Speakers

We are glad to host a wide variety of renowned speakers from academia and industry who are presenting on the diverse aspects of hardware reverse engineering. Please see below for an overview of the speakers (listed in alphabetical order) and the titles and abstracts of their talks.

Talks

An Integrated Circuit Backside Approach for Large Area Deprocessing with Chemically Assisted Focused Ion Beam Sputtering and Optical Metrology Feedback

Michael DiBattista

A dedicated system has been developed to uniformly sputter the interconnect layers of a semiconductor integrated circuit (IC) while measuring the process status by tracking the ultraviolet (UV) photon generation. The best method to large scale full chip delayering of advanced node semiconductors (14nm and smaller) is to approach the task from the substrate side of the device. The delayering workflow begins with precision mechanical thinning of the silicon substrate in package or separated die to below 5 microns of remaining silicon thickness (RST). In addition to enabling the visualization of the transistor structure very early in the deprocessing workflow, this also allows examination of the highest resolution and most important metal interconnects and vias first. In this process, a focused low kV argon ion beam is scanned across the sample surface in combination with surface water dosing to address challenges associated with sputtering heterogeneous surfaces like copper and silicon oxide.

The circuit interconnect and via layers can be sequentially removed using chemically assisted focused ion beam (FIB) sputtering in combination with characteristic ultraviolet photon collection for process endpoint monitoring. Ion sputtered materials generate photons with characteristic energies, such as copper (325 nm), silicon (250 nm), and aluminum (395 nm), that are easily measured. This technique was a well-established FIB technique and previously investigated for circuit editing applications. Water dosing hardware improvements over traditional FIB gas injection are employed to efficiently deliver the chemistry uniformly over large sample areas. The use of water during deprocessing enhances the UV photon generation, allowing for improved signal-to-noise during processing. The use of a large spot (200 µm) focused scanning argon beam also allows for the targeting of specific functional blocks in the device for intellectual property and forensic applications.

Data Extraction from Memory using Photon Emission Microscopy

Jean-Max Dutertre

Photonic Emission Microscopy (PEM) stands out among other side channel techniques as it can provide an attacker with a full view of the (otherwise hidden) internal operations of an integrated circuit. It has proven to be a useful failure analysis tool. However, it is a dual-use tool that can also be used for attack purposes. PEM can be carried out through the backside of an integrated circuit; the photons emitted by the target’s switching transistors travel well through the silicon substrate. The photons are then captured by an InGaAs (or CCD) camera to produce a photon emission map that reveals the location of the target’s active logic blocks. This makes PEM a powerful backside contactless observation tool with access to the entire target area. It can be used to locate points of interest to facilitate further hardware attacks (e.g., a laser fault injection attack), or even to extract confidential data (e.g., cryptographic keys). This talk will focus on describing how PEM can be used to extract data from a microcontroller’s embedded SRAM or Flash memories as they are written or read. The strong constraints and limitations of PEM are discussed and the mechanisms behind light emission in ICs are explained. The optical setup used and the operational characteristics of embedded MCU memories are described. It also aims to raise awareness of this threat by presenting realistic attack scenarios that overcome the limitations of PEM.

Decoding FPGA Routing Architectures with NetCracker

Mirjana Stojilovic

This talk introduces NetCracker, an open-source framework for analyzing and reverse-engineering FPGA routing architectures. NetCracker leverages readily available data from vendor CAD tools to facilitate combinatorial and statistical analyses of FPGA routing networks. Its modular design supports user-defined analysis passes, making it adaptable to diverse FPGA architectures and research applications.

Using NetCracker, we present a detailed analysis of the AMD/Xilinx 7-Series routing architecture, examining switch-box diversity, channel composition, and internal connectivity. We uncover key design patterns, such as the dominance of short-range connections and the absence of intermediate taps on many wire types—features that challenge traditional academic assumptions. We highlight unique routing configurations, including bidirectional long wires and unconventional diagonal connections, shedding light on architectural trade-offs that optimize routing efficiency and resource utilization.

This work bridges a critical gap between academic research and industrial practices by systematically exposing FPGA architectural details. It aims to inspire further research in hardware reverse engineering while supporting innovation in future FPGA architectures.

