# BackMon: IC Backside Tamper Detection using On-Chip Impedance Monitoring

Tahoura Mosavirik Worcester Polytechnic Institute Worcester, MA, USA tmosavirik@wpi.edu Shahin Tajik Worcester Polytechnic Institute Worcester, MA, USA stajik@wpi.edu

# ABSTRACT

The expansion of flip-chip technologies and a lack of backside protection make the integrated circuit (IC) vulnerable to certain classes of physical attacks mounted from the IC's backside. Laserassisted probing, electromagnetic, and body-biasing injection attacks are examples of such attacks. Unfortunately, there are few countermeasures proposed in the literature, and none are available commercially. Those that do exist are not only expensive but also incompatible with current IC manufacturing processes. They also cannot be integrated into legacy systems, such as field programmable gate arrays (FPGAs), which are integral parts of many industrial and defense systems. In this paper, we demonstrate how the impedance monitoring of the printed circuit board (PCB) and IC package's power distribution network (PDN) using on-chip circuitbased network analyzers can detect IC backside tampering. Our method is based on the fact that any attempt to expose the backside silicon substrate, such as the removal of the fan and heatsinks, leads to changes in the equivalent impedance of the package's PDN, and hence, scanning the package impedance will reveal if the package integrity has been violated. To validate our claims, we deploy an on-FPGA network analyzer on an AMD Zyng UltraScale+ MPSoC manufactured with 16 nm technology, which is part of a multi-PCB system. We conduct a series of experiments at different temperatures, leveraging the difference of means as the statistical metric, to demonstrate the effectiveness of our method in detecting tamper events required to expose the IC backside silicon.

## CCS CONCEPTS

• Security and privacy  $\rightarrow$  Tamper-proof and tamper-resistant designs; Embedded systems security.

#### **KEYWORDS**

Anti-Tamper, Flip-Chip Technology, IC Backside, Impedance Characterization, Physical Attacks, Physical Layer Security

#### **ACM Reference Format:**

Tahoura Mosavirik and Shahin Tajik. 2024. BackMon: IC Backside Tamper Detection using On-Chip Impedance Monitoring. In *Proceedings of the 2024 Workshop on Attacks and Solutions in Hardware Security (ASHES '24), October* 14–18, 2024, Salt Lake City, USA. ACM, New York, NY, USA, 10 pages.

#### **1 INTRODUCTION**

The threats to the physical security of computer chips and countermeasures have been widely researched. However, the system's security is still threatened by sophisticated physical attacks relying on failure analysis (FA) tools, which exploit the lack of protection on the chip's package backside to probe the data or interfere with the computation. The increase in the number of metal layers on the frontside of ICs, as well as the advent of new packaging concepts like ball grid arrays and flip-chip technologies, have triggered a paradigm shift in mounting these attacks from the IC backside. Photon emission analysis [39], laser fault attacks [37], laser-assisted probings [4, 15, 16, 38], Electromagnetic (EM) fault injection [7], and body biasing injection (BBI) [41] are examples of such backside attacks for recovering the secret.

In the early days of the backside attacks, silicon substrate polishing was the main requirement for both semi-invasive and fullyinvasive methods. While silicon removal is still required for fullyinvasive attacks (e.g., microprobing [8] or e-beam probing [3]), many semi-invasive attacks have become non-invasive due to the expansion of the flip-chip packages (FCPs) as well as the availability of better light sensors, moving to longer laser wavelengths, and higher power laser or EM sources. As a result, the adversary only needs to detach the existing heat sink on the silicon substrate to access the backside silicon to perform the attack. The fact that the heat sinks and other cooling components are usually not electrically connected to the chip has made their removal detection challenging.

A few on-chip self-monitoring schemes have been proposed in the literature to either prevent or detect tampering with the IC's backside. The prevention schemes are usually based on distorting the optical path between a laser/emission microscope and transistors on the chip using laser engraved marks or opaque layers. However, similar to the detachment of the heat sink, such passive layers can be removed without any consequences. The detection-based solutions, on the other hand, attempt to detect the attack by creating interactions between the protection structure and electrical signals on the chip or printed circuit board (PCB) to detect removal. Due to the lack of electrical signals on the silicon backside, one class of solutions utilizes the optical interaction between transistors and an opaque layer [2, 9]. Other solutions are based on tamper-sensitive secure enclosures to cover and prevent access to the IC package. Examples include optical waveguide physically unclonable functions (PUFs) [42], capacitive PUF enclosures [10], and anti-tamper radio enclosures[35]. While these detection-based methods have been shown to be very effective against any backside tamper event, they are very costly and need a highly customized design, making them inappropriate for legacy systems. Moreover, they might be unusable for edge devices with small size, weight, and power matters (SWaP)

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

ASHES '24, October 14–18, 2024, Salt Lake City, USA

<sup>© 2024</sup> Copyright held by the owner/author(s). Publication rights licensed to ACM.

requirements. Therefore, we ask the following research question: Is it possible to have a legacy-compatible on-chip circuit-based sensor capable of monitoring the physical integrity of the IC backside without using any external sensors or enclosures?

Our Contribution. Inspired by recently introduced power distribution network's (PDN) impedance monitoring solutions [21-23, 30, 48], we answer the above question positively. We rely on the fact that the functionality of network analyzers (the tools used for PDN impedance characterizations) can be emulated on FP-GAs [12, 23, 47] by electrically stressing the PDN of the system with various frequencies and simultaneously measuring voltage drops for impedance estimation. As tampering activity on the backside of the IC's package cause changes in the equivalent impedance of the system's PDN, the continuous physical scanning of PDN at certain frequency bands will reveal whether the chip backside integrity has been violated. In this regard, first, we will explain why tampering with existing components (e.g., fan, fin, and heat spreader) on the backside of the IC's package, despite not being connected to the IC's PDN, can affect the PDN's impedance profile. Moreover, we discuss in which frequency band impedance variations, caused by tampering, are expected. To monitor the PDN's impedance, we will realize a network analyzer on the FPGA fabric of a flip-chip packaged AMD Zynq UltraScale+ MPSoC manufactured with 16 nm technology, which is part of a multi-PCB system. After performing extensive tampering experiments (i.e., step-by-step removal of the components from the IC's backside) at various temperatures using a thermal chamber and deploying difference of means as a metric, we will validate our claims that impedance monitoring at specific frequency bands can reveal tamper events to the IC's backside. Note that while on-chip impedance monitoring has already been deployed for the frontside package tamper detection [23], it has never been tested on the IC backside tamper events required to expose the IC backside silicon.

