An Overview of DRAM-Based Security Primitives

Recent developments have increased the demand for adequate security solutions, based on primitives that cannot be easily manipulated or altered, such as hardware-based primitives. Security primitives based on Dynamic Random Access Memory (DRAM) can provide cost-efficient and practical security solutions, especially for resource-constrained devices, such as hardware used in the Internet of Things (IoT), as DRAMs are an intrinsic part of most contemporary computer systems. In this work, we present a comprehensive overview of the literature regarding DRAM-based security primitives and an extended classification of it, based on a number of different criteria. In particular, first, we demonstrate the way in which DRAMs work and present the characteristics being exploited for the implementation of security primitives. Then, we introduce the primitives that can be implemented using DRAM, namely Physical Unclonable Functions (PUFs) and True Random Number Generators (TRNGs), and present the applications of each of the two types of DRAM-based security primitives. We additionally proceed to assess the security such primitives can provide, by discussing potential attacks and defences, as well as the proposed security metrics. Subsequently, we also compare these primitives to other hardware-based security primitives, noting their advantages and shortcomings, and proceed to demonstrate their potential for commercial adoption. Finally, we analyse our classification methodology, by reviewing the criteria employed in our classification and examining their significance.


Introduction
Recent events have served to amplify the need for more adequate security and privacy solutions for modern computer systems.Such events include the disclosure of a state-organised system of online surveillance covering the whole world [1], as well as newly reported software and hardware vulnerabilities that affect systems used every day by normal users.As these events affect the vast majority of the public, there has been significant pressure to address them in a thorough and transparent manner.
It is for this reason that research regarding IT security has been growing rapidly the last few years.The quick development of this research field has, in turn, brought forward a rise in relevant publications, regarding both software and hardware security.As an increasing number of vulnerabilities is being found in current security mechanisms and implementations, there is a growing demand for better security primitives that will prove more resistant to existing attacks.

Preliminary Concepts
We can distinguish three main concepts that form the background of our paper.The first one is the hardware component used, Dynamic Random Access Memories (DRAMs).The inherent properties of DRAMs are exploited in order to implement the security primitives that form the other two background concepts that this section discusses, Physical Unclonable Functions (PUFs) and Random Number Generators (RNGs).Both PUFs and RNGs have proven very useful for the implementation of cryptographic applications, especially in resource-constrained devices, such as the hardware used in the implementation of the Internet of Things (IoT).PUFs can be used for the implementation of key agreement, identification and authentication protocols, while RNGs can produce ephemeral keys and nonces, which are extremely vital for the security of cryptographic protocols.
Ephemeral keys can be produced by TRNGs, making it almost impossible for an attacker to gain access to them, as a good TRNG is extremely unlikely to produce the same output, even if an attacker gets hold of it.Additionally, such keys can be employed in a one-time pad (OTP) scheme, where they will only be used once [7].The single usage of such ephemeral keys guarantees that the OTP scheme is information-theoretically secure and provides perfect secrecy, therefore making TRNGs really important for cryptography.Furthermore, nonces produced by TRNGs have also become a common feature of cryptographic protocols, in order to prevent replay attacks.Therefore, TRNGs are essential primitives for the secure implementation of a large number of modern cryptographic protocols.
Moreover, as PUFs ideally act as physical functions that always produce the same output for a specific input, not only their outputs can be used as keys in key agreement schemes, or identifiers for identification and authentication purposes, but they also provide the additional advantage that they do not have to be stored after they are used.This is a significant advantage, because, in this way, cryptographic protocols can be implemented without the need for additional secure storage hardware.Finally, as DRAM-based PUFs and TRNGs are based on an inherent memory module of most contemporary computer systems, they allow for the implementation of cryptographic protocols even on IoT hardware and other resource-constrained devices that do not support additional security mechanisms, such as Trusted Platform Module (TPM) implementations and other security primitives that require hardware additions.
In this section, we examine how DRAMs work and which of their characteristics have been employed for the implementation of security primitives, namely PUFs and TRNGs.We then proceed to additionally discuss basic concepts regarding these security primitives.In this way, we aim to provide insights into the way DRAM-based security primitives work, as well as a preliminary introduction to their cryptographic applications, which will be discussed in more detail in Section 3.3.

Dynamic Random Access Memories
Dynamic Random Access Memories (DRAMs) are a type of Random Access Memory (RAM) that has been incorporated into the vast majority of modern computer systems.RAM is a type of volatile memory, a memory that can only store values while it is being powered.However, Dynamic RAMs (DRAMs), unlike Static RAMs (SRAMs), not only lose their stored content when they are not being powered, but also need to have their content constantly refreshed, due to the significant leakage that is inherent to their design.On the contrary, the design of SRAMs allows them to keep their content without being refreshed, as the design of SRAM cells is such that the stored value is constantly being reinforced on its own.
