Speakers
We are glad to host a wide variety of renowned speakers from academia and industry who are presenting on the diverse aspects of hardware reverse engineering. Please see below for an overview of the speakers (listed in alphabetical order) and the titles and abstracts of their talks.
List of Speakers
- Nicole Auth, Bundeskriminalamt, Germany – Improving Large Area Delayering using Local Mechanical Manipulation
- Shivam Bhasin, Temasek Labs, Nanyang Technological University, Singapore – Out of Order, Not Out of Reach: Reality Check on AES Side-Channel Attacks on ARM Cortex-A72
- Deruo Cheng, Nanyang Technological University, Singapore – SAMSEM – A Generic and Scalable Approach for IC Metal Line Segmentation
- Kolja Dorschel, Max Planck Institute for Security and Privacy, Germany – Hardware Trojans from Invisible Inversions: On the Trojanizability of Standard Cell Libraries
- Paul Fischione, E. A. Fischione Instruments, Inc., USA – Automated Large-Area Argon Ion Beam Delayering with Nanometer-Scale Planarity
- Sven Freud, Bundesamt für Sicherheit in der Informationstechnik, Germany – LFI as Hardware Reverse-Engineering Tool
- Christian Gehrmann, Max Planck Institute for Security and Privacy, Germany – SAMSEM – A Generic and Scalable Approach for IC Metal Line Segmentation
- Nicholas Hassan, University of Adelaide, Australia – CPU Microscopy and Reverse Engineering on a Budget
- Marek Jemelka, NenoVision s. r. o., Purkynova 649/127, Brno, Czechia – Advanced Semiconductor Failure Analysis using in-situ AFM-in-FIB/SEM
- Zehra Karadağ, Ruhr University Bochum, Germany – From Silicon to Netlist: Systematizing Two Decades of Research on IC, FPGA, and Netlist Reverse Engineering
- Dominik Klein, Bundesamt für Sicherheit in der Informationstechnik, Germany – LFI as Hardware Reverse-Engineering Tool
- Simon Klix, MPI-SP, Germany – The Future of Netlist Reverse Engineering Tooling
- Olena Kulyk, REATISS TOV, Ukraine – Accelerate and Improve Circuit Extraction Reliability by Vector Data Optimization Efficient on Advanced Technology ICs
- Bernhard Lippmann, Infineon, Germany, Italy – Assessment of a Real World Analysis Project in 40 nm Technology
- Thorben Moos, UCLouvain, Belgium – The Cloneless Series of Open-Source ASICs for Attack-based Security Evaluation
- Bradley Morgan – CPU Microscopy and Reverse Engineering on a Budget
- Samuel Pagliarini, Carnegie Mellon University, USA – REPQC: Reverse Engineering and Backdooring Hardware Accelerators for Post-quantum Cryptography
- Yashan Peng, JIACO Instruments, the Netherlands – Precision Sample Preparation of Advanced Packages Using Atmospheric Microwave-Induced Plasma for Hardware Reverse Engineering and Security Assessment
- Jan Sebastian Götte, TU Darmstadt, Germany – Tamper-Sensing Meshes in the Wild
- Julian Speith, MPI-SP, Germany – The Future of Netlist Reverse Engineering Tooling
- Yaroslav Stovbovenko, REATISS sp. z o.o., Poland – Accelerate and Improve Circuit Extraction Reliability by Vector Data Optimization Efficient on Advanced Technology ICs
- Shi Yiqiong, Nanyang Technological University, Singapore – Retrieval-Augmented Generation (RAG)-powered Large Language Model (LLM) system for Recovered IC Netlist Analysis
- Andrew Zonenberg, IOActive, USA – Anti-RE Countermeasures in a Real Secure Element
Talks
Accelerate and Improve Circuit Extraction Reliability by Vector Data Optimization Efficient on Advanced Technology ICs
Hardware reverse engineering for IC circuitry analysis is a multi-stage process that includes sample preparation, SEM imaging, image processing and vectorization, circuit extraction and analysis. As modern technology shrinks die feature sizes and increases the number of metallization layers, it significantly complicates not only sample preparation and imaging but also greatly increases the volume of data to be processed during circuit extraction.