## 2 TECHNICAL BACKGROUND

## 2.1 Silicon Backside Security

The IC backside is open for adversarial attempts on the silicon substrate, as conceptually depicted in Figure 1 in a typical FCP. This figure shows the cross-section view of a typical flip-chip IC and possible backside attacks, including side-channel analysis (SCA) and optical attacks. The active side of the chip, which contains the electrical connections and metal layers, is flipped downward and directly attached to the silicon substrate. As seen in the figure, bulk silicon is the only medium between the IC backside and the transistors on the die. FCP configuration provides several benefits, such as shorter electrical paths, better thermal management, and higher packaging density compared to traditional wire bonding methods. However, it allows attackers to directly access the target core from the outside of the chip and conduct non-invasive SCAs and semior fully-invasive optical attacks to extract the cryptographic key through the silicon substrate [19, 24]. Although physical attacks can be performed from both the frontside and backside of the IC, the existing multiple interconnected layers on the IC frontside obstruct the optical paths from transistors to the surface of the chip. This makes the analysis of the target IC from its frontside more difficult,



Figure 1: Illustration of how the silicon backside in FCP can be used as an attack medium.

and therefore, attackers are more inclined to the IC backside to launch successful SCA/optical attacks.

#### 2.2 **Power Distribution Network (PDN)**

The primary role of the PDN is to deliver a stable supply voltage to different components on the PCB, from the voltage regulator module (VRM) and passive networks to the power rails on each chip. The PDN comprises off-chip and on-chip components, including bulk capacitors, PCB routing, ceramic capacitors, PCB planes, vias, package bumps, on-chip power planes, and transistor capacitance. Power and ground planes (PGPs) act as low-impedance paths for the flow of current, effectively minimizing voltage fluctuations and ensuring stable power distribution to the components on the PCB. Overall, the PDN consists of interconnections in the PCB, package, and chip, which together provide the required target impedance over a specified frequency range. Each PDN component has a distinct contribution to the physical signature of the PDN at different frequency bands [33]. The voltage regulator's and off-chip components' impedance dominate the PDN's impedance at lower frequencies, while on-chip components contribute mostly to the impedance at higher frequencies, as shown in the upper left graph of Figure 2. The parasitic inductance on each capacitor is the primary cause of this impedance behavior. The parasitic inductance on the capacitor's metals results in resonance at a particular frequency, causing it to become an open circuit at very high frequencies. Smaller capacitors have less parasitic inductance and resonate at higher frequencies. As a result, as the frequency increases, all capacitors, from large to small, become open circuits and have less impact on the PDN impedance. The on-chip structures dominate the PDN impedance at higher frequencies due to their smaller dimensions.

The IC package dominates the impedance profile in the middlefrequency range [45]. In case of an IC backside tampering, an impedance change in that range would be expected, and thus, scanning the impedance of this region can reveal the backside tamper events with more confidence. The area shown in dashed red color in Figure 2 shows the equivalent circuit elements that will be impacted by possible tamper attempts when an adversary tampers with the IC backside silicon. As seen in this figure, there would also be an impact on PGPs equivalent series/parallel resistance, capacitance, and inductance, as well as package parasitics.

## 2.3 Power and Ground Planes (PGPs)

Systems that incorporate FCP can be composed of multiple PCBs where each PCB can host different subsystems, and they are interconnected to form a complete system as depicted in Figure 3a. BackMon: IC Backside Tamper Detection using On-Chip Impedance Monitoring



(Very low frequencies) (Low frequencies) (Middle frequencies) (High frequencies)

## Figure 2: Equivalent RLC circuit model of the system's PDN and the contribution of different parts over frequency. The area in dashed red color shows the circuit elements that IC backside tamper attempts affect.

Assuming a thermal management module exists on the flip-chip in Figure 3a, there would be multiple mediums (i.e., PCBs). Each medium has its own application-specific voltage domain, and consequently, its own PDN. Generally, each PDN is composed of multilayer parallel PGP layers. These layers are connected to the power/ground pins of IC chips and decoupling capacitors pads through vias in each medium as depicted in Figure 3a.

Signal routings/vias (signal, power, and ground) create discontinuity return paths throughout the PGPs. These return paths (an example of such return path is shown in purple color in Figure 3a) create a strong electric field that propagates along the edges of the PGPs [32]. A major effect of the PGPs is their behavior as EM resonant cavities, where the insulator's dielectric constant and the cavity's dimensions determine the resonance frequency [17]. When excited at the resonance frequency, the planes become a significant source of resonance peaks in the package and the board and also can act as a source of edge-radiated field emission [31], which would result in the coupling between the PGPs and their surrounding medium. To be more specific, the created standing waves in the cavity at resonance can produce significant coupling to neighboring circuits and transmission lines [25, 36]. Thus, any physical changes to the IC backside (e.g., heatsink removal) would impact this coupling and, consequently, affect the impedance profile at the resonance peaks.

The behavior of a multi-PCB system (Figure 3a) can be explained using the cavity model, particularly if the interaction between the PCBs and their environment in case of the IC's backside tampering attempts needs to be analyzed. This model can be employed to understand the behavior of enclosed structures with EM waves. For multi-PCB systems, each pair of PCB's PGP can be considered a separate cavity within the overall enclosure. The cavity model can be leveraged to trace back the root cause of the impedance profile behavior of each medium individually, as well as the interactions between them. The cavity geometry can be modeled as a planar circuit based on the cavity model with dimensions of  $L_x$  and  $L_y$  along the x and y directions [14, 29]. The spacing between the plane pair is d along the z direction and is filled with a dielectric layer with a relative permittivity and permeability of  $\varepsilon_r$  and  $\mu_r$ , respectively.  $(f_{res})_{mn}$  in the following equation,  $(f_{res})_{mn} = \frac{1}{2\pi\sqrt{\varepsilon_r\mu_r}} \sqrt{(\frac{m\pi}{L_x})^2 + (\frac{n\pi}{L_y})^2}$  refers to the frequency of the resonances/anti-resonances generated on the PGPs for an openended PCB of size  $L_x \times L_u$  [17], where c is the speed of light in free



Figure 3: (a) Illustration of a multi-PCB system; (b) Power and ground plane (PGP) pair isometric view.

space and m and n refer to integers representing the mode numbers along the x and y directions, respectively. Note that "modes" refer to different patterns of EM waves that can exist within the cavity and are determined by the geometry and dimensions of the cavity. Multilayer PGPs can be decomposed into blocks so that each block contains a pair of parallel planes. Figure 3b shows a pair of each medium PGPs where these two thin metal layers separated by an electrically small distance (d) form a cavity. Each mode corresponds to a specific resonance frequency at which the cavity can efficiently store and exchange energy with the EM field [28]. The system impedance peaks depend on the resonance mode, and the resonance frequency is determined by the mode number, dielectric constant of the insulator, and physical size of the planes [28]. At the plane resonance frequency, the power distribution impedance reaches its highest value, with the maximum value dictated by the losses in the structure.

When the adversary intends to access the IC backside, he/she should take some preliminary steps, such as removing the fan and/or heatsink module. These changes to the surrounding environment of the IC backside would impact the material's EM properties such as  $\varepsilon_r$  and  $\mu_r$  (typically due to the increase in the IC's temperature as a result of fan and/or heatsink removal) and geometrical features of the cavities formed inside each PGP pair, resulting in a change in the overall impedance especially at PDN resonance frequencies. External package-level tamper attempts can also change the propagating modes inside each pair of PCB's PGPs, as any tamper event can introduce disturbances in the EM environment surrounding the system, leading to alterations in the impedance profile and propagation characteristics of the PGPs.