However, DRAMs are one of the most widely used types of RAM, as the design of DRAM cells is very simple, lightweight and cost-efficient.Most often, DRAM cells consist of a single capacitor that stores charge above or below a certain threshold, indicating one logical value or the other, and a single gatekeeper transistor that controls access to the storage capacitor.In comparison, the most common design for SRAM cells consists of six transistors, therefore providing a clear explanation for the usual difference in the size of the DRAM and the SRAM incorporated on a system.As DRAM cells require less space and are cheaper to implement than SRAM cells, most modern commercial systems tend to have DRAM storage sizes in the range of gigabytes (GB) and SRAM storage sizes in the order of kilobytes (KB), a difference that translates in billions of DRAM cells and only thousands of SRAM cells.
DRAM cells are grouped into memory arrays, where each row is connected to a wordline, which enables access to that row.All the cells in a single column are connected to a bitline, which is used to extract the value stored on a particular DRAM cell, to which access has been enabled through the wordline.The bitlines are connected to sense amplifiers that amplify the voltage of each bitline to a level that can be interpreted as logical zero or logical one.Obviously, this setup, which is shown in Figure 1, only allows access to one row at a time, while the values of all the cells of this row can be read at the same time using the bitlines.However, the sense amplifiers work in a differential way, as they compare the voltage of two different bitlines in order to determine whether the charge of one of them has increased or decreased from the reference level stored in the other one [8].In order for a row to be accessed, first, the bitlines are charged to Vdd 2 and, then, the relevant wordline is also charged, in order to force the row's transistors to contact and, therefore, allow access to the relevant capacitors.If a cell's capacitor is charged, charge flows from the capacitor to the bitline, causing the bitline to get slightly more charged, whereas if the capacitor is not charged, charge flows from the bitline to the capacitor, causing the bitline to become slightly less charged.Then, a sense amplifier compares the charge of this bitline to the reference Vdd 2 charge stored in another bitline, and amplifies their difference.This leads into the cell's value being recognised as logical one or logical zero, when the cells of a row are being read.In order to facilitate the differential amplification process, DRAM cells are usually organised into two different categories; true cells, whose charged capacitor indicates a value of logical one, and anti-cells, which store a value of logical one when their capacitor is discharged [8].For both categories of cells, the opposite state of their capacitors indicates a value of logical zero.This procedure also helps refresh the values stored on the DRAM cells, as the bitlines being compared are forced to exchange charges [9].This happens in such a way that either will discharge the cell's capacitor, if the relevant bitline is charged below the Vdd 2 charge stored in the other bitline, or will charge the capacitor, if the relevant bitline is charged above the Vdd 2 charge stored in the other one.As DRAM cells store their charge on a capacitor, their charge will inevitably leak unless it is regularly replenished.Therefore, an automated process exists in order to refresh the values stored in all the DRAM cells, within such a time interval that even the most leaking cell will always be able to provide the correct value.The refresh process is almost identical to reading, but the logical values of the DRAM cells are not used further.Writing usually happens in a similar way to reading, with the difference being that while a row is being accessed, particular bitlines are forced to potentially different charges, in order for the correct values to be written in the cells, through the previously described operation of the sense amplifiers [9].After a row has been accessed, either for writing, reading or to be refreshed, the relevant wordline is discharged, therefore trapping the charge of the capacitor in the cell, until it either leaks or is refreshed.

Storage Capacitor
However, apart from DRAMs with cells consisting of one transistor and one capacitor (1T1C), as the one shown in Figure 1, there are also other DRAM implementations, such as purpose-built embedded DRAMs, with cells consisting of only two transistors (2T) [10,11].In these, the storage capacitor is replaced by a storage transistor connected to a transistor that allows access for writing.In these 2T DRAM cells, writing and reading are decoupled, therefore requiring two different sets of a wordline and a bitline each, one set of which is used for writing and the other for reading [10].This design is quite similar to the one used in early DRAM cells, which consisted of three transistors (3T), one used for write access, one for read access and one for storage.This design again required two wordlines and two bitlines for each cell, as one set of a wordline and a bitline was used for writing and the other for reading [9].Nevertheless, all of these designs again require frequent refreshing of the values stored in their DRAM cells, due to leakages.

DRAM-Based Security Primitives
Hardware-based security primitives exploit inherent characteristics of hardware in order to extract entropy, in the form of random and unique outputs, which can be used for the implementation of cryptographic solutions.These outputs can be robust, in which case they can be used for identification and authentication, or unstable, in which case they can be used in cryptography as random one-time keys and nonces.Manufacturing variations cause minor imperfections in commodity hardware, such as DRAMs, which can serve to create inherent characteristics in a random and unique way in each individual hardware instance.Therefore, while such imperfections do not affect the correct operation of hardware, they can be exploited for the implementation of security primitives.Researchers have identified a number of inherent characteristics in DRAMs that can be leveraged for the implementation of hardware-based security primitives.