When processing large areas of ICs built on advanced technology nodes, it is extremely difficult to locate and mitigate the errors caused by artefacts and other process inaccuracies, which lead to the appearance of false contacts, phantom short circuits, or wire interruptions. The presentation addresses a method to reduce these errors while accelerating and improving the reliability of their identification and handling.
During circuitry extraction the processing of large areas of the die generates a significant amount of geometric data obtained via vectorization; to simplify and accelerate subsequent analysis, respective vectorized data optimization techniques are applied. The presentation will also explore specific applications of AI, as well as opportunities to considerably reduce cycle time for extracting circuits from both digital and mixed-signal blocks.
Advanced Semiconductor Failure Analysis using in-situ AFM-in-FIB/SEM
As the semiconductor industry moves toward advanced nodes and complex 3D architectures, traditional Failure Analysis (FA) workflows often fall short due to time-consuming inter-instrument transfers, environmental contamination risks, and poor contextual continuity and spatial resolution. To address these limitations, we introduce a correlative, in-situ methodology that integrates Atomic Force Microscopy (AFM) directly into the vacuum chamber of a Scanning Electron Microscope (SEM) or Focused Ion Beam (FIB) platform.
This work particularly focuses on the combination of plasma FIB (PFIB) delayering with subsequent in-situ Conductive AFM (C-AFM) analysis performed under consistent vacuum conditions. The dual-beam configuration enables real-time switching between milling and probing modes, eliminating contamination risk. As a result, reproducible current and I/V spectroscopy measurements are acquired at identical regions of interest (ROI) across device layers.
The workflow is demonstrated on 3D NAND memory cells, where sub-50 nm features were probed without compromising the surface integrity. After deposition of a protective tungsten layer using a gas injection system, PFIB delayering was performed while the AFM probe was retracted to prevent material redeposition. Automated navigation based on SEM imaging and compatible navigation files enabled precise positioning of the AFM tip at the ROI, followed by sequential SEM and C-AFM imaging. This process was repeated to obtain depth-resolved electrical information from the same device. The introduced in-situ approach enables efficient and reliable correlation of structural and electrical properties and is particularly beneficial for FA of complex devices such as SRAM, logic structures, vias, and interconnects. Ongoing developments, including electron-beam induced C-AFM [1], further extend the analytical potential of this methodology for advanced semiconductor FA.
We would like to thank Libor Strakos from Thermo Fisher Scientific, Brno, and Umberto Celano from Arizona State University for their support.
Anti-RE Countermeasures in a Real Secure Element
In this talk, we present a case study of various defensive measures we encountered during an ongoing research project targeting a widely deployed, though older generation (180nm), secure element from a major vendor.
Well over a hundred unique library cells were reverse engineered, ranging from simple NAND/NOR gates with a range of drive strengths to clock gating cells, latches, scan chain flipflops, and more. Several distinct cell libraries were found in different parts of the device, which may point to these modules having been developed by different engineering teams, or that they are third party hard IP blocks.
Many different protection mechanisms were identified including front side active mesh, internal memory address and data bus scrambling, and deliberately convoluted routing passing through many buffer cells to obfuscate the ultimate destination of the signal. We discuss the effectiveness of these countermeasures and how difficult or time-consuming we found each to overcome.
Assessment of a Real World Analysis Project in 40 nm Technology
This work presents a case study of a recent reverse-engineering analysis project. Our analysis targets IP characterization, cost modeling, and circuit extraction.
