
X-ray technique can reverse-engineer an entire chip without damaging it - headalgorithm
https://spectrum.ieee.org/nanoclast/semiconductors/design/xray-tech-lays-chip-secrets-bare
======
kardos
> Some of that information can be regained by making some assumptions about
> what you’re looking at, explains Aeppli. For example, we know that real
> interconnects can’t have certain shapes.

This sounds like the beginnings of the silicon obfuscation strategy: hiding
things in silicon that lie below these assumptions.

~~~
heyitsguay
Maybe! I've got some experience with tomographic algorithms, and what they're
referring to is correcting for the "missing wedge" in the Radon and/or Fourier
transforms - the measurements that tomography produces - of the chip
([https://images.app.goo.gl/HWPX2LKBsDd7eeBe6](https://images.app.goo.gl/HWPX2LKBsDd7eeBe6)).
There has been lots of interest in statistical or data-driven algorithms to
reconstruct missing measurement areas from the existing ones. It sounds like a
key technology here was better algorithms to accommodate a larger missing
wedge, so they didn't have to tilt the chip to extreme angles when getting
projections.

It's possible you could fool the algorithm in some way, but you'd have pretty
weird and severe constraints on the shapes of your hidden parts to hide their
presence from low-angle projections. They're probably not actually hand-
crafting geometric assumptions about chip structures or anything like that.
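
The missing-wedge effect described in the comment above, as an added example that is not part of the article or of this thread: a constructed two-dimensional phantom stands in for a chip cross-section (rows are depth, columns are lateral position), and the Fourier slice theorem is used to mark which spectral coefficients a limited tilt range never samples. The tilt geometry, the wedge half-angles, and the bar-shaped "wire" and "via" phantoms are assumptions chosen for illustration; the reconstruction simply leaves the unmeasured coefficients at zero rather than in-painting them, which is exactly the gap the statistical algorithms mentioned above try to fill.

```python
"""Missing-wedge artefact in limited-angle tomography, simulated with the
Fourier slice theorem.  Added example: the phantom and the tilt geometry are
constructed for illustration, not taken from the article or the thread."""
import numpy as np

N = 64  # grid size of the constructed phantom (rows = depth z, cols = lateral x)


def make_bar(kind: str, n: int = N, length: int = 32, width: int = 3) -> np.ndarray:
    """Thin bar phantom: a 'wire' runs laterally (thin in depth), a 'via'
    runs through the depth (thin laterally).  Constructed, not real chip data."""
    img = np.zeros((n, n))
    c, hl, hw = n // 2, length // 2, width // 2
    if kind == "wire":
        img[c - hw : c + hw + 1, c - hl : c + hl] = 1.0
    elif kind == "via":
        img[c - hl : c + hl, c - hw : c + hw + 1] = 1.0
    else:
        raise ValueError(f"unknown phantom kind {kind!r}")
    return img


def missing_wedge_mask(n: int, half_angle_deg: float) -> np.ndarray:
    """Boolean mask of the spectral coefficients a limited tilt range never measures.

    Fourier slice theorem: a projection taken with the beam tilted by theta
    from the depth axis yields the slice of the 2-D spectrum perpendicular to
    the beam.  If the sample can only be tilted to +/-(90 - half_angle) degrees
    (a flat sample becomes too thick to see through near edge-on), every
    coefficient closer than half_angle to the kz axis is never sampled: that
    is the missing wedge.  Assumed geometry, for illustration only.
    """
    kz = np.fft.fftfreq(n)[:, None]   # depth frequencies, one per row
    kx = np.fft.fftfreq(n)[None, :]   # lateral frequencies, one per column
    angle_from_kz = np.degrees(np.arctan2(np.abs(kx), np.abs(kz)))
    mask = angle_from_kz < half_angle_deg
    mask[0, 0] = False  # the DC term (total mass) is seen by every projection
    return mask


def reconstruct(img: np.ndarray, half_angle_deg: float) -> np.ndarray:
    """Ideal reconstruction from the measured coefficients only: the missing
    wedge is left at zero (no statistical in-painting)."""
    spectrum = np.fft.fft2(img)
    spectrum[missing_wedge_mask(img.shape[0], half_angle_deg)] = 0.0
    return np.real(np.fft.ifft2(spectrum))


def relative_error(img: np.ndarray, half_angle_deg: float) -> float:
    """||reconstruction - truth|| / ||truth||; 0 means the wedge cost nothing."""
    rec = reconstruct(img, half_angle_deg)
    return float(np.linalg.norm(rec - img) / np.linalg.norm(img))


def spectral_energy_in_wedge(img: np.ndarray, half_angle_deg: float) -> float:
    """Fraction of the phantom's spectral energy that falls inside the wedge;
    this is what decides whether a shape is easy or hard to recover."""
    power = np.abs(np.fft.fft2(img)) ** 2
    mask = missing_wedge_mask(img.shape[0], half_angle_deg)
    return float(power[mask].sum() / power.sum())


if __name__ == "__main__":
    for kind in ("wire", "via"):
        for half_angle in (0.0, 10.0, 30.0):
            img = make_bar(kind)
            print(f"{kind:4s} wedge={half_angle:4.0f} deg  "
                  f"energy in wedge={spectral_energy_in_wedge(img, half_angle):.2f}  "
                  f"reconstruction error={relative_error(img, half_angle):.2f}")
```

Running the block shows the asymmetry the comment alludes to: the laterally running wire, being thin in depth, has its spectral energy spread along the kz axis and loses most of it to a 30-degree wedge, while the via, thin laterally, keeps nearly all of its energy and reconstructs well. Anything that wants to hide from such a scan therefore has to keep its energy inside the wedge, which constrains its shape severely, and a reconstruction algorithm that fills the wedge from the measured coefficients narrows that window further.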

~~~
kardos
Yep that's exactly the idea. Basically the silicon version of the underhanded
C contest [1]

[1] [http://www.underhanded-c.org/](http://www.underhanded-c.org/)

~~~
heyitsguay
Cool! Know of any websites or writeups about the silicon version?

~~~
abbeyj
Some anti-reverse-engineering work was put into the Z80 chip 45 years ago.
[https://retrocomputing.stackexchange.com/questions/11143/in-...](https://retrocomputing.stackexchange.com/questions/11143/in-the-original-z80-layout-where-are-the-traps-located-and-what-are-their-ef)

~~~
Taniwha
Before 1984 there was no copyright on the contents of chips, it was completely
legal to create masks from a competitor's chips and sell them - people used to
create on-chip structures designed to fool the optical processes that were
used to do this.

------
traverseda
That should make it a lot easier to identify hardware back-doors.

~~~
dheera
Agreed. Also I hope it brings the end of the Apple security-by-obscurity
methods that allowed that one iPhone to be cracked by a third party hacker. If
you know what's in the hardware a 4-6 digit PIN is fine for deterring casual
onlookers but is _never_ enough entropy to secure data.

People should learn to use real passwords if they want their data secure.

------
Rannath
I just want this to be cheap enough so that we can archive and re-create no-longer manufactured chips.

~~~
pkaye
How do you recreate them? On FPGA? Fabricating a chip is not cheap.

~~~
Rannath
Personally I was thinking of being able to recreate some discrete chips with
breadboards.

Then again MOSIS has prices down to a few thousand/square millimeter. Since
current gen stuff is so much smaller, that's probably <$100 for the more
complex chips from the 70s & 80s.

The best I think we'll get is some Amiga/Commodore build-it-yourself kits that
weren't possible before because of out-of-production chips.

------
teddyh
Previously, in 2017:
[https://news.ycombinator.com/item?id=13952016](https://news.ycombinator.com/item?id=13952016)

------
ur-whale
> not just reverse engineering but assurance that chips are manufactured
> according to design

This, combined with stuff like RISC-V is very good news and big progress
towards making a secure (read backdoor-free) hardware platform.

Gotta love the Swiss!

------
tombert
I wonder what the implications of this could be for the emulation
community... maybe someone more knowledgeable about this stuff can enlighten me:
would something like this be useful in creating more-accurate emulators?

------
Timothycquinn
I wonder if this technique can be used to scan a PCB, as they can be an attack
vector for supply chain attacks.

~~~
dillondoyle
Dare I bring up the Bloomberg article without causing a shitstorm? I remember
reading around that time a (I think) presentation on how to trick / hide
against x-ray tomography etc., but I can't find the link to the source, if anyone
has it?

~~~
Timothycquinn
I recently had an IPMI fail on one of my Supermicro servers and it was super funny
to hear the conspiracy theory from the SuperMicro support that it was not
working because maybe the Chinese were worming through a backdoor that was
hidden on the machine.

I'm quite sure that the issue was just a faulty IPMI as I've seen it happen
before with older units but I had a good laugh.

I'm a believer in Murphy's law where whatever can happen will happen. Supply
chain attacks are quite possible, would be very fruitful and therefore must be
happening. But will we ever get the truth from the big vendors? I don't think
it will happen any time soon but with this x-ray technology, it will be way
easier to detect them.

------
samstave
How do you pronounce that word?

I worked at Intel in the 90s, and they put malformed CPUs in key chains.

But what will be interesting to see is when they build a library of
devices where they can quickly ID Trojans.

~~~
jimbob45
Ty-ko-graphic

~~~
samstave
Can you also explain the "ty-co" part of it?

~~~
8bitsrule
As a suffix 'tych' (pronounced 'tic') refers to multiple related/connected
things ... tables, leaves, panels, works ... (diptych, triptych, polyptych).
EG 'triptych' "derives from the Greek adjective τρίπτυχον 'triptukhon'
('three-fold')".

'Ptychography' was coined by crystallographers in 1972. Wikipedia has more on
the origin.
[https://en.wikipedia.org/wiki/Ptychography](https://en.wikipedia.org/wiki/Ptychography)

~~~
samstave
Thank you

------
jalk
Does this have any implications for Secure Enclave like chips?

~~~
sowbug
I have no expertise on this subject, but here goes. First, I don't think the
technique can see electrical charges, which is how any chip stores volatile
state. Second, if such chips rely on security by obscurity -- and judging from
the NDAs typically required to get any official information about them, I'd
say it's part of their defense in depth -- then that security would now be
weaker. Finally, this technique would arguably enhance security if independent
labs were now able to verify that a chip is devoid of back doors and
implementation errors.

------
digikata
I wonder if the 40+ layer NAND chips would give a problem for this technique.

------
mooneater
Time for a silicon easter egg hunt!

------
tabtab
Can it be used on cryogenically frozen brains? The flick "Sleeper" could
become a reality, although you'd probably have an android or R2D2 like body.

------
mepian
Can someone please share the actual paper? Sci-Hub fails to retrieve it either
by DOI or by the Nature link.

------
jl6
Next step: chips include critical components that _can_ be damaged by x-rays.

------
askz
Nice, China is glad to hear that

~~~
jiveturkey
China has no problem destructively reverse engineering chips. They aren't
validating them, they are copying them. And the destructive method may be time
consuming, but surely for China it's cheaper?

This technique would be more like CMM validation of a part after
manufacturing. Very, very useful but with a different goal in mind.

~~~
penagwin
Plus aren't many chips made in China? My impression after watching BigClive
tear apart stuff was that a lot of Chinese clones use their own chips, and
many chips are custom and seem to only exist between Chinese manufacturers
(like custom USB charging chips, led chips for flashlights, etc.)

~~~
grenoire
In order to manufacture these chips you need the schematics. It's the same
thing as having the source code and the deployment/compilation instructions:
You don't _need_ anything else.

~~~
_ph_
Strictly speaking, for manufacturing you need the layout for the chip, but
extracting a schematic from a given layout is an automated process and used
for verification. You create a layout from a given schematic and later check
whether the layout implements that schematic.
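
The layout-versus-schematic check described in the comment above, as an added example that is not part of the thread or of any EDA tool: two constructed netlists for a CMOS inverter, one written as the schematic and one as a layout extractor would emit it (same devices, arbitrary net names and a different device order), are compared by iteratively refining a structural signature for every net and device until the labels no longer matter. The netlist format, the inverter, and the extra pull-down transistor in the mismatching netlist are assumptions for illustration; real LVS tools also match port names and device parameters (width, length) and localise a mismatch with an explicit one-to-one matching step, which this example omits.

```python
"""Netlist comparison in the spirit of layout-versus-schematic (LVS).
Added example with constructed netlists; not from the thread or any EDA tool."""
import hashlib
from collections import Counter

# A netlist is a list of devices: (device_type, {pin_name: net_name}).
# Net names carry no meaning; only connectivity is compared.

# Hand-written schematic of a CMOS inverter (constructed).
SCHEMATIC = [
    ("nmos", {"g": "in", "d": "out", "s": "gnd"}),
    ("pmos", {"g": "in", "d": "out", "s": "vdd"}),
]

# The same inverter as a layout extractor would report it: identical
# connectivity, but the extractor numbers the nets itself (constructed).
EXTRACTED_OK = [
    ("pmos", {"g": "n3", "d": "n7", "s": "n1"}),
    ("nmos", {"g": "n3", "d": "n7", "s": "n0"}),
]

# Extracted netlist with one transistor the schematic never had: an extra
# pull-down on the output driven from an otherwise unused net (constructed
# purely to show what a mismatch looks like).
EXTRACTED_EXTRA = EXTRACTED_OK + [("nmos", {"g": "n9", "d": "n7", "s": "n0"})]


def _h(obj) -> str:
    """Stable short hash of a structure (repr of sorted tuples of str is deterministic)."""
    return hashlib.sha256(repr(obj).encode()).hexdigest()[:16]


def structural_signature(netlist, rounds: int = 4):
    """Label-independent fingerprint of a netlist.

    Starts from what each net touches (device type + pin), then alternately
    re-hashes devices from their nets and nets from their devices, in the
    manner of Weisfeiler-Lehman colour refinement.  Two netlists that are the
    same circuit under any renaming of nets (and any device order) yield the
    same multisets of device and net signatures.  As with any refinement
    scheme, highly symmetric circuits could in principle collide; production
    LVS tools follow up with an explicit matching step.
    """
    net_pins: dict = {}
    for idx, (_, pins) in enumerate(netlist):
        for pin, net in pins.items():
            net_pins.setdefault(net, []).append((idx, pin))
    net_sig = {net: _h(sorted((netlist[i][0], pin) for i, pin in plist))
               for net, plist in net_pins.items()}
    dev_sig: dict = {}
    for _ in range(rounds):
        dev_sig = {idx: _h((dtype, sorted((pin, net_sig[net]) for pin, net in pins.items())))
                   for idx, (dtype, pins) in enumerate(netlist)}
        net_sig = {net: _h(sorted((dev_sig[i], pin) for i, pin in plist))
                   for net, plist in net_pins.items()}
    return Counter(dev_sig.values()), Counter(net_sig.values())


def lvs_match(schematic, extracted) -> bool:
    """True when the extracted layout implements the schematic's connectivity."""
    return structural_signature(schematic) == structural_signature(extracted)


def count_summary(netlist) -> dict:
    """Device count per type and net count: the first thing an LVS run reports."""
    devices = Counter(dtype for dtype, _ in netlist)
    nets = {net for _, pins in netlist for net in pins.values()}
    return {"devices": dict(devices), "nets": len(nets)}


if __name__ == "__main__":
    for name, extracted in (("clean extraction", EXTRACTED_OK),
                            ("extra transistor", EXTRACTED_EXTRA)):
        print(f"{name}: match={lvs_match(SCHEMATIC, extracted)} "
              f"schematic={count_summary(SCHEMATIC)} layout={count_summary(extracted)}")
```

The clean extraction matches even though its net names and device order differ from the schematic, while the netlist with the extra transistor fails both the device-count summary and the structural comparison. Note that a single added device changes the refined signature of every net and device reachable from it, which is why a hash-based comparison can only say "mismatch" and real tools add a matching step to point at the offending device.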

