Professional Documents
Culture Documents
DRAM-PUFs
Shaza Zeitouni David Gens Ahmad-Reza Sadeghi
Technische Universität Darmstadt Technische Universität Darmstadt Technische Universität Darmstadt
Darmstadt, Germany Darmstadt, Germany Darmstadt, Germany
shaza.zeitouni@trust.tu-darmstadt.de david.gens@trust.tu-darmstadt.de ahmad.sadeghi@trust.tu-darmstadt.de
ABSTRACT So far many different PUF implementations in hardware have
Physically Unclonable Functions (PUFs) are still considered promis- been proposed and evaluated over the recent years [1, 6, 18]. In
ing technology as building blocks in cryptographic protocols. While particular, PUFs based on physical properties of memory cells in
most PUFs require dedicated circuitry, recent research leverages SRAM (Static Random Access Memory) and DRAM (Dynamic
DRAM hardware for PUFs due to its intrinsic properties and wide Random Access Memory) are very popular since they are cost-
deployment. Recently, a new memory-based PUF was proposed that effective and widely deployed on many platforms. The declining
utilizes the infamous Rowhammer effect in DRAM. In this paper, we costs of DRAM hardware further motivates recent research efforts on
show two remote attacks on DRAM-based PUFs. First, a DoS attack utilizing DRAM for PUFs, e.g., by measuring the decay rate [22, 23]
that exploits the Rowhammer effect to manipulate PUF responses. or the inherent startup-value [20] of memory cells. In the following
Second, a modeling attack that predicts PUF responses by observing we focus on DRAM PUFs.
few challenge-response pairs. Our results indicate that DRAM may While DRAM hardware is highly standardized, cheap, widely
not be suitable for PUFs. used, and commercially available as off-the-shelf components, it
also exhibits a number of reliability problems: Adverse conditions
KEYWORDS such as higher temperature or electromagnetic radiation can lead to
bit errors in the information stored digitally on the hardware [10–
PUFs, Rowhammer, Remote attacks
12]. Moreover, researchers demonstrated that DRAM hardware is
ACM Reference Format: in fact subject to bit errors that are reproducable purely from soft-
Shaza Zeitouni, David Gens, and Ahmad-Reza Sadeghi. 2018. It’s Hammer ware under completely benign operating conditions. In particular,
Time: How to Attack (Rowhammer-based) DRAM-PUFs. In DAC ’18: DAC several independent studies found that frequently accessing phys-
’18: The 55th Annual Design Automation Conference 2018, June 24–29, ically co-located memory cells leads to bit flips in adjacent mem-
2018, San Francisco, CA, USA. ACM, New York, NY, USA, 6 pages. https: ory cells [7, 8]. This effect, called Rowhammer, was subsequently
//doi.org/10.1145/3195970.3196065
shown to be exploitable by remote adversaries to undermine de-
ployed security mechanisms on computing platforms using DRAM
1 INTRODUCTION hardware [13, 17, 21]. The focus of the literature so far has been on
Physically Unclonable Functions (PUFs) have been considered a Rowhammer-based attacks and defenses [2, 3, 7], however, recently,
promising technology to establish trust anchors in embedded sys- at HOST 2017 Schaller et al. considered a new paradigm to leverage
tems with minimal hardware requirements. PUFs allow for utilizing the Rowhammer effect in DRAM to construct memory-based intrin-
inherent manufacturing process variations to extract unique but repro- sic Rowhammer PUFs (RH-PUFs) [16]. They propose to extract a
ducible secrets/identifiers, which are generated through a challenge unique device fingerprint from DRAM locations that are subject to
and response process. The responses directly depend on the unique reproducible bit flips.
physical properties that is implicitly introduced during production.