After introducing the sample’s provenance and use context, we outline a workflow that integrates sample preparation and multimodal imaging (optical microscopy and SEM). We highlight practical delayering constraints—area limits during delayering that left some regions inaccessible. We demonstrate the impact of particle contamination, film inhomogeneities, and over- and under-etching on fidelity, yield, and schedule. To manage scope and cost, we adopt a scalable hybrid pipeline combining computer-vision-assisted recognition with targeted manual digitization, producing a hierarchical circuit description suitable for architectural analysis rather than full netlist reconstruction.
Results include identification of key functional blocks, interconnect strategies, and process fingerprints, alongside an empirical cost curve for partial versus comprehensive imaging and extraction. We conclude with lessons learned on accuracy-effort trade-offs—where automation delivers value, where expert intervention is essential, and how physical realities at 40 nm shape feasibility, timelines, and budgets. The session closes with implications for chip designers on selecting techniques for future analyses, and reflections on responsible practice in reverse engineering.
Automated Large-Area Argon Ion Beam Delayering with Nanometer-Scale Planarity
We present a new instrumentation for automated argon ion beam delayering of semiconductor devices that achieves nanometer-scale surface uniformity over millimeter-scale areas [Model 1064 ChipMill, Fischione Instruments]. Conventional delayering methods, including FIB and mechanical polishing, are limited by small processing areas, insufficient uniformity for thin layers (<200 nm), and potential sample damage. The presented system enables uniform delayering across areas up to 10 mm in diameter, providing high-quality surfaces for imaging and electrical characterization. The instrument integrates a high-vacuum argon ion source (up to 10 keV) with a scanning electron microscope (SEM), backscattered electron detector (BSE), secondary electron detector, energy-dispersive X-ray spectroscopy (EDS), and an optical camera for in situ monitoring. A closed-loop feedback algorithm collects BSE images and EDS maps across the delayered area, calculates surface uniformity, and then dynamically adjusts the ion milling parameters to maintain nanometer-level planarity – independent of layer composition or device geometry. Demonstration on an Apple A12 processor achieved surface uniformity within ±20 nm over a 5 mm diameter area and exposed multiple metal and dielectric layers in a single delayered plane. Critical subcomponents – including central processing unit, neural processing unit, caches, and interconnects – were clearly resolved, enabling detailed layer-specific analysis and vertical interconnect characterization. This instrumentation provides a reproducible, scalable platform for large-area delayering and supports layer-resolved electrical probing, failure analysis, and reverse engineering of complex, multi-level semiconductor hardware. It enables uniform material removal and nanoscale surface flatness for advanced device analysis.
CPU Microscopy and Reverse Engineering on a Budget
Physical reverse engineering of modern integrated circuits (ICs) is a critical technique in hardware security research. It enables analysis of undocumented functionality, firmware integrity, and trust assumptions at the hardware-software boundary. Aside from requiring access to a scanning electron microscopy (SEM) facility, the key step in this process is the physical preparation of the IC die prior to imaging. This preparation typically involves access to expensive and niche equipment such as a focused ion beam (FIB), a CNC mill and/or chemical-mechanical polishing (CMP) tooling.
In this talk, we detail low-cost sample preparation workflows for IC reverse engineering in lieu of access to such specialised equipment. We provide a methodology for extraction of masked read-only memory (ROM) from modern CMOS processors with a minimal budget. We share cheap yet robust approaches for sample preparation, along with image post-processing techniques on SEM images.
We successfully demonstrate extraction of masked ROM bits from the microcode section of 14nm FinFET AMD Zen-based CPU dies using mechanical delayering and selective chemical etching as alternatives to traditional FIB-heavy workflows. Our evaluation of the workflows considers layer selectivity, surface planarity, and reproducibility, drawing attention to failure modes commonly encountered when operating outside an extensive laboratory environment, i.e. backyard science.
Imaging results with conventional SEM systems and techniques demonstrate that prepared samples can resolve features sufficiently for masked ROM bit interpretation. We demonstrate that post-processing of the SEM imagery effectively mitigates artefacts introduced by scratching. We also note that masked-ROM cells in AMD Ryzen 3 microcode can appear 150–200 nm in size in SEM images at low acceleration voltages, permitting a margin for error in sample preparation.
