MENU

French startup hacks secure chips for the common good

Technology News |
By Julien Happich

For now, the library in stock is only nascent and mostly constituted from microchip images at diverse magnification levels and throughout multiple layers. But Texplained plans to retail detailed IC architectural and security analysis reports, examining and evaluating the security characteristics of all major competing ICs on the market while describing their strengths and weaknesses in terms of protection against hardware attacks.

The company was founded in 2013 by Texplained’s CTO Olivier Thomas, a microelectronics engineer who used to assess the security of PayTV subscriber cards from a private lab set up by French TV giant Canal+. Thomas now brings his expertise to all companies willing to assess and improve the security feature of their chips, and he hopes the reports offered by Texplained will bring some level of transparency, offering a neutral third-party expert opinion for OEMs and systems integrators to compare components and rank them against each other, with security benchmarking.

eeNews Europe caught up with Texplained’s CEO Clarisse Ginet to learn more about the company’s roadmap and mode of operations.

“We’ve been rather quiet over our first few years of existence, busy validating our analysis techniques and fine-tuning our proprietary reverse-engineering software tools” admits Ginet.

To get an overview of a chip’s architecture, the company removes the package or gets a bare die and scans the IC through an optical microscope, taking thousands of images that are then stitched back together into a detailed map which can be zoomed through (think Google Earth on a chip landscape).

Optical microscope image of a microcontroller after it was removed from its package and after wet chemical etching (to remove the interconnections while keeping the transistors active layer). This image is  composed of thousands of pictures stitched up together. (source: Texplained)
SEM image of the same microcontroller reconstituted from tens of thousands of stitched up pictures. The close-up in the digital core shows the transistors’ wells. (source: Texplained)

 An example of extracted traced signals and their
connected standard cells (source: Texplained)

For a more in-depth analysis, looking into the different material layers of a chip, the company goes through multiple de-processing steps, each revealing a layer of the IC (metal lines, vias) recorded under a scanning electron microscope (SEM). De-processing yields tens of thousands of SEM pictures per layer that need to be correlated, de-warped and stitched together into large scans. Layers must also be carefully aligned vertically so one can trace the signals throughout the chip. From there, thousands of gates must be reversed and linked together, all done through automated feature extraction. Once a standard cell library has been reconstructed and all features have been extracted, the software outputs a GDSII file and could even output the RTL architecture of the chip with a complete function mapping.

With this information, the engineers at Texplained can start breaking into the chip’s security features and extract its embedded code, revealing its flaws and possible routes of attack.

Of course, it can take several weeks to hack a modern secure chip, with a lot of semiconductor expertise, but Ginet wants to step up the security debate.

“Today’s Common Criteria Certification schemes regard such invasive attacks as only a residual threat for secure chips, considering that it takes too much time and resources to represent a tangible threat for most applications”, she says, “but we show that the technology becomes more and more accessible, including for well-funded industrial espionage leading to IP theft, or for well organized criminal organizations wanting to counterfeit goods”.

“After analysing a chip, we can provide the chip manufacturer with security counter-measures so that the chip becomes secure by design, even when its hardware has been fully revealed under an invasive attack” Ginet continued, adding that Texplained has several patents pending on such countermeasures.

In fact, in the long term, the CEO expects that most of the company’s revenues could come from royalties, licensing countermeasure hard IP across billions of secure chips including banking smartcards and SIM cards.


Apart from the sets of chip imagery and analysis reports and its consultancy operation (offering technical support at chip design with custom hacking counter-measures), the startup also promotes training sessions so security professionals can perform their own IC analysis and review their designs more with the mind of a hacker.

“Another service we’ll be able to provide thanks to our in-house feature extraction tools is to compare the layouts of different chips and figure out logic equivalences. If you find that 90% of the RTL from a competitor’s chip architecture is similar to yours, then there may be some unlicensed IP there”.  

Ginet also mentioned the use of machine learning as a future development for the in-house feature extraction tool, so it could automatically recognize and identify layout blocks already seen in previous chip analysis. “This would speed up the reverse-engineering, since many chip vendor re-use IP blocks from one generation to the next and we would not be starting completely from scratch”.

On its website, the company encourages visitors to submit ideas for popular chips to be analysed and their reports put for sale. But what if a large company decided it would assume all the costs for the full private analysis of its chips and keep the reports under NDA?

“There would always be a period of retention during which a company would get the results first hand, but then the idea is that every full chip report we produce would end up in our library, for sale.

Otherwise, we would not be truly independent and we would not be able to review just any chip we want and make its internals public” Ginet answered.

“Most of the time, companies that approach us want to audit the security of their chip, they may not call for a full chip architectural review since they already own the IP”.

The startup has been self-funded from the first year onward thanks to early customers. Each full chip analysis can take from 100,000 to 150,000 euros in lab resources and manpower depending on the technology node (which corresponds more or less to what the company invested in its lab equipment according to Ginet), and this is an investment that Texplained is willing to make to enrich its portfolio of reports. With its recent website launch, the startup is gearing up for more visibility and growth, projecting revenues in the millions of euros within the next three to five years

Texplained – www.texplained.com


Share:

Linked Articles
eeNews Europe
10s