Run-Time Accessible DRAM PUFs in Commodity Devices

  • Wenjie XiongEmail author
  • André Schaller
  • Nikolaos A. Anagnostopoulos
  • Muhammad Umair Saleem
  • Sebastian Gabmeyer
  • Stefan Katzenbeisser
  • Jakub Szefer
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9813)


A Physically Unclonable Function (PUF) is a unique and stable physical characteristic of a piece of hardware, which emerges due to variations in the fabrication processes. Prior works have demonstrated that PUFs are a promising cryptographic primitive to enable secure key storage, hardware-based device authentication and identification. So far, most PUF constructions require addition of new hardware or FPGA implementations for their operation. Recently, intrinsic PUFs, which can be found in commodity devices, have been investigated. Unfortunately, most of them suffer from the drawback that they can only be accessed at boot time. This paper is the first to enable the run-time access of decay-based intrinsic DRAM PUFs in commercial off-the-shelf systems, which requires no additional hardware or FPGAs. A key advantage of our PUF construction is that it can be queried during run-time of a Linux system. Furthermore, by exploiting different decay times of individual DRAM cells, the challenge-response space is increased. Finally, we introduce lightweight protocols for device authentication and secure channel establishment, that leverage the DRAM PUFs at run-time.


Decay Time Authentication Protocol Jaccard Index Kernel Module Memory Controller 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



This work has been co-funded by the DFG as part of project P3 within the CRC 1119 CROSSING. This work was also partly funded by CASED. The authors would like to thank Kevin Ryan and Ethan Weinberger for their help with building the heater setup used in the experiments, and Intel for donating the Intel Galileo boards used in this work. The authors would also like to thank anonymous CHES reviewers, and especially our shepherd, Roel Maes, for numerous suggestions and guidance in making the final version of this paper.


