login

Bradley Morgan
.ical

Session

03-25
16:00
20min
CPU Microscopy and Reverse Engineering on a Budget
Nicholas Hassan, Bradley Morgan

Physical reverse engineering of modern integrated circuits (IC) is a critical technique in hardware security research. It enables analysis of undocumented functionality, firmware integrity, and trust assumptions at the hardware-software boundary. Aside from requiring access to a scanning electron microscopy (SEM) facility, the key step in this process is the physical preparation of the IC die prior to imaging. This preparation typically involves access to expensive and niche equipment such as a focused ion beam (FIB), CNC mill and/or chemical-mechanical polishing (CMP) tooling.

In this talk, we detail low-cost sample preparation workflows for IC reverse engineering in lieu of access to such specialised equipment. We provide a methodology for extraction of masked read-only memory (ROM) from modern CMOS processors with a minimal budget. We share cheap yet robust approaches for sample preparation, along with image post-processing techniques on SEM images.

We successfully demonstrate extraction of masked ROM bits from the microcode section of 14nm FinFET AMD Zen-based CPU dies using mechanical delayering and selective chemical etching as alternatives to traditional FIB-heavy workflows. Our evaluation of the workflows considers layer selectivity, surface planarity, and reproducibility, drawing attention to failure modes commonly encountered when operating outside an extensive laboratory environment, i.e. backyard science.

Imaging results with conventional SEM systems and techniques demonstrate that prepared samples can resolve features sufficiently for masked ROM bit interpretation. We demonstrate that post-processing of the SEM imagery effectively mitigates artefacts introduced by scratching. We also note that masked-ROM cells in AMD Ryzen 3 microcode can appear 150-200nm in SEM given low acceleration voltages, permitting a margin for error in sample preparation.

Together, these techniques form an affordable toolset for IC preparation techniques that lower the barrier to entry for reverse engineering with electron microscopy.

Session VI - Real-World Reverse Envineering
Lecture Hall