Formal references on micro security

Started by Lewin A.R.W. Edwards September 23, 2004
I'm looking for good references on micro code security. My reading leads
me to various conclusions, including:

1. Mask-ROM parts are easiest to read-out intrusively, EPROM and flash
are intermediate-difficulty (with EPROM being perhaps slightly easier)
and RAM-based technologies are the hardest.

2. Any microcontroller that isn't specifically designed to resist
invasive read-out techniques is going to have little or no resistance to
such attacks.

Unfortunately I can find little _formal_ research. I've found what
amounts to several hobbyist/student papers on the topic, and lots that I
found instructive and interesting, but nothing that I could really cite
when choosing parts.

I know that several vendors have come out with, or are planning to
introduce, gas-gauge ICs for smart batteries that incorporate security
technology so (say) cellphone manufacturers can lock-out fake batteries.
Have there been any studies done on hacking these sorts of schemes yet,
both from the POV of studying the data transfers and from messing with
the chips themselves? (I'm not really interested in the raw mechanics of
hacking any particular chip or scheme - I'm more interested in knowing
who has the strongest scheme).

I'm also interested to know some real numbers on what it costs to
reverse-engineer secured micros used in applications like the one I just
described. For example, what would be the approximate cost of
decapsulating and reading out a 4K mask-ROM microcontroller, assuming
the chip mfr didn't use any cunning or protective measures on the die,
and that the attacker had access to a different micro of the same model,
with known contents, that he could use to establish a bit-to-metal
mapping for the die?

Any pointers would be most appreciated.
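The battery-authentication question above ("studying the data transfers" versus "messing with the chips themselves") can be made concrete with a small model. The following is an added example, not code from the original post or from any vendor's gas-gauge IC; it assumes a generic keyed-MAC challenge-response design (host sends a random challenge, the battery answers HMAC-SHA256 over it with a shared secret) and uses a constructed key and constructed sniffed transcripts. It shows why bus sniffing alone only helps against a host that reuses challenges, while a key read out of a genuine die defeats the scheme completely, which is what makes points 1 and 2 the real question.

```python
"""Challenge-response battery authentication, modelled end to end.

Added example, not from the post or any vendor's scheme. Assumes a
generic design: host sends a 16-byte challenge, the battery answers
HMAC-SHA256(key, challenge), the host recomputes and compares.
Key and transcripts below are constructed for the demonstration.
"""
import hashlib
import hmac
import os

# Constructed 128-bit secret, assumed to be stored in every genuine
# gas-gauge IC and known to the host firmware.
SHARED_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def mac(key: bytes, challenge: bytes) -> bytes:
    """The response a genuine pack must produce for a challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class GenuineBattery:
    """Gas-gauge IC holding the secret; answers any challenge correctly."""
    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return mac(self._key, challenge)


class ReplayFake:
    """Counterfeit without the key: it only replays (challenge, response)
    pairs sniffed from the bus traffic of a genuine pack."""
    def __init__(self, sniffed: list):
        self._table = dict(sniffed)

    def respond(self, challenge: bytes) -> bytes:
        # Unknown challenge: nothing to replay, answer garbage.
        return self._table.get(challenge, b"\x00" * 32)


class Host:
    """Phone side. `rng` is injectable so a weak host that reuses a
    fixed challenge can be modelled next to a proper one."""
    def __init__(self, key: bytes, rng=os.urandom):
        self._key = key
        self._rng = rng

    def authenticate(self, battery) -> bool:
        challenge = self._rng(16)
        response = battery.respond(challenge)
        # Constant-time compare so the check itself leaks nothing.
        return hmac.compare_digest(response, mac(self._key, challenge))


def fixed_challenge(n: int) -> bytes:
    """Weak RNG: every authentication uses the same challenge."""
    return b"\x42" * n


class SniffingBus:
    """Wraps a battery and records each exchange, as a bus analyser would."""
    def __init__(self, battery):
        self._battery = battery
        self.transcript = []

    def respond(self, challenge: bytes) -> bytes:
        response = self._battery.respond(challenge)
        self.transcript.append((challenge, response))
        return response


def demo() -> dict:
    genuine = GenuineBattery(SHARED_KEY)
    good_host = Host(SHARED_KEY)                      # fresh random challenges
    weak_host = Host(SHARED_KEY, rng=fixed_challenge)  # reuses one challenge

    # 1. Attacker sniffs one session between the weak host and a genuine pack.
    tapped = SniffingBus(genuine)
    weak_host.authenticate(tapped)
    fake = ReplayFake(tapped.transcript)

    # 2. A clone built from a key read out of a genuine die (the intrusive
    #    attack the post asks about) needs no transcript at all.
    cloned = GenuineBattery(SHARED_KEY)

    return {
        "genuine_vs_good": good_host.authenticate(genuine),  # True
        "replay_vs_weak": weak_host.authenticate(fake),      # True: challenge reused
        "replay_vs_good": good_host.authenticate(fake),      # False: fresh challenge
        "clone_vs_good": good_host.authenticate(cloned),     # True: key extracted
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

The only thing separating `ReplayFake` from `cloned` is possession of `SHARED_KEY`, so the strength of any such scheme collapses to how hard it is to read the key out of the gas-gauge die (or out of the host, which must hold the same key in a symmetric design). A host that sends a fixed or predictable challenge gives that secret away for free to a bus sniffer.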

"Lewin A.R.W. Edwards" wrote:
> I'm looking for good references on micro code security.

A rough pointer... Ross Anderson's book Security Engineering.
http://www.amazon.com/exec/obidos/ASIN/0471389226/860710993-20

A section of the book covers secure chips and various ways they can be read out / hacked (probes, scans, voltage manipulation, etc.). There's also a very interesting analysis of an IBM crypto processor card that has several layers of defenses. I recall it has a fair number of links to external reference material.

If nothing else, this may get you directed into the right community for more specific research.

Cheers,
Richard

Lewin A.R.W. Edwards wrote:
> I'm looking for good references on micro code security.

You can find plenty of info and references on this site:
http://www.cl.cam.ac.uk/Research/Security/tamper/

TonyF