  1. 1.
    Hacking DefCon 23’s IoT Village Samsung fridge. Accessed Feb 2016
  2. 2.
    Armknecht, F., Maes, R., Sadeghi, A.R., Sunar, B., Tuyls, P.: Memory leakage-resilient encryption based on physically unclonable functions. In: Sadeghi, A.-R., Naccache, D. (eds.) Towards Hardware-Intrinsic Security, pp. 135–164. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  3. 3.
    Bacha, A., Teodorescu, R.: Authenticache: harnessing cache ECC for system authentication. In: Proceedings of International Symposium on Microarchitecture, pp. 128–140. ACM (2015)Google Scholar
  4. 4.
    Batra, P., Skordas, S., LaTulipe, D., Winstel, K., Kothandaraman, C., Himmel, B., Maier, G., He, B., Gamage, D.W., Golz, J., et al.: Three-dimensional wafer stacking using Cu TSV integrated with 45 nm high performance SOI-CMOS embedded DRAM technology. J. Low Power Electron. Appl. 4, 77–89 (2014)CrossRefGoogle Scholar
  5. 5.
    Dodis, Y., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 523–540. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  6. 6.
    Foster, I., Prudhomme, A., Koscher, K., Savage, S.: Fast and vulnerable: a story of telematic failures. In: USENIX Workshop on Offensive Technologies (2015)Google Scholar
  7. 7.
    Gassend, B., Clarke, D., Van Dijk, M., Devadas, S.: Delay-based circuit authentication and applications. In: Proceedings of the ACM Symposium on Applied Computing, pp. 294–301. ACM (2003)Google Scholar
  8. 8.
    Greenberg, A.: Hackers remotely kill a jeep on the highway–with me in it. Wired (2015). Accessed 08 July 16
  9. 9.
    Guajardo, J., Kumar, S.S., Schrijen, G.-J., Tuyls, P.: FPGA intrinsic PUFs and their use for IP protection. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 63–80. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  10. 10.
    Guajardo, J., Kumar, S.S., Schrijen, G.J., Tuyls, P.: Brand and IP protection with physical unclonable functions. In: IEEE International Symposium on Circuits and Systems, pp. 3186–3189 (2008)Google Scholar
  11. 11.
    Hashemian, M.S., Singh, B., Wolff, F., Weyer, D., Clay, S., Papachristou, C.: A robust authentication methodology using physically unclonable functions in DRAM arrays. In: Proceedings of the Design, Automation and Test in Europe Conference, pp. 647–652 (2015)Google Scholar
  12. 12.
    Hernandez, G., Arias, O., Buentello, D., Jin, Y.: Smart nest thermostat: a smart spy in your home. Black Hat USA (2014)Google Scholar
  13. 13.
    Jaccard, P.: Etude comparative de la distribution orale dans une portion des Alpes et du Jura. Impr. Corbaz (1901)Google Scholar
  14. 14.
    Katzenbeisser, S., Kocabaş, Ü., Rožić, V., Sadeghi, A.-R., Verbauwhede, I., Wachsmann, C.: PUFs: myth, fact or busted? A security evaluation of physically unclonable functions (PUFs) cast in silicon. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 283–301. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  15. 15.
    Keeth, B.: DRAM Circuit Design: Fundamental and High-Speed Topics. Wiley, Hoboken (2008)Google Scholar
  16. 16.
    Keller, C., Gurkaynak, F., Kaeslin, H., Felber, N.: Dynamic memory-based physically unclonable function for the generation of unique identifiers and true random numbers. In: IEEE International Symposium on Circuits and Systems, pp. 2740–2743. IEEE (2014)Google Scholar
  17. 17.
    Kim, Y., Daly, R., Kim, J., Fallin, C., Lee, J.H., Lee, D., Wilkerson, C., Lai, K., Mutlu, O.: Flipping bits in memory without accessing them: an experimental study of DRAM disturbance errors. In: ACM SIGARCH Computer Architecture News, pp. 361–372 (2014)Google Scholar
  18. 18.
    Kocabaş, Ü., Peter, A., Katzenbeisser, S., Sadeghi, A.-R.: Converse PUF-based authentication. In: Camp, L.J., Volkamer, M., Reiter, M., Zhang, X., Katzenbeisser, S., Weippl, E. (eds.) Trust 2012. LNCS, vol. 7344, pp. 142–158. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  19. 19.
    Kohnhäuser, F., Schaller, A., Katzenbeisser, S.: PUF-based software protection for low-end embedded devices. In: Conti, M., Schunter, M., Askoxylakis, I. (eds.) TRUST 2015. LNCS, vol. 9229, pp. 3–21. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  20. 20.
    Kong, J., Koushanfar, F., Pendyala, P.K., Sadeghi, A.R., Wachsmann, C.: PUFatt: embedded platform attestation based on novel processor-based PUFs. In: ACM/EDAC/IEEE Design Automation Conference, pp. 1–6 (2014)Google Scholar
  21. 21.
    Liu, J., Jaiyen, B., Kim, Y., Wilkerson, C., Mutlu, O.: An experimental study of data retention behavior in modern DRAM devices: implications for retention time profiling mechanisms. In: ACM SIGARCH Computer Architecture News, pp. 60–71 (2013)Google Scholar
  22. 22.
    Liu, W., Zhang, Z., Li, M., Liu, Z.: A trustworthy key generation prototype based on DDR3 PUF for wireless sensor networks. Sensors 14, 11542–11556 (2014)CrossRefGoogle Scholar
  23. 23.
    Maes, R., van der Leest, V.: Countering the effects of silicon aging on SRAM PUFs. In: IEEE International Symposium on Hardware-Oriented Security and Trust, pp. 148–153 (2014)Google Scholar
  24. 24.
    Maes, R., van der Leest, V., van der Sluis, E., Willems, F.: Secure key generation from biased PUFs. In: Güneysu, T., Handschuh, H. (eds.) CHES 2015. LNCS, vol. 9293, pp. 517–534. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  25. 25.