Together, these techniques form an affordable toolset for IC preparation techniques that lower the barrier to entry for reverse engineering with electron microscopy.
From Silicon to Netlist: Systematizing Two Decades of Research on IC, FPGA, and Netlist Reverse Engineering
As hardware serves as the root of trust in modern computing systems, Hardware Reverse Engineering (HRE) is foundational for security assurance. In practice, HRE enables critical security applications, including design verification, supply-chain assurance, and vulnerability discovery. Over the past two decades, academic research on Integrated Circuit (IC), Field-Programmable Gate Array (FPGA), and netlist reverse engineering has steadily grown. However, knowledge remains fragmented across domains and communities, which complicates assessing the state of the art and hampers the identification of shared research challenges. In this talk, we present a systematization of knowledge based on an in-depth analysis of 187 peer-reviewed publications. Using this corpus, we characterize technical methods across the HRE workflow and identify technical and organizational challenges that impede research progress. We analyze all 30 artifacts from our corpus using established artifact evaluation practices. Key results could be reproduced for only seven publications (4%). Based on our findings, we derive stakeholder-centric recommendations for academia, industry, and government to enable more coordinated and reproducible HRE research. These recommendations target three cross-cutting opportunities: (i) improving reproducibility and reuse via artifact-centric practices, (ii) enabling rigorous comparability through standardized benchmarks and evaluation metrics, and (iii) improving legal clarity for public HRE research.
Hardware Trojans from Invisible Inversions: On the Trojanizability of Standard Cell Libraries
At IEEE S&P 2023, Puschner et al. made a valuable dataset for hardware Trojan detection research publicly available. It contains a complete set of SEM images of four different digital ICs fabricated at progressively smaller semiconductor technology nodes. Puschner et al. reported preliminary evidence that feature sizes affect Trojan detection performance, but they were unable to disentangle effects caused by insertion strategies or by degrading image quality from those intrinsic to the underlying standard cell libraries. Distinguishing those causes, however, is crucial to understanding whether improved tooling (e.g., higher-resolution imaging equipment) can remove the observed technology bias, or whether susceptibility to stealthy hardware Trojans is indeed an inherent property of a cell library.
In this talk, we dive deep into the S&P 2023 dataset to answer these questions. We first show that, using Puschner et al.’s metrics, such a separation is indeed difficult to establish. We then present alternative metrics to more meaningfully assess and compare the potential susceptibility of standard cell libraries. We find clear differences between the evaluated libraries. However, in all cases we identify cells that implement distinct logic functions yet are visually indistinguishable in SEM images. Our results demonstrate that cell libraries can - and should - be evaluated for their potential “Trojanizability”, and we recommend practical defenses.
Improving Large Area Delayering using Local Mechanical Manipulation
Common IC large-area delayering techniques, like broad ion milling, are prone to generating various types of irregularities. As a result, it is difficult to de-process an area of several mm² or even a full chip at a consistent, high quality, especially when it comes to advanced nodes like FinFET. A simple tool for local mechanical adjustments has been successfully evaluated and has become an essential processing option to ensure excellent delayering performance. We re-purpose a vibrating pen-sized tool originally designed for dental lab applications. By using a fine tip of a material of choice in combination with diamond paste, the chip surface can be locally corrected and planarized. We will discuss how to take advantage of the chip layers' specific properties by employing this tool and present different use cases ranging from planarization of the chip surface during aluminium re-distribution layer removal to high-quality delayering of 70 nm thick BEOL metal layers in a 16 nm node FinFET chip.
LFI as Hardware Reverse-Engineering Tool
Laser Fault Injection is widely used in embedded security evaluations. Yet some attack classes - especially those requiring single-bit corruption in SRAM - depend on highly precise spatial faulting, while countermeasures often restrict the number of available attempts.