In particular, it has been noted that the cells of DRAMs may assume different values at startup [12], in a similar way to SRAM cells.In this case, the startup charge of the capacitor of each individual cell (in a 1T1C DRAM) may be slightly above the Vdd 2 threshold value (Figure 2a), or slightly below it (Figure 2b), a situation that leads to the cell's value being interpreted as logical one or logical zero, respectively, if the cell is a true cell, and vice versa, if the cell is an anti-cell.Figure 2 provides an overview of how voltage moves, in each of the two cases, through the DRAM circuitry presented in Figure 1, when the cells are read.The cells are previously untouched, not having been written to, by the system or the user.Another characteristic of DRAM cells that can be exploited for the extraction of entropy is their retention times.As already mentioned before, DRAM cells need to be frequently refreshed or the charge of their capacitors leaks away, causing the values stored in them to flip.However, the decay characteristic is not the same for all the cells of a particular DRAM, with cells exhibiting different periods of charge remanence.This phenomenon can be exploited in a number of different ways, resulting in different degrees of instability.Researchers have either stopped the refresh function of the DRAM [13][14][15][16], exploiting the retention of different cells, or cut the power of the whole chip [17], taking advantage of the data remanence of the cells, or even forced different low voltages in the wordlines, in order to intensify the decay effect [18].Furthermore, in order to increase the number of flips exhibited over time, a row hammer process can be used [5].In this case, rows are constantly written alternately with zeros and ones, causing the values of cells in other rows to flip, due to excessive leakage.In order to maximise the effects of row hammering, the rows constantly changing value (hammer rows) alternate with the rows that will be used for the implementation of the security primitive (primitive rows), as shown in Figure 3.

Pull up Network
Sense Amplifiers

Figure 3.
The alternating order between rows used for row hammering (hammer rows) and rows used for the implementation of a security primitive (primitive rows).
It is, therefore, evident that the retention characteristic of DRAM cells is highly dependent on the leakage of their capacitors, which can be affected by nearby components, such as other cells in the same or in other rows.Figure 4 presents some of the different leakage paths, showing with red colour paths in the same row, and with blue, paths affecting cells in other rows.Note that the leakage of a cell can also affect cells in non-adjacent rows, and can affect nearby bitlines and wordlines, as well as the transistors and capacitors of other cells, as shown in Figure 4.  We need to mention that DRAM cells also exhibit a Variable Retention Time (VRT) phenomenon, which means that the same cell may randomly switch between a high retention state (corresponding to a high retention time) and a low retention state (corresponding to a low retention time) at different points in time [8,19].This behaviour depends on the amount of unoccupied traps that exist in the gate region of the transistor at a given point in time, which can absorb some of the draining charge, and is related to the manufacturing process of the cell's transistor.This phenomenon can add to the instability of the retention characteristic of DRAM cells.

WL
Moreover, another characteristic of DRAM cells that has been exploited for the implementation of security primitives is the time required for the writing operation to be successful [20,21].If this time is decreased, some cells will fail to be written, while others will still be written successfully, depending on slight variations in their transistors and capacitors.Obviously, however, for the output of the DRAM to be random, the time allowed for the write operation must not be set too high or too low, as this would cause the vast majority of cells to be written successfully or to fail to be written, respectively.Changing the time parameters for the write operation of a DRAM can be done either with the introduction of a delay component [20], or by manipulating their values using software commands, when this is possible [21].
We should, finally, note that, based on the stability of the DRAM characteristics exploited, different security primitives can be implemented.If the characteristic exhibits a high degree of stability, then a Physical Unclonable Function (PUF) can be implemented out of it, which can be used for identification, authentication or even as a secure key storage.Even if the characteristic is not fully stable, error correction can be applied so that the DRAM-based PUF can truly act as a function, which always provides the same output for a specific input.Otherwise, if the characteristic is highly unstable, it can be leveraged for the production of a random number generator.In this case, we want the output to be as unstable as possible, so that we can ensure that the numbers (actually, bitstrings) that are produced will be highly random.In both cases, however, we require that the characteristic holds enough randomness to be unpredictable and is quite unique per DRAM instance, in order to prevent trivial attacks against the security primitives being implemented.

Physical Unclonable Functions
As already mentioned, Physical Unclonable Functions (PUFs) act as functions encoded in hardware, which produce a unique output, being referred to as a response, for a specific input, being called a challenge.PUFs provide a varying level of security, and can, therefore, be used in different applications, depending on the number of their available input-output pairs, which are referred to as Challenge-Response Pairs (CRPs).For example, a PUF with only a single challenge-response pair can be used for identification, while a PUF with multiple CRPs can be used to provide multiple different session keys for authentication.In the first case, the response needs to be secret, while, in the second one, responses can be also used without any secrecy, as long as the related CRPs are not used again.
Although a number of publications considered the usage of physical characteristics for identification, authentication and anti-counterfeiting [22][23][24], the first major investigation regarding the potential of a physical structure to serve as a hardware-entangled one-way function was only conducted in 2001 [25,26].Nevertheless, this study concentrated on the usage of a dedicated disordered optical structure as a security primitive, and required additional hardware for its identification.The first intrinsic PUF came in 2002 [27,28], being reported in the same publications that also proposed the term "physical unclonable function" in order to describe a hardware-entangled function that produces outputs that are unique for each hardware instance.However, again, the primitives proposed (arbiter PUFs) were dedicated hardware components that, although they were implemented in silicon, would require additional hardware in order to be evaluated.
