Compatible Toner Chip Development: Semi-invasive Attacks
As OEM toner chips (ICs) shrink and grow more complex, invasive attacks demand more stringent conditions and cost more. Semi-invasive attacks are well-suited to ICs with small feature sizes. They do not require expensive tools, can yield results in a relatively short time, and are therefore more appealing to attackers. Semi-invasive attacks typically use ultraviolet (UV) light, X-rays, lasers, electromagnetic fields, and heat, either individually or in combination.
UV Attacks
UV attacks are effective against many One-Time Programmable (OTP) and UV Erasable Programmable Read-Only Memory (UV EPROM) controllers. The process only requires opening the IC package, locating the security fuses, and using UV light to reset the security fuses to an unprotected state.
Backside Imaging Techniques
The primary step in IC analysis is observation under a microscope. For ICs with small feature sizes, little can be discerned under natural light. However, by using infrared (IR) light, near-infrared microscopes, and IR-sensitive lenses, observation can be conducted from the backside of the chip, whether in direct or reflected mode. Backside imaging techniques can be used to retrieve content from Read-Only Memory (ROM) or to inspect the internal interconnections of a chip after the application of a Focused Ion Beam (FIB).
Active Photo Probing
A scanning laser beam is applied to the IC. When the energy of the photons exceeds the bandgap energy of silicon, specific regions of the IC can be ionized. There are two main laser scanning techniques used in IC analysis: Optical Beam Induced Current (OBIC) and Light Induced Voltage Alteration (LIVA).
OBIC can be directly used to generate images of the IC. For LIVA, images of the IC are generated by monitoring voltage changes. When photons reach the vicinity of a p-n junction, a photocurrent is produced due to the photoelectric effect. When photons enter the p-type or n-type regions, they inject free carriers, which reduces the resistance of the channel. This allows the state of memory cells to be read from the scanned images.
Fault Injection Attacks
Semi-invasive fault injection attacks typically use laser irradiation on target transistors to alter their states, thereby generating a transient fault. By exploiting the output or impact caused by this fault, attackers can obtain sensitive information such as encryption keys stored in the security controller.
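From the defender's side, firmware can be written so that a single transient fault of the kind described above cannot silently flip a security decision. The following C program is an added example, not code from the original page or from any chip vendor; the constants, type and function names are hypothetical, and the fault is modelled in software as one flipped bit.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed encodings, Hamming distance 24: no single (or small) bit
 * flip can turn LOCKED into UNLOCKED. */
#define STATE_LOCKED   0x5AA5C33Cu
#define STATE_UNLOCKED 0x96693CC3u

typedef struct {
    uint32_t value;   /* encoded security state */
    uint32_t inverse; /* bitwise complement, kept as an integrity check */
} guarded_state;

typedef enum { ACCESS_DENIED, ACCESS_GRANTED, FAULT_DETECTED } access_result;

void guarded_set(guarded_state *s, uint32_t v) { s->value = v; s->inverse = ~v; }

/* Weak pattern: any non-zero value unlocks, so one flipped bit is enough. */
int naive_is_unlocked(uint8_t flag) { return flag != 0; }

/* Hardened pattern: complement check, double read, exact-match decode. */
access_result guarded_check(const volatile guarded_state *s) {
    uint32_t v1 = s->value;
    uint32_t inv = s->inverse;
    if ((v1 ^ inv) != 0xFFFFFFFFu) return FAULT_DETECTED; /* copies disagree */
    uint32_t v2 = s->value;          /* second read catches a glitched load */
    if (v1 != v2) return FAULT_DETECTED;
    if (v1 == STATE_UNLOCKED) return ACCESS_GRANTED;
    if (v1 == STATE_LOCKED) return ACCESS_DENIED;
    return FAULT_DETECTED;           /* unknown encoding: fail closed */
}

/* Software model of a transient fault: one bit of a stored word flips. */
uint32_t flip_bit(uint32_t word, unsigned bit) { return word ^ (1u << bit); }

int main(void) {
    uint8_t flag = (uint8_t)flip_bit(0, 3);       /* locked flag, then fault */
    printf("naive check after fault:   %d\n", naive_is_unlocked(flag));

    guarded_state s;
    guarded_set(&s, STATE_LOCKED);
    s.value = flip_bit(s.value, 3);               /* same fault model */
    printf("guarded check after fault: %d\n", guarded_check(&s));
    return 0;
}
```

On detection, real firmware would typically reset or lock the device rather than return a code; that reaction is left out here.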