Deep Learning for Invasive Data Recovery from Flash Memories

Deruo Cheng

Flash memory is essential for storing vital data, including firmware, user information, and cryptographic secrets, in modern electronic devices. This makes data recovery from flash memories critical, particularly when existing non-invasive methods are inadequate. In this talk, we share an invasive Deep-Learning-based Data Recovery (DLDR) framework designed to recover binary bits at the memory cell level and reorganize them into word-level data. Our proposed DLDR framework employs deep learning models to recover bit values from microscopic images of the flash memory chip in the target device. By using a profiling device with similar circuitry, our framework obtains address and bit order information, enabling the reconstruction of recovered bits into word-level data with corresponding addresses. Experiments on an 8-bit microcontroller with 16KB flash memory demonstrate the effectiveness of our proposed DLDR framework.

Die-Polygon-Capturing: From Hobbyist Hack to Automated Reverse Engineering Tool

Quint van der Linden, Nevena Rankovic, Federico Zamberlan

Die-polygon-capturing (DPC) is a fascinating yet underexplored technique for microchip circuit extraction, rooted in the hobbyist hardware reverse engineering community. Despite its affordability, DPC has remained a manual, labor-intensive process. In this talk, we present a proof of concept for automating DPC using deep learning, bridging the gap between ingenuity and practicality in integrated circuit reverse engineering.

Our work draws on a unique dataset from the AMD 9085D microchip, an archival gem in hardware history. By applying deep learning and data augmentation, we achieved high segmentation scores, which could reduce the manual effort in DPC.

But it’s not without effort: expanding these methods to a broader range of chips requires creating a more diverse dataset. Join us as we explore the technical details, lessons learned, and broader implications of automating a technique born from the ingenuity of reverse engineering enthusiasts. If you’re curious about how deep learning can uniquely enhance microchip reverse engineering, this talk is for you.

Hardware Anti-Tampering and Data Integrity Protection

Carlos Lopez

An introduction to Hardware Anti-Tampering and Data Protection used in the 1980s and 1990s by the Satellite, Casino and Financial industry. The presentation will begin with some examples of early hardware requiring data integrity and protection in a high-risk environment. It features one of my first hardware reverse-engineering projects, where I reversed the logic of PLDs and then designed a product that interacted with that hardware, bypassing memory integrity. I will show how I secured my design with a security processor widely used in banking machines at the time.

The main presentation will be a reverse-engineering project where a custom ASIC used in a printer cartridge was fully reverse-engineered. This takes you through the steps of discovering unused bonding pads that are likely test pads; performing communications capture / sniffing and replay-type attacks on the ASIC in an attempt to understand the encrypted protocol; and imaging and de-layering multiple samples of the die to obtain a netlist. We overcame an issue where the die markings are the same but some of the metal layers are not, meaning we had to deal with differently formatted layers during netlist generation. The netlist was then turned into simulation code to understand some of the code. The simulation needed some memory to function.

We needed to read out a small flash memory to make the simulation function. We were able to use a Verilog simulation model to locate and disarm the active die protection, allowing FIB editing and probing of the data lines during power up. The test mode pin along with an embedded device was used to stimulate and read out the NV memory containing the key material. We could then communicate with the completed simulation as if it were the ASIC.

Hardware Assurance and Security for IoT Microcontrollers

Liu Qing

Microcontrollers in Internet of Things (IoT) devices often employ execute-only memory to safeguard critical firmware, such as Intellectual Property (IP) and system configuration functions. This security mechanism restricts external access to memory content, permitting only code execution. Additionally, user data stored in embedded memory is typically protected from unauthorized access. However, vulnerabilities in these security measures have been identified through advanced hardware assessment techniques, particularly invasive selective chemical engraving. Selective chemical engraving facilitates the extraction of data from charge-based memory by visualizing binary data through electrochemical reactions. This process distinguishes programmed cells (“0”) from erased cells (“1”) by forming HF-insolvable oxide layers on charged floating gates. The technique achieves a low error rate of 0.34% and, when combined with single error correction-double error detection algorithms, ensures 100% data recovery without requiring access to the original programmed data. To evaluate the efficacy of this method, the security of smartwatches storing sensitive information, such as application software and user health data in embedded Flash memory, was assessed. A comparison with a non-invasive method further provides a comprehensive understanding of memory organization and validates the accuracy of extracted data. These findings reveal the vulnerabilities in existing IoT microcontroller hardware assurance schemes and highlight the necessity of developing additional countermeasures to address security risks.

Hardware Trojan Attacks with PCBs: Theory and experimental evaluation

Dominik Klein

We revisit the question raised by the Bloomberg article “The Big Hack,” which alleged that printed circuit boards (PCBs) for server motherboards were manipulated by implanting additional chips. These modified PCBs were then supposedly used in cloud computing centers of major companies.