Cavity resonance frequencies can lead to a change in the magnitude and frequency of the impedance resonance maxima and minima. In a typical multi-PCB system shown in Figure 3a, the impedance maxima has a significantly large impedance magnitude. These large PDN impedance peaks may not be present in a single-PCB PDN profile but arise due to the resonant behavior of the cavity formed by the multi-PCB system as there are multiple transitions between medium 1, 2, 3, and 4. The heatsink/heat spreader structure can couple with the PDN, affecting its impedance characteristics. This coupling results in a change in the impedance maxima and minima at frequencies corresponding to the resonant modes of the heatsink/heat spreader and their interaction with the PDN at different transitions between the media. Removing the heatsink can also lead to increased electromagnetic interference (EMI) radiations, which can induce currents in the PGPs, leading to changes in the resonance magnitude/frequency.

# **3 METHODOLOGY**

## 3.1 Threat Model

We assume that a security-critical IC (e.g., a root-of-trust, cryptographic chip, etc.) is being used in an untrusted field, and the attacker can physically tamper with its package. We aim to detect the IC's backside tamper attempt before the attacker can perform backside attacks. We further assume that the impedance profiles of genuine PDN samples at different temperatures have been acquired during an enrollment phase in a trusted field and stored on the same chip used for impedance monitoring. The attacker is interested in the secrets and assets stored on the IC. The IC is presumed to contain an embedded network analyzer circuit designed for impedance characterization of the PDN. If the security-critical IC is an FPGA, the network analyzer can be programmed as a soft IP into it along with other existing IP cores. Therefore, no additional modification is needed, and the golden impedance signature of the package remains intact. In a hostile environment, impedance characterization can be carried out before or during the runtime to validate the package's integrity and detect potential tamper events. Upon detection of a discrepancy between the measured and the golden impedance profiles, an anti-tamper response (e.g., key zeroization) will be executed.

## 3.2 Bandini Mountain

As discussed in section 2.2, PDN forms an RLC equivalent circuit shown in Figure 2. Although the PDN RLC model is complex, traditional series and parallel circuit models can still be utilized to analyze PDN characteristics. A series-resonant circuit is defined by a capacitor and inductor that are connected in series. When the capacitive and inductive reactances are equal in magnitude and opposite in phase, the current is at maximum, resulting in an impedance minimum illustrated in Figure 4a. On the other hand, a parallel anti-resonant circuit is created when a capacitor and inductor are connected in parallel. In this case, however, it results in generating the minimum current throughout the parallel circuit, and an impedance maxima is created at the corresponding parallel resonance frequency. The frequencies at which these conditions occur are called the series and parallel (anti-resonance) resonance frequencies, respectively [5].

One of the important anti-resonance frequencies of PDN occurs at the parallel resonance of the on-die capacitance ( $C_{ODC}$ ) and the package inductance ( $L_{PKG}$ ). If we look at the PDN impedance profile from the die's perspective, the parallel resonance peak impedance looks like a mountain, as shown in Figure 4b. This particular peak in the PDN impedance profile is called "Bandini Mountain" [33]. The frequency of the Bandini Mountain peak impedance is derived from the parallel resonant frequency as  $f_{Bandini} = \frac{1}{2\pi \sqrt{L_{PKG}C_{ODC}}}$ .

The impedance peak at the Bandini frequency is generally the most significant peak in the impedance profile, where the on-die capacitance resonates with package inductance [5, 18]. The Bandini frequency is common in the MHz regime up to 100 MHz range. In this work, we leverage this unique feature of the PDN as a signature for distinguishing between tampered and genuine samples.



Figure 4: Frequency-domain impedance profile showing (a) Series and parallel resonant components; (b) resonance, antiresonance, resistive, and capacitive/inductive changes.

**(a)** 

The value of the Bandini Mountain frequency depends on the value of on-die decoupling capacitance and package loop inductance. These values vary depending on the specific chip and package technology. Bandini Mountain's most important figures of merit (FOMs) are its characteristic impedance and peak frequency. The changes in these two FOMs can be used to explain the PDN impedance behavior when different layers on top of the IC's package get disconnected/removed to expose the silicon. The peak impedance value of the Bandini Mountain is mostly related to the quality factor of the  $C_{ODC}$  and  $L_{PKG}$  resonator, which is related to the equivalent series resistance (ESR) of the  $C_{ODC}$  and  $L_{PKG}$ . The package leads' ESR and the on-die capacitor's ESR often contribute to a high-quality factor (sharp and large impedance peak) for the resonant peak impedance with values approaching 1  $\Omega$  [33].

When the adversary disconnects/removes different layers of the cooling modules on top of the IC's package, there will be both resistive (along the impedance-axis) and capacitive/inductive (along the frequency-axis) changes at the resonance and anti-resonance frequency regions as shown in Figure 4b. While disconnecting/removing the active part of the IC's backside cooling module has a significant contribution to the value of the Bandini impedance (the resistive part), removing the passive part of it would affect the combination of resistive, capacitive, and inductive parts of the PDN impedance profile. In the next section, we elaborate on how temperature influences different factors that contribute to the proposed method's detection confidence.

## 3.3 Thermal Effects on PDN Impedance

Generally, there are two types of heatsinks: passive (Fin) and active (Fan). Passive heatsinks rely on thermal radiation to dissipate heat, typically featuring a large surface area and fins to increase heat transfer with no power consumption. These heatsinks help spread the heat away from the flip chip, reduce localized hotspots, and maintain a uniform temperature distribution across the package. In FCPs with particularly high power dissipation, passive heatsinks alone may not be sufficient to adequately cool the components. Thus, active heatsinks (they need additional power to generate air/fluid flow and absorb heat) are used in conjunction with passive ones to enhance heat dissipation by providing forced airflow over the fins, increasing heat transfer, and improving thermal performance/reliability.

Tahoura Mosavirik and Shahin Tajik

(b)



Figure 5: (a) Block diagram of an embedded VNA on FPGA and BackMon tamper detection methodology (the red fan cover figure is taken from the Kria K26 SOM thermal design guide document in [43]); (b) BackMon experimental setup.

The impact of temperature on PDN impedance and loss depends on the frequency. At higher frequencies, the "skin effect" becomes more significant, causing the current to concentrate near the surface of conductors. Elevated temperatures exacerbate this effect, leading to changes in effective resistance and impedance. As the temperature of the flip chip increases, localized hotspots develop due to variations in thermal conductivity, power dissipation, and thermal management within the chip. These hotspots create nonuniform temperature distributions across the chip surface and within the PDN. The non-uniform thermal distribution can also degrade the performance of the PDN by exacerbating losses in the system. Higher temperatures can increase resistive losses in the conductive elements of the PDN, leading to higher power dissipation. Additionally, elevated temperatures affect the dielectric properties of materials in the PDN, increasing dielectric losses.