A major breakthrough happened in 2007 with the introduction of the SRAM PUF [29,30], which was the first PUF that not only was implemented in silicon, but was also based on a hardware component, SRAM, that was part of most contemporary computer systems, and which could also be evaluated without the need of additional hardware.Nevertheless, the SRAM PUF is based on the startup values of the SRAM, and can therefore only be evaluated at boot-time.This means that the system needs to be restarted every time its PUF response is required.Additionally, the SRAM PUF has only a single CRP, whereas all previous PUF implementations could provide multiple CRPs, forcing a distinction between PUFs with a single or very few CRPs, which are referred to as "weak" PUFs, and PUFs with a large number of CRPs, which are called "strong" [31,32].However, at the same time, modelling and machine-learning attacks against the so-called "strong" PUFs [33][34][35][36], forced the development of newer more resistant implementations, such as the XOR (eXclusive OR) arbiter PUF and the lightweight arbiter PUF, which were, however, then attacked using more sophisticated modelling and machine-learning attacks.Therefore, while research still continues in order to find a strong PUF that will also be immune to modelling and machine-learning attacks, most of the delay-based implementations, such as arbiter and ring oscillator PUFs, are proven to be extremely vulnerable to them.It is for this reason that the majority of the most recent PUF implementations are based on memory elements, such as SRAMs, DRAMs and Flash memories.
The distinction between "strong" and "weak" PUFs is not always obvious, as it is not easy to define what constitutes a large enough number of CRPs.In general, however, delay-based PUF implementations have been considered as "strong" and memory-based ones as "weak".Nevertheless, the ring oscillator PUF, a delay-based PUF, has been described in some publications as a "weak" PUF [32] and in others as a "strong" one [35].Additionally, as we discuss in other sections, DRAM PUFs can quite often provide multiple CRPs, and even a very large number of them [11].However, in this work, we refrain from judging whether the different DRAM-based PUFs are "weak" or "strong", and only examine the amount of CRPs that they can potentially allow for, which we sometimes proceed to compare to the single CRP that most SRAM PUF implementations provide.
Regarding the prevalence of memory-based PUF implementations in recent publications, this is clearly demonstrated in Table 1, which presents a brief history regarding the development of the most well-known PUFs.In this table, we use a colour classification to distinguish between memory-based, delay-based and other PUF implementations, in order to present this information to the reader in a way that is very simple to understand without additional effort.
Table 1.History of the development of the most well-known Physical Unclonable Functions (PUFs).The PUFs presented are colour-coded according to their type.
A DRAM decay-based PUF can inherently provide multiple CRPs, and not only a single one, as the retention characteristic of DRAM cells is dependent on time and temperature.In a similar fashion, the DRAM latency-based PUF can provide multiple CRPs, when a set of different values is used for the time parameters of the write operation of the DRAM.Even the DRAM PUF based on the startup values of the DRAM can be considered to be able to provide a number of CRPs, if large segments of a single DRAM are considered as different components of the PUF, each of which can be queried independently and provide its own (single) CRP.It is therefore essential to investigate DRAM PUFs in detail, in order to shed light on the current state of the art, as well as provide insights into their full potential.

Random Number Generators
Since antiquity, humans have been interested in the generation of random numbers for a plenitude of reasons, ranging from gambling to cryptography and statistics.Random number generation can be either truly random, when a chaotic system is being used, or pseudorandom, when a seed is being used to generate a sequence that appears random, but is repeatable using the same seed as a basis for the generation of a future sequence.A chaotic system, on the contrary, is based on so many different factors that the sequences generated by it are not fully predictable.Such a system can often be modelled or simulated, up to some degree, but its exact output is not fully predictable.For example, throwing dice or flipping a coin can be modelled and simulated, but the results of these actions are not fully predictable because the exact circumstances under which these actions may be performed are extremely hard to predict.
However, if we know the exact force with which a coin is being flipped, on which exact spot on the coin this force has been placed, what was the initial state of the coin, what are characteristics of the coin, such as its mass, the material of which it is made, etc., and, also, that no other forces affect the coin, then perhaps the outcome of the coin flipping can be predicted.In exactly the same way, if we know the seed of a number generator and its exact algorithm, we can then usually predict the exact output of it.Therefore, the generation of random numbers is highly dependent on the system being used for it and, more specifically, on how deterministic this system is.