In this talk, we provide a brief overview of the supply chain to understand whether and how an attack utilizing PCB manipulation – such as the one described by Bloomberg – could be carried out. PCB-based attacks occupy a sort of “sweet spot” from an attacker’s perspective, as they are often easier to execute than manipulating chip designs, yet more difficult to detect than crude device tampering attempts.

We present experiments using (non-functional) devices to explore how such manipulations can be detected. Our primary focus is on detection through optical inspection and X-ray imaging. These techniques do not require in-depth knowledge of the functional behavior of a device, and thus have the potential to scale.

In particular, we investigate the feasibility of hiding chip dies within a PCB and under coils. Our findings illustrate that the choice of bond wire material significantly impacts detection probability. Specifically, we demonstrate that aluminum bond wires are best suited for hiding a stealth chip. Finally, we show that the backside of Ball-Grid Array (BGA) packages is particularly well-suited for concealing malicious implants. We illustrate all our findings with optical and X-ray images.

While we cannot assess the truthfulness of Bloomberg’s report, our analysis shows that the alleged manipulations are technically feasible and represent a plausible attack vector.

Hardware Trojan Threats to Cache Coherence in Modern 2.5D Chiplet Systems

Johann Knechtel

Industry is moving towards large-scale hardware systems that bundle processor cores, memories, accelerators, and so on, via 2.5D integration. These components are fabricated separately as chiplets and then integrated using an interposer as an interconnect carrier. This new design style is beneficial in terms of yield and economies of scale, as chiplets may come from various vendors and are relatively easy to integrate into one larger sophisticated system. However, the benefits of this approach come at the cost of new security challenges, especially when integrating chiplets that come from untrusted, or not fully trusted, third-party vendors.

In this work, we explore these challenges for modern interposer-based systems of cache-coherent, multi-core chiplets. First, we present basic coherence-oriented hardware Trojan attacks that pose a significant threat to chiplet-based designs and demonstrate how these basic attacks can be orchestrated to pose a significant threat to interposer-based systems. Second, we propose a novel scheme using an active interposer as a generic, secure-by-construction platform that forms a physical root of trust for modern 2.5D systems. The implementation of our scheme is confined to the interposer, resulting in little cost and leaving the chiplets and coherence system untouched. We show that our scheme prevents a range of coherence attacks with low overheads on system performance, ∼4%. Further, we demonstrate that our scheme scales efficiently as system size and memory capacities increase, resulting in reduced performance overheads.

Laser Frequency Mapping and Laser Voltage Tracing for Analysis of Embedded Memory Circuits

Samuel Chef

Embedded flash memory is a standard component of any modern microcontroller unit (MCU) that may store critical data such as application firmware, configuration, or user’s and application data. Content recovery may be required in some forensics analysis or physical assurance testing and evaluation. Previous work has demonstrated that it is possible to recover data through chemical engraving. While this approach enables the recovery of a large amount of data in a short period of time, it necessitates an intensive learning process for each newly analyzed device. This includes a phase of understanding the physical layout of the data in the memory array. The objective of physical data mapping is to find the matching between logical addresses and the physical location of bitcells in the memory array. As this may require the preparation of several samples programmed with different datasets, any additional information shortening the process is welcome. Various semi-invasive approaches to understand physical data mapping have been reported, including photon emission during write operations or a combination of laser fault injection and laser frequency mapping during read operations. However, as device scaling progresses, these are challenged by different factors that include voltage reduction, cell integration against optical resolution, or limited control over the device test loop. In this talk, we will discuss how laser-probing techniques such as laser frequency mapping (LFM) and laser voltage tracing (LVT) applied to circuits connected to the memory array (e.g., sense amplifier and column decoder) can enable the understanding of physical data layout by recovering different data-related patterns. Examples of application will be discussed on Cortex M33 and M7 microcontrollers.

RESEC: Contributing to Trusted Chip Design using Reverse Engineering Methods

Bernhard Lippmann

The RESEC (REconstruction of highly integrated SECurity devices) project is a comprehensive initiative that tackles the pressing concerns of malicious modification and intellectual property (IP) piracy in globally distributed supply chains. The primary goal of this project is to develop, verify, and optimize a complete reverse engineering process for integrated circuits manufactured in technology nodes of 40 nanometers and below. This talk highlights the significant contributions of the RESEC project in the areas of sample preparation, computer vision, and netlist analysis, thereby extending the state-of-the-art in hardware reverse engineering. The project results are expected to have a profound impact on the development and physical verification of trusted chips.