In a backside attack scenario, the first step would be the removal of cooling components. Hence, there will be nonuniform thermal distribution in the horizontal and vertical directions in the PDN. Thermal coupling and low vertical heat transferability result in heat accumulation inside each block of the PGP pair on the die [34]. The increased temperature on the die will propagate through the entire system and, consequently, affect the electrical properties of the PDN, e.g., the resistance and capacitance of the PGPs and decoupling capacitors. Temperature changes alter the resonant frequencies of the PGP pair cavities, impacting PDN impedance at the Bandini Mountain frequency. Removing the fan allows mechanical vibrations to propagate more freely, potentially inducing resonant frequencies in the system. Resonance effects and increased local temperature increase crosstalk by producing coupling between adjacent traces or components, which can perturb the PDN's impedance profile [28]. Temperature variations can also affect parasitic elements within the PDN of the package, such as parasitic capacitance and inductance. However, temperature influences the resistive part of the impedance profile depicted in Figure 4b more significantly at "Bandini Mountain" frequency. After removing the active part of the heatsink, the attacker proceeds to get access to the IC backside silicon by removing the passive part of the heatsinks. This part of the heatsink is often attached to the component using thermal

interface materials (TIMs), which can influence the electrical properties of the PDN, such as the effective relative permittivity (i.e., dielectric constant). Removing the fin heatsink/heat spreader can further change the electrical connectivity between the chip and the PCB, affecting the distribution of power and return currents and altering the impedance characteristics of the PGPs.

#### 3.4 Embedded Impedance Measurements

The VNA functionality can be implemented on the chip to enable self-contained monitoring of the system-level physical integrity [23]. A VNA on an FPGA consists of active and passive modules, as shown in Figure 5a. The active module stimulates the PDN of the system by drawing electrical current with different frequencies using power waster circuits (e.g., an array of interconnected configurable logic blocks [12, 47], ring-oscillators (ROs) [6, 27], or Dual RAM collisions [1]). The passive module, on the other hand, measures the voltage drops using on-die voltage sensors and other analog-to-digital (ADC) circuits, such as ROs or Time-to-Digital converters, utilizing the FPGA's resources [20]. Having the amount of current consumption and voltage drop at hand, the impedance value of the PDN seen by the logic circuits of the FPGA fabric at a specific frequency can be obtained.

We use an RO-based ADC, and thus, focus on how the frequency changes in a RO, measured by on-chip binary counters, can be converted to impedance values. Activating the power-wasting circuit on the core voltage plane at frequency  $f_i$  generates a sinusoidal current ( $I = I_0 e^{j2\pi f_i t}$ ) through the PDN, which causes sinusoidal voltage variation ( $V = V_0 e^{j2\pi f_i t + \phi}$ ) on the PDN with lagging in the phase. In this case, the impedance of the PDN at frequency  $f_i$  in the Polar coordinate representation is given by Ohm's law as  $Z_{PDN} = V/I = (|V|/|I|)e^{\phi}$ . Using the Cartesian representation, the impedance can be written as a complex number as  $Z_{PDN} = R_{PDN} + jX_{PDN}$ , where the real part  $R_{PDN}$  of impedance is the resistance and the imaginary part  $X_{PDN}$  is the reactance caused by the capacitance and inductance of the system. While  $R_{PDN}$  is frequency-independent, XPDN is a function of frequency. The magnitude of the PDN impedance is  $|Z_{PDN}| = \sqrt{R_{PDN}^2 + X_{PDN}^2}$ . The magnitude of the PDN impedance can be approximated [12, 46] by



Figure 6: (a) Each step of tampering attempts to expose the IC backside; (b) The multi-PCB device under test after the heat spreader removal, where every highlighted medium corresponds to a transition area in the system.

considering only the difference in values of voltage and current when the power wasters are activated  $(V_{ON} \text{ and } I_{ON})$  or deactivated  $(V_{OFF} \text{ and } I_{OFF})$  by  $|Z_{PDN}| \approx \left|\frac{\Delta V}{\Delta I}\right| = \left|\frac{V_{OFF} - V_{ON}}{I_{OFF} - I_{ON}}\right|$ . On FPGAs,  $I_{ON}$  and  $I_{OFF}$  are constants and can be estimated either during the synthesis using the FPGA power estimators or using off-chip power monitoring modules. V<sub>OFF</sub> equals the supply voltage of the FPGA VSUPPLY. However, the VON is dynamic and approximated using the frequency of the RO-based sensor during the measurement. The frequency of an RO is proportional to the voltage drop on the FPGA, i.e.,  $f_{RO_{OFF}} \approx kV_{OFF} = kV_{SUPPLY}$  and  $f_{RO_{ON}} \approx$  $kV_{ON}$ , where k is a constant. In this case, based on equation 5, the impedance magnitude at a given frequency can be written [12] as  $|Z_{PDN}| \approx \left| ((f_{RO_{OFF}} - f_{RO_{ON}}/f_{RO_{OFF}})V_{SUPPLY})/I_{OFF} - I_{ON} \right|,$ where  $f_{RO_{OFF}}$  and  $f_{RO_{ON}}$  are the RO frequencies when the powerwaster circuits are deactivated and activated, respectively. To characterize the complete profile  $|Z_{PDN}|$  over a frequency range, the  $f_{RO_{ON}}$  should be measured under different activation frequencies of power-wasting circuits.

Ideally, the activation signal for the power-wasting circuits should be a sinusoidal wave, not a pulse wave, to prevent total harmonic distortion (THD). While sinusoidal waves at a specific frequency have a single harmonic, pulse waves at the same frequency contain the sinusoidal frequency and harmonics at the higher frequencies. To generate sinusoidal wave signals on FPGAs, one can use either Coordinate Rotation Digital Computer (CORDIC) algorithms or a lookup table that stores amplitude samples of a sinusoidal function over time. However, these methods cannot generate sinusoidal waves higher than a few tens of megahertz using the fastest clocks on FPGAs. At higher frequencies, the practical choice is to utilize pulse waves for activating power-wasting circuits. While these may not offer the same precision as sinusoidal waves, they are a reliable alternative that can be effectively used in such scenarios [23]. As we are only interested in detecting changes in impedance values (not absolute physical values), if the impedance characterization for a specific frequency is performed consistently using sinusoidal or pulse waves, we can rely on the measured  $|Z_{PDN}|$ .

## 3.5 Statistical Analysis

We define  $\Im_{PDN_i}^{Genuine}$  and  $\Im_{PDN_i}^{Tampered}$  as random variables corresponding to measured impedance values of the PDN at the frequency  $f_i$  for the genuine and tampered cases, respectively.

The number of measurement repetitions for frequency  $f_i$  is represented by *N*. We use Difference of Means (DOM) as a standard statistical metric that measures the absolute difference between the mean values of  $\Im_{PDN_i}^{Genuine}$  and  $\Im_{PDN_i}^{Tampered}$  for each  $f_i$ . DOM is utilized to quantitatively differentiate between genuine and tampered experiments and is calculated as  $DOM(f_i) = \left| \mu(|\Im_{PDN_i}^{Genuine}|) - \mu(|\Im_{PDN_i}^{Tampered}|) \right|$ , where  $\mu(.)$  refers to the mean function.

