 and two pins 132. The rectifier 108 and reporter 114 are typically connected to the antenna 106 via a plurality of metal strips 136 and two pins 138.
It should be noted that the back side circuitry 94 and the front side circuitry 92 (fig. 8) generally need not be precisely aligned with each other. The margin of error is typically on the order of several tens of microns. A larger variation is acceptable if the range that is acceptable in practice can be programmed after the back side circuitry 94 has been aligned. The transistors of the reverse side circuitry 94 are preferably fabricated in polysilicon in substantially the same manner as forming transistors for use in Thin Film Transistor (TFT) displays, thereby reducing cost and complexity.
Reference is now made to fig. 10-12. Fig. 10 is a cross-sectional view of a dual chip security system 140 constructed and operative in accordance with a preferred embodiment of the present invention. Dual chip security system 140 preferably includes two chips, chip 142 and chip 144. Fig. 11 is an enlarged cross-sectional view of chip 142 of dual-chip security system 140 of fig. 10. Fig. 12 is a flow chart showing preferred steps for manufacturing the dual chip security system 140 of fig. 10.
Each of the chips 142, 144 typically has a surface 146 and a surface 148 opposite the surface 146 (block 156). Each of the chips 142, 144 is typically formed from a thinned silicon wafer. The thickness of the chips 142, 144 together is preferably between 200 and 400 microns. An integrated circuit 150, a shield 152, and a shield manager 154 are typically disposed on the surface 146 of each chip 142, 144 (block 158). The shield manager 154 is typically implemented as part of the integrated circuit 150. The shield manager 154 is preferably used to verify the integrity of the shield 152 and to perform actions on the integrated circuit 150 in response to detecting a breach in the shield 152. The shield 152 and shield manager 154 are preferably implemented as active shields. Those of ordinary skill in the art of chip protection know how to produce active shields for integrated circuits. The shield 152 is typically formed in the top layer of the metal interconnect of each chip 142, 144.
The chips 142 and 144 are typically mechanically coupled together via the surface 148 of each chip 142, 144, preferably by direct bonding. In other words, the chips 142, 144 are preferably connected back-to-back with the integrated circuits 150, the shields 152, and the shield managers 154 facing outward (block 160). Thus, chips 142, 144 form a single chip device 176, wherein the surfaces 146 of the chips 142, 144 are substantially parallel to each other on opposite sides of the chip device 176.
The surface 148 of each chip typically includes a silicon dioxide layer that is thickened and then bonded by applying a voltage between the chips 142, 144. The applied voltage generally bonds oxygen into the monolayer. Once the chips 142, 144 have been bonded, the chips 142, 144 typically cannot be separated without destroying the integrated circuits 150 of the chips 142, 144.
Bonding is preferably performed by argon beam surface activated bonding. An article entitled "Aligned room-temperature bonding of silicon wafers by argon arc beam surface activation" by Hideki Takagi and Ryutaro Maeda, in the Journal of Micromechanics and Microengineering, published by Institute of Physics Publishing, UK, volume 15, pages 290-295, describes a particularly useful process for bonding wafers. The described technique has several advantages. First, the technique operates at room temperature, making it compatible with integrated circuit wafers. Second, the technique provides good alignment between wafers of about 2 microns. In addition, no special surface preparation and no high voltage are necessary, whereby the risk of static discharge damage is minimized.
Chip 144 is flip-chip mounted on substrate 162, preferably using a plurality of contact pads 166, thereby allowing the entire area of surface 146 to be used for connection to substrate 162. The chip 142 is typically electrically connected to the substrate 162 via a plurality of ball bond connections 164. Thus, the integrated circuits 150 of each of the chips 142, 144 are electrically connected via the substrate 162.
Communication between the integrated circuit 150 of chip 142 and the integrated circuit 150 of chip 144 is preferably encrypted, typically using a packet 170 encrypted with a session key 172. The integrated circuit 150 of each of the chips 142, 144 preferably includes a secret 168 shared by the chips 142, 144 for use in encrypted communications. Secret 168 on chip 142 is preferably different from secret 168 on chip 144. In addition, the secrets 168 of each of the chips 142, 144 are typically shared between the two chips 142, 144, such that both chips 142, 144 need to be reverse engineered to usefully attack the chips.
Security considerations may be effectively enforced using inductive coupling for wireless communication between chips.
The dual chip security system 140 has additional advantages beyond the security advantage of backside protection. First, manufacturers make a series of devices with common features (such as the same core and operating system), and by changing only one side of the chip, manufacturers can have different storage configurations or different consumer ROM code, thereby saving development time and cost. Second, the amount of circuit area can be doubled without increasing the length and width of the chip. For example, smart card chips are typically limited to 5 mm by 5 mm.
Reference is now made to fig. 13, which is a cross-sectional view of the dual chip security system 140 of fig. 10 with an internal shield inspection subsystem 174. The internal shield inspection subsystem 174 is preferably used such that, if either of the shields 152 is breached, as determined by the shield manager 154, an action is performed on both integrated circuits 150, such as a reset of both integrated circuits 150, typically in response to the detected gap. The operation of the internal shield inspection subsystem 174 is preferably performed by the shield 152, the shield manager 154, and the integrated circuit 150, as described below.
For simplicity of description, the surfaces 146 of the chips 142, 144 will now be described as top and bottom surfaces 178, 180 of the chip arrangement 176. Top surface 178 is surface 146 of chip 142. Bottom surface 180 is surface 146 of chip 144.
Each shield manager 154 is typically operatively connected to each of the shields 152 and the integrated circuits 150 adjacent to the shield manager 154. Each shield manager 154 is operatively connected to the shield 152 on the other side of the chip device 176, typically via the ball bond connections 164, the substrate 162, and the contact pads 166 (fig. 10). One of ordinary skill in the art will appreciate that the shield manager 154 and/or the shield 152 may be directly connected to each other via any suitable wired and/or wireless connection or the shield manager 154 and/or the shield 152 may be indirectly connected via additional elements such as one or two integrated circuits 150.
Each shield manager 154 typically includes a number generator 182 for generating numbers, or preferably a random number generator for generating random numbers, or more preferably a pseudo random number generator or a true random number generator for generating pseudo random numbers or true random numbers, respectively. In addition, each shield manager 154 generally includes a verification module 184. The operation of the verification module 184 and other aspects of the internal shield inspection subsystem 174 are now described below. For simplicity of description, the internal shield inspection subsystem 174 is described with reference to the shield manager 154 disposed on the top surface 178.
A number generator 182 of the shield manager 154 disposed on the top surface 178 is typically used to generate the number P. The shield manager 154 disposed on the top surface 178 is generally used to send the number P to the shield 152 disposed on the bottom surface 180. The shield 152 disposed on the bottom surface 180 is preferably used to perform a function f1 on the logarithm P, yielding a value Q if the shield 152 disposed on the bottom surface 180 is intact. The function f1 is preferably performed by the shield 152 disposed on the bottom surface 180 as a result of the physical routing of the shield 152 disposed on the bottom surface 180. If the wiring is notched, the function f1 is preferably not performed automatically, and thus the value Q is not generally generated from the value P. The value Q is generally routed (typically by direct wiring) to the shield 152 disposed on the top surface 178 such that the shield 152 disposed on the top surface 178 is preferably used to receive the value Q. The shield 152 disposed on the top surface 178 is preferably used to perform a function f2 on the value Q, which typically results in a value R if the shield 152 disposed on the top surface 178 is intact. Similarly, the function f2 is preferably performed by the shield 152 disposed on the top surface 178 as a result of the physical routing of the shield 152 disposed on the top surface 178. The value R is typically routed to a shield manager 154 disposed on the top surface 178.
The verification module 184 of the shield manager 154 disposed on the top surface 178 generally functions to perform the following functions.
First, a value R is received from the shield 152 disposed on the top surface 178.
Next, the validity of the value R is checked based on the number P by performing calculations using the function f1 and the function f2 with the number P as an input of the calculation. The calculation is preferably f1(f2(P)). However, in accordance with an alternative preferred embodiment of the present invention, the verification module 184 includes a lookup table that includes a plurality of input-output pairs relating the possible values of P and R.
Third, the result of the calculation (or a value found in a lookup table) is compared to the value R to determine the integrity of the shield 152. If the result of the calculation (or the value found in the lookup table) is equal to R, then the shield 152 is typically judged to be intact.
The above steps from the generation of P by the number generator 182 to the comparison by the verification module 184 are preferably repeated periodically to determine the ongoing integrity of the shield 152. If the shield manager 154 disposed on the top surface 178 does not receive a timely value from the shield 152 or the step of comparing the result to the value R fails, then an action is typically performed on the integrated circuit 150 disposed on the top surface 178 by the shield manager 154 disposed on the top surface 178, such as a chip reset or changing the contents of a non-volatile memory to affect the function of the integrated circuit 150 (e.g., without limitation, to have the integrated circuit 150 "remember" the event, or to set a flag in a register that causes the integrated circuit 150 to delete certain information, such as a key).
It should be noted that each shield manager 154 is typically implemented as part of the same integrated circuit as the associated integrated circuit 150.
One of ordinary skill in the art will appreciate that the number P can be sent first to the shield 152 disposed on the top surface 178 by the shield manager 154 disposed on the top surface 178 and then the resulting value sent to the shield 152 disposed on the bottom surface 180.
In a similar manner to the inspection of the shields 152 by the shield manager 154 disposed on the top surface 178, the shield manager 154 of the bottom surface 180 preferably inspects the shields 152 disposed on the top surface 178 and the shields 152 disposed on the bottom surface 180. A number generator 182 of the shield manager 154 disposed on the bottom surface 180 is preferably used to generate the number Z. If the shield 152 is intact, the shield 152 disposed on the top surface 178 and the shield 152 disposed on the bottom surface 180 preferably perform the functions f3 and f4, respectively.
Preferably, a new number (P or Z) is generated each time a verification operation is performed by one of the shield managers 154.
In accordance with an alternative preferred embodiment of the present invention, the shield manager 154 examines each shield 152 independently. By way of example only, the shield manager 154 disposed on the top surface 178 sends the value P to the shield 152 disposed on the bottom surface 180. The value Q produced by the shield 152 disposed on the bottom surface 180 is routed to the shield manager 154 disposed on the top surface 178 for verification using the function f1 (or a lookup table). In addition, the value P or a different value is sent by the shield manager 154 disposed on the top surface 178 to the shield 152 disposed on the top surface 178. The shield 152 disposed on the top surface 178 generates a value that is routed back to the shield manager 154 disposed on the top surface 178 for verification using the function f2 (or a lookup table). In a similar manner to the inspection performed by the shield manager 154 disposed on the top surface 178, the shield manager 154 disposed on the bottom surface 180 independently inspects the shield 152.
According to another preferred embodiment of the present invention, the functions f1, f2, f3 and f4 are performed using a block cipher, such as, but not limited to, AES with fixed keys, wherein each function f1, f2, f3 and f4 is preferably associated with a different fixed key. According to another preferred embodiment of the present invention, the functions f1, f2, f3 and f4 are hash functions.
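The challenge-response check described above, as an added Python sketch that is not part of the patent text. HMAC-SHA-256 under constructed fixed keys stands in for f1 and f2 (the text names fixed-key block ciphers or hash functions), the `Shield` and `ShieldManager` classes are hypothetical models of a shield 152 and the top-surface shield manager 154, and the expected value is recomputed in signal-path order, f1 then f2.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed fixed keys standing in for the physical routing of each shield.
KEY_F1 = b"constructed-key-bottom-shield-f1"
KEY_F2 = b"constructed-key-top-shield-f2"


def keyed_fn(key: bytes, value: bytes) -> bytes:
    """Stand-in for f1/f2: a fixed-key function (HMAC-SHA-256, truncated to 16 bytes)."""
    return hmac.new(key, value, hashlib.sha256).digest()[:16]


@dataclass
class Shield:
    """A shield whose routing computes its fixed function only while intact."""
    key: bytes
    intact: bool = True

    def respond(self, value):
        # A gap in the wiring means the function is not performed: no output value.
        if not self.intact or value is None:
            return None
        return keyed_fn(self.key, value)


@dataclass
class ShieldManager:
    """Top-surface shield manager: number generator plus verification module."""
    bottom: Shield
    top: Shield
    events: list = field(default_factory=list)

    def new_challenge(self) -> bytes:
        # A new number P is generated for every verification round.
        return secrets.token_bytes(16)

    def verify_chain(self, p: bytes, r) -> bool:
        # Recompute over P in signal-path order (f1, then f2) and compare with R.
        expected = keyed_fn(KEY_F2, keyed_fn(KEY_F1, p))
        return r is not None and hmac.compare_digest(expected, r)

    def check_chain(self) -> bool:
        p = self.new_challenge()
        q = self.bottom.respond(p)   # bottom shield: Q = f1(P)
        r = self.top.respond(q)      # top shield:    R = f2(Q)
        ok = self.verify_chain(p, r)
        if not ok:
            self.react("chain check failed")
        return ok

    def check_each(self) -> dict:
        # Alternative embodiment: each shield is checked independently,
        # which also shows the manager which shield has the gap.
        p = self.new_challenge()
        result = {}
        for name, shield, key in (("bottom", self.bottom, KEY_F1),
                                  ("top", self.top, KEY_F2)):
            answer = shield.respond(p)
            result[name] = (answer is not None
                            and hmac.compare_digest(keyed_fn(key, p), answer))
        if not all(result.values()):
            self.react("independent check failed")
        return result

    def react(self, reason: str) -> None:
        # Placeholder for the action on the integrated circuit
        # (chip reset, flag in non-volatile memory, key deletion).
        self.events.append(reason)


if __name__ == "__main__":
    mgr = ShieldManager(Shield(KEY_F1), Shield(KEY_F2))
    print("intact chain:", mgr.check_chain())
    mgr.bottom.intact = False        # constructed fault: gap in the bottom shield
    print("after gap, chain:", mgr.check_chain())
    print("after gap, per shield:", mgr.check_each())
    print("actions taken:", mgr.events)
```

Because every round uses a fresh P, a value R captured in an earlier round does not verify against a later challenge, and a missing response is treated the same as a wrong one.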
The chip arrangement 176 of the internal shield inspection subsystem 174 has two chips 142, 144, the two chips 142, 144 being mechanically connected back-to-back by direct bonding. However, those of ordinary skill in the art will appreciate that internal shield inspection subsystem 174 may be implemented using other chip arrangements, such as, but not limited to, non-back-to-back multi-chip arrangements such as piggyback chip arrangements, or chip arrangements that include a single chip such that the chip arrangement is formed from a single piece of material prior to forming circuitry on the chip.
It should be understood that if integrated circuit 150 disposed on bottom surface 180 is not included, then shield manager 154 disposed on bottom surface 180 is typically not required. The shield manager 154 disposed on the top surface 178 preferably verifies the integrity of the two shields 152 using the methods described above.
Reference is now made to fig. 14, which is a cross-sectional view of a chip security system 186, constructed and operative in accordance with an alternative preferred embodiment of the present invention. The chip security system 186 preferably includes a chip arrangement 188 having a top surface 190 and a bottom surface 192. Top surface 190 and bottom surface 192 are typically substantially parallel to each other and are preferably disposed on opposite sides of chip arrangement 188.
Chip arrangement 188 preferably includes a single chip such that the chip arrangement is formed from a single piece of material prior to forming circuitry on the chip.
However, those of ordinary skill in the art will appreciate that the chip security system 186 may be implemented using a plurality of chips mechanically connected to one another, preferably by direct bonding or using other chip devices, such as, but not limited to, non-back-to-back multi-chip devices such as piggyback chip devices.
The chip security system 186 typically includes a plurality of shields 196 and a shield manager 198. The shield manager 198 is typically disposed on the top surface 190. The shield manager 198 is generally used to verify the integrity of the shield 196. A shield 196 is disposed on the top surface 190. Another shield 196 is disposed on the bottom surface 192.
The chip security system 186 also typically includes an additional integrated circuit 200 that is generally disposed on the top surface 190.
The shield manager 198 is preferably operatively connected to the shield 196 and the integrated circuit 200.
According to a preferred embodiment of the chip security system 186, the chip security system 186 does not include an integrated circuit disposed on the bottom surface 192. However, one of ordinary skill in the art will appreciate that the chip security system 186 can include an integrated circuit disposed on the bottom surface 192. The integrated circuit 200 is preferably operatively connected to the shield manager 198. The shield manager 198 is preferably operatively connected to the shield 196, typically via any suitable wired and/or wireless connection. The shield manager 198 typically comprises a number generator 202 to generate the number P, or preferably a random number generator for generating random numbers, or most preferably a pseudo random number generator or a true random number generator for generating pseudo random numbers or true random numbers, respectively.
The shield manager 198 is generally used to send test data to the shield 196 disposed on the bottom surface 192. The test data is preferably a number P. The shield 196 disposed on the bottom surface 192 is typically used to perform a function f5 on the test data (typically as a function of the wiring of the shield 196), yielding a value Q if the shield 196 disposed on the bottom surface 192 is intact. The value Q is preferably routed back to the shield manager 198. The shield manager 198 typically includes a verification module 204, the verification module 204 preferably being operable to: receive the value Q; and perform an operation on the value Q to determine the integrity of the shield 196 disposed on the bottom surface 192. The operations performed by the verification module 204 typically include: performing a calculation using the function f5 (or using a suitable lookup table) with the number P as input to the calculation; and comparing the result of the calculation (or the result found in the lookup table) to the value Q to determine the integrity of the shield 196 disposed on the bottom surface 192.
According to an alternative preferred embodiment of the present invention, the test data sent by the shield manager 198 is not equal to the number P, and the test data is generated by the shield manager 198 based on the number P. For example, test data is typically determined by the shield manager 198 using the number P as an input to the function f7. The shield 196 disposed on the bottom surface 192 then typically performs a function f8 on the test data to produce P, the function f8 being the inverse of f7. The value P is then typically sent back to the shield manager 198 for comparison with the originally generated number P.
The shield manager 198 preferably determines the integrity of the shield 196 disposed on the top surface 190 by sending a number P to the shield 196 disposed on the top surface 190. The shield 196 disposed on the top surface 190 typically performs a function f6 on P, yielding a value R if the shield 196 disposed on the top surface 190 is intact. The value R is then preferably routed to the shield manager 198, which receives the value R. The shield manager 198 verifies the value R by re-executing the function f6 with the number P (or by using an appropriate lookup table).
According to another preferred embodiment of the present invention, the functions f6 and f7 are performed using a block cipher, such as, but not limited to, AES with fixed keys, where each function f6 and f7 is preferably associated with a different fixed key. According to another preferred embodiment of the invention, the functions f6 and f7 are hash functions.
Reference is now made to figs. 15, 16a and 16b. Fig. 15 is a plan view of an integrated circuit protection system 206 constructed and operative in accordance with an alternative preferred embodiment of the present invention. Fig. 16a is a cross-sectional view through line XVIA of fig. 15. Fig. 16b is a cross-sectional view through line XVIB of fig. 15.
As mentioned above, shield protection for security chips may be passive or active. Passive shields typically attempt to make an attack more difficult, but do not actively detect the breach and react in a manner that deters the attack. Active shielding generally detects and blocks attacks. System 206 is preferably used to provide a passive shield that uses a polycrystalline silicon (polysilicon) layer in layer 208.
Polysilicon layers are typically present in many integrated circuit chips. Most integrated circuits use polycrystalline silicon for gates and other connections. Many integrated circuits, especially those using non-volatile memory, typically use two layers of polycrystalline silicon. Typically, at least one of the layers of polycrystalline silicon comprises a bilayer structure, with a lower part of doped polycrystalline silicon and an upper part of a metal silicide, such as tungsten silicide. The metal silicide is applied to reduce the sheet resistance of the bilayer stack.
Attacks on the backside of a chip typically use techniques to find the features to be attacked. The technique is generally a navigation scheme. One important and necessary navigation technique uses infrared illumination and imaging to observe and thus find the structure to attack. Attacks are typically performed using a backside-editing FIB machine with a focused ion beam system that includes an infrared camera as a navigation method. A backside-editing FIB machine known as Vectravision is commercially available from FEI Company of 5350 NE Dawson Creek Drive, Hillsboro, Oregon 97124, USA. Another backside-editing FIB machine, known as the OptiFIB, is commercially available from Credence Systems Corp. of 1421 California Circle, Milpitas, CA 95035, USA.
It should be noted that tungsten silicide is opaque to light including near infrared, while silicon, including polycrystalline silicon, is not. Any open areas between the polycrystalline silicon bilayer structures and/or other circuit structures in the polysilicon layer allow for IR navigation in the open areas and thus attack.
The system 206 typically obscures and preferably blocks the navigation device from viewing circuit features other than the polysilicon layer, such as metal interconnects, by filling all open areas or selected areas with a polycrystalline silicon bilayer material that includes a sublayer of a metal silicide, such as tungsten silicide.
The system 206 is now described in more detail.
The system 206 preferably includes a silicon substrate 210 having a surface 212. The system 206 also preferably includes an integrated circuit 214 disposed on the surface 212 of the silicon substrate 210. Integrated circuit 214 typically includes layer 208, layer 208 preferably including a plurality of structures 216, structures 216 typically including: one or more bilayer structures 218 (only one shown); and other structures such as a plurality of metal contacts 220. The bilayer structure 218 preferably includes a polycrystalline silicon sublayer 222 and a metal silicide sublayer 224. The metal silicide sub-layer 224 is typically formed of tungsten silicide. One of ordinary skill in the art will appreciate that other suitable metal silicides may be used for the metal silicide sub-layer 224, such as, but not limited to, tantalum silicide.
Integrated circuit 214 also includes a layer 226, layer 226 including a plurality of metal elements 228. Layer 208 is closer to surface 212 than layer 226.
System 206 also includes a shield arrangement 230 that includes a polycrystalline silicon sublayer 232 and a metal silicide sublayer 234. Metal silicide sub-layer 234 is typically formed of tungsten silicide. One of ordinary skill in the art will appreciate that other suitable metal silicides may be used for metal silicide sublayer 234, such as, but not limited to, tantalum silicide.
The shield arrangement 230 typically comprises a plurality of shield elements 236, each shield element 236 preferably comprising a polycrystalline silicon sublayer 232 and a metal silicide sublayer 234.
The shield arrangement 230 is preferably disposed in the layer 208 such that: the shield arrangement 230 does not perform an electronic function in the integrated circuit 214; and when the infrared microscope 238 images the integrated circuit 214 through the silicon substrate 210, the view of the integrated circuit features outside the layer 208, such as the one or more metal elements 228, seen through the infrared microscope 238 is at least partially obscured and preferably blocked.
For the shield arrangement 230 to be effective, the shield arrangement 230 must preferably cover enough area so as to obscure and preferably block the view of the integrated circuit 214 outside the layer 208. Shield arrangement 230 is typically deployed so as to shield all elements of integrated circuit 214 outside of layer 208. According to an alternative preferred embodiment of the present invention, only certain features outside the layer 208 that are determined to be vulnerable by the designer of the integrated circuit 214 are shielded, such as, but not limited to: a bus for transmitting data to be encrypted; and/or signal traces of a defense mechanism of the integrated circuit 214.
The shield arrangement 230 is preferably disposed in the layer 208 such that the shield arrangement 230 and the one or more structures 216 form a region 242. Region 242 preferably includes a plurality of gaps 240. It is important that gap 240 be small enough to prevent infrared microscope 238 from imaging integrated circuit 214 outside of layer 208. Thus, by way of example, if the infrared wavelength used is about 1100 nanometers (the band edge of silicon), the gap 240 typically needs to be less than half the IR wavelength, i.e., about 550 nanometers. More precisely, the gap 240 has a smallest dimension, measured parallel to the plane defined by the layer 208, that is less than about 550 nanometers.
The integrated circuit 214 and the shield arrangement 230 are preferably disposed on the silicon substrate 210 in layers using techniques known to those skilled in the art, such as, but not limited to, photolithographic fabrication methods.
Reference is now made to figs. 17, 18a and 18b. Fig. 17 is a plan view of an integrated circuit protection system 244, constructed and operative in accordance with an alternative preferred embodiment of the present invention. Fig. 18a is a cross-sectional view through line XVIIIA of fig. 17. Fig. 18b is a cross-sectional view through line XVIIIB of fig. 17. The system 244 preferably includes: a silicon substrate 246 having a surface 248; and an integrated circuit 250 disposed on surface 248 of silicon substrate 246. Integrated circuit 250 preferably includes a layer 252, another layer 254, a shield arrangement 256, and a gap detection circuit 258.
Layer 252 preferably includes a plurality of structures 260, structures 260 including one or more bilayer structures 262 (only one shown). Each structure 262 preferably has a polycrystalline silicon sublayer 264 and a metal silicide sublayer 266.
Layer 254 preferably includes a plurality of metal elements 268. Layer 252 is closer to surface 248 than layer 254.
The shield arrangement 256 preferably includes a polycrystalline silicon sublayer 270 and a metal silicide sublayer 272. The shield arrangement 256 is preferably disposed in the layer 252. The metal silicide sub-layer 272 forms circuit traces. The shield arrangement 256 typically follows a winding path above the surface 248 of the silicon substrate 246, not covered by other features in the layer 252.
The metal silicide sub-layer 272 is typically formed of tungsten silicide. One of ordinary skill in the art will appreciate that other suitable metal silicides may be used, such as, but not limited to, tantalum silicide.
The gap detection circuit 258 is operatively connected to the shield arrangement 256 such that a gap in the shield arrangement 256 is detected by the gap detection circuit 258. The gap detection circuit 258 is preferably used to perform an action on another portion of the integrated circuit in response to the detection of a gap, such as resetting the chip or changing the contents of non-volatile memory to affect the functionality of integrated circuit 250 (e.g., without limitation, to have integrated circuit 250 "remember" the event, or to set a flag in a register that causes integrated circuit 250 to delete certain information, such as a key).
Thus, the shield arrangement 256 preferably provides active protection against attacks.
The system 244 is preferably deployed on a silicon substrate 246 in layers using techniques known to those skilled in the art, such as, but not limited to, photolithographic fabrication methods.
It is appreciated that various features of the invention, which are, for clarity, described in the context of separate embodiments, may also be provided in combination in a single embodiment. Conversely, various features of the invention which are, for brevity, described in the context of a single embodiment, may also be provided separately or in any suitable subcombination. It will also be appreciated by persons skilled in the art that the present invention is not limited to what has been particularly shown and described hereinabove. Rather, the scope of the invention is defined only by the following claims.
Claims (19)
1. A chip security system for protecting a chip from backside attacks, the chip having a first surface and a second surface opposite the first surface, the first surface including an integrated circuit disposed thereon, the system comprising:
a first antenna disposed on the first surface;
a signal generator disposed on the first surface, the signal generator operatively connected to the first antenna, the signal generator for providing an output signal transmitted by the first antenna;
a circuit device disposed on the second surface, the circuit device comprising:
a second antenna to wirelessly receive the output signal transmitted by the first antenna, thereby providing power to the circuit device; and
a shielding device to at least partially shield the second surface; wherein the circuit arrangement is for wirelessly transmitting an echo signal from the second antenna to the first antenna such that a gap in the shielding device causes a change in or cessation of the echo signal;
a signal analyzer disposed on the first surface, the signal analyzer operatively connected to the first antenna, the signal analyzer to detect a breach in the shielding device from the change in the echo signal or the cessation of the echo signal; and
a chip controller disposed on the first surface, the chip controller operatively connected to the signal analyzer, the chip controller for performing an action on the integrated circuit in response to detection of a breach by the signal analyzer.
2. The system of claim 1, wherein the second antenna is contained in the shielding device.
3. The system of claim 1, wherein the action of the chip controller comprises resetting at least a portion of the integrated circuit.
4. The system of claim 1, wherein the output signal comprises a radio frequency signal.
5. The system of any of claims 1-4, wherein the circuit arrangement comprises an active circuit component, the circuit arrangement comprising:
a rectifier to rectify the output signal received by the second antenna;
a checker operatively connected to the rectifier, the checker for checking the integrity of the shielding device; and
a reporter operatively connected to the checker and the second antenna, the reporter for reporting the integrity of the shielding device back to the signal analyzer via the second antenna and the first antenna using the echo signal.
6. The system of claim 5, wherein the echo signal is a pulsed signal.
7. The system of claim 5, wherein the echo signal is a continuous signal.
8. The system of claim 7, wherein the reporter is to form the echo signal by amplitude modulating the output signal.
9. The system of claim 1, wherein the circuit arrangement includes passive circuit components and does not include active circuit components.
10. The system of any of claims 1-4 or 9, wherein the circuit arrangement comprises a resonant circuit having an associated resonant frequency.
11. The system of claim 10, wherein the echo signal has a Q factor.
12. The system of claim 10, wherein the output signal comprises a swept frequency signal such that the echo signal is at a maximum when the swept frequency signal is at the resonant frequency.
13. The system of claim 10, wherein the output signal simultaneously comprises a range of frequencies.
14. The system of claim 13, wherein the signal generator forms the range of frequencies by generating white noise.
15. The system of claim 11, wherein the signal analyzer is to analyze changes in at least one of the resonant frequency and the Q factor of the echo signal to detect a breach in the shielding device.
16. The system of claim 10, wherein the resonant circuit comprises an inductor, a capacitor, and a resistor, the second antenna being included in the inductor.
17. The system of claim 16, wherein the capacitor is contained in the shielding device.
18. The system of claim 1, wherein the circuit device is formed on a film mechanically coupled to the second surface.
19. The system of claim 18, wherein the film is a plastic film.
Applications Claiming Priority (5)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| IL173341 | 2006-01-24 | ||
| IL173341A IL173341A0 (en) | 2006-01-24 | 2006-01-24 | Chip attack protection |
| IL175902 | 2006-05-24 | ||
| IL175902A IL175902A0 (en) | 2006-05-24 | 2006-05-24 | Chip attack protection |
| PCT/IL2006/001421 WO2007086046A2 (en) | 2006-01-24 | 2006-12-11 | Chip attack protection |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| HK1129772A1 (en) | 2009-12-04 |
| HK1129772B (en) | 2011-05-06 |