During the analysis of a cryptographic implementation, we needed insight into the physical layout of the target microcontroller’s SRAM to achieve this precision. Standard techniques such as photonic emission analysis did not reveal sufficient detail. We therefore repurposed Laser Fault Injection itself as a reverse-engineering method: by scanning the die and observing fault patterns, we reconstructed the spatial distribution of SRAM cells and mapped logical memory addresses to physical locations.
This reverse-engineered layout enabled reliable bit-level Laser Fault Injection attacks on the device. The work highlights how fault-injection techniques can support hardware reverse-engineering and provides practical knowledge for both security evaluators and researchers analyzing on-chip memory.
Out of Order, Not Out of Reach: Reality Check on AES Side-Channel Attacks on ARM Cortex-A72
Side-channel attacks (SCA) remain among the most practical threats to cryptographic implementations, yet most evaluations are still performed on simple in-order cores such as AVR or Cortex-M microcontrollers. These platforms offer clean traces and predictable timing and do not reflect the complexity of modern processors. As a result, risk assessments based solely on microcontroller-level studies may misjudge both attacker capabilities and the true effort required for exploitation.
Our recent work at USENIX WOOT 2025 [1] systematically evaluated AES side-channel resistance on the ARM Cortex-A72, a 64-bit, multi-core, out-of-order processor running a full Linux OS. Even basic cryptographic operations suffer from heavy jitter and trace misalignment caused by multi-core execution and OS activity, while high clock speeds challenge low-cost measurement setups. Making the analysis work required extensive reverse engineering and repeated re-instrumentation to identify usable trigger points and expose leakage that is otherwise buried under noise and scheduling effects.
To represent realistic attacker effort, we introduced a multi-tier threat model covering attacker capabilities from basic non-profiled attacks to state-of-the-art profiled, deep-learning-based SCA. Results show that out-of-order architectures significantly increase the work needed for successful attacks, yet determined and well-resourced adversaries can still recover keys within a few thousand traces. We released our traces and launched the CHES Challenge 2025 [2], which drew 34 teams and 121 submissions. Participants achieved up to a tenfold reduction in attack effort, demonstrating the value of community-driven experimentation when evaluating real-world SCA risk.
[1] Boyapally et al. Reality Check on Side-Channels. In: 19th USENIX WOOT 2025.
[2] Yap et al. CHES Challenge 2025: GE Wars. https://pace-tl.gitbook.io/ches-challenge-2025
Precision Sample Preparation of Advanced Packages Using Atmospheric Microwave-Induced Plasma for Hardware Reverse Engineering and Security Assessment
The scarcity of samples in hardware reverse engineering demands a high-success-rate sample preparation process to prevent irreversible information loss or the introduction of analytical artifacts. As semiconductor packaging shifts toward System-in-Package (SiP), chiplet, 2.5D/3D, and high-density interconnect architectures, traditional acid decapsulation and vacuum-based plasma etching are reaching their limits. These methods often risk metallization damage or die over-etching, lacking the precision required to selectively remove Epoxy Mold Compound (EMC) for exposing localized failure sites or hidden security features in advanced modules. In this context, atmospheric Microwave-Induced Plasma (MIP) addresses these challenges by providing localized and highly selective removal of EMC, underfill, and overmold materials while preserving underlying dies, interconnect structures, and metallization. Because the MIP process relies on neutral radical species rather than ion bombardment, the electrical functionality of the device remains intact. These features enable access to physically protected and security-sensitive locations without compromising operational or structural integrity.
Several case studies and repackaging workflows are presented to illustrate how MIP unlocks new possibilities for hardware reverse engineering and security assessment. Demonstrated applications include: (1) uncovering critical interconnects in 2.5D heterogeneous integration SiP architectures for physical security assessment, (2) accessing embedded EEPROM dies within a SiP on a PCB for electrical probing, (3) extracting data from damaged devices via package-level repair, and (4) enabling Known Good Die (KGD) repackaging workflows for dynamic analysis.
