Last month’s Name that Ware demonstrates that even though non-destructive IR imaging is not capable of resolving an individual bit cell, at least at 22nm it is still possible to constrain the number of bits in an SRAM macro.
An important step in establishing trust in a computer is measuring all of its state and confirming that nothing is amiss. A typical trusted boot would make a point of zeroing and/or patterning & hashing all the known bits of memory in a system. This process helps constrain the amount of malicious or foreign code that could be hiding in the system.
Physical measurements are important because it’s possible for designers to “hide” memory from this check. For example, inserting a few kilobytes of RAM into a chip the size of the Baochip-1x would not affect the die size. Likewise, its impact on power consumption would be indistinguishable from offsets due to normal manufacturing tolerances. Furthermore, the presence of the RAM can be masked from a pure software inspection by gating it off using a “secret knock” register that only activates the memory when challenged with a correct sequence of words. This makes it practically impossible to discover hidden memories with a brute force address space scan. Such a memory would evade security measurements, and thus makes a useful primitive for staging malicious operations.
IR imaging can place an upper bound on how much SRAM is on a chip. This allows end users to check that all the RAM claimed to be in an open-RTL system (such as the Baochip-1x) matches what was actually fabricated. This in turn puts strong bounds on certain security operations, such as zeroing and/or measuring the state of all known RAM bits in a system.
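The pattern-and-hash measurement described above, sketched as an added example (not code from the Baochip-1x or from this post). The ram_region_t descriptor, the FNV-1a stand-in hash and the sample regions are assumptions; note that the routine can only cover regions named in its memory map, which is why the physical bound on RAM matters.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical descriptor for one RAM region declared in the memory map. */
typedef struct { uint32_t *base; size_t words; } ram_region_t;
#define FNV_OFFSET 0xcbf29ce484222325ULL
#define FNV_PRIME  0x100000001b3ULL

/* FNV-1a is a stand-in here; a real measurement would use a cryptographic hash. */
static uint64_t fnv1a_word(uint64_t h, uint32_t w) {
    for (int i = 0; i < 4; i++) { h ^= (w >> (8 * i)) & 0xff; h *= FNV_PRIME; }
    return h;
}

/* Address-dependent pattern (xorshift of seed, region and index): each word in
 * a region differs, so stuck bits and aliased addresses fail the read-back. */
static uint32_t pattern(size_t region, size_t idx, uint32_t seed) {
    uint32_t x = seed ^ (uint32_t)(region * 0x9e3779b9u) ^ (uint32_t)idx;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return x;
}

/* Pass 1 fills every declared region; pass 2 reads back, verifies and hashes.
 * Filling everything first exposes regions that alias each other.
 * Returns 0 and stores the digest, or -1 on the first mismatch. */
int measure_ram(const ram_region_t *r, size_t n, uint32_t seed, uint64_t *digest) {
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < r[i].words; j++)
            ((volatile uint32_t *)r[i].base)[j] = pattern(i, j, seed);
    uint64_t h = FNV_OFFSET;
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < r[i].words; j++) {
            uint32_t v = ((volatile uint32_t *)r[i].base)[j];
            if (v != pattern(i, j, seed)) return -1;
            h = fnv1a_word(h, v);
        }
    *digest = h;
    return 0;
}

int main(void) {
    /* Constructed stand-ins for two declared RAM macros of 1024 x 32 bits. */
    static uint32_t ram0[1024], ram1[1024];
    ram_region_t map[] = { { ram0, 1024 }, { ram1, 1024 } };
    uint64_t d = 0;
    int rc = measure_ram(map, 2, 0x1234u, &d);
    printf("rc=%d digest=%016llx\n", rc, (unsigned long long)d);
    return rc;
}
```

Any memory outside the map is left unwritten and unhashed, so the digest says nothing about it.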
The good news is that a simple physical measurement through IR inspection thoroughly eliminates the possibility of extra RAM macros in a system, as such a block would be observable even by the most entry-level home IRIS setup: the smallest blocks of RAM are gigantic compared to the resolution of an IR scan. The number of claimed blocks should strictly line up with the number shown in the source code, as it does in the case of the Baochip-1x.
That being said, it’s worth asking if an attacker could “just make a few bytes of RAM in a subtle way” or perhaps “just insert an extra row or column” in an existing macro. To understand the answer to this question better, let’s take a deeper look at the structure of an SRAM macro.
How to Read SRAM Macros
The image above shows some details on the “rdram1kx32” RAM macro (“Macro D” from the competition) that makes up the data cache elements for the RV32 in the Baochip-1x. From the source code, we can see that this is a dual-port (1r/1w) RAM, organized as 1024 x 32 bits. I’ve rotated the RAM macro so that it’s in canonical “textbook” orientation, such that the columns go vertically and the rows go horizontally. When looking at a micrograph like this, generally speaking, lighter areas are metal-heavy, and darker areas are transistor-heavy. The transistor-heavy RAM arrays correspond to the eight dark rectangles on either side of a central spine.
Such a central spine is a common motif in circuit design. Splitting circuits in half reduces the maximum wire length by half, compared to sticking all the drive circuits on one side. Circuits work equally well when laid out in mirror-image, thus allowing techniques like this to achieve perfect symmetry around a central axis.
I’ve labeled some of the macroscopic features of the RAM. Along the center of the macro, you can see two banks of address decoders. You can use this structure as a “tell” for whether you’re looking at a single or dual port RAM macro. The bottom edge has the column sense amps & drivers. Each column shares circuitry across 4 bits, so their pitch is quite wide and thus visible even at IR wavelengths. Here you can readily count the number of bits in each half of the macro, 16 on each side, giving us a total of 32 bits.