Revisiting Graph Neural Networks for Netlist Reverse Engineering

Simon Klix

As hardware designs grow increasingly complex and skepticism in global supply chains rises, there is a growing need for advanced tools in hardware security and reverse engineering. Graph Neural Networks (GNNs) have recently emerged as powerful tools for addressing these challenges and have been used in this context for a few years now, with possible tasks ranging from identifying modules in a gate-level netlist to detecting Trojans in a design. However, current approaches are often custom-fit solutions for specific tasks, require a lot of manual effort to set up, or are trained on non-public datasets, making it hard to reproduce results or adapt the training to new tasks and targets. To overcome these difficulties, we are developing an open-source framework that simplifies the setup of training pipelines for GNNs, targeting a range of tasks in netlist reverse engineering. These tasks include, but are not limited to, register identification, bit order reconstruction, and control logic identification. Additionally, we aim to provide a method for synthetically generating training data, allowing for training without tedious manual labeling. We plan to evaluate our trained models on real-world targets and develop tools to support automated netlist reverse engineering on complex netlists containing tens of thousands of gates. Trained models should be able to interlock with existing tools for netlist analysis, which is why we provide an interface to the open source netlist analyzer HAL, allowing users to easily integrate our GNNs into existing workflows and visualize the results. In this presentation, we introduce the methods we are using and showcase the current state of the project, including preliminary results and future directions.

Study of Front-Side Approach to Retrieve Stored Data in Emerging Non-Volatile Memory Devices Using CP-AFM

Tay Jing Yun

Emerging non-volatile memories (NVM), such as phase change memory (PCM), spin-transfer torque magnetoresistive random-access memory (STT-MRAM), and resistive random-access memory (RRAM), offer alternatives to conventional charge-based memories like Flash, SRAM, and DRAM. These NVM technologies store data as binary bits (‘1’ or ‘0’) based on the high or low resistance states of their resistance-change layers. While the ability to read back stored data has potential applications in digital forensics, it also raises significant security concerns due to the risk of unauthorized data retrieval. Conductive Probe Atomic Force Microscopy (CP-AFM) has been widely used to characterize resistive switching effects in test samples. However, its application to commercial devices has not been thoroughly explored. This study aims to bridge this gap by investigating the feasibility of using CP-AFM for data retrieval from a commercial 4 Mbit RRAM device, employing front-side sample preparation techniques. Since the resistive change layers of this RRAM device are integrated during the backend process of CMOS fabrication, these layers are easily accessible using the front-side approach. With precise control of sample preparation and AFM setup, programmed data can be retrieved through CP-AFM scanning for potential applications in digital forensics. This study also highlights the potential vulnerabilities of this type of RRAM device. Furthermore, the challenges and limitations of using the CP-AFM technique for data retrieval are discussed.

Training Hardware Hackers: Insights from the Trenches

René Walendy

At a time when securing digital devices is paramount—from consumer electronics to critical infrastructure—the demand for skilled cybersecurity professionals specializing in Hardware Reverse Engineering (HRE) is skyrocketing. Recognizing this need, the U.S. and EU have committed significant funding to build a cybersecurity-ready semiconductor workforce. But how well are our educational programs meeting this demand? And what can we, as a community, do to support the next generation of HRE professionals?

To dive deep into the state of HRE training, we conducted a survey at two leading events in the field: Hardwear.io USA 2023 and the HARRIS 2024 workshop. The survey, capturing the insights of 68 dedicated hardware enthusiasts with diverse expertise, reveals a striking reliance on independent and on-the-job learning over traditional academic routes, underscoring the potential for further development of formal education. To investigate the root cause of these survey results, we analyzed 13 relevant academic courses in hardware security. We discovered that the typical course structure of lectures and hands-on projects is effective. However, when comparing the content of existing courses to the needs identified in our survey, several important areas and threat models for HRE are underrepresented.

To meet the growing societal and industry demand, we advocate for the integration of HRE training into academic curricula. By fostering more structured, accessible, and standardized training programs, we can better equip future professionals with the critical skills needed to solve real-world security problems early on. Doing so will require a joint effort between academic educators and the hardware design and security communities, for example, by exploring ways to expose students to real-world industry problems. Let’s work together to build stronger bridges between academia and industry, giving future professionals a head start on a successful career in hardware security.

