Intrinsic Rowhammer PUFs: Leveraging the Rowhammer Effect for Improved Security Andr´ e Schaller ∗ , Wenjie Xiong † , Nikolaos Athanasios Anagnostopoulos ∗ , Muhammad Umair Saleem ∗ , Sebastian Gabmeyer ∗ , Stefan Katzenbeisser ∗ and Jakub Szefer † ∗ Technische Universit¨ at Darmstadt and CYSEC, Darmstadt, Germany † Yale University, New Haven, CT, USA Abstract—Physically Unclonable Functions (PUFs) have be- come an important and promising hardware primitive for device fingerprinting, device identification, or key storage. Intrinsic PUFs leverage components already found in existing devices, un- like extrinsic silicon PUFs, which are based on customized circuits that involve modification of hardware. In this work, we present a new type of a memory-based intrinsic PUF, which leverages the Rowhammer effect in DRAM modules – the Rowhammer PUF. Our PUF makes use of bit flips, which occur in DRAM cells due to rapid and repeated access of DRAM rows. Prior research has mainly focused on Rowhammer attacks, where the Rowhammer effect is used to illegitimately alter data stored in memory, e.g., to change page table entries or enable privilege escalation attacks. Meanwhile, this is the first work to use the Rowhammer effect in a positive context – to design a novel PUF. We extensively evaluate the Rowhammer PUF using commercial, off-the-shelf devices, not relying on custom hardware or an FPGA-based setup. The evaluation shows that the Rowhammer PUF holds required properties needed for the envisioned security applications, and could be deployed today. Keywords—rowhammer, physical unclonable function, security, dynamic random access memory, PUF, DRAM, DRAM retention This document is based on the accepted version of the work of the same title that has been published in the Proceedings of the 2017 IEEE International Symposium on Hardware Oriented Security and Trust (HOST) by IEEE, which has the following Digital Object Identifier (DOI): 10.1109/HST.2017.7951729. Minor formatting changes have been applied. c 2017 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. I. I NTRODUCTION In recent years, attacks that exploit the Rowhammer effect have gained a lot of attention, as they can enable a plethora of security-related risks due to the wide-spread vulnerability imposed by the Rowhammer effect in today’s DRAM modules. The phenomenon was first described by Kim et al. [1], who were able to induce so-called disturbance errors in high- density, commodity DRAM modules by repeatedly accessing uncached memory rows. Disturbance errors occur due to the charge coupling between DRAM cells, which accelerates charge leakage in adjacent rows, and eventually results in bits being flipped in so-called victim rows in DRAM, even though said victim rows were not explicitly accessed. The Rowhammer effect allows for breaking many software-based security mechanisms, as well as memory and process isolation, because it allows flipping memory bits, which would otherwise be protected by software-based access control mechanisms. Numerous papers have been published that use the Rowham- mer effect in order to improve the identification of vulnerable DRAM cells or to implement various Rowhammer attacks [2], [3], [4], [5]. In contrast to the existing work on the Rowhammer effect, we present a novel approach that uses DRAM disturbance errors, in order to strengthen the security of DRAM-equipped devices, instead of attacking such platforms. We propose to use bit flips, induced by the Rowhammer effect, as basis for a Physically Unclonable Function (PUF) that allows for robust identification of DRAM-equipped devices. We further present a software-only solution that works on commodity hardware and which enables runtime queries to the Rowhammer PUF, not requiring custom hardware or an FPGA setup. Prior work on DRAM PUFs has considered using the decay characteristics of DRAM cells when refresh is disabled, e.g. [6], but the Rowhammer effect as a source of a PUF has not been explored so far. Compared to existing DRAM decay-based PUFs, the Rowhammer PUF takes advantage of disturbance errors to increase the entropy of the PUF response. With our new ap- proach, we enable DRAM-equipped low-cost platforms to use hardware-based fingerprinting, identification, or key storage mechanisms without adding extra logic, e.g., as opposed to extrinsic arbiter PUFs that require new circuits to be added to the computing platform. Since many, if not most, DRAM- equipped platforms are affected by the Rowhammer effect [1], application of Rowhammer PUF goes well beyond just the platforms tested in this work. Additionally, unlike most known intrinsic PUFs, particularly SRAM-based PUFs, which can only be accessed at SRAM boot-up time, the Rowhammer PUF can be queried both at boot-up time and at runtime of a system. Contributions This paper extends the field of Physically Unclonable Functions (PUFs) with the following contributions: • We introduce the Rowhammer PUF, which leverages distur- bance errors among DRAM rows that manifest themselves as bit flips, which are used as basis for the new type of Physically Unclonable Function. • We implement the Rowhammer PUF on commodity, off-the- shelf devices, in a way which is accessible during runtime and which requires no custom hardware or an FPGA setup. • We provide an extensive evaluation, showing very good metrics for uniqueness, robustness and entropy. We further show the PUF’s ability to operate at different ambient temperatures in a stable manner. arXiv:1902.04444v1 [cs.CR] 12 Feb 2019