I'm looking for good references on micro code security. My reading leads me to various conclusions, including:
- Mask-ROM parts are easiest to read-out intrusively, EPROM and flash are intermediate-difficulty (with EPROM being perhaps slightly easier) and RAM-based technologies are the hardest.
- Any microcontroller that isn't specifically designed to resist invasive read-out techniques is going to have little or no resistance to such attacks.
Unfortunately I can find little _formal_ research. I've found what amounts to several hobbyist/student papers on the topic, and lots that I found instructive and interesting, but nothing that I could really cite when choosing parts.
I know that several vendors have come out with, or are planning to introduce, gas-gauge ICs for smart batteries that incorporate security technology so (say) cellphone manufacturers can lock-out fake batteries. Have there been any studies done on hacking these sorts of schemes yet, both from the POV of studying the data transfers and from messing with the chips themselves? (I'm not really interested in the raw mechanics of hacking any particular chip or scheme - I'm more interested in knowing who has the strongest scheme).
I'm also interested to know some real numbers on what it costs to reverse-engineer secured micros used in applications like the one I just described. For example, what would be the approximate cost of decapsulating and reading out a 4K mask-ROM microcontroller, assuming the chip mfr didn't use any cunning or protective measures on the die, and that the attacker had access to a different micro of the same model, with known contents, that he could use to establish a bit-to-metal mapping for the die?
Any pointers would be most appreciated.