Chip Detectives – IEEE Spectrum

Nowadays, although, reverse engineering is coming to be accepted, and in some circles even embraced, as part of doing enterprise. The primary motive for the shift stems from the rising recognition that mental property, when vigorously defended, can add to an organization’s backside line. IBM, Texas Devices, and Motorola now pull in one thing like US $1 billion a 12 months from patent royalties and licensing charges. Rambus Inc., primarily based in Mountain View, Calif., derives basically all of its revenues ($17.8 million within the newest reported quarter) from licensing its high-speed interface expertise for reminiscence chips.

Mental property negotiations depend on technical ammunition, and over the past decade or so, a handful of laboratories specializing in IC reverse engineering (together with Taeus) have sprung as much as present it. As their purchasers will attest, the flexibility of those labs to dissect even essentially the most sophisticated IC is important for pinpointing circumstances of patent infringement, and likewise figuring out whether or not a patented expertise is value licensing or shopping for. Past that, semiconductor producers flip to those reverse-engineering homes to get a way of how their merchandise stack up towards the competitors, to check the standard of their merchandise, and to hint the basis reason for gadget failures [see “Anatomy of a crash”].

The technical problem

“This was once the type of work that one engineer may do in his spare time, working in his basement or storage,” mentioned Terry Ludlow, president of Chipworks Inc., a reverse-engineering lab primarily based in Ottawa, Canada. However that’s subsequent to unimaginable now, given the rising sophistication of the strategies wanted to take aside and analyze at present’s ICs. [See “Deconstructing a chip”]

“Chip dimensions have shrunk unbelievably,” mentioned Tony Denboer, government vp of Built-in Circuit Engineering Corp. (ICE), Scottsdale, Ariz. “A single reminiscence bit-cell for a DRAM is 5 or 10 % [the size] it was 10 years in the past.” And, though the mainstay of reverse-engineering corporations was once reminiscence gadgets, they’re now branching out into microprocessors and mixed-signal gadgets, in addition to product teardowns of cell telephones, digital cameras, digital toys, and the like.

Given the complexity of IC devices–line widths approaching 0.18 µm, layer upon layer of metallic, insulator, and interconnect–just how does a lab go about taking such gadgets aside?

With excessive care. It begins with a set of similar chips, every of which shall be parsed and imaged another way. “First we do a fast X-ray, to determine how the pads hook up with the wires or if there’s one thing bizarre in there, like a battery,” defined Chipworks’ Ludlow. The following step is to drop the packaged chip right into a scorching sulfuric acid tub, to dissolve away the outer coating of black plastic. What emerges after 5 minutes is a sq. little bit of shiny glass threaded with metallic.

Purchasers are sometimes fascinated about one in every of two issues: how the chip is made (generally known as course of evaluation) or how it’s put collectively (circuit evaluation). One chip within the pattern set will get cross-sectioned. That exposes the varied layers of metallic, interconnect, and insulator layers. With surgical precision, the remainder of the chips are then selectively “delayered,” that means that every one will get etched (in a plasma etcher) or hand-polished (utilizing, say, a grinding wheel coated with 30-µm diamond movie) to a selected depth within the chip.

Getting ready a seven-chip pattern can take upwards of per week, and it’s painstaking work. As Jeff Campbell, a Chipworks technician, floor down a chip headed for transmission electron microscopy, he defined that the intention is for a pattern thickness of two µm. “Silicon transmits gentle at about 6 to 7 microns thickness,” he mentioned. “At that thickness, silicon turns into like a ribbon, and it’ll bend.” The samples are extraordinarily fragile, he added. “In case you contact one with tweezers, it’s going to crumble.”

From there, the chip fragments are imaged, utilizing no matter high-resolution, high-magnification method known as for. The chemical composition is verified by way of spectroscopy. For inspecting the microstructures, there are optical microscopes geared up with 35mm cameras, scanning electron microscopes, and transmission electron microscopes. The final is essentially the most delicate, yielding magnifications of greater than 200 000-fold.

The hundreds of uncooked photos should then be compiled, organized, and analyzed. Every reverse-engineering lab has its personal approach of going concerning the job. It was once that each one the pictures obtained printed out and taped collectively right into a photomosaic, onto which engineers would hint particular person alerts with Magic Marker.