Trojan Insertion versus Layout Defenses for Modern ICs: Red-versus-Blue Teaming in a Competitive Community Effort

Johann Knechtel

Hardware Trojans (HTs) are a longstanding threat to secure computation. Here, we present a large-scale, first-of-its-kind community effort through red-versus-blue teaming that thoroughly explores the threat of fabrication-time HT insertion. Four independently competing blue teams of 23 IC designers in total had to analyze and fix vulnerabilities of representative IC layouts at the pre-silicon stage, whereas a red team of 3 experts in hardware security and IC design continuously pushed the boundaries of these defense efforts through different HTs and novel insertion techniques. Importantly, we find that, despite the blue teams’ commendable design efforts, even highly-optimized layouts retained at least some exploitable vulnerabilities.

Our effort follows a real-world setting for a modern 7nm technology node and industry-grade tooling for IC design, all embedded into a fully-automated and extensible benchmarking framework. To ensure the relevance of this work, strict rules that adhere to real-world requirements for IC design and manufacturing were postulated by the organizers. For example, not a single violation of timing and design-rule checks was allowed for defense techniques. Besides, in an advancement over prior art, neither red nor blue teams were allowed to use any so-called fillers and spares for trivial attack or defense approaches.

Finally, we release all methods and artifacts: the representative IC layouts and HTs, the devised attack and defense techniques, the evaluation metrics and setup, the technology setup and commercial-grade reference flow for IC design, the encompassing benchmarking framework, and all best results. This full release enables the community to continue exploring this important challenge for hardware security, in particular to focus on the urgent need for further advancements in defense strategies.

Unveiling Sensitive Data through Optical Scan Chain Probing

Tuba Kiyan

Design for Test (DfT) techniques, such as scan chains, enhance the observability and control of a circuit’s behavior during runtime. However, these techniques also introduce significant security vulnerabilities, creating an attractive attack surface that can compromise the entire security framework of the Device under Test (DuT). As technological advancements continue and complexity grows, the dependence on DfT techniques increases to meet the accelerated time-to-market requirements of modern ICs. This creates a crucial trade-off between the testability of Integrated Circuits (ICs) and their physical security. In this study, we demonstrate that sensitive data can be extracted from registers by identifying their locations on the chip and exploiting DfT structures through optical probing—specifically targeting scan chains—even when test mode access is restricted. Additionally, we show that an obfuscated scan chain architecture can be fully reconstructed using standard tools and techniques from the Failure Analysis (FA) domain.

What's inside your industrial black-box component? Let's analyze some micro-architectural signals!

Lucas Georget

With the growing complexity of systems, design phases increasingly rely on the interaction of several industrial actors. This makes it more difficult, especially at the hardware level, for an end-user to know what is being inserted at each stage, even for very specific needs, and can be a blocking point for revising the system later on.

In terms of security, using a high level of abstraction alone does not protect against several attacks or malicious acts that exploit the target’s low-level characteristics. Since only third parties know the implementation details of the component for which they are responsible, there is an increasing need for direct monitoring of signals coming from the micro-architecture to cover attacks targeting this layer. Suppliers may, intentionally or not, produce a component that is vulnerable to attacks against the micro-architecture. To detect attacks at this level, we propose a mechanism to extract a large set of signals and select the most relevant ones to study the behavior of industrial-type systems. These systems often have small processors with lightweight operating systems, sometimes with real-time constraints.

To simulate various such systems, we have built an FPGA platform for continuous monitoring of the micro-architectural signals, based on LiteX, with different choices of parameters such as CPUs and peripherals. Our work extends the MATANA framework, which enables run-time detection of Cache Side-Channel and Return-Oriented Programming attacks. We are also extending the framework to support hardware trojans targeting industrial systems, with automated insertion tools. Experiments are designed for high bandwidth data transfer to a host computer.

libLISA: Instruction Discovery and Analysis on x86-64

Jos Craaijo

Even though heavily researched, a full formal model of the x86-64 instruction set is still not available. We present libLISA, a tool for automated discovery and analysis of the ISA of a CPU. This produces the most extensive formal x86-64 model to date, with over 118 000 different instruction groups. The process requires as little human specification as possible: specifically, we do not rely on a human-written (dis)assembler to dictate which instructions are executable on a given CPU, or what their in- and outputs are. The generated model is CPU-specific: behavior that is “undefined” is synthesized for the current machine. Producing models for five different x86-64 machines, we mutually compare them, discover undocumented instructions, and generate instruction sequences that are CPU-specific. Experimental evaluation shows that we enumerate virtually all instructions within scope, that the instructions’ semantics are correct w.r.t. existing work, and that we improve existing work by exposing bugs in their handwritten models.

Schedule version: 0.1