A non-deterministic system will produce highly unpredictable outputs and can therefore be used for the implementation of True Random Number Generators (TRNGs), while a simple system that is also fully deterministic will produce outputs that are highly predictable and therefore not suitable for random number generation.Finally, a complex deterministic system will produce output that is, up to some degree, predictable, but does appear random, and can therefore be used for the implementation of a PseudoRandom Number Generator (PRNG).Therefore, the degree of complexity of a system and its determinism have to be assessed, in order to determine the ability of a system to be used for random number generation.Nevertheless, this task can prove to be much more complex than assessing the output of such a system, for its randomness, unpredictability, etc.For this reason, researchers have developed tests that can indeed examine the suitability of a system to act as a Random Number Generator (RNG) based on its outputs.One of the most popular suites of such tests has been produced by the National Institute of Standards and Technology (NIST) in the United States of America (USA) [50].
Both TRNGs and PRNGs may pass such statistical tests successfully, but once the initial seed of a PRNG, including its initial state, is known, all its outputs can be predicted successfully.TRNGs are therefore much more secure, being completely unpredictable, and are, therefore, more suitable for applications related to security, such as data encryption.However, PRNGs are also very popular due to their flexible and low-cost implementations and their low generation times [51].Recent research has, therefore, focused on the implementation of cost-efficient and flexible TRNGs, which could be employed as security primitives, mainly in cryptographic protocols.Such TRNGs could be implemented using commercial hardware, such as DRAMs, which is not only widely available, but would also not require additional dedicated hardware, which would raise the cost of production.
Such implementations would enable the use of intrinsic TRNGs that would be inherently available even in resource-constrained devices, such as IoT hardware.As already noted, TRNGs are particularly useful for the production of ephemeral, one-time keys and nonces, which can allow the implementation of complex cryptographic protocols.For this reason, intrinsic TRNGs could enable the usage of complex cryptography even on low-end devices.Therefore, DRAM-based TRNGs could prove to be a major breakthrough in the history of hardware-based TRNGs.
As software can only very rarely prove to be unpredictable, most TRNG implementation in modern computer systems use hardware in order to generate random numbers.A large number of hardware components, such as power supplies [52,53], Zener diodes and delay and clocking elements, which inherently carry an increased noise load, have been utilised for the implementation of TRNGs.However, the implementation of such TRNGs usually requires additional circuitry or other hardware, either for the construction of the TRNG components or for the evaluation of the TRNG hardware.As a result, not only such TRNGs may increase the production costs, but also have an increased generation time, as multiple components may be required for their construction and evaluation.On the contrary, an intrinsic silicon TRNG, such as a DRAM-based TRNG, can provide increased security in comparison to a PRNG, while providing low generation times and requiring only dedicated software, a need that is also common to most PRNGs.
Recent research has proven that the characteristics of DRAMs may, in some cases, provide outputs that are random and unique per DRAM instance, but also highly unstable, and can therefore be used for the implementation of intrinsic hardware TRNGs in commodity devices.In particular, the potential of the retention time of DRAM cells to serve as a source of entropy for the implementation of a TRNG had been noted even in the very first publications regarding the decay characteristic of the DRAM cells as a basis for the implementation of security primitives [15,16].Additionally, the data remanence of DRAM cells has also been investigated as a characteristic that can be exploited for the creation of a robust DRAM-based TRNG [17,54].Finally, a more recent publication studies the potential of the startup values of DRAM cells to be employed for the production of a TRNG, and the difficulties in the realisation of such a scheme [55].Therefore, as recent research [19] keeps providing promising results regarding the potential of DRAMs to serve as a basis for the formation of cost-efficient, fast and flexible TRNGs, we believe that it is crucial to investigate in detail the current state of the art regarding DRAM-based TRNGs and their future potential for cryptographic applications.

Overview of the Current State of the Art Regarding DRAM-Based Security Primitives
As already mentioned in the previous section, the recent development of DRAM-based security primitives can potentially lead to significant advances in the field of IT security, because such primitives not only can be implemented in a cost-efficient manner, as DRAMs constitute intrinsic components of most contemporary computer systems, but also, quite often, can be used at run-time.For this reason, in this section, we investigate the relevant literature, provide a thorough overview of it and classify it, in such a way as to provide a clear picture of the current state of the art and useful insights regarding potential future developments.

Brief Literature Taxonomy
As Table 2 reveals, there has been an increased interest regarding DRAM-based security primitives in previous years.This is also evident from the publication of two doctoral dissertations in 2017 that consider DRAM-based security primitives to a significant extent [54,75].Additionally, other doctoral dissertations also discuss DRAM-based security primitives [76,77], exhibiting that these primitives are becoming well-known.Finally, the existence of other publications from Eastern Europe [78,79] and Asia [13,77] are further indicators of the global outreach of the topic of DRAM-based security primitives.
It is, therefore, important to examine in some detail the most influential publications regarding DRAM-based security primitives, in order to identify their most important contributions and, in this way, expose the current state of the art of this scientific field.We choose to do so in a chronological order, as Table 2 shows, in order to allow the reader to view how this field has evolved and get some very first insights into its potential future development.