A photomosaic of a easy gadget with massive design options may cowl a big desk. However a extra sophisticated gadget may span the size and breadth of a good-sized convention room. “I believe our file was 80 toes [25 meters] throughout,” Ludlow recalled. “And that was simply a part of a chip.” This methodology obtained to be particularly unwieldy when sign pathways needed to be traced down by 5, six, and 7 layers.

To save lots of put on and tear on the engineers, the method was automated. Chipworks not depends on photomosaics; as a substitute it has developed a proprietary desktop circuit-tracing system, generally known as the design evaluation workstation (DAW). With it, the engineer identifies sign paths on display screen, somewhat than throughout the ground, and might effortlessly flip forwards and backwards between gadget layers.

Within the case of Ottawa-based Semiconductor Insights Inc., the most important of the reverse-engineering labs, the innovation is named CircuitMiner, an automatic picture recognition instrument that takes scanning-electron-microscope photos after which generates a tough circuit structure. Each CircuitMiner and DAW are particularly time-efficient on auto-routed gadgets the place the logic is separated throughout the chip. “Tracing alerts that run in every single place may be irritating for a human to do,” famous Ed Keyes, chief expertise officer at Semiconductor Insights. “However the machine would not care. It would not get drained, and it would not ask for a elevate.”

The final stage is to provide a last report for the shopper, highlighting any novel options. A typical mission prices from $10 000 to $50 000, however a six-month-long full-circuit extraction can go as excessive as a quarter-million {dollars}.

Naked bare chips

Even those that make chips for a dwelling are bowled over by how a lot a reliable reverse-engineering lab can uncover. “I used to be visiting a shopper in Tokyo and exhibiting him a few of our reviews,” recalled Derek Nuhn, normal supervisor of Semiconductor Insights. “On the finish, he simply sat again and mentioned, ‘Ah, my circuits are bare now.’ “

To make certain, all or almost all that Semiconductor Insights and the opposite reverse-engineering companies do might be performed by the R&D divisions of enormous chip-makers, who will sometimes have available the identical varieties of apparatus and experience, to be used in refining their very own merchandise and retaining tabs on others’. So in a way, these in-house teams current the largest competitors to the unbiased labs, in keeping with Julia Elvidge, Chipworks’ vp of promoting and gross sales. Because it seems, although, these identical divisions are additionally amongst their greatest purchasers.

The primary distinction between the in-house teams and the surface labs is one in every of specialization. “Realistically, our purchasers must be utilizing their engineering expertise to design and develop new merchandise,” Semiconductor Insights’ Nuhn argued. “And we are able to provide the details about their competitors and assist their authorized departments.”

In line with Nutter, one in every of his firm’s purchasers not too long ago estimated that the chance value of pulling a senior engineer off a mission for a 12 months would run him about $1 million. Against this, Nutter mentioned, “we’re all the time out there. Once they say ‘leap,’ we are able to say ‘how excessive?’ “

Jan Bissey, who heads the competitor evaluation group at Micron Know-how Inc., Boise, Idaho, mentioned his six-person staff handles “focused circuit extractions” on choose items of an IC. However he makes use of Chipworks when he wants a full chip schematic report, which runs him about $70 000. Tackling that type of job in-house would value about two to 3 occasions as a lot, he estimates. “They’ve automated monitoring software program to hint alerts. I exploit sheets of acetate and coloured markers.”

Sure, however is it authorized?

“I like to inform those that what I do is spying,” Bissey added. “And it is all authorized.” The legitimacy of reverse engineering was established within the standard-setting Semiconductor Chip Safety Act, which the U.S. authorities adopted in 1984 and to which most industrialized nations now subscribe. Particularly, it permits reverse engineering of business semiconductor merchandise for “instructional functions.”

Learning the competitors truly accelerates the expansion of an trade as an entire, contended Chipworks’ Ludlow. “Folks aren’t making the identical errors their opponents make,” he mentioned. “They are not losing time reinventing issues.” He pointed to Superior Micro Units Inc.’s fabled reverse engineering of Intel’s 386 microprocessor within the late Nineteen Eighties, which allowed the Sunnyvale, Calif., firm to match the Intel chip’s features with out treading on protected expertise. “It put them within the microprocessor enterprise,” Ludlow mentioned.