However, the uniqueness property is not sufficient to ensure security: Goals and Contributions. We revisit the security of DRAM PUFs
the response to a particular challenge must also be unpredictable, and demonstrate two remote attacks on (Rowhammer) DRAM PUFs,
i.e., it is required that the responses for a series of PUF challenges proposed by Schaller et al. [16]. First, we show that an adversary
look like the output of a random function to an observer. PUFs have observing few challenge-response pairs can predict future responses
been proposed as tamper-evident building blocks for various use with high confidence, violating the unclonability property. Second,
cases such as for authentication, key-derivation, and device identifi- we present a Rowhammer-based Denial of Service (DoS) attack by
cation [4, 9, 18]. tampering with the responses of DRAM PUFs. Our attacks work
completely in software, i.e., without any physical access to the
Permission to make digital or hard copies of all or part of this work for personal or system. We implemented and evaluated our attacks in a real-world
classroom use is granted without fee provided that copies are not made or distributed setup and in different scenarios. Our experimental results suggest
for profit or commercial advantage and that copies bear this notice and the full citation that DRAM hardware might in fact not be a suitable candidate for
on the first page. Copyrights for components of this work owned by others than ACM
must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, secure PUF implementations. To summarize our contributions are:
to post on servers or to redistribute to lists, requires prior specific permission and/or a
fee. Request permissions from permissions@acm.org.
DAC ’18, June 24–29, 2018, San Francisco, CA, USA
© 2018 Association for Computing Machinery.
∙ We present a remote, Rowhammer-based Denial-of-Service
ACM ISBN 978-1-4503-5700-5/18/06. . . $15.00 (DoS) attack against DRAM PUF constructions.
https://doi.org/10.1145/3195970.3196065
Bank DRAM chips, several studies found Rowhammer to be a wide-spread
Column reliability issue, and conclude that Rowhammer seems to be an in-
herent design problem of DRAM chips as all vendors and even ECC
A DRAM modules are affected [7, 8].
0,2
0,15
0,1
0,05
0
0 0,51 0,52 0,53 0,54 0,56 0,58 … 0,75 0,76 0,77 0,8 0,81 0,83 0,84 0,85 0,87 … 0,93 0,95 0,96 0,97 0,98 0,99 1
Similarity Index (J) JThresh = 0.9454
Figure 3: Histogram of 𝐽𝑖𝑛𝑡𝑟𝑎 values for three PUF instances before and after double-sided DoS attack using 20 measurements with
𝑃 𝑈 𝐹𝑠𝑖𝑧𝑒 = 4KB, 8KB and 16KB, 𝑅𝐻𝑡𝑦𝑝𝑒 = SSRH and 𝑅𝐻𝑡𝑖𝑚𝑒 = 120s
5.2 DoS Attack on the RH-PUF Table 1: SSRH DoS attack on several RH-PUF variants
Our Denial of Service (DoS) attack can be launched remotely at
run time by a malicious process that has simultaneous access to 𝑅𝐻𝑡𝑦𝑝𝑒 𝑃 𝑈 𝐹𝑠𝑖𝑧𝑒 𝑅𝐻𝑡𝑖𝑚𝑒
physically adjacent memory locations to RH-PUF memory. For our 60s 120s 180
prototype implemention of the DoS attack we used the RH-PUF SSRH 1-row PUF 0.5 0.78 0.853
source code, which modifies the popular boot loader U-Boot [16]. SSRH 2-row PUF 0.79 0.85 0.76
We evaluated our attack on top of the RH-PUF, such that additional SSRH 4-row PUF 0.46 0.68 0.88
rows above and/or below the PUF region are hammered simultane- DSRH 1-row PUF 0.67 0.53 0.69