As it has already been mentioned, there are four major characteristics and effects related to DRAMs that have so far been exploited for the implementation of a DRAM-based security primitive.These are DRAM decay and data remanence effects, the startup values of the DRAM cells, DRAM write access latencies and the effect of applying a row hammer algorithm on the rows of a DRAM array.We, therefore, choose to also classify the publications presented in Table 2 according to the exploited characteristic(s), which they refer to, in order to provide a more detailed view of the way in which DRAM-based security primitives were developed.We choose a colour classification, in order to make the results of our classification easier for the reader to understand.As some publications consider two characteristics, we indicate those by using both relevant colour indicators in Table 2.As Table 2 shows, the first publications regarding DRAM-based security primitives have occurred in 2012 and all were considering DRAM PUF implementations based on the retention characteristic of DRAMs.Since then, however, the amount of publications per year seems to be stable, with a sudden increase in 2017, which may also be continued in 2018.Additionally, the number of DRAM characteristics employed for the implementation of security primitives has also increased, and may further increase in the future.An overview of the current literature regarding DRAM-based security primitives follows.
In 2012, Okamura et al. [13] published a paper regarding the usage of the retention characteristic of a DRAM in order to produce a PUF.They also examined the effect of temperature on this characteristic, with a focus on the effects of different temperatures on the number of bits flipping.They compared PUF responses measured at 25 • C to responses measured and −5 • C, 45 • C and 65 • C, showing that the number of flipped bits increases, for higher temperatures and higher decay times, during which the DRAM is not being refreshed.Finally, they showed that unique 192-bit keys can be generated within 30 s and 672-bit keys within 60 s.
Fainstein et al. [18] published a paper describing a Retention-based Intrinsic Chip ID (RICID) using embedded DRAM (eDRAM).They demonstrated intrinsic chip identification using a 32 nm Silicon-On-Insulator (SOI) high-κ/metal gate embedded DRAM, which provided a high probability of ID uniqueness and recognition.Their technique constitutes a decay-based DRAM PUF, where the decay is intensified by using higher wordline low voltages (VWLs).They used a bit fail map of a DRAM array, in which retention pass or fail bits (represented as logical zeros or ones, respectively) are used to generate a pair of binary strings A and B using different VWLs.Using a higher VWL for B results in a greater number of retention fails such that the list of failing cell positions includes all of the positions that failed in A and new ones because more cells leak enough for their logical value to flip.Keller et al. [14] presented a poster about the usage of the retention characteristic for the implementation of a DRAM PUF, and Felber [15] made also presentation slides for the same implementation and its usage in a Quantum Key Distribution (QKD) system.
In 2013, Rosenblatt et al. [80] extended the RICID idea published by Fainstein et al. [18] using the same DRAM PUF implementation in order to include field-tolerant authentication by detecting a number of bits that can ensure successful recognition and also prevent ID spoofing during the read operation.This allowed for a 100% recognition rate of the unique chip IDs generated under different temperature and voltage conditions, using more than 400,000 ID pair comparisons in more than 250 chips.Successful recognition rates were predicted to be very close to 100% using an analytical model for one million different pairs.
In a different publication in the same year, Rosenblatt et al. [81] presented an architecture that enables self-authentication in chips, using electrically programmable fuses (eFUSEs) that store PUF responses produced by an eDRAM.Again, the DRAM PUF is based on the retention times of the DRAM cells, which can be lowered using higher VWLs.The responses produced are proven to be unique using Monte Carlo simulations and the chips can be authenticated even when the responses are noisy.The simulation results are confirmed by testing more than 50 chips and an analytical model is used to predict that attacking the DRAM PUF using brute force would require more than 10 years to be successful and that successful authentication rates are very close to 100% using an analytical model for one million different chips.
In 2014, Liu et al. [82] published a paper regarding a DRAM decay PUF based on a Double-Data-Rate type three (DDR3) Synchronous DRAM (SDRAM).They also described an algorithm for key generation, with an integrated fuzzy extractor, which can produce secure 128-bit keys.Due to the wide adoption of DDR3 memory in wireless sensor networks (WSNs), and as the proposed DRAM PUF technology provides high security and does not require hardware changes, the proposed PUF is suitable for usage in WSN applications.The feasibility of such a PUF is validated using an Field-Programmable Gate Array (FPGA) board and a number of removable Small Outline Dual In-line Memory Module (SODIMM) DRAMs.An extended version of this paper was also published the same year by Liu et al. [83], in which a more detailed overview of the algorithm, including a thorough description of the fuzzy extractor parameters, is presented.Both papers present positive results regarding the decay rate and the intra-device and inter-device Hamming distances.
Keller et al. [16] also presented a DRAM decay PUF based on a DDR3 SODIMM DRAM connected to an FPGA board, which can, however, also be used for the generation of random numbers.A memory controller that permanently disables the refreshing operation has been implemented.The authors note that the implemented DRAM PUF allows for repeated queries at run-time, in contrast to an SRAM PUF.Furthermore, utilising a 512 MB DDR3 module, 400 random bits can be produced per second.