There are authorized limits, although, to how far reverse-engineering companies might go. For one factor, the U.S. Financial Espionage Act of 1996 criminalizes the theft of commerce secrets and techniques. So reverse-engineering companies should rigorously display screen purchasers, analyze solely merchandise purchased on the open market–no prototypes or stolen samples, please–and in any other case strive to make sure that the request is legit. Taeus’ Web page spells it out: “We won’t assist, condone, help or help any group who might have the looks of taking part in industrial espionage.”

The assertion is extra than simply window dressing. Throughout its first few years of enterprise, Semiconductor Insights was employed to have a look at a wise card utilized by the UK satellite tv for pc tv service Sky TV, whose dad or mum is British Sky Broadcasting Group PLC, Isleworth. The playing cards plugged into set-top packing containers and recorded how a lot viewing time customers bought. The shopper claimed to be in the identical enterprise, however in truth was feeding the info, full with software program encryption keys, to an organization promoting unlawful clones of the Sky TV playing cards. Each time Sky TV modified its encryption code, the shopper had the cardboard reverse-engineered anew. After a number of such rounds, Semiconductor Insights turned suspicious and dropped the mission. However in a subsequent legal investigation, the shopper was discovered responsible and given a four-year jail time period, and Semiconductor Insights needed to pay a CAN $125 000 high-quality.

“It simply emphasised that there is a motive reverse engineering has a unfavourable connotation,” Nuhn mentioned. “You must watch out.”

To its credit score, Semiconductor Insights turned the expertise right into a worthwhile, and above-board, a part of its business–namely, serving to banks, bank card issuers, and good card distributors shore up the safety of their good card merchandise. The corporate does that by seeing how simple, or laborious, it’s to hack into the playing cards’ embedded microprocessor and reminiscence chips. (Nonetheless cautious of the potential for abuse, the corporate now stows its good card samples in a locked windowless room, identified to workers as “the vault.”)

SI’s work has been “very integral to our actions,” mentioned Ken Ayer, chip card safety director at Visa Worldwide, in Foster Metropolis, Calif. “In the event that they inform us, ‘There is a theoretical option to hack into the cardboard nevertheless it’s extraordinarily troublesome,’ then that is most likely fairly safe.” The purpose, he mentioned, is to make the gadgets tamper-resistant however nonetheless inexpensive. Safety precautions have gotten much more vital with the pattern towards so-called open platform playing cards, onto which functions could also be downloaded after the cardboard is issued. However that flexibility is offset by higher vulnerability to pc viruses.

Satan’s within the particulars

One factor that those that do reverse engineering will let you know again and again is that they love attending to work with state-of-the-art expertise. There’s the “aha!” of discovering simply how an organization pulled off an revolutionary scheme, or determining {that a} gadget’s marketed function falls wanting the mark. It is the identical type of tinkering that leads many kids to pursue science or engineering careers within the first place. (The identify Taeus initially stood for “take aside every little thing below the solar.”)

There’s additionally a sure voyeuristic thrill in attending to see stuff hidden from all however a number of. An instance is chip artwork, the whimsical drawings or messages that designers etch into their creations. [see ” For the fun of it…”.]

Reverse engineering also can present a peek at new applied sciences that an organization could also be making an attempt out. “One chip we’re studying now, an S-DRAM, has complete blocks of unused circuitry, the place the enter and outputs are all grounded,” defined Semiconductor Insights engineer Siva Manoharan. The designers “have been clearly utilizing [the circuitry] for one thing. We have now a tough concept what that was.” That in flip might provide a clue to an organization’s subsequent technology of gadgets, info that SI’s purchasers are solely too pleased to find out about.

“You’ll be able to nearly see the persona of the designers,” added Nuhn. “What they have been assured about, and the place they have been insecure and so constructed a workaround.”

To catch a thief

As a countermeasure towards unlawful copying, chip designers typically insert traps of their layouts, maybe a block of circuitry that appears actual sufficient however serves no operate, or a digital watermark in embedded code. A cloner would unwittingly copy the pretend stuff together with the actual.

It isn’t foolproof, to make certain. Again within the late ’70s, chipmaker Mostek (since taken over by SGS Thomson Microelectronics) designed its MK4116 DRAMs with two-step contacts. A few of the contacts, although, have been dummies and went solely midway down. A copier who put an actual contact there would cripple the chip. After a number of generations of DRAM, Mostek switched to utilizing one-step contacts–but forgot to delete the dummies. Solely after product yields dropped out of the blue to zero did it bear in mind.

