## Data Remanence in Semiconductor Devices

Peter Gutmann

IBM T.J.Watson Research Center

#### Introduction

1996: Securely deleting data from magnetic media is hard

2001: Semiconductors aren't so easy either

Magnetic media

- Relatively simple solution
- Light technical background coverage

Semiconductors

- Many different, nontrivial solutions
- Lots of technical background coverage

Existing Work on Semiconductor Forensics











# Electromigration

Relocation of metal atoms due to collision with electrons

- Electron wind
- Material removed to create voids at negative electrode
- Material deposited to create hillocks/whiskers at positive electrode

Some (minimal) healing occurs due to backflow when stress is removed





# Electromigration (ctd)

Alloys are used to combat electromigration

- Cu in Al
- Sn in Cu

Cu or Sn solute atoms are displaced until the conductor behaves like the original pure metal

- Can be detected using electron microprobing techniques



MOSFETs have very small device dimensions → high electric fields (MV/cm)

- Electrons are accelerated to high speeds (hot carriers)



- Can tunnel into gate oxide
  - Detrapping time = nanoseconds ... days
- Can tunnel into passivation layer
  - Permanent



Excess charge reduces on-state current (n-MOS), off-state current (p-MOS)

- Change of several hundred mV of memory cell voltage over a few minutes
- Writing 1 over 0 leads to a drop in cell threshold voltage
- Writing 0 over 1 leads to an increase in cell threshold voltage

Detectable by changing the setting of the reference cell

Affects logic circuits in general

- Changes currents, voltages, capacitance for the device

#### Ionic Contamination

Most common are sodium and to a lesser extent potassium

- Sodium ions have a high mobility in silicon
- Migrate towards Si/SiO<sub>2</sub> interface
- Reduce threshold voltage of n-MOS, increase it for p-MOS
- Detectable using the same techniques used for hot carriers
- Addressed using passivation layers

Reliability studies indicate this only occurs at random locations where impurities have penetrated the passivation layer(s)

- Improved manufacturing techniques have mostly eliminated this avenue for data recovery

## Other Effects

Radiation-induced charging can affect MOSFET turn-on voltage

- Can be used to affect voltage thresholds, timings, power supply and leakage currents
- Freeze a device to prevent a change in logic state
- Lock out tamper-responding circuitry (e.g. erase-on-tamper)
- High-end crypto devices include sensors to detect ionising radiation

#### Semiconductor Forensic Techniques

Wide variety of techniques in use for semiconductor testing

- No-one can agree on which parameters to measure
- Many results are obtained for specially-created test structures
- Large variety of devices in use

Some of the more common techniques

- $I_{DDQ}$ testing (measure device current consumption; fully on or off MOSFETs have low $I_{DDQ}$)
- Vary operating voltage and temperature to test for hot carrier effects
- Measure substrate current, gate current, current in gated drain-substrate diode, etc.
- Many tools and journals cover this topic















# EEPROM Memory Cells (ctd)

To increase storage density, one select transistor controls many cells

- Erase is done on groups of cells

Some cells erase faster/slower than others

- Keep repeating erase process until all cells read back as erased
- Programming is also done speculatively
- Problems with overprogrammed/overerased cells



### Data Remanence in EEPROM/Flash

Floating gate slowly accumulates electrons

- Typical cell can handle 1M program/erase cycles
- Whole collection can handle 10k-100k cycles
- Cycle device until memory cells freeze in programmed state
  - Challenge/response mechanisms for smart cards
  - Card RNG ends up in all-ones state

Trapped charge can be determined by measuring gate-induced drain leakage (GIDL) current

Older devices tied read reference voltage to supply voltage

- Can determine cell threshold by varying supply voltage
- Can also alter programmed/erased status this way

## Data Remanence in EEPROM/Flash (ctd)

#### **Programming Disturbs**

- Shared circuitry can cause program/erase to leak over into adjacent cells
  - Drain/bitline disturbs
  - Gate/wordline disturbs
  - Read disturbs

Various other problems shared with RAM cells

Large threshold shift in virgin cells after first program-and-erase cycle

- Can differentiate between erased and never-programmed cells





#### Recommendations

Don't store cryptovariables for long periods in the same location

Don't store cryptovariables in plaintext form in nonvolatile memory

Cycle EEPROM/flash cells 10-100 times before using them

Don't assume that a key held in RAM has been destroyed when the RAM is cleared

Design devices to avoid repeatedly running the same signals over dedicated data lines

Beware of too-intelligent nonvolatile memory devices
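
One way to act on the recommendation not to keep cryptovariables in the same location for long periods, as an added example that is not from the original slides: a RAM key holder that moves the key between two slots and alternates its polarity, so every cell spends the same fraction of time at 1 regardless of the key bit it carries. The `key_store` type, the `ks_*` functions, the two-slot/four-phase layout and the sample key are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define KEY_LEN 16

/* Hypothetical holder: two RAM slots, four phases (slot0 key, slot1 key,
   slot0 ~key, slot1 ~key). Each cell is at 1 for the same share of time
   whatever its key bit is, and no slot holds the key longer than a phase. */
typedef struct {
    volatile uint8_t slot[2][KEY_LEN];
    unsigned phase;                     /* bit 0: slot, bit 1: inverted */
} key_store;

static void wipe(volatile uint8_t *p, size_t n) {
    while (n--) *p++ = 0;               /* volatile stores are not elided */
}

void ks_load(key_store *ks, const uint8_t key[KEY_LEN]) {
    for (size_t i = 0; i < KEY_LEN; i++) ks->slot[0][i] = key[i];
    wipe(ks->slot[1], KEY_LEN);
    ks->phase = 0;
}

/* Call from a periodic timer (the interval is a design choice). */
void ks_rotate(key_store *ks) {
    unsigned next = (ks->phase + 1u) & 3u;
    unsigned from = ks->phase & 1u, to = next & 1u;
    uint8_t flip = ((ks->phase ^ next) & 2u) ? 0xFF : 0x00;
    for (size_t i = 0; i < KEY_LEN; i++)
        ks->slot[to][i] = (uint8_t)(ks->slot[from][i] ^ flip);
    wipe(ks->slot[from], KEY_LEN);      /* limits dwell time only */
    ks->phase = next;
}

/* Copy the true key out for immediate use; caller wipes out[] afterwards. */
void ks_read(const key_store *ks, uint8_t out[KEY_LEN]) {
    uint8_t mask = (ks->phase & 2u) ? 0xFF : 0x00;
    for (size_t i = 0; i < KEY_LEN; i++)
        out[i] = (uint8_t)(ks->slot[ks->phase & 1u][i] ^ mask);
}

int main(void) {
    uint8_t key[KEY_LEN], out[KEY_LEN];
    key_store ks;
    int same = 1;
    for (size_t i = 0; i < KEY_LEN; i++) key[i] = (uint8_t)(i * 17 + 3); /* constructed */
    ks_load(&ks, key);
    for (int r = 0; r < 7; r++) ks_rotate(&ks);
    ks_read(&ks, out);
    for (size_t i = 0; i < KEY_LEN; i++) same &= (out[i] == key[i]);
    printf("key intact after 7 rotations: %s\n", same ? "yes" : "no");
    return 0;
}
```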