Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!utgpu!water!watnot!watmath!clyde!rutgers!ames!ucbcad!ucbvax!ji.Berkeley.EDU!holmer
From: holmer@ji.Berkeley.EDU.UUCP
Newsgroups: comp.lsi,comp.arch
Subject: (inquiry) Reverse engineering and protection of chips
Message-ID: <18296@ucbvax.BERKELEY.EDU>
Date: Mon, 13-Apr-87 15:52:23 EST
Article-I.D.: ucbvax.18296
Posted: Mon Apr 13 15:52:23 1987
Date-Received: Wed, 15-Apr-87 01:15:16 EST
Sender: usenet@ucbvax.BERKELEY.EDU
Reply-To: holmer@ji.Berkeley.EDU (Bruce K. Holmer)
Distribution: world
Organization: University of California, Berkeley
Lines: 62
Xref: utgpu comp.lsi:82 comp.arch:856

********************************************************************************

For a class presentation I will be talking about protection of
semiconductor chip designs.  I would like people to tell about their
experiences with reverse engineering and/or trying to prevent reverse
engineering.  It seems that much is known about this topic, but very
little of it is written down.

Specific topics that I'm interested in include:

How is a chip reverse engineered?  I know about taking
microphotographs, but I need specific info.  For instance:

    What colors do the different layers show up as?

    Is it practical to etch (or mechanically polish) away layers to
    see the deeper layers?

    During the testimony before Congress for the SCPA Tom Dunlap said:
    "When there is a legitimate job of reverse engineering, there is a
    very big paper trail, ... there's computer simulations, there's
    all kinds of time records, people who have spent an enormous time
    understanding and figuring out how to make that design."
    What kind of computer simulations is he talking about?  Spice runs?

How do you design a chip so as to slow down or stump a reverse
engineer?  For instance:

    Use non-manhattan geometry (e.g. round transistors, lots of
    zigzags).

    Put in lots of extra junk to hide the real function of the
    circuit.

    Hide stuff in buried layers (e.g. buried contacts or deposit
    extra oxide layers to hide things).

    Lots of jumping from layer to layer (for interconnect lines).

    Extreme case--chip self-destructs when you tamper with it.

Legal aspects of reverse engineering.  Richard Stern has written quite
a bit about this--his column in IEEE Micro and his book "Semiconductor
Chip Protection."

How does one reverse engineer fuse programmable PALs (especially the
large MegaPals) or the new RAM based logic chips?

I've read about Dallas Semiconductor's new microcontroller (DS5000)
that has a data encryptor to protect the control program in the
on-chip RAM.  What encryption algorithm is used?

I'm also interested in stories and anecdotes concerning this topic.

Anything that is sent to me that is not posted to the net I will
summarize in a future posting.

Thank You,

Bruce Holmer
holmer@ji.Berkeley.EDU