#### 4 EXPERIMENTAL SETUP

**Device under Test:** To experimentally validate the proposed method, we used Kria KV260 vision AI starter kit [44], containing AMD Zynq UltraScale+ MPSoCs manufactured with 16 nm technology. Our setup is shown in Figure 5(b) and includes the device under test (DUT), thermal chamber, and two laptops for configuring the PI Scanner IP and measuring the impedance. We performed our measurements on  $V_{CCINT}$  PDN for the chip's backside tamper detection experiments. Jumper "J13" was used for powering on the fansink module (the combination of the fan, finned heatsink, and heat spreader).

On-FPGA Network Analyzer: We have used PI Scanner IP [12, 26] for realizing a VNA on the FPGA. Jumper "J2" on the development kit was utilized to configure the PI Scanner IP on the FPGA, and jumper "J4" was used to communicate between the chip and PI Scanner software). The IP generates sinusoidal activation waves using the Lookup Table method for lower frequencies and pulse activation waves for higher frequencies using the Mixed-Mode Clock Manager (MMCM) of AMD FPGAs [11, 13]. The design can measure the impedance with a resolution of 1 m $\Omega$  over 0 - 1 GHz. As the package components are closer to the IC and dominate the impedance in the middle-frequency range [45], we performed the impedance measurements within 100 Hz - 1 GHz. The time needed to scan the entire frequency band is in the order of seconds. There is a trade-off between detection accuracy and scan time that can be controlled by tuning the number of frequency points measured. We communicated with the FPGA from the laptop using a UART communication link. After loading the VNA bitstream to FPGA, we could send commands to the FPGA and receive measurement data from it using the same serial link.

**Thermal Chamber:** We used a TestEquity Chambers TE-107 [40] for testing our approach at various temperatures. It supports temperatures in the range of -42 to +130°C, and includes 7.62 cm access

BackMon: IC Backside Tamper Detection using On-Chip Impedance Monitoring



Figure 7: (a) The mean (left y-axis) and mean difference (right y-axis) of 110 impedance profiles of two trials of the genuine sample measurements (intra-genuine) over the 100 Hz - 1 GHz frequency band at 25°C; (b) The mean of the impedance profile within the frequency band of 100 Hz - 1 GHz at 25°C. The right-side figure shows the zoomed-in view of the bandwidth with the most deviation from the impedance mean of the genuine sample.

ports, enabling users to attach cables to test samples. We used foam plugs to isolate the chamber from the outside environment.

#### **5 RESULTS**

In this section, we show how BackMon can detect various levels of IC backside tampering attempts at different temperatures. To this end, we systematically performed the experiments at different stages, ranging from the attacker's first attempt, powering off the fan, to the attacker's last steps, which would be removing the fin heatsink and heat spreader and exposing the chip to the external environment. When the attacker reaches the last stage (i.e., the heat spreader is removed), the chip is prepared to conduct the backside attack. Therefore, one of the important experiments to which we should pay attention is the impedance profile distribution between this experiment and the genuine sample experimental results at various temperatures.

We start with the experiment in which the chip's fan is powered on and connected to the J13 jumper (we used this case as the reference measurement for all experiments). We continue the experiments to observe the impact of tampering by powering off the fan, removing it, removing the finned heatsink, and the heat spreader at different temperatures (see Figure 6(b) for illustration of the different steps taken to expose the IC backside). To have enough data for statistical analysis, the PDN impedance signatures have been measured 110 times in each experiment. The measurements were carried out within the 100 Hz - 1 GHz frequency band with logarithmic steps using the PI Scanner default setting with 157 frequency points. We performed the experiments in a controlledtemperature environment, i.e., at  $-5^{\circ}$ C,  $5^{\circ}$ C,  $25^{\circ}$ C, and  $45^{\circ}$ C, to analyze the robustness of the proposed tamper detection method at different temperature conditions.

Our first experiment is dedicated to studying the consistency of PDN impedance profiles for the untouched sample over time to investigate to what extent we can rely on a golden impedance signature. For this reference experiment, we performed two sets of 110 measurements in two different trials for the same genuine sample (the untouched sample with the fan powered on) on different days. Figure 7a illustrates the mean (left y-axis - blue curves) and mean difference (right y-axis - black curve) of the collected impedance traces for two trials of measurements on the same board over the frequency band of 100 Hz - 1 GHz at 25°C. As seen per results, the impedance profiles (left y-axis curves) are well-matched to each other, and no significant difference of more than 2.12  $m\Omega$ (at 1.09 MHz) is observed in the results. Therefore, we can detect tamper events if the detection threshold is set to a value of slightly more than 2.12  $m\Omega$ . The mean difference of two trials of genuine measurements (black curve in Figure 7a) shows the noise floor for this experiment, and it can be used as the threshold in the next experiments to see if a tamper attempt has occurred or not. This intra-genuine impedance signature is calculated for all experiments at different temperatures, and the verifier can used it to differentiate between tampered and untouched samples (see Figure 8).

Then, we start tampering with the IC's backside by powering off the active part of the heatsink (fan). We disconnected the fan power (jumper "J13"), which is highlighted by the dashed white line in the first step of tampering attempts shown in Figure 6(a). In the next experiment, the fan is removed, and lastly, we removed the passive heatsink (fin heatsink) and heat spreader to expose the IC backside to the external environment. At each stage, the impedance profiles over the frequency band of 100 Hz - 1 GHz are measured 110 times before going to the next step. The mean of the impedance profiles measured at 25°C is shown in Figure 7b where the right-side figure shows the zoomed-in view of the bandwidth with the most deviation from the impedance mean of the genuine sample. As expected, higher differences are seen in the frequency and impedance values at the resonance and anti-resonance frequency regions, indicating higher capacitive/inductive and resistive changes at these frequencies. The mean of the impedance profiles at other temperatures is not shown for brevity, as the main goal is to compare the mean difference profiles of the impedance traces. The mean difference of the impedance traces for intra-genuine and tampered cases are shown in Figure 8 at different temperatures. The results confirm the method's ability to detect different stages of backside tamper events at tested temperatures from  $-5^{\circ}$ C to  $45^{\circ}$ C.

In all four tested temperatures, the difference between intragenuine signatures is significantly lower than between the genuine and tampered sample signatures within distinct regions in 100 kHz - 10 MHz bandwidth. In other words, every step of the IC's backside

Tahoura Mosavirik and Shahin Tajik



Figure 8: The mean difference between the intra-genuine and the tampered sample's impedance profiles within the 100 Hz - 1 GHz frequency band at different temperatures.

tampering activities can be detected at PDN's resonance and antiresonance frequencies. Higher levels of overlap between tampered and genuine cases are observed in lower frequency regimes (where we expect to see the effect of VRM and PCB components) and very high frequencies (where we expect to see the effect of ondie impedance). This confirms the agreement between the theory and experimental results for detecting the impact of package-level tamper events in the middle-range frequencies. We also can observe three main regions of maximum difference between genuine and tampered cases corresponding to the three transitions we have in our multi-PCB DUT.

