Attacking SRAM PUFs using very-low-temperature data remanence

Abstract In this work, we extend our previous manuscript regarding a systematic study of data remanence effects on an intrinsic Static Random Access Memory Physical Unclonable Function (SRAM PUF) implemented on a Commercial Off-The-Shelf (COTS) device in the temperature range between − 110 ∘ C and − 40 ∘ C. As the experimental results of our previous work show, an attack against intrinsic SRAM PUFs, which takes advantage of data remanence effects exhibited due to low temperatures, is possible, resulting in the attacker being able to know the PUF response, with high probability. As demonstrated in our previous work, this attack is highly resistant to memory erasure techniques and can be used to manipulate the cryptographic keys produced by the SRAM PUF. In this work, we examine and discuss potential countermeasures against this attack in more detail, and investigate whether this attack can be performed using an experimental setup that does not guarantee a high degree of thermal isolation. Additionally, we also examine and discuss whether very low temperatures can be used to perform another relevant type of attack against SRAM PUFs, based on whether very low temperature can prevent the SRAM from being overwritten. Finally, we also discuss related works and the generalisation of our results in more detail.

[1]  Amir Rahmati,et al.  DRV-Fingerprinting: Using Data Retention Voltage of SRAM Cells for Chip Identification , 2012, RFIDSec.

[2]  Ken Mai,et al.  6T SRAM and 3T DRAM data retention and remanence characterization in 65nm bulk CMOS , 2012, Proceedings of the IEEE 2012 Custom Integrated Circuits Conference.

[3]  Stefan Katzenbeisser,et al.  Run-Time Accessible DRAM PUFs in Commodity Devices , 2016, CHES.

[4]  Felix C. Freiling,et al.  Lest we forget: Cold-boot attacks on scrambled DDR3 memory , 2016, Digit. Investig..

[5]  Amir Rahmati,et al.  Reliable Physical Unclonable Functions Using Data Retention Voltage of SRAM Cells , 2015, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[6]  An Braeken,et al.  Comparison of SRAM and FF PUF in 65nm Technology , 2011, NordSec.

[7]  Narayanan Vijaykrishnan,et al.  Impact of Circuit Degradation on FPGA Design Security , 2011, 2011 IEEE Computer Society Annual Symposium on VLSI.

[8]  Patrick Schaumont,et al.  Hardware/software co-design of physical unclonable function based authentications on FPGAs , 2015, Microprocess. Microsystems.

[9]  Eli Biham,et al.  Differential Fault Analysis of Secret Key Cryptosystems , 1997, CRYPTO.

[10]  Ahmad-Reza Sadeghi,et al.  Remanence Decay Side-Channel: The PUF Case , 2016, IEEE Transactions on Information Forensics and Security.

[11]  Yevgeniy Dodis,et al.  Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data , 2004, EUROCRYPT.

[12]  Tilo Müller,et al.  FROST - Forensic Recovery of Scrambled Telephones , 2013, ACNS.

[13]  Ahmad-Reza Sadeghi,et al.  On the Effectiveness of the Remanence Decay Side-Channel to Clone Memory-Based PUFs , 2013, CHES.

[14]  Stefan Katzenbeisser,et al.  An Overview of DRAM-Based Security Primitives , 2018, Cryptogr..

[15]  Ariel J. Feldman,et al.  Lest we remember: cold-boot attacks on encryption keys , 2008, CACM.

[16]  Tolga Arul,et al.  Low-Temperature Data Remanence Attacks Against Intrinsic SRAM PUFs , 2018, 2018 21st Euromicro Conference on Digital System Design (DSD).

[17]  Zou Xuecheng,et al.  Novel security strategies for SRAM in powered-off state to resist physical attack , 2009, Proceedings of the 2009 12th International Symposium on Integrated Circuits.

[18]  Stefan Katzenbeisser,et al.  PUF-Based Software Protection for Low-End Embedded Devices , 2015, TRUST.

[19]  Jorge Guajardo,et al.  FPGA Intrinsic PUFs and Their Use for IP Protection , 2007, CHES.

[20]  Tilo Müller,et al.  On the Practicability of Cold Boot Attacks , 2013, 2013 International Conference on Availability, Reliability and Security.

