Cloning Physically Unclonable Functions
Clemens Helfmeier, Christian Boit
Semiconductor Devices, Dept. of High-Frequency and Semiconductor System Tech.,
Technische Universität Berlin, Berlin, Germany
Dmitry Nedospasov, Jean-Pierre Seifert
Security in Telecommunications,
Dept. of Software Eng. and Theoretical Computer Science, Technische Universität Berlin,
These authors contributed equally to this work
Abstract
As system security demands continue to evolve, Physically Unclonable Functions (PUFs) are a promising solution for secure storage on Integrated Circuits (ICs). SRAM PUFs are among the most popular types of PUFs, since they require no additional circuitry and can be implemented with on-die memories such as caches and data memory that are readily available on both ASICs and FPGAs. This work demonstrates that SRAM PUFs are not well suited as PUFs, as they do not meet several requirements that constitute an ideal PUF. The compact nature of SRAM, standard interconnects and resiliency to environmental effects make SRAM PUFs particularly easy to clone. We consider several ways in which SRAM PUFs can be characterized and demonstrate a Focused Ion Beam circuit edit with which we were able to produce a physical clone of our Proof-of-Concept SRAM PUF implementation. As a result of the circuit edit, when challenged, the physical clone produced an identical physical response to the original device. To the best of our knowledge, this is the first work in which a physical clone of a Physically Unclonable Function was produced.
Secure storage is a critical component of any secure system and is often delegated to dedicated hardware. In many cases dedicated security Integrated Circuits (IC) are incorporated into the designs of secure systems specifically to take care of such tasks. Secret data can be programmed into a secure IC during production by the vendor or personalization by the end-user. In systems lacking Non-Volatile Memory (NVM), key storage and distribution can be particularly difficult.
However, even with NVM, an attacker can utilize any number of techniques to read out on-die memories. One especially promising avenue to solve the problems of key storage is Physically Unclonable Functions (PUFs), since intrinsic process variations can be used to implement unique challenge/response pairs for every IC. When implemented correctly, a key does not have to be stored at all, but is instead derived from the characteristic response of a PUF. Ideally, the characteristic response changes whenever the IC is altered, i.e. when the device is depackaged. Such behavior provides an additional layer of tamper-resistance.
One of the most researched and popular classes of PUFs are memory-based PUFs. Such PUFs utilize the settling state of volatile memory, such as Static Random Access Memory (SRAM), to implement unique challenge/response pairs. Such memories are already present on secure ICs and offer hardware vendors substantial flexibility during manufacturing. Memories can be partially or completely re-purposed to temporarily or permanently act as a PUF at startup. SRAM is commonly included in such solutions, making SRAM-based PUFs especially popular. SRAM and SRAM-based PUFs are also particularly resilient to temperature variations and are generally more compact than many other memory-based PUFs.
Though several works to date have described the characteristics of an ideal PUF, this work focuses on the original definitions introduced in . This work demonstrates that SRAM PUFs violate at least the following characteristics of an ideal PUF:
Manufacturer resistant - It should be infeasible to create a second PUF that generates the same response.
Hard to characterize - It should be infeasible to characterize the response of a PUF.
Controlled - The PUF should be difficult to access for the attacker and implement some tamper-resistance.
The main contributions of this paper are: (1) First successful physical clone. We successfully reproduced the unique response of our Proof of Concept (PoC) SRAM PUF implementation in a second identical device. We used a Focused Ion Beam (FIB) circuit edit (CE) to produce a fully-functioning second instance of the device with an identical physical response to that of the target device. To the best of our knowledge this is the first successful hardware-based cloning attack against a PUF. (2) Several strategies to read out SRAM. If the entire contents of the SRAM can be extracted, an SRAM PUF can be fully characterized. We review several techniques with which the contents of SRAM at startup can be extracted, allowing an attacker to recover the unique response of the IC. (3) Discussion and Countermeasures. We discuss several inherent weaknesses of memory-based PUFs as compared to other classes of PUFs. We also introduce several mitigation techniques with which hardware vendors can make our attack significantly less cost-effective for the attacker.
The rest of this paper is structured as follows: In Section II we provide additional necessary background information on the 6T-SRAM cell circuit as well as SRAM PUF implementations. The FIB CE is explained in Section III. In Section IV we provide details of the Device Under Test (DUT) as well as the PoC implementation and experimental setup. We present the results of our experiments including all the necessary steps to reproduce the attack in Section V. Finally we evaluate the impact of our findings and propose several potential countermeasures in Section VI.
Fig. 1: Schematic and read operation of a 6T SRAM. The solid arrows depict the current injected by the read amplifiers for the specified states. The dotted arrows correspond to the resulting current to ground. During this process, transistor N2 is in saturation and emits light.
II. BACKGROUND
This section introduces terminology used throughout the work and reviews several characteristics of SRAM and SRAM-based PUFs. The process of cloning a PUF consists of two main steps:
Characterization - a process in which the attacker gains knowledge of the challenge/response behavior of a PUF.
Emulation - the process of recreating or modeling the unique response of a PUF, i.e. creating a PUF with identical challenge/response pairs.
If an attacker is able to fully characterize the unique PUF response, the response can be emulated or modeled. The authors of  successfully applied machine learning to create a software model of an arbiter PUF and generate correct responses. However, software modeling is often impractical, especially in high-security applications. Such scenarios may require an identical form factor, i.e. a smartcard, or additional functionality present on the IC that is outside the scope of the PUF itself. By directly characterizing the physical response of the target device, an identical physical response can be reproduced in a second instance of the device. We refer to a modified device exhibiting an identical physical response as a physical clone of the target device. The physical clone remains fully functional and retains any additional capabilities implemented on the IC.
A. SRAM and SRAM PUFs
An SRAM consists of an array of cells connected by bitlines and wordlines where each cell stores a single bit of information. The cells of an SRAM array can be read or written by the corresponding logic interface, depending on the status of the bitlines and wordlines. During a read of an SRAM cell, the corresponding wordline is asserted and the status of the bitlines is read. The cell needs to drive the read amplifier's inputs during this read access, see Figure 1. Depending on the drive strength of a given cell, the voltages at the drains of the cell's four inverter transistors are elevated and reduced, respectively.
As the SRAM is powered up, each cell takes on either the logical state of 0 or 1. A PUF response is generated simply by challenging or addressing an SRAM array, i.e. reading out a particular location within the array. This also has the advantage of requiring no additional logic to generate challenge/response pairs since existing memory access logic can be used.
B. SRAM Characterization Techniques
Since SRAM PUF responses are produced simply by challenging certain addresses within the SRAM, reading out the entire SRAM after startup is sufficient to fully characterize the IC. There are a number of ways in which an attacker can achieve this goal. SRAM PUF challenges utilize standard on-chip memory interfaces and buses. If an attacker gains control of such interfaces, any memory contents stored on the IC can be accessed.
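The property described above, shown in a toy model (an added example, not code or data from the paper): because a challenge is only an address, the complete challenge/response table has exactly as many entries as the memory has words, and a table taken once still predicts the responses after a later power-up. The Gaussian skew and noise model, the 8-bit word width, the seeds and the names `SramPuf`, `characterize` and `evaluate` are assumptions made for illustration.

```python
import random

WIDTH = 8  # bits returned per challenge (assumed word size)

class SramPuf:
    """Toy model: every cell has a fixed manufacturing skew plus power-up noise."""
    def __init__(self, n_words, seed, noise=0.05):
        rng = random.Random(seed)
        self.n_words = n_words
        # Process variation, fixed for the lifetime of the device (constructed data).
        self.skew = [rng.gauss(0.0, 1.0) for _ in range(n_words * WIDTH)]
        self.noise = noise
        self._rng = random.Random(seed ^ 0x5A5A)  # source of power-up noise
        self.power_up()

    def power_up(self):
        # Each cell settles to 1 or 0 according to its skew plus a little noise.
        self.state = [1 if s + self._rng.gauss(0.0, self.noise) > 0 else 0
                      for s in self.skew]

    def challenge(self, addr):
        # Challenge = address, response = the settled bits stored at that address.
        return tuple(self.state[addr * WIDTH:(addr + 1) * WIDTH])

def fractional_hd(a, b):
    """Fraction of bit positions in which two equal-length bit sequences differ."""
    return sum(x != y for x, y in zip(a, b)) / len(a)

def characterize(puf):
    # A single linear pass over the address space is the full CRP table.
    return {addr: puf.challenge(addr) for addr in range(puf.n_words)}

def evaluate(n_words=256):
    dev_a, dev_b = SramPuf(n_words, seed=1), SramPuf(n_words, seed=2)
    table = characterize(dev_a)          # taken at the first power-up
    ref_a = list(dev_a.state)
    dev_a.power_up()                     # the device is power-cycled afterwards
    flat = [bit for addr in range(n_words) for bit in table[addr]]
    return {
        "crp_count": len(table),                                  # linear in memory size
        "inter_device_hd": fractional_hd(ref_a, dev_b.state),     # uniqueness
        "intra_device_hd": fractional_hd(ref_a, dev_a.state),     # stability
        "table_agreement": 1.0 - fractional_hd(flat, dev_a.state),
    }

if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name}: {value:.3f}" if isinstance(value, float) else f"{name}: {value}")
```

The same stability that makes the start-up pattern usable as a key (low intra-device distance) is what keeps a one-time table valid, which is why the size of the address space is the only bound on characterization effort in this model.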
With the exception of Read Only Memory (ROM), which can be extracted from optical images of the die, the IC must be actively stimulated in order to extract memory contents. Fully-invasive decapsulation in conjunction with microprobing can provide an attacker access to any memory circuitry. However, probing embedded memories directly is infeasible in practice because of the number of data and address lines. Instead, the data can be exfiltrated over multiple measurements of the individual lines. Arbitrary access to embedded memories can also be achieved by directly manipulating the opcodes executed by the IC. Such attacks circumvent all on-die countermeasures and sensors and are not impeded by bus encryption, since data must be deobfuscated and decrypted before reaching the core of the IC.
If the attacker is able to introduce one or more deterministic transient faults into the SRAM PUF, Differential Fault Analysis (DFA) can be applied to recover the SRAM contents.