Four different media and the three transitions between them are shown in different colors in Figure 6b. It can be observed that although the IC's backside cooling components (e.g., fan, fin, and heat spreader) are connected to the IC's power domain (even the fan power domain is different from the IC's PDN), tampering with them can affect the PDN's impedance profile within these three transition regions. This is due to the fact that tampering with IC's backside cooling module makes the chip and its surrounding environment hotter, and this higher temperature causes a change in the PDN impedance in the resonance and anti-resonance frequency regions of the spectrum (100 kHz - 10 MHz). Figure 6b demonstrates the DUT after the heat spreader removal, where every highlighted medium corresponds to a PCB medium in the system. When transitioning from one medium to another, the impedance profile changes due to discontinuities seen in the signal path and the changes in the dimensions of the PGPs. The discontinuities include vias or connectors between PCBs that can introduce reflections and impedance mismatches and alter the impedance profile at these transition points. The dimensions of the PGPs change at transition points due to variations in layer stackup, signal routing, and component placement. Each of these media (PCBs) has different numbers of layers, thicknesses, and materials, all affecting the dimensions and impedance of the PGPs. The heat spreader removal is the last stage of the tampering attempts, and it is expected that it will have a more significant impact on the impedance profile. However, the mean difference between the heat spreader removal and intra-genuine experiments is higher at  $-5^{\circ}$ C compared to the same value at  $45^{\circ}$ C at the three transition regions. An increase in temperature leads to decreased mean difference values in PDN impedance peaks due to changes in the electrical properties of the materials involved. The electrical properties of materials, i.e., dielectric constant and loss tangent are temperature-dependent and as the temperature increases, these properties change, affecting the overall impedance of the PDN.

## 6 **DISCUSSION**

Comparison with Related Work: Table. 1 qualitatively compares existing IC backside tamper detection techniques with the proposed method in terms of measured parameters, requirement of extra fabrication steps, and abstraction level at which the method is implemented. The backside defense methods in [2, 9] are implemented at package level, and the one in [42] is implemented at PCB-level. All three methods in [2, 9, 42] leverage the optical interaction between transistors and an opaque layer (light intensity). On the other hand, the methods in [10, 35] use secure enclosures to prevent access to the IC package and are implemented at the PCB level. While the methods presented in [2, 9, 10, 35, 42] necessitate additional manufacturing steps, "BackMon" is implemented at the circuit level and provides compatibility with legacy systems as it does not require extra fabrication steps. Therefore, the proposed method in this work is considered a cost-effective solution that removes the need for external sensors or components.

BackMon: IC Backside Tamper Detection using On-Chip Impedance Monitoring

**Success Rate for Reversing Backside Tampering:** The attacker might remove components from a powered-off device for backside imaging purposes. In such cases, a question arises about the feasibility of undoing the tampering effect on the impedance before powering up the device. The adversary is theoretically required to equalize the two-dimensional impedance curve by re-gluing the removed components, which is a hard, if not impossible, task due to the following reasons. Reattaching the same removed component to the package or PCB will not deliver the same parasitic signature as the glue distribution on the surfaces, and the placement of the component will be changed. Components' parasitics cause the most local maxima and minima of the impedance curve over the frequency, and hence, reattaching components even in identical locations demonstrates different parasitics.

Second, in our threat model, the golden impedance signature is stored on the chip, and hence, the attacker does not have access to it for analysis and equalization. We assume that the golden signatures can only be recovered using semi- or fully-invasive techniques, which will already change the package's PDN characteristics. Even if the attacker extracts golden signatures from another training sample, it will differ from the target's signature due to the variations in the manufacturing process and parasitics. Consequently, the adversary cannot observe the exact same impedance signature that has been used during the enrollment phase.

**Robustness to Voltage Variations:** Voltage variations could have an adverse influence on the RO sensor behavior. The behavior of the RO sensor inside the FPGA could be distorted if other ICs sharing the same PDN cause voltage drops due to their activities. In such a scenario, the PDN's impedance should be measured when other active ICs are idle. Another option would be to take the maximum voltage variations as additive noise into account during the enrollment phase and later tune a detection threshold accordingly. In other words, if impedance characterization should be performed when other ICs are causing voltage ripple, we should consider the worst-case scenario, i.e., the maximum possible voltage ripple of different components and, therefore, their impact on the RO sensor frequency. Increased voltage ripple would require a higher detection threshold and, therefore, could decrease the system's detection confidence.

The changes in the voltage could also be induced by the attacker to deceive the sensor with the intention of masking the effect of backside tampering. First, the attacker does not have access to the device's golden impedance signature. Thus, the attacker does not know the exact amount of equalization needed to recreate the golden impedance profile. Second, an attacker should bypass the voltage regulator to connect her voltage supply or function generator to the main PDN to change the voltage. As shown in [23], impedance sensing at lower frequency bands can detect such tamper events at the same sensor. Furthermore, the dedicated on-die voltage sensors on ASICs and FPGAs can detect such voltage variations.

**Temperature vs. Impedance:** While removing the heatsink causes rises in the die's temperature; a question could be raised about the feasibility of tamper detection by monitoring the chip's temperature. Note that temperature variations highly depend on the computation load (i.e., current consumption) of the circuit. In contrast, impedance, as an inherent characteristic of the system,

| IC Backside<br>Defense Mechanism | Meas. Params    | Requirement<br>of Extra<br>Fabrication Steps | Method's<br>Abstraction<br>Level |              |              |
|----------------------------------|-----------------|----------------------------------------------|----------------------------------|--------------|--------------|
|                                  |                 |                                              | Circuit                          | PKG          | РСВ          |
| Backside Coating [2]             | Light Intensity | Yes                                          | -                                | $\checkmark$ | -            |
| Protection Wafer [9]             | Light Intensity | Yes                                          | -                                | $\checkmark$ | -            |
| Optical Waveguide PUF [42]       | Light Intensity | Yes                                          | -                                | -            | $\checkmark$ |
| Capacitive PUF Enclusure [10]    | Capacitance     | Yes                                          | -                                | -            | $\checkmark$ |
| Anti-Tamper Radio [35]           | Radio Signal    | Yes                                          | -                                | -            | $\checkmark$ |
| BackMon                          | Impedance       | No                                           | $\checkmark$                     | -            | -            |

 Table 1: Qualitative Comparison Between IC Backside Tamper Detection Methods.

remains almost constant under various computation loads. This stability instills confidence in the sensing performance.

## 7 CONCLUSION

This work presented a self-contained IC backside tamper detection method based on characterizing the device's PDN impedance profile. We first provided the technical details about why various components used on flip-chip packages, including heatsinks, fins, and fans, contribute to the PDN's impedance at resonance and anti-resonance points. Based on this foundation, we argued that tampering activity on an IC package's backside should lead to changes in the PDN's impedance at these frequency bands. Inspired by [12, 23, 46], we deployed an on-FPGA network analyzer for integrity monitoring. We further validated our claims by emulating a backside tampering attack in which we detached cooling components from the IC's package. We demonstrated that each preparation step, an attacker takes to access the IC's backside silicon, influences the system's EM environment and impedance profile at middle-frequency ranges. We performed experiments at various temperatures to demonstrate the effectiveness of our approach. The methodology presented in this work not only offers a reliable approach to verify the IC's backside integrity and detect various forms of tamper events but also proves to be a cost-effective solution, eliminating the need for external sensors or components.