Neither is deliberate entrapment the one technique of recognizing counterfeits. Two years in the past, a Japanese firm was determined to search out out who was cloning its online game cartridges. Every cartridge was constructed round a proprietary IC, on which the sport software program was saved. In some way, maybe by reverse engineering, maybe by direct theft, the cloners had gotten maintain of the chip design.

Working with a set of the sport cartridge clones, engineers at Semiconductor Insights cross-sectioned and delayered them, after which in contrast the outcomes to comparable gadgets of their intensive library. No two wafer fabrication vegetation will execute the identical design in precisely the identical approach. One fab might devise a option to skip a masks step, to chop prices. The transistors might have an uncommon form or configuration. A particular font could also be used to label the die. All these variations add as much as a type of silicon fingerprint.

From its evaluation, Semiconductor Insights was capable of pinpoint the foundry the place the chips had been made. Confronted with the findings, the foundry contended that it had no concept the chips have been clones, however agreed to cease making them.

For authorized causes, Semiconductor Insights will not reveal the names of the sport maker, foundry, or counterfeiter. Certainly, the overwhelming majority of purchasers who rent Semiconductor Insights, Chipworks, and the remainder favor to stay nameless. Previous and current SI clients embrace 27 of the highest 30 semiconductor producers on the planet, mentioned Nuhn, in addition to mental property regulation companies, and the U.S. and Canadian governments. “It is all people’s little secret,” is how he places it. “I can stroll into [an industry] assembly and acknowledge almost all people within the room. However I do know higher than to go up and say ‘Hello.’ “

Due to his purchasers’ insistence on confidentiality, “I am unable to let you know squat concerning the bulk of our enterprise,” mentioned Nutter of Taeus, with typical bluntness. The truth is, few individuals who work for the corporate are aware about that info. Taeus is structured with a “digital headquarters,” which oversees a handful of full-time technical individuals primarily based in Colorado and a a lot greater and geographically dispersed community of consultants. On any given mission, specialists shall be introduced in as needed–a little bit of high-resolution images right here, some electron microscopy there. However solely the mission chief is aware of the complete scope of the work and the shopper’s identify.

In protection of patents

Normal attitudes towards reverse engineering could also be loosening up, although, as extra corporations acknowledge its worth in defending patents. The truth is, the majority of the work that reverse-engineering homes tackle is expounded to mental property: uncovering situations of infringement, in addition to assessing an organization’s portfolio of patents, to identify these more likely to web the very best charges or that declare expertise more than likely for use by others.

Right here, the standard shopper is a producer making an attempt to hammer out a licensing settlement. In these discussions, mentioned Nutter, “you do not essentially get what you deserve–you get what you may negotiate.”

Ron E. Pyle, who heads up semiconductor-related mental property actions at Motorola Inc.’s Austin, Texas, facility, agrees. “Our licensing program is based on reverse engineering,” he mentioned. “If we have been to stroll into an intense negotiation with a competitor claiming infringement however with no proof, it actually is not going to go very far.” That was not all the time the case. Within the trade’s early days, basic patents have been distinctive sufficient that it was pretty simple to detect infringement, he mentioned. Right now’s patents cowl shades of distinction, like using a sure materials as a protecting layer in an IC. Solely the closest inspection will reveal infringement.

Most circumstances of infringement are inadvertent, he added. “For all its growth, the semiconductor trade remains to be pretty slender. We’re all shopping for the identical processing instruments from the identical distributors and utilizing comparable recipes…. The proprietor of mental property is principally the one that obtained there first.”

Finally, whether or not they’re serving to purchasers defend patents or measurement up the competitors, those that do reverse engineering consider their efforts are transferring the semiconductor enterprise ahead. As product lifecycles proceed to contract, “individuals are below super stress to innovate faster–they’re actually getting the screws put to them,” mentioned Nuhn. “In order that they depend on us to be an ear to the bottom, to establish what’s new and fascinating. We intention to present them some peace of thoughts.”

Index of gamers

Chipworks Inc.
Ottawa, Ont., Canada

Cochran Consulting Inc.
Richardson, Texas

Built-in Circuit Engineering Corp.
Scottsdale, Ariz.

Semiconductor Insights Inc.
Ottawa, Ont., Canada

Colorado Springs, Colo.

Supply hyperlink