Table of Contents
Fetching ...

Extraction of Secrets from 40nm CMOS Gate Dielectric Breakdown Antifuses by FIB Passive Voltage Contrast

Andrew D. Zonenberg, Antony Moor, Daniel Slone, Lain Agan, Mario Cop

TL;DR

The paper challenges the prevailing belief that CMOS antifuse memories are highly secure by demonstrating a practical attack using focused ion beam passive voltage contrast to read antifuse states in a 40 nm RP2350 device. By extracting the bitwise OR of adjacent bitcells and reconstructing an address map, the authors show that significant secrets, including firmware keys, can be recovered in realistic lab timelines. The work provides detailed methodologies for sample prep, PVC imaging, data analysis, and address-map reversal, and discusses broader implications for antifuse security and mitigations such as cryptographic protections and per-device keys. This study highlights that antifuse-based security is not inherently robust and motivates risk assessments and defense strategies across semiconductor IP and devices employing gate-dielectric breakdown antifuses.

Abstract

CMOS one-time-programmable (OTP) memories based on antifuses are widely used for storing small amounts of data (such as serial numbers, keys, and factory trimming) in integrated circuits due to their low cost, requiring no additional mask steps to fabricate. Device manufacturers and IP vendors have claimed for years that antifuses are a ``high security" memory which is significantly more difficult for an attacker to extract data from than other types of memory, such as Flash or mask ROM - however, as our results show, this is untrue. In this paper, we demonstrate that data bits stored in a widely used antifuse block can be extracted by a semiconductor failure analysis technique known as passive voltage contrast (PVC) using a focused ion beam (FIB). The simple form of the attack demonstrated here recovers the bitwise OR of two physically adjacent memory rows sharing common metal 1 contacts, however we have identified several potential mechanisms by which it may be possible to read the even and odd rows separately. We demonstrate the attack on a commodity microcontroller made on the 40nm node and show how it can be used to extract significant quantities of sensitive data, such as keys for firmware encryption, in time scales which are very practical for real world exploitation (1 day of sample prep plus a few hours of FIB time) with only a single target device required after initial reconnaissance has been completed on blank devices.

Extraction of Secrets from 40nm CMOS Gate Dielectric Breakdown Antifuses by FIB Passive Voltage Contrast

TL;DR

The paper challenges the prevailing belief that CMOS antifuse memories are highly secure by demonstrating a practical attack using focused ion beam passive voltage contrast to read antifuse states in a 40 nm RP2350 device. By extracting the bitwise OR of adjacent bitcells and reconstructing an address map, the authors show that significant secrets, including firmware keys, can be recovered in realistic lab timelines. The work provides detailed methodologies for sample prep, PVC imaging, data analysis, and address-map reversal, and discusses broader implications for antifuse security and mitigations such as cryptographic protections and per-device keys. This study highlights that antifuse-based security is not inherently robust and motivates risk assessments and defense strategies across semiconductor IP and devices employing gate-dielectric breakdown antifuses.

Abstract

CMOS one-time-programmable (OTP) memories based on antifuses are widely used for storing small amounts of data (such as serial numbers, keys, and factory trimming) in integrated circuits due to their low cost, requiring no additional mask steps to fabricate. Device manufacturers and IP vendors have claimed for years that antifuses are a ``high security" memory which is significantly more difficult for an attacker to extract data from than other types of memory, such as Flash or mask ROM - however, as our results show, this is untrue. In this paper, we demonstrate that data bits stored in a widely used antifuse block can be extracted by a semiconductor failure analysis technique known as passive voltage contrast (PVC) using a focused ion beam (FIB). The simple form of the attack demonstrated here recovers the bitwise OR of two physically adjacent memory rows sharing common metal 1 contacts, however we have identified several potential mechanisms by which it may be possible to read the even and odd rows separately. We demonstrate the attack on a commodity microcontroller made on the 40nm node and show how it can be used to extract significant quantities of sensitive data, such as keys for firmware encryption, in time scales which are very practical for real world exploitation (1 day of sample prep plus a few hours of FIB time) with only a single target device required after initial reconnaissance has been completed on blank devices.
Paper Structure (23 sections, 23 figures)

This paper contains 23 sections, 23 figures.

Figures (23)

  • Figure 1: Example of electrically programmed metal fuse on a 1970s-era PROM. The roughly 700nm wide rupture in the nichrome fuse link is clearly visible under optical microscopy. Image from prom, used with permission.
  • Figure 2: Top metal of decapsulated RP2350 sample
  • Figure 3: Substrate view of decapsulated RP2350 sample with all metal and poly removed. The large greenish memory arrays along the west side and in the southeast corner of the die are the main SRAM. Smaller green and orange arrays in the south and north center are auxiliary SRAMs for peripherals, caches, and boot ROM. Fuses are the yellow memory in the northwest corner.
  • Figure 4: Simplified rendering of two rows of two bit cells (not to scale). Green = P substrate, dark green = N+ implant, red = poly, blue = contact/metal 1.
  • Figure 5: Reading an unprogrammed bit cell. The polysilicon word line (red) is energized but the fuse is not blown so no voltage is seen on the M1 bit line (blue).
  • ...and 18 more figures