Domain: flylogic.net
Stories and comments across the archive that link to flylogic.net.
Comments · 14
-
Re:As said this is not really new...
And even those measures (metal grid layers, e-fuses etc) can be defeated although as with any security it's about making it uneconomically difficult for most attackers to do so. Also the security shouldn't depend on any secrets like a hardcoded universal key or the fact that you fake the encryption - several "secure" flash drives have been found to do this, the unencrypted data can be read right off the flash when you bypass the controller.
-
Re:And patents, of course
Case 3 is no longer possible....
We can tear anything apart to the atomic level if needed nowadays...
see Flylogic blog for a good example. -
Re:Anonymous Coward Fail
using a high-quality lens system.
Quality alone will give you nothing. You will have to look into the actual type of the lens setup. And what you need here is a process lens (sorry, no Wikipedia entry on that). But even supposing you get the optical setup in shape, then you need a >10Mpixel screen and you need to align it. Supposing you get it and you align it, then you're left with a nice moiré pattern due to other non-linear distortions like shear and barrel. And you need to find an optical way to compensate for them.
Or, you reverse engineer the software. Or, the hardware.
And, guess what, the two latter options are the most likely to succeed.
Watch yourself from going iPhone DSLR all the way. Optics is though stuff, even if it doesn't look like so.
-
Re:How long do you want your ID to last?
Not only that, but the law of entropy demands that new errors will happen just when you need to use it online to pay your mortgage. Now try replacing it? If the premise is that you can't intentionally create an error to match a known pattern then how does one replace a "failed" identity? You simply do it like this http://www.flylogic.net/blog/?p=10 Actually, forcing an error is easy, its getting rid of an unwanted error that is hard, and you can't prevent new errors. In other words, John Doe is toast when a bit changes, but Nation States with deep pockets can become John Doe any time they please.
-
Re:the real story here...
any DRM scheme needs to be common to all publishers
While I sympathize with your idealistic dream, and wish myself that it could work, I can assure you that it is logically infeasible to create any methodology where you give a user an algorithm, a key to use that algorithm, and the content itself, and expect it not to be used/recombined in a way not envisioned by the writer of that algorithm. If the software runs on a general purpose CPU and I have your key, I can hand you your decoded content in a matter of hours. Any Geek with a copy of IDA Pro and some real patients can do this for any platform that the software supports http://www.hex-rays.com/idapro/idaproc.htm. And if it doesn't support it there are still other ways to attack the software system.
Even if you lock the decoding into a a special chip, on a board a closed and completely undocumented device, someone will eventually take the lid off of it, for fun, and reverse the logic on the chip http://www.flylogic.net/blog/. Unless you have the where-with-all of a Nation's State with vast resources able to be pored into advanced anti-tamper technology that self-destructs the core of the chip upon entry, then its just a matter of time. Piss off one capable Geek and your entire 'DRM dream of mass profits' will be history, with the work intentionally published on the Internet just to spite you. We have to face the facts that you can't rationalize/argue with a sick mind, and a pissed off Geek doesn't want to listen to the 'economics' or about what is good for someone's content delivery business. A pissed off Geek is a dangerous antagonist that won't be swayed by even the legal ramifications of what they do.
In my opinion, its a sad situation that so many people actually believe in the software equivalent of 'snake oil' (aka DRM).
-
Re:So basically
Since you're not getting the netlists, what electron microscope are you planning to put the chips in?
You don't need an electron microscope to reverse-engineer ICs. Have a look at the interesting photos over at Flylogic. Once you know the physical design, even in a worst-case scenario someone could manually inspect the photos to figure out exactly how it worked.
-
That aint nothing.
The guys at Flylogic really make some high quality micro chip reverse engineering (I was going to say porn).
-
Reverse engineering genious
For those interested, his companies blog is http://www.flylogic.net/blog/ Pretty interesting stuff...
-
Re:Actual paper does NOT cover this attack well.
Actually, you dont. Since the Per-chip ID (what they call the RCK) is implemented using electronically programmable fuses, all a good reverse engineer has to do is reset the fuses . This has been demonstrated possible via UV light combined with selective stripping of upper metal layers (eg : http://www.flylogic.net/blog/ ). Yes I do realize that the chips shown on the site are slightly older technology, but keep in mind that it is slightly easier to reset electrical fuses as the feature size goes down ( as the gate is thinner). Also, the chips on that site are crypto chips, so they have additional safeguards (meshes etc).
The fundamental problem is that the RKC is an easily known factor. If a pirate fab can steal one valid RKC they can simply use known techniques to ensure the RKC's for all pirate chips are the same. The current way to implement truly random keys especially for crypto chips is to use PUFs (physically unclonable functions). This consists of something like doping the top layers of the silicon with some metallic crystals that affect the capacitance, and having capacitance sensors on the bottom of the chip. The initial values of the capacitance are recorded on a small 1 time programmable ROM. Any physical attack on the chip (trying to remove packaging to use a laser, FIB, probe etc) will change the capacitance that will shut off / damage chip permanently. However something like this is probably too expensive to justify for simple ASICs, for which amortized design costs work out to a few pennies. -
flylogic would hack right past that
Anyone else immediately think of Flylogic when they saw this?
They etch away the plastic surrounding the die on an IC to expose the die itself, and can then read back the contents of the rom manually. "You can literally take these two pictures above and create a schematic from them if you understand NMOS circuits."
...How does whats described in the article affect those with the power to create a schematic from an inert chip?
-
flylogic would hack right past that
Anyone else immediately think of Flylogic when they saw this?
They etch away the plastic surrounding the die on an IC to expose the die itself, and can then read back the contents of the rom manually. "You can literally take these two pictures above and create a schematic from them if you understand NMOS circuits."
...How does whats described in the article affect those with the power to create a schematic from an inert chip?
-
Another analysis (similiar vein)
Another analysis of some of the ICs used in popular secure USB tokens (not usb storage devices) can be found here:
http://www.flylogic.net/blog/
They often de-cap the ICs and reverse engineer from a microscope. Really interesting stuff! -
Re:Uh. Hardware is not software...
Yeah, though I did follow up with a correction. Granted, the masks I remembered seeing © on were prior to the 1984 law that made explicit that masks are not covered under copyright, and established separate protection for them. (And here I thought it was just because newer masks had such small features that the copyright designation becomes harder to see.) Of course, in those early days of computing, nobody was sure what copyright actually covered. Modern masks, such as this one do have the circle-M on them.
The main thing, though, is that it's not covered solely by patent law, which was my main objection.
FWIW, mask work is defined under the Copyright Act and is administered by the Copyright Office (as opposed to the USPTO), so you can understand how one might get confused.
:-)As I said in my other followup, mea culpa. I learn something new every day!
--Joe -
Re:Purpose counts.
*sigh*
The implemented logic is patentable (as long as it meets the other criteria, such as novelty, non-obviousness, and lack of prior art). I can make a new chip using the same logic as the current one and, if it's a different layout, then I only have to worry about patents. If the logic is patented, I'd run afoul of the patents.
Layout, though, is not a patent issue unless the layout is integral to the invention. I had asserted that layout was covered by copyright, but I was wrong. Both of us were wrong, actually, but it appears I was closer. According to Wikipedia, layouts enjoy a copyright-like protection that is separate of regular copyright law or patents, but mainly because copyright law isn't fully appropriate/adequate. There is a separate "mask work" protection that is very similar to copyright, minus the fair use exception and with a shorter term (10 years). I'm guessing that the die photos I've seen with the © are pre-1984 then. I've seen more recent photos with the (M) they mention.
Mea culpa. Learn something new every day.
--Joe