Physical attacks form one of the most severe threats against secure computing platforms. Their criticality arises from their threat model: for example, passively measuring an integrated circuit's (IC's) environment during a security-related operation may disclose internal secrets. Furthermore, by actively disturbing the physical runtime environment of an IC, an adversary can cause a specific, exploitable misbehavior. The set of physical attacks consists of techniques that apply either globally or locally. Compared to global techniques, local techniques exhibit a much higher precision and therefore have the potential to be used in advanced attack scenarios. However, using physical techniques with additional spatial dependency expands the parameter search space exponentially. In this work, we present and compare two techniques, namely laser logic state imaging (LLSI) and lock-in thermography (LIT), that can be used to discover sub-circuitry of an entirely unknown IC based on optical and thermal principles. We show that the time required to identify specific regions can be drastically reduced, thus lowering the complexity of physical attacks requiring positional information. Our case study on an Intel H610 Platform Controller Hub showcases that, depending on the targeted voltage rail, our technique reduces the search space by around 90 to 98 percent.