TL;DR: Less than you think, likely < 1000 USD.
The cost for renting such a machine (FIB) is 100-350 USD/h (depending on which university lab you choose). Some universities also offer to have one of their staff do the work for you (e.g., 165 USD/h at the University of Washington).
The duration for a single modification is less than 1 hour.
Additionally, there is some non-FIB preparation time, which seems to be ~1 day if you do it for one chip (see here: https://arxiv.org/pdf/2501.13276).
I am currently mentoring a SPAR project that calculates more accurate numbers and maps them to specific attack scenarios. We plan to release our results in 2-3 months.
Thanks! Is this true for a somewhat-modern chip that has at least some slight attempt at defense, or more like the chip on a raspberry pi?
I asked Claude how relevant this is to protecting something like a H100, here are the parts that seem most relevant from my limited understanding:
What the paper actually demonstrates:
1. Reading (not modifying) data from antifuse memory in a Raspberry Pi RP2350 microcontroller
2. Using Focused Ion Beam (FIB) and passive voltage contrast to extract information
Key differences between this and modifying an H100 GPU:
3D Transistor Structures: Modern 5nm chips use FinFET or GAAFET 3D structures rather than planar transistors. The critical parts are buried within the structure, making them fundamentally more difficult to access without destroying them.
Atomic-Scale Limitations: At 5nm, we’re approaching atomic limits (silicon atoms are ~0.2nm). The physics of matter at this scale creates fundamental boundaries that better equipment cannot overcome.
Ion Beam Physics: Even with perfect equipment, ion beams create interaction volumes and damage zones that become proportionally larger compared to the target features at smaller nodes.
1. Reading (not modifying) data from antifuse memory in a Raspberry Pi RP2350 microcontroller
That’s correct.
That said, chip modifications are done on the same FIB machine. The cost estimate still seems accurate to me.
Atomic-Scale Limitations: At 5nm, we’re approaching atomic limits (silicon atoms are ~0.2nm). The physics of matter at this scale creates fundamental boundaries that better equipment cannot overcome.
H100s are manufactured on TSMC’s “3nm” node (a brand name), which has a Gate Pitch of 48 nm and a Metal Pitch of 24 nm. The minimum feature size is 9-12nm, according to Claude.
You are not at the physical limitations:
Gallium-based FIB circuit edits can go down to ~7nm.
Helium-based FIB circuit edits (~3-5x more expensive than Gallium FIB) can go down even further, 1-2nm.
3D Transistor Structures: Modern 5nm chips use FinFET or GAAFET 3D structures rather than planar transistors. The critical parts are buried within the structure, making them fundamentally more difficult to access without destroying them.
I’d attack the silicon from the backside of the wafer. Currently, nearly no chip has conductive traces or protection mechanisms on the backside. And you can directly get to the transistors & gates without needing to penetrate the interconnect structure on the front side of the wafer.
(Though I want to flag that I heard that there is a push to have power distribution on the backside of the wafer. So this might become harder in 2-6 years.)
I also want to flag that the attack we are discussing here (modifying the logic within the H100 die) is the most advanced invasive attack I can currently think of. Another simpler attack is to read out the secret key used for authentication. Or even simpler, you could replace the CEC1736 Root-of-Trust chip on the H100 PCB (which authenticates the H100 onboard flash) with a counterfeit one.
A paper that further elaborates on the attack vectors is coming out in 2-3 months.
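To make the cost and feasibility reasoning in this thread reproducible, here is an added example (my own code, not from any of the commenters or from the linked paper) that turns the quoted figures into a small attack-cost model: FIB rental at 100-350 USD/h or 165 USD/h staff-operated, under 1 hour of beam time per modification, ~1 day of preparation per chip, gallium FIB edits down to ~7 nm, helium FIB edits down to 1-2 nm at ~3-5x the cost, and the quoted H100 pitches and 9-12 nm minimum feature size. The `Target` class, the function names, the use of the 9 nm lower bound as the hardest case, and the `prep_labour_usd_per_day` parameter (the thread gives the prep duration but not its cost; 0 by default, i.e. the attacker's own time) are assumptions of this example.

```python
"""Cost-to-attack estimator for FIB circuit edits.

Added example, not part of the original thread. Rental rates, edit duration,
preparation time, beam resolutions and the helium cost multiplier are the
figures quoted in the thread; everything marked HYPOTHETICAL below is an
assumption made for this example only.
"""
from __future__ import annotations

from dataclasses import dataclass

# Figures quoted in the thread.
FIB_RENTAL_USD_PER_HOUR = (100.0, 350.0)    # self-operated university FIB
STAFF_OPERATED_USD_PER_HOUR = 165.0         # lab staff does the edit for you
EDIT_HOURS_PER_CHIP = 1.0                   # "less than 1 hour", used as upper bound
PREP_DAYS_PER_CHIP = 1.0                    # ~1 day of non-FIB preparation per chip
FIB_EDIT_RESOLUTION_NM = {"gallium": 7.0, "helium": 2.0}
HELIUM_COST_MULTIPLIER = (3.0, 5.0)         # helium FIB costs ~3-5x gallium


@dataclass(frozen=True)
class Target:
    """Feature sizes (nm) of the die to be edited. HYPOTHETICAL structure."""
    name: str
    gate_pitch_nm: float
    metal_pitch_nm: float
    min_feature_nm: float


# H100 figures as quoted in the thread; 9 nm is the low end of the quoted
# 9-12 nm minimum feature size, i.e. the hardest case for the attacker.
H100 = Target("H100", gate_pitch_nm=48.0, metal_pitch_nm=24.0, min_feature_nm=9.0)


def feasible_beams(target: Target) -> list[str]:
    """Beam types whose quoted edit resolution is fine enough for the target.

    A beam can place an edit if its resolution is no larger than the smallest
    feature it has to hit. The list is ordered cheapest first.
    """
    return [
        beam
        for beam in ("gallium", "helium")
        if FIB_EDIT_RESOLUTION_NM[beam] <= target.min_feature_nm
    ]


def edit_cost_range(
    n_chips: int,
    beam: str = "gallium",
    staff_operated: bool = False,
    prep_labour_usd_per_day: float = 0.0,
) -> tuple[float, float]:
    """(low, high) USD to edit n_chips chips.

    prep_labour_usd_per_day is HYPOTHETICAL: the thread gives the prep
    duration but not its cost. The default of 0 models an attacker who does
    the preparation in their own time, matching the thread's "< 1000 USD".
    """
    if beam not in FIB_EDIT_RESOLUTION_NM:
        raise ValueError(f"unknown beam type: {beam}")
    if n_chips < 1:
        raise ValueError("n_chips must be >= 1")
    hours = n_chips * EDIT_HOURS_PER_CHIP
    if staff_operated:
        low = high = STAFF_OPERATED_USD_PER_HOUR * hours
    else:
        low = FIB_RENTAL_USD_PER_HOUR[0] * hours
        high = FIB_RENTAL_USD_PER_HOUR[1] * hours
    if beam == "helium":
        low *= HELIUM_COST_MULTIPLIER[0]
        high *= HELIUM_COST_MULTIPLIER[1]
    prep = n_chips * PREP_DAYS_PER_CHIP * prep_labour_usd_per_day
    return (low + prep, high + prep)


def cheapest_feasible_attack(target: Target, n_chips: int = 1) -> tuple[str, float, float] | None:
    """Cheapest beam that can edit the target, with its cost range, or None."""
    beams = feasible_beams(target)
    if not beams:
        return None
    beam = beams[0]
    low, high = edit_cost_range(n_chips, beam=beam)
    return (beam, low, high)


if __name__ == "__main__":
    # Second target is a constructed, hypothetical 5 nm-feature die to show
    # the case where only helium FIB is fine enough.
    for t in (H100, Target("hypothetical 5 nm feature", 40.0, 20.0, 5.0)):
        print(t.name, feasible_beams(t), cheapest_feasible_attack(t))
```

The point of separating `feasible_beams` from `edit_cost_range` is that the two arguments in the thread are independent: whether the node is within FIB resolution at all, and what the beam time costs once it is. Adjust `min_feature_nm` or the resolution table to see how much a process shrink (or backside power delivery, which this model does not capture) would actually change the estimate.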