## ACKNOWLEDGMENT

This work was sponsored by NSF under the grant number CNS-2338069. We thank William L. Appleyard and Saleh Khalaj Monfared at Worcester Polytechnic Institute for helping prepare the samples for experiments and taking the photon emission image, respectively.

#### REFERENCES

- Md Mahbub Alam, Shahin Tajik, Fatemeh Ganji, Mark Tehranipoor, and Domenic Forte. 2019. RAM-Jam: Remote Temperature and Voltage Fault Attack on FPGAs using Memory Collisions. In 2019 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC). IEEE, 48–55.
- [2] Elham Amini, Anne Beyreuther, Norbert Herfurth, Alexander Steigert, R Muydinov, Bernd Szyszka, and Christian Boit. 2018. IC security and quality improvement by protection of chip backside against hardware attacks. *Microelectronics Reliability* 88 (2018), 22–25.
- [3] Elham Amini, Tuba Kiyan, Lars Renkes, Thilo Krachenfels, Christian Boit, Jean-Pierre Seifert, Jörg Jatzkowski, Frank Altmann, Sebastian Brand, and Shahin Tajik. 2023. Electrons vs. photons: Assessment of circuit's activity requirements for e-beam and optical probing attacks. In *ISTFA 2023*. ASM International, 339–345.

ASHES '24, October 14-18, 2024, Salt Lake City, USA

- [4] Samuel Chef, Chung Tah Chua, Jing Yun Tay, Yu Wen Siah, Shivam Bhasin, J Breier, and Chee Lip Gan. 2018. Descrambling of embedded SRAM using a laser probe. In 2018 IEEE International Symposium on the Physical and Failure Analysis of Integrated Circuits (IPFA). IEEE, 1–6.
- [5] Hany Fahmy, Jack Carrel, Ray Anderson, and Harry Fu. 2012. Simulating FPGA Power Integrity Using S-Parameter Models. (2012).
- [6] Dennis RE Gnad, Fabian Oboril, Saman Kiamehr, and Mehdi B Tahoori. 2018. An Experimental Evaluation and Analysis of Transient Voltage Fluctuations in FPGAs. IEEE Transactions on Very Large Scale Integration (VLSI) Systems 26, 10 (2018).
- [7] Rikuu Hasegawa, Kazuki Monta, Takuya Wadatsumi, Takuji Miki, and Makoto Nagata. 2024. On-Chip Evaluation of Voltage Drops and Fault Occurrence Induced by Si Backside EM Injection. In *International Workshop on Constructive Side-Channel Analysis and Secure Design*. Springer, 22–37.
- [8] Clemens Helfmeier, Dmitry Nedospasov, Christopher Tarnovsky, Jan Starbug Krissler, Christian Boit, and Jean-Pierre Seifert. 2013. Breaking and entering through the silicon. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. 733-744.
- [9] Norbert Herfurth, Elham Amini, Marco Lisker, Jean-Pierre Seifert, and Christian Boit. 2022. A scalable & comprehensive resilience concept against optical & physical IC backside attacks. In 2022 IEEE International Symposium on the Physical and Failure Analysis of Integrated Circuits (IPFA). IEEE, 1–6.
- [10] Vincent Immler, Johannes Obermaier, Martin König, Matthias Hiller, and Georg Sig. 2018. B-TREPID: batteryless tamper-resistant envelope with a PUF and integrity detection. In 2018 IEEE International Symposium on Hardware Oriented Security and Trust (HOST). IEEE, 49–56.
- [11] Cosmin Iorga. 2016. Method and system for measuring the impedance of the power distribution network in programmable logic device applications. US Patent 9,310,432.
- [12] Cosmin Iorga. 2018. Solve Power Integrity Problems in FPGA Systems Using an Embedded Vector Network Analyzer. Signal Integrity Journal (2018).
- [13] Cosmin Iorga. 2020. FPGA configured vector network analyzer for measuring the Z parameter and S parameter models of the power distribution network in FPGA systems. US Patent 10,560,075.
- [14] Jingook Kim, Ketan Shringarpure, Jun Fan, Joungho Kim, and James L Drewniak. 2011. Equivalent circuit model for power bus design in multi-layer PCBs with via arrays. *IEEE Microwave and Wireless Components Letters* 21, 2 (2011), 62–64.
- [15] Thilo Krachenfels, Fatemeh Ganji, Amir Moradi, Shahin Tajik, and Jean-Pierre Seifert. 2021. Real-world snapshots vs. theory: Questioning the t-probing security model. In 2021 IEEE symposium on security and privacy (SP). IEEE, 1955–1971.
- [16] Thilo Krachenfels, Tuba Kiyan, Shahin Tajik, and Jean-Pierre Seifert. 2021. Automatic Extraction of Secrets from the Transistor Jungle using Laser-Assisted Side-Channel Attacks. In 30th USENIX security symposium (USENIX security 21). 627–644.
- [17] Guang-Tsai Lei, Robert W Techentin, Paul R Hayes, Daniel J Schwab, and Barry K Gilbert. 1995. Wave model solution to the ground/power plane noise problem. *IEEE Transactions on Instrumentation and Measurement* 44, 2 (1995), 300–303.
- [18] Zhe Li, Hong Shi, John Xie, and Arif Rahman. 2012. Development of an optimized power delivery system for 3D IC integration with TSV silicon interposer. In 2012 IEEE 62nd Electronic Components and Technology Conference. IEEE, 678–682.
- [19] Takuji Miki, Makoto Nagata, Hiroki Sonoda, Noriyuki Miura, Takaaki Okidono, Yuuki Araga, Naoya Watanabe, Haruo Shimamoto, and Katsuya Kikuchi. 2020. Sibackside protection circuits against physical security attacks on flip-chip devices. *IEEE Journal of Solid-State Circuits* 55, 10 (2020), 2747–2755.
- [20] Shayan Moini, Xiang Li, Peter Stanwicks, George Provelengios, Wayne Burleson, Russell Tessier, and Daniel Holcomb. 2020. Understanding and Comparing the Capabilities of On-Chip Voltage Sensors against Remote Power Attacks on FPGAs. In 2020 IEEE 63rd International Midwest Symposium on Circuits and Systems (MWSCAS). IEEE, 941–944.
- [21] Tahoura Mosavirik, Fatemeh Ganji, Patrick Schaumont, and Shahin Tajik. 2022. ScatterVerif: Verification of Electronic Boards Using Reflection Response of Power Distribution Network. ACM Journal on Emerging Technologies in Computing Systems 18, 4 (October 2022), 1–24.
- [22] Tahoura Mosavirik, Saleh Khalaj Monfared, Maryam Saadat Safa, and Shahin Tajik. 2023. Silicon Echoes: Non-Invasive Trojan and Tamper Detection using Frequency-Selective Impedance Analysis. IACR Transactions on Cryptographic Hardware and Embedded Systems (2023), 238–261.
- [23] Tahoura Mosavirik, Patrick Schaumont, and Shahin Tajik. 2023. ImpedanceVerif: On-Chip Impedance Sensing for System-Level Tampering Detection. IACR Transactions on Cryptographic Hardware and Embedded Systems 1 (2023), 301–325.
- [24] Makoto Nagata, Takuji Miki, and Noriyuki Miura. 2021. Physical attack protection techniques for IC chip level hardware security. *IEEE Transactions on Very Large Scale Integration (VLSI) Systems* 30, 1 (2021), 5–14.
- [25] Jun So Pak, Junwoo Lee, Hyungsoo Kim, and Joungho Kim. 2003. Prediction and verification of power/ground plane edge radiation excited by through-hole signal via based on balanced TLM and via coupling model. In *Electrical Performance of Electrical Packaging (IEEE Cat. No. 03TH8710)*. IEEE, 181–184.