ously while querying PUF responses. We present two variants of DSRH 2-row PUF 0.89 0.9 0.88
our DoS attack assuming that the malicious process has access to: DSRH 4-row PUF 0.89 0.97 0.97
i) one neighboring row above the PUF region, which we refer to as
the SSRH DoS attack and ii) two neighboring rows above and below Table 2: DSRH DoS attack on several RH-PUF variants
the PUF region, referred to as the DSRH DoS attack as shown in
Figure 2. The goal of our attack is to increase the noise in the PUF 𝑅𝐻𝑡𝑦𝑝𝑒 𝑃 𝑈 𝐹𝑠𝑖𝑧𝑒 𝑅𝐻𝑡𝑖𝑚𝑒
measurements and reduce its robustness, such that the PUF can no 60s 120s 180
longer be identified or used for key derivation. SSRH 1-row PUF 0.6 0.84 0.88
To measure RH-PUF robustness, the Jaccard index 𝐽𝑖𝑛𝑡𝑟𝑎 is SSRH 2-row PUF 0.33 0.79 0.85
used to reflect similarity between two PUF responses for the same SSRH 4-row PUF 0.37 0.54 0.73
challenge (see Equation I). When 𝐽𝑖𝑛𝑡𝑟𝑎 = 1, it reflects that the DSRH 1-row PUF 0.33 0.2 0.56
responses are identical. As indicated in [16], RH-PUF achieves high DSRH 2-row PUF 0.85 0.85 0.92
robustness with a minimum of 𝐽𝑡ℎ𝑟𝑒𝑠ℎ = 0.9454 and exhibits a DSRH 4-row PUF 0.94 0.96 0.88
maximum noise of around 5% that can be corrected using standard
fuzzy extractors in key derivation schemes [5]. We first measured re-
sponses of several RH-PUF instances, i.e., with different 𝑃 𝑈 𝐹𝑠𝑖𝑧𝑒 , row of Table 2, using DSRH DoS attack, the adversary is capable
𝑅𝐻𝑡𝑦𝑝𝑒 and 𝑅𝐻𝑡𝑖𝑚𝑒 values. Then, we performed the DoS attacks of reducing the 𝐽𝑖𝑛𝑡𝑟𝑎 of a DSRH RH-PUF of 4KB to 0.33, 0.20,
on these RH-PUF instances and collected their responses. In both and 0.56 (i.e., ≪ 0.9454 = 𝐽𝑡ℎ𝑟𝑒𝑠ℎ [16]) when hammered for 60s,
experiments, each response was measured 20 times. Figure 3 shows 120s and 180s respectively. This is mainly due to the close proximity
the similarity index 𝐽𝑖𝑛𝑡𝑟𝑎 for the three RH-PUF responses before of the DoS aggressor rows to more PUF victim rows, since victim
and after the attack. On the right-hand side of the figure, histograms rows in the middle become less vulnerable to our attack when the
of similarity index values 𝐽𝑖𝑛𝑡𝑟𝑎 for three SSRH RH-PUFs before RH-PUF size increases.
the DoS attack are shown. Our results are on par with the results
in [16]. On the left-hand side of Figure 3, the effect of our DoS 5.3 Modeling Attack on the RH-PUF
attack on the 𝐽𝑖𝑛𝑡𝑟𝑎 values of the same three RH-PUF instances is Our modeling attack on the RH-PUF works under the restriction that
shown. Our attacks shifted the similarity index of PUF responses an attacker can only observe CRPs exchanged in the authentication
𝐽𝑖𝑛𝑡𝑟𝑎 away from the threshold value 𝐽𝑡ℎ𝑟𝑒𝑠ℎ and introduced a protocol. Hence, we perform the following steps: i) measure RH-
maximum of 80% noise to the PUF responses, which cannot be PUF CRPs for a RH-PUF instance, ii) pick valid CRPs that adhere
tolerated even with the use of more advanced fuzzy extractors. As to the criteria defined in [23] as training set from the collected CRPs,
indicated by the results in Table 1 and Table 2, our DoS attack works and iii) run an interpolation algorithm to predict future responses
at best on RH-PUF with small sizes. For example, in the second based on the training set and verify its accuracy. We use standard
Table 3: Modeling 8-row RH-PUFs