In 2015, Tehranipoor et al. [12] introduced a DRAM PUF based on the startup values of the DRAM cells, which works in a similar way to the SRAM PUF.Nevertheless, due to the size of the DRAM, this PUF allows for a much larger response size.It relies on the fact that DRAM cells initialise to random values at startup because of variations in their manufacturing process, which are however too small to affect their regular operation.Different operating conditions, such as different voltage and temperature levels are investigated in order to test the PUF's reliability.The most stable cells are selected during enrollment for further use.
Hashemian et al. [20] presented in the same year a DRAM PUF implementation based on the write access failures.An external delay circuit can be implemented in order to change the time parameter of the write operation, in such a way that a number of cells fail to be written.Monte Carlo simulations were performed using an implementation of a Simulation Program with Integrated Circuit Emphasis (SPICE), a program used for the simulation of hardware.These simulations showed that, for 1000 chips with 10% inter-die and 8% intra-die variation, the proposed PUF exhibits high uniqueness with a 50.01%average inter-die Hamming distance and good robustness under temporal fluctuations in the supply voltage and the temperature and under aging effects for its estimated 10-year lifetime.The PUF also provides good reproducibility with a 7% average intra-die Hamming distance for temperatures ranging from 20 • C to 50 • C and 7.4% average intra-die Hamming distance for supply voltages ranging from 0.9 to 1.2 volts.Furthermore, aging analysis shows that under Negative-Bias Temperature Instability (NBTI) effects, unstable bits constitute on average only 0.92% of the PUF responses over the estimated 10-year lifetime.
Zhang [84] published his master's thesis on the same year, which is highly related to the papers by Liu et al. [82,83].The same PUF implementation is presented, along with an extended related literature section, additional sections on the applications of PUFs and more information regarding the fuzzy extractor scheme and the metrics used to evaluate this DRAM decay PUF.The results prove that this PUF implementation can serve for secure key generation.
Rahmati et al. [85] presented what can be characterised as an "attack" PUF implementation, as their paper explored how the decay characteristics of DRAM cells in approximate DRAM, a DRAM that does not provide 100% stability of its stored values can create an error pattern that could serve as a system identifying fingerprint.Approximate DRAM allows for some values to decay, as its refreshing time is not adequate enough for all the cells to be refreshed before they decay.Therefore, the values stored in the cells with the lowest retention times will fade away, creating a unique pattern of error, which may not affect significantly the content stored over all the DRAM array, but can lead to successful recognition and de-anonymisation.This publication was followed by others that focus more on the optimisation of the quality of an approximate DRAM [91,92].
In 2016, Tehranipoor et al. [17] published a paper presenting a hardware TRNG based on the data remanence effect of a DRAM, whereby information remains in a DRAM even after powering it down.This phenomenon is practically another version of the cell decay characteristic.Nevertheless, as in this case, the whole DRAM, or even the whole chip, is powered down, a slightly different behaviour may appear, which is also dependent on burn-in and grounding effects, i.e., the time that a value has been stored on a cell and whether the overall circuit is grounded or not.Additionally, the startup behaviour of the cells can play a role because, if the cells decay completely during the period of time that the DRAM is powered off, they will probably assume their startup values when the DRAM is again powered on.Therefore, this implementation is inclined to exhibit high instability, which makes it fit to serve as an TRNG.An FPGA and its on-board DRAM are used for testing, together with a power-cycle circuit used to enable and disable the DRAM.
Sutar et al. [86] published a paper on a DRAM decay PUF that is intrinsically reconfigurable, supporting a large number of challenge-response pairs (CRPs) through the variation of different parameters.Their design is implemented and validated using an FPGA and removable SODIMM DDR3 DRAM modules.Their design also allows for reduced authentication times in comparison to previous works.Additionally, the authors tested the robustness of their authentication mechanism under temperature variations and aging effects.Their results demonstrate a 100% true-positive (successful authentication) rate for a 10 • C temperature variation with a 0% false-positive rate.For a nine-month old DRAM module, their authentication mechanism also provided a 100% true-positive rate and a 0% false-positive rate.
Vitenko [78] presented a rather interesting implementation of a DRAM PUF based on the retention characteristic of DRAM cells, as it was the first implementation on a truly commercial device.The DRAM of a tablet computer produced by LG, a well-known electronics company that has its headquarters in Seoul, South Korea, was used in order to implement a PUF and the relevant DRAM module was controlled using the Android OS.The evaluation of the responses of the PUF proves that it can be used for identification purposes, as they are proven to be random, unique and stable enough.This paper proves in a definitive way that DRAM PUFs can be used commercially.
Xiong et al. [4] implemented a DRAM decay PUF that can be queried at run-time on two commercially available evaluation boards using a Linux kernel module, therefore exhibiting that DRAM PUFs can be implemented and used in IoT hardware.Additionally, they also presented a firmware implementation of the same PUF on both devices using the firmware of these devices.
However, this implementation cannot be accessed at run-time.Finally, they also presented lightweight cryptographic protocols based on their PUF implementations, which can be used for device authentication and secure channel establishment.
