Direct read of idle block RAM from FPGAs utilizing photon emission microscopy

Bibliographic Details
Published in: 2018 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pp. 41-48
Main Authors: Couch, Jacob; Whewell, Nicole; Monica, Andrew; Papadakis, Stergios
Format: Conference Proceeding
Language: English
Published: IEEE 01.04.2018
Summary: In many reverse engineering efforts, side channels have been utilized to extract both design information and data from integrated circuits. In this paper, a technique is demonstrated to recover data by directly reading idle SRAM cells within an FPGA, without engaging the read circuitry. This is accomplished using photon emission microscopy to capture the photons that are emitted as leakage currents flow from the source to the drain of NMOS transistors within the SRAM cell. Depending on whether a 0 or 1 state is stored in a particular cell, the location of the emitting transistor is different. The read circuitry in many integrated circuits cannot be easily activated in a repeatable pattern, thus forming a need to access the contents of idle SRAM cells. This was evaluated and refined on a 220 nm process node FPGA. We discuss the physics of photon emission in these devices and the consequences for successful imaging of SRAM contents. Through initial investigations and calculations, we predict that extraction of data from idle SRAM can be conducted on more modern parts. Through an extension of this technique, data such as encryption keys, state information, and restricted variables that would not be accessible through traditional bitstream and firmware reverse engineering efforts can be extracted from the integrated circuit. This information can then be utilized to ensure the integrity of a system, or as a threat to the integrity of the system.
DOI: 10.1109/HST.2018.8383889