On a new way to read data from memory. Samyde, D.; Skorobogatov, S.; Anderson, R.; and Quisquater, J. In First International IEEE Security in Storage Workshop, 2002. Proceedings, pages 65–69, December, 2002.
This paper explains a new family of techniques to extract data from semiconductor memory, without using the read-out circuitry provided for the purpose. What these techniques have in common is the use of semi-invasive probing methods to induce measurable changes in the analogue characteristics of the memory cells of interest. The basic idea is that when a memory cell, or read-out amplifier, is scanned appropriately with a laser, the resulting increase in leakage current depends on its state; the same happens when we induce an eddy current in a cell. These perturbations can be carried out at a level that does not modify the stored value, but still enables it to be read out. Our techniques build on a number of recent advances in semi-invasive attack techniques, low temperature data remanence, electromagnetic analysis and eddy current induction. They can be used against a wide range of memory structures, from registers through RAM to FLASH. We have demonstrated their practicality by reading out DES keys stored in RAM without using the normal read-out circuits. This suggests that vendors of products such as smartcards and secure microcontrollers should review their memory encryption, access control and other storage security issues with care.
@inproceedings{samyde_new_2002,
	title = {On a new way to read data from memory},
	doi = {10.1109/SISW.2002.1183512},
	abstract = {This paper explains a new family of techniques to extract data from semiconductor memory, without using the read-out circuitry provided for the purpose. What these techniques have in common is the use of semi-invasive probing methods to induce measurable changes in the analogue characteristics of the memory cells of interest. The basic idea is that when a memory cell, or read-out amplifier, is scanned appropriately with a laser, the resulting increase in leakage current depends on its state; the same happens when we induce an eddy current in a cell. These perturbations can be carried out at a level that does not modify the stored value, but still enables it to be read out. Our techniques build on a number of recent advances in semi-invasive attack techniques, low temperature data remanence, electromagnetic analysis and eddy current induction. They can be used against a wide range of memory structures, from registers through RAM to FLASH. We have demonstrated their practicality by reading out DES keys stored in RAM without using the normal read-out circuits. This suggests that vendors of products such as smartcards and secure microcontrollers should review their memory encryption, access control and other storage security issues with care.},
	booktitle = {First {International} {IEEE} {Security} in {Storage} {Workshop}, 2002. {Proceedings}},
	author = {Samyde, D. and Skorobogatov, S. and Anderson, R. and Quisquater, J.-J.},
	month = dec,
	year = {2002},
	pages = {65--69}
}