REPQC: Reverse Engineering and Backdooring Hardware Accelerators for Post-quantum Cryptography
Significant research efforts have been dedicated to designing cryptographic algorithms that are quantum-resistant. The motivation is clear: robust quantum computers, once available, may render current cryptographic standards vulnerable. Thus, we need new Post-Quantum Cryptography (PQC) algorithms, and, due to the nature and inherent complexity of such algorithms, there is also a demand to accelerate them in hardware. In this talk, we show that PQC hardware accelerators can be backdoored by two different adversaries located in the chip supply chain. We propose REPQC, a sophisticated reverse engineering algorithm that can be employed to confidently identify hashing operations (i.e., Keccak) within the PQC accelerator - the location of which serves as an anchor for finding secret information to be leaked. From there, adversaries can mount diverse attacks, including backdoors and hardware trojans. The talk concludes by affirming that we have to be mindful of existing threats, even for future deployment.
Retrieval-Augmented Generation (RAG)-powered Large Language Model (LLM) system for Recovered IC Netlist Analysis
Recovered Integrated Circuit (IC) netlist analysis is vital for hardware assurance. While powerful open-source tools like MPI-SP's HAL exist, their adoption is often hindered by the steep learning curve associated with Python programming and tool-specific APIs. Recent advancements in Generative AI offer a solution to bridge this gap. In this talk, we present an experimental, fully local Retrieval-Augmented Generation (RAG) system designed to automate netlist analysis within HAL. By leveraging Open WebUI and Ollama, we augmented Large Language Models (LLMs) with HAL's wiki and API documentation. This allows users to instruct the LLM in natural language to generate Python scripts for complex analysis. We evaluated eight RAG-powered LLMs, comprising six state-of-the-art open models and two commercial models, on tasks ranging from general usage questions to dataflow and HAWKEYE analysis on cryptographic netlists. We verified the correctness of the generated scripts, as well as the response time and memory usage. Our results indicate that reasoning models generally outperform non-reasoning ones, and that open local models can achieve parity with leading commercial models. These findings demonstrate that privacy-centric local LLM assistants for hardware security analysis are becoming a viable reality.
SAMSEM – A Generic and Scalable Approach for IC Metal Line Segmentation
In light of globalized hardware supply chains, the assurance of hardware components has gained significant interest, particularly in cryptographic applications and high-stakes scenarios. Identifying metal lines on scanning electron microscope (SEM) images of integrated circuits (ICs) is one essential step in verifying the absence of malicious circuitry in chips manufactured in untrusted environments. Due to varying manufacturing processes and technologies, such verification usually requires tuning parameters and algorithms for each target IC. Often, a machine learning model trained on images of one IC fails to accurately detect metal lines on other ICs. To address this challenge, we create SAMSEM by adapting Meta’s Segment Anything Model 2 (SAM2) to the domain of IC metal line segmentation. Specifically, we develop a multi-scale segmentation approach that can handle SEM images of varying sizes, resolutions, and magnifications. Furthermore, we deploy a topology-based loss alongside pixel-based losses to focus our segmentation on electrical connectivity rather than pixel-level accuracy. Based on a hyperparameter optimization, we then fine-tune the SAM2 model to obtain a model that generalizes across different technology nodes, manufacturing materials, sample preparation methods, and SEM imaging technologies. To this end, we leverage an unprecedented dataset of SEM images obtained from 47 metal layers across 14 different ICs. When fine-tuned on seven ICs, SAMSEM achieves an error rate as low as 0.72% when evaluated on other images from the same ICs. For the remaining seven unseen ICs, it still achieves error rates as low as 5.53%. Finally, when fine-tuned on all 14 ICs, we observe an error rate of 0.62%. Hence, SAMSEM proves to be a reliable tool that significantly advances the frontier in metal line segmentation, a key challenge in post-manufacturing IC verification.