[21]  Arnab Raha,et al.  D-PUF: An intrinsically reconfigurable DRAM PUF for device authentication in embedded systems , 2016, 2016 International Conference on Compliers, Architectures, and Sythesis of Embedded Systems (CASES).

[22]  Andreas Weinand,et al.  Proof of Concept for IoT Device Authentication Based on SRAM PUFs Using ATMEGA 2560-MCU , 2018, 2018 1st International Conference on Data Intelligence and Security (ICDIS).

[23]  Shuai Chen,et al.  FPGA implementation of SRAM PUFs based cryptographically secure pseudo-random number generator , 2018, Microprocess. Microsystems.

[24]  Helena Handschuh,et al.  Hardware Intrinsic Security from Physically Unclonable Functions , 2010, Towards Hardware-Intrinsic Security.

[25]  Fatemeh Tehranipoor,et al.  Phase calibrated ring oscillator PUF design and implementation on FPGAs , 2017, 2017 27th International Conference on Field Programmable Logic and Applications (FPL).

[26]  Amir Rahmati,et al.  TARDIS: Time and Remanence Decay in SRAM to Implement Secure Protocols on Embedded Devices without Clocks , 2012, USENIX Security Symposium.

[27]  Tim Güneysu,et al.  Enabling SRAM-PUFs on Xilinx FPGAs , 2014, 2014 24th International Conference on Field Programmable Logic and Applications (FPL).

[28]  Chip-Hong Chang,et al.  Optimizating Emerging Nonvolatile Memories for Dual-Mode Applications: Data Storage and Key Generator , 2015, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[29]  Steven Trimberger,et al.  Analysis of Data Remanence in a 90nm FPGA , 2007, 2007 IEEE Custom Integrated Circuits Conference.

[30]  Roy H. Campbell,et al.  BootJacker: compromising computers using forced restarts , 2008, CCS.

[31]  Stefan Katzenbeisser,et al.  Decay-Based DRAM PUFs in Commodity Devices , 2019, IEEE Transactions on Dependable and Secure Computing.

[32]  Sergei Skorobogatov Low temperature data remanence in static RAM , 2002 .

[33]  Srinivas Devadas,et al.  Physical Unclonable Functions and Applications: A Tutorial , 2014, Proceedings of the IEEE.

[34]  Ingrid Verbauwhede,et al.  Physically Unclonable Functions: A Study on the State of the Art and Future Research Directions , 2010, Towards Hardware-Intrinsic Security.

[35]  Zou Xuecheng,et al.  Security strategy of powered-off SRAM for resisting physical attack to data remanence , 2009 .

[36]  Fatemeh Tehranipoor,et al.  Robust hardware true random number generators using DRAM remanence effects , 2016, 2016 IEEE International Symposium on Hardware Oriented Security and Trust (HOST).

[37]  Piedad Brox Jiménez,et al.  Reducing bit flipping problems in SRAM physical unclonable functions for chip identification , 2012, 2012 19th IEEE International Conference on Electronics, Circuits, and Systems (ICECS 2012).

[38]  Ross J. Anderson,et al.  On a new way to read data from memory , 2002, First International IEEE Security in Storage Workshop, 2002. Proceedings..

[39]  Nele Mentens,et al.  Secure FPGA technologies and techniques , 2009, 2009 International Conference on Field Programmable Logic and Applications.

[40]  Alec Wolman,et al.  Protecting Data on Smartphones and Tablets from Memory Attacks , 2015, ASPLOS.

[41]  Stefan Katzenbeisser,et al.  PUFs: Myth, Fact or Busted? A Security Evaluation of Physically Unclonable Functions (PUFs) Cast in Silicon , 2012, CHES.

[42]  Rafail Ostrovsky,et al.  Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data , 2004, SIAM J. Comput..

[43]  H. Handschuh Hardware-Anchored Security Based on SRAM PUFs, Part 1 , 2012, IEEE Security & Privacy.

[44]  Nitesh Saxena,et al.  Data remanence effects on memory-based entropy collection for RFID systems , 2011, International Journal of Information Security.