    Maes, R., Rožić, V., Verbauwhede, I., Koeberl, P., Van der Sluis, E., Van der Leest, V.: Experimental evaluation of physically unclonable functions in 65 nm CMOS. In: Proceedings of the ESSCIRC, pp. 486–489 (2012)Google Scholar
  26. 26.
    Phone as a Token - turn your phone into an authentication token. Accessed Feb 2016
  27. 27.
    Rahmati, A., Hicks, M., Holcomb, D.E., Fu, K.: Probable cause: the deanonymizing effects of approximate DRAM. In: Proceedings of the International Symposium on Computer Architecture, pp. 604–615 (2015)Google Scholar
  28. 28.
    Rosenblatt, S., Chellappa, S., Cestero, A., Robson, N., Kirihata, T., Iyer, S.S.: A self-authenticating chip architecture using an intrinsic fingerprint of embedded DRAM. IEEE J. Solid-State Circuits 48, 2934–2943 (2013)CrossRefGoogle Scholar
  29. 29.
    Rosenblatt, S., Fainstein, D., Cestero, A., Safran, J., Robson, N., Kirihata, T., Iyer, S.S.: Field tolerant dynamic intrinsic chip ID using 32 nm high-K/metal gate SOI embedded DRAM. IEEE J. Solid-State Circuits 48, 940–947 (2013)CrossRefGoogle Scholar
  30. 30.
    Rührmair, U., Sölter, J., Sehnke, F.: On the foundations of physical unclonable functions. IACR Cryptology ePrint Archive 2009, p. 277 (2009)Google Scholar
  31. 31.
    Schaller, A., Arul, T., van der Leest, V., Katzenbeisser, S.: Lightweight anti-counterfeiting solution for low-end commodity hardware using inherent PUFs. In: Holz, T., Ioannidis, S. (eds.) Trust 2014. LNCS, vol. 8564, pp. 83–100. Springer, Heidelberg (2014)Google Scholar
  32. 32.
    Schaller, A., Škorić, B., Katzenbeisser, S.: On the systematic drift of physically unclonable functions due to aging. In: Proceedings of the International Workshop on Trustworthy Embedded Devices, pp. 15–20. ACM (2015)Google Scholar
  33. 33.
    Scheel, R.A., Tyagi, A.: Characterizing composite user-device touchscreen physical unclonable functions (pufs) for mobile device authentication. In: Proceedings of the International Workshop on Trustworthy Embedded Devices, pp. 3–13. ACM (2015)Google Scholar
  34. 34.
    Schneier, B.: The internet of things is wildly insecure—and often unpatchable. Wired (2014). Accessed 08 July 2016
  35. 35.
    Schrijen, G.J., van der Leest, V.: Comparative analysis of SRAM memories used as PUF primitives. In: Proceedings of the Conference on Design, Automation and Test in Europe, pp. 1319–1324. EDA Consortium (2012)Google Scholar
  36. 36.
    Schroeder, B., Pinheiro, E., Weber, W.D.: DRAM errors in the wild: a large-scale field study. In: ACM SIGMETRICS Performance Evaluation Review, pp. 193–204 (2009)Google Scholar
  37. 37.
    Schulz, S., Sadeghi, A.R., Wachsmann, C.: Short paper: lightweight remote attestation using physical functions. In: Proceedings of the ACM Conference on Wireless Network Security, pp. 109–114 (2011)Google Scholar
  38. 38.
    Selimis, G., Konijnenburg, M., Ashouei, M., Huisken, J., De Groot, H., Van der Leest, V., Schrijen, G.J., Van Hulst, M., Tuyls, P.: Evaluation of 90 nm 6T-SRAM as Physical Unclonable Function for secure key generation in wireless sensor nodes. In: IEEE International Symposium on Circuits and Systems, pp. 567–570 (2011)Google Scholar
  39. 39.
    Skoric, B.: A trivial debiasing scheme for helper data systems. Cryptology ePrint Archive, Report 2016/241 (2016)Google Scholar
  40. 40.
    Suh, G.E., Devadas, S.: Physical unclonable functions for device authentication and secret key generation. In: Proceedings of the Design Automation Conference, pp. 9–14 (2007)Google Scholar
  41. 41.
    Tehranipoor, F., Karimina, N., Xiao, K., Chandy, J.: DRAM based intrinsic physical unclonable functions for system level security. In: Proceedings of the Great Lakes Symposium on VLSI, pp. 15–20 (2015)Google Scholar
  42. 42.
    Intrinsic-ID to Showcase TrustedSensor IoT Security Solution at InvenSense Developers Conference. Accessed Feb 2016
  43. 43.
    Tuyls, P., Batina, L.: RFID-tags for anti-counterfeiting. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 115–131. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  44. 44.
    Tuyls, P., Schrijen, G.J., Willems, F., Ignatenko, T., Skoric, B.: Secure key storage with PUFs. In: Tuyls, P., Skoric, B., Kevenaar, T. (eds.) Security with Noisy Data-On Private Biometrics, Secure Key Storage and Anti-Counterfeiting, pp. 269–292. Springer, London (2007)Google Scholar
  45. 45.
    Tuyls, P., Škorić, B.: Secret key generation from classical physics: physical uncloneable functions. In: Mukherjee, S., Aarts, R.M., Roovers, R., Widdershoven, F., Ouwerkerk, M. (eds.) AmIware Hardware Technology Drivers of Ambient Intelligence, pp. 421–447. Springer, Netherlands (2006)CrossRefGoogle Scholar
  46. 46.
    Viega, J., Thompson, H.: The state of embedded-device security (spoiler alert: it’s bad). IEEE Secur. Priv. 10, 68–70 (2012)CrossRefGoogle Scholar
  47. 47.
    Waldspurger, C.A.: Memory resource management in VMware ESX server. In: ACM SIGOPS Operating Systems Review, pp. 181–194 (2002)Google Scholar

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  • Wenjie Xiong
    • 1
    Email author
  • André Schaller
    • 2
  • Nikolaos A. Anagnostopoulos
    • 2
  • Muhammad Umair Saleem
    • 2
  • Sebastian Gabmeyer
    • 2
  • Stefan Katzenbeisser
    • 2
  • Jakub Szefer
    • 1
  1. 1.Yale UniversityNew HavenUSA
  2. 2.Technische Universität Darmstadt and CASEDDarmstadtGermany

Personalised recommendations