Analysis tool reads through chips’ architectures

Analysis tool reads through chips’ architectures
Interviews |
Back in 2016, chip security analysis startup Texplained was making its first investments in laboratory equipment, analyzing various chips’ internals and commercializing its reports as a catalogue of heavily scrutinized reverse-engineering IPs, identifying security weaknesses.
By eeNews Europe


The idea was to raise the awareness of the semiconductor industry about the accessibility of invasive attacks for embedded data as well as IP theft through reverse-engineering. Next, the company experienced a 60 to 70% growth in revenue before breaking even in 2018. This happened with the launch in 2017 of light-footprint security counter-measures that Texplained would provide as IP for its customers to design in their chips.

Extraction of integrated circuits’ architecture using layered
SEM photographs (source: Texplained)

After proving technically the efficacy and reliability of its in-house reverse-engineering tools, Texplained has now packaged a commercial version which it plans to release in the third quarter of 2019, under a perpetual license (including updates and maintenance services). Prior to its official launch, ChipJuice as it is called (referring to its capacity to extract a chip’s complete internals), will first be tried out by a few select customers in what the company describes as an Insiders’ program starting in May, which will bring valuable feedback to wrap-up the first commercial release.

Of course, having the tool with the SEM-image stitching and circuit-analysis capabilities for reverse-engineering doesn’t remove the need for an exhaustive sample preparation in a lab, stripping out every single process layer and imaging every square nanometre under the microscope. But as Texplained’s CEO Clarisse Ginet reminded eeNews Europe, the stakes are high and government-backed labs already have the tooling to do that.

Automated layers alignment, via upon via (source: Texplained).

“What has been missing so far for governments wanting to check on the vulnerability of a chip or to investigate the presence of a backdoor is an efficient and reliable tool to read through the chips’ internals”, Ginet said, adding that Texplained has several patents pending on a novel method to precisely align all the layers and extract correct circuit information.

“Most labs use different scripts or try to integrate in-house tools with external solutions but the overall extraction reliability if fairly low. In contrast, our tool is highly reliable, allowing our customers to align different chip layers and correlate them perfectly using only high-resolution images, both at the via and trace level, which enables a consistent image stitching for the accurate mapping of a chip, both in 2D at a given layer and in 3D from one layer to the next”.

The tool will only be licensed to select organisations, as if it fell into the wrong hands, it could definitely be misused, including for IP theft.

“Governmental customers would want to check for possible backdoors, comparing a real chip architecture at the end of production line, to its golden standard, and making sure that no IP has been added or modified at foundry-level, eventually figuring out what functionality would those extra transistors bring” explained Ginet.

Now, referring to US allegations against Chinese chip vendor Huawei, that security backdoors could be implemented on its server chips, Ginet said that without a reference chip and its well mapped functionalities, it would be pretty impossible to identify a backdoor.

Another market highlighted by the CEO is police forensics, where the analysis of security chips in smartphones would allow better attacks. Armed with this knowledge, police enforcement could eventually get access to both the hardware and non-volatile firmware to extract user data from smartphones used for criminal activities.

But as well as performing counterfeit analysis or gathering technological intelligence, ChipJuice could be used for IC obsolescence management, figuring out how to re-design legacy chips running in critical equipment (of the military or medical type).

Different use cases for ChipJuice’s automated reverse engineering all along a chip’s lifecycle.

Regarding IP theft, or helping lawyers figure out if there’s been IP infringement in a competitor’s chip, Ginet said the tool is not mature enough to be able to match equivalent IP that would have been spread out and obfuscated across millions of transistors, often physically different.

“Finding equivalences at the functional level was not our initial target, but this will be part of future functionalities of our software” Ginet said, adding that currently the tool is using machine learning to automatically extract in parallel the netlist from the hundreds of millions of transistors it sees.

A shot showing the feature and via detection as well
as all the design instances detection (source: Texplained).

“We developed the scripts to analyse the netlist as a primary analysis, then we can trace the signals and filter the design blocks by field of interest, for example only looking for clock trees, voltage rails etc… Once the extraction is in place, we’ll need to push our machine learning algorithms further for other features or functionality detection”.

With this announcement, Texplained still wants to offer its consultancy services and offer new chip reports on its website, but for that it will need to expand its R&D capacity.

“We want to take on more projects and analyse more chips, but currently, we have a bottleneck at the lab and more customer demand than what we can address. We are about to acquire new equipment to double our capacity”, concluded the CEO.


Texplained –

Related articles:

Stepping up security in chip design: Texplained

French startup hacks secure chips for the common good

Linked Articles
eeNews Europe