- [26] PIScanner. [n.d.]. PIScanner FPGA Configured Vector Network Analyze. https://storage.googleapis.com/wzukusers/user-29188536/documents/ 5c12c1352367bAich15I/datasheet\_piscanner.pdf.
- [27] George Provelengios, Daniel Holcomb, and Russell Tessier. 2020. Power distribution attacks in multitenant FPGAs. *IEEE Transactions on Very Large Scale Integration (VLSI) Systems* 28, 12 (2020), 2685–2698.
- [28] Simon Ramo, John R Whinnery, and Theodore Van Duzer. 1994. Fields and waves in communication electronics. John Wiley & Sons.
- [29] Liehui Ren, Jingook Kim, Gang Feng, Bruce Archambeault, James L Knighten, James Drewniak, and Jun Fan. 2009. Frequency-dependent via inductances for accurate power distribution network modeling. In 2009 IEEE International Symposium on Electromagnetic Compatibility. IEEE, 63–68.
- [30] Maryam Saadat Safa, Tahoura Mosavirik, and Shahin Tajik. 2023. Counterfeit Chip Detection using Scattering Parameter Analysis. In 2023 26th International Symposium on Design and Diagnostics of Electronic Circuits and Systems (DDECS). IEEE, 99–104.
- [31] K Shringarpure, S Pan, J Kim, B Achkir, B Archambeault, J Drewniak, and J Fan. 2014. Formulation and Network Reduction to a Physics Based Model for Analysis of the Power Distribution Network in a Production Level Multi-layered Printed Circuit Board. *IEEE Transactions on Electromagnetic Compatibility* (2014).
- [32] Ketan Shringarpure, Biyao Zhao, Leihao Wei, Bruce Archambeault, Albert Ruehli, Michael Cracraft, Matteo Cocchini, Edward Wheeler, Jun Fan, and James Drewniak. 2014. On finding the optimal number of decoupling capacitors by minimizing the equivalent inductance of the PCB PDN. In 2014 IEEE International Symposium on Electromagnetic Compatibility (EMC). IEEE, 218–223.
- [33] Larry D Smith and Eric Bogatin. 2017. Principles of power integrity for PDN design-simplified: robust and cost effective design for high speed digital products. Prentice Hall.
- [34] Keeyoung Son, Seongguk Kim, Hyunwook Park, Taein Shin, Keunwoo Kim, Minsu Kim, Boogyo Sim, Subin Kim, Gapyeol Park, Shinyoung Park, et al. 2022. Thermal and signal integrity co-design and verification of embedded cooling structure with thermal transmission line for high bandwidth memory module. *IEEE Transactions on Components, Packaging and Manufacturing Technology* 12, 9 (2022), 1542–1556.
- [35] Paul Staat, Johannes Tobisch, Christian Zenger, and Christof Paar. 2022. Antitamper radio: System-level tamper detection for computing systems. In 2022 IEEE Symposium on Security and Privacy (SP). IEEE, 1722–1736.
- [36] Madhavan Swaminathan, Joungho Kim, Istvan Novak, and James P Libous. 2004. Power distribution networks for system-on-package: Status and challenges. *IEEE Transactions on Advanced Packaging* 27, 2 (2004), 286–300.
- [37] Shahin Tajik, Heiko Lohrke, Fatemeh Ganji, Jean-Pierre Seifert, and Christian Boit. 2015. Laser Fault Attack on Physically Unclonable Functions. In 2015 workshop on fault diagnosis and tolerance in cryptography (FDTC). IEEE, 85–96.
- [38] Shahin Tajik, Heiko Lohrke, Jean-Pierre Seifert, and Christian Boit. 2017. On the power of optical contactless probing: Attacking bitstream encryption of FPGAs. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. 1661–1674.
- [39] Shahin Tajik, Dmitry Nedospasov, Clemens Helfmeier, Jean-Pierre Seifert, and Christian Boit. 2014. Emission analysis of hardware implementations. In 2014 17th Euromicro Conference on Digital System Design. 528–534.
- [40] TestEquity. 2019. TestEquity Model 106 and 107 Temperature Chamber Operation and Service Manual. https://www.testequity.com/UserFiles/documents/pdfs/106-107.pdf.
- [41] K TOBICH, P MAURINE, T Ordas, and PY Liardet. 2012. Yet another fault injection technique: by forward body biasing injection. In YACC: Yet Another Conference on Cryptography. Citeseer.
- [42] Michael Vai, David J Whelihan, Benjamin R Nahill, Daniil M Utin, Sean R O'Melia, and Roger I Khazan. 2016. Secure embedded systems. *Lincoln Laboratory Journal* 22, 1 (2016), 110–122.
- [43] Xilinx. 2021. Kria K26 SOM Thermal Design Guide. https://docs.xilinx.com/r/en-US/ug1090-k26-thermal-design/Thermal-Solution-Installation-Examples.
- [44] Xilinx. 2022. Kria KV260 Vision AI Starter Kit Data Sheet. https://docs.xilinx. com/r/en-US/ds986-kv260-starter-kit/Summary.
- [45] Biyao Zhao, Siqi Bai, Samuel Connor, Wiren Dale Becker, Matteo Cocchini, Jonghyun Cho, Albert Ruehli, Bruce Archambeault, and James L Drewniak. 2019. Physics-based circuit modeling methodology for system power integrity analysis and design. *IEEE Transactions on Electromagnetic Compatibility* 62, 4 (2019), 1266–1277.
- [46] Mark Zhao and G Edward Suh. 2018. FPGA-based Remote Power Side-channel Attacks. In 2018 IEEE Symposium on Security and Privacy (SP). IEEE, 229–244.
- [47] Shuze Zhao, Ibrahim Ahmed, Vaughn Betz, Ashraf Lotfi, and Olivier Trescases. 2018. Frequency-domain Power Delivery Network Self-characterization in FPGAs for Improved System Reliability. *IEEE Transactions on Industrial Electronics* 65, 11 (2018).
- [48] Huifeng Zhu, Haoqi Shan, Dean Sullivan, Xiaolong Guo, Yier Jin, and Xuan Zhang. 2023. PDNPulse: Sensing PCB anomaly with the intrinsic power delivery network. *IEEE Transactions on Information Forensics and Security* (2023).