Stepping up security in chip design: Texplained

September 25, 2017 // By Julien Happich
Headquartered in Valbonne, South of France, start-up Texplained is on a mission to render chip-level reverse engineering a dead-end for IC counterfeiters. Although today's Common Criteria Certification schemes for secure chips consider laboratory-grade invasive attacks as a negligible threat, Texplained's CEO Clarisse Ginet is here to prove otherwise.

"It used to be the case, maybe 15 years ago, that invasive attacks (chemically and physically removing layers to read through a chip's architecture) were too technical and too costly to be a threat, but this is no longer the case today", argues Ginet, "Just imagine, we are a small startup and yet we were able to fund our own lab and break into most commercial chips available today."


An advanced probing setup.

There is a plethora of countermeasures aimed at non-invasive attacks such as Differential Power Analysis (DPA) side channel attacks for which Rambus provide noise-reduction and obfuscation IP. But the reality, argues Ginet, is that today's serious counterfeiters want it all, the chip's internals together with its embedded code, and they opt for invasive attacks most of the time since they get a 100% target hit.

"Nowadays, due to numerous countermeasures, non-invasive attacks or semi-invasive attacks have become quite difficult and bring little value to hackers", notes the CEO, "you don't really know what you are looking for and where to look, so you have to accidentally kill a lot of chips by inadvertently triggering security mechanisms."

"But once a chip has been opened up and analysed thoroughly, it is easier to guide non-invasive attacks to extract its code or to communicate with it through its standard or custom protocol. If you look at the multibillion dollar opportunities in counterfeiting payTV smart cards or producing off-branded printer cartridges and other computer peripherals, these are markets that have been broken through invasive attacks, because they offer a 100% yield."

And if most counterfeiters target consumer products shipping in the hundreds of millions, state-sponsored counterfeiters could target military-grade ICs, reverse-engineer them and replicate them with backdoors before infiltrating them into the supply chain. According to the Ginet, today's secure chips are so vulnerable that not including invasive attacks into Common Criteria Certification schemes is akin to a denial of reality.

Of course, there are chips that resist better than others, some are actively shielded with intricate metal layers, others feature PUFs (Physically Unclonable Functions), but in the end, none of these chips will resist a complete strip-out giving away all their secrets.

"It may take a few attempts, but once you've completely mapped a chip's internals, you can always find ways to bypass a shield before inducing a code leak" Ginet told eeNews Europe.

Yet, she says Texplained has patented a unique hardware IP solution that thwarts all attempts at leaking out the embedded code, even when the chip has been fully analysed and understood. That means you could still duplicate a physical chip, but without ever having access to its code, it would just be dead silicon.