Tamper-Sensing Meshes in the Wild
In this talk, we present preliminary results from a survey of more than 30 devices that incorporate tamper-sensing meshes. We begin with a short background on tamper-sensing meshes from the 1800s to now. We will provide a brief explanation of the industry standards as well as the technical trade-offs that drive mesh design. With this background, using real-world examples, we provide a comprehensive overview of mesh construction techniques and their limitations. We will show results of an examination of substrate materials, trace materials, patterning techniques, and three-dimensional assembly styles. Based on our findings, we propose a list of criteria for the design of secure tamper-sensing meshes. We observe that for academic research on meshes, off-the-shelf PCB manufacturing processes provide a reasonable stand-in for actual meshes seen in the wild. We find that real-world meshes are commonly created using PCB or FPC processes, with structure sizes of 0.5 mm or larger. We find that using simple construction approaches based on off-the-shelf processes, such as the silkscreen process used for printed keyboard membranes, meshes can be created that match or exceed the security offered by a large majority of real-world meshes.
The Cloneless Series of Open-Source ASICs for Attack-based Security Evaluation
Cloneless is a recently started series of open-source silicon designs that provide transparent and verifiable evaluation targets for physical attack and hardware reverse engineering research. The first ASIC of the series, Cloneless1, is currently being manufactured by GlobalFoundries and was developed via an end-to-end open-source flow using the GF180MCU PDK and the LibreLane EDA tool. All its design details from RTL code to final GDS-II layout are public. It features a side-channel and fault-resistant block cipher implementation based on inner-product masking and duplication with redundant error detection. It also includes edge-sampling-based TRNG implementations for randomness generation and ring-oscillator-based weak PUF designs for technology characterization as well as key generation. From a hardware reverse engineering point of view, invasive key extraction is probably the most interesting aspect. One cryptographic key is simply hardcoded and identical for each sample. It can be extracted from the netlist alone. Another key derives some entropy from error-corrected RO-PUF responses and should be different between any two chip samples. The 180nm technology node is about 25 years old by now, so imaging-based extraction of memory values should be feasible with high success rates. However, the Cloneless1 design uses leakage-resilient secret sharing techniques to make full key recovery challenging when even a small error remains in the extraction procedure. Furthermore, due to the tamper evidence property of the PUF elements, many forms of pre-processing the physical sample will affect the device key, meaning that it may be irreversibly lost in the process before it can be recovered. Evaluating the difficulty of such attacks should be an exciting challenge and playground for practical hardware reverse engineers willing to get their hands dirty.
The Future of Netlist Reverse Engineering Tooling
Recent years have produced a patchwork of promising methods for netlist reverse engineering, especially in partitioning and module identification. However, only a small fraction of this research translates into tools that are reliable, scalable, interoperable, and usable in practice. This talk argues that the dominant challenge today is no longer the invention of isolated algorithmic techniques, but the systematic integration of existing methods into an automated, end-to-end workflow that can be deployed, maintained, and trusted as an industry-grade tool. Only such an integrated approach enables reverse engineers to move beyond low-level structural recovery toward higher-level objectives, including the identification of implemented algorithms and the development of actionable, system-level understanding. We therefore need to examine how current state-of-the-art methods perform when applied to realistic netlists, and which techniques are sufficiently robust to be incorporated into a practical reverse engineering pipeline. Beyond purely algorithmic aspects, we also examine the organizational constraints and usability requirements that such a pipeline must address. This includes, for example, the need for on-premise deployment, support for multi-user collaboration, secure sharing of reverse engineering results, and a productive interplay between automated analysis and human expertise, acknowledging that reverse engineering outcomes are inherently imperfect. Finally, we ask how the field can move beyond fragmented and short-lived research prototypes toward a more unified and maintainable platform, and what would be required to make this transition viable for all stakeholders. We outline a roadmap of the technical, operational, and usability challenges ahead, with the goal of fostering discussion around the features and capabilities needed to make automated netlist reverse engineering feasible in practice.
Schedule version: 0.3