In 2017, Sutar et al. [87] presented a memory-based combination PUF implementation that combined an SRAM PUF with a DRAM decay PUF.This implementation can potentially combine the advantages of both types of memory-based PUFs and address the shortcomings of each individual PUF type.This implementation addresses potential problems of the two different PUF types, such as the DRAM module being removable, in which case, it can easily be transferred to another system for the implementation of a number of different attacks against its security.The proposed PUF exhibits high entropy, supports a large number of challenge-response pairs, and is intrinsically reconfigurable.The SRAM PUF utilizes a power-cycling approach to generate startup values as responses, while the DRAM PUF responses consist of unique bit-flip patterns generated through a refresh-pausing approach.The combination PUF has been implemented using an FPGA and several off-the-shelf SRAMs and DRAMs.Their experimental results demonstrate substantial improvements over current memory-based PUFs including the ability to resist various attacks.Extensive authentication tests across a wide temperature range (20-60 • C) and accelerated aging (12 months) demonstrate the robustness of the proposed design, which achieves a 100% true-positive rate and a 0% false-positive rate for authentication across these parameter ranges.
Tehranipoor et al. [88] published an investigation of the reliability of the responses of a DRAM PUF based on the startup values of its DRAM cells under device-accelerated aging effects.Their paper presents accelerated aging experimental results over 18 months on three DRAM PUFs based on startup values.Experiments were conducted using three Commercial Off-The-Shelf (COTS) DRAM modules.Additionally, in order to accelerate aging, a thermal inducting system was employed.Based on their results, the effect of NBTI stress appears to be negligible on DRAMs and can be ignored.In other words, this type of DRAM PUFs is resistant to aging, and can, therefore, improve the performance and reliability of the entire system during its operational life.
Tang et al. [11] presented a DRAM PUF based on the retention characteristic of DRAM cells, utilising the location of cells with a weak retention characteristic in a 65 nm 2T Complementary Metal-Oxide-Semiconductor (CMOS) eDRAM.In this case, multiple locations of the DRAM are utilised to produce the PUF's final response, as their error patterns are combined in the final response.This scheme allows for the creation of more than 10 32 unique CRPs from a 1 Kbit eDRAM array.The responses become more stable through the application of a zero-overhead repetitive write-back technique along with bitmasking, while instabilities induced by voltage and temperature variation are mitigated by adjusting the read reference voltage and refresh time before each authentication operation.Finally, the area of each cell of the proposed DRAM PUF is calculated to be less than 1 µm 2 .
Eckert et al. [55] published a paper dealing with a hardware TRNG implementation based on the startup values of Double-Data-Rate type two (DDR2) DRAM.In this paper, they show that the startup values of newer DRAMs may not suitable to serve as a PUF, a conclusion that was also reached by Anagnostopoulos et al. [93].However, by combining multiple measurements through an XOR operation and by using a von Neumann corrector, the authors manage to implement a TRNG.The authors assess the randomness of their scheme using the NIST suite of tests and prove that it can be used as a TRNG.We note here that the eXclusive OR (XOR) logical operation provides a logical output of zero when all its inputs have the same logical value and of one when at least one of them has a different logical values from the others.
Tehranipoor et al. [3] extended the previous publication by Tehranipoor et al. [12] regarding a DRAM PUF based on the startup values of the DRAM cells.Their approach has a relatively low generation time and no additional hardware is required.The effect of different operating conditions, based on voltage and temperature variations and aging is examined.Their implementation consists of external Dual In-line Package (DIP) DRAM modules connected to an FPGA board, and provides highly distinct PUF responses with an average inter-die Hamming distance of 0.4937, which can be utilised to construct 128-bit secure keys.
Schaller [75] published his doctoral dissertation in 2017, in which he examines PUF implementations on COTS hardware and their applications.He discusses in detail DRAM PUFs based on both the retention characteristic of DRAM cells and the row hammer effect, as well as their applications, and potential protocols based on them.His dissertation proves that DRAM and other memory-based PUFs can be implemented on COTS hardware and serve as security primitives for the implementation of lightweight cryptographic protocols.
Tehranipoor [54] also presented her doctoral dissertation in 2017, in which DRAM-based PUFs and TRNGs are presented and discussed in detail.The overall dissertation is considering the design and architecture of various hardware-based TRNGs and PUFs that meet the requirements and needs for low-cost solutions in today's electronic systems.For this reason, particular focus is placed upon DRAM-based security primitives.Additionally, this dissertation also deals with the architectural requirements for designing resource-efficient embedded system platforms.Works presented in this dissertation include a DRAM PUF based on startup values and two DRAM-based TRNGs, one that is based on the startup values of DRAM cells and another that is based on their data remanence.
Kumar et al. [89] published a book chapter, a part of which deals with hardware security based on intrinsic IDs produced by eDRAM.These IDs are produced by eDRAM based on the retention of its cells, which is lowered by using higher VWLs.The technique being employed is very similar to the ones used by Rosenblatt et al. [80] and Rosenblatt et al. [81].The authors prove that this implementation can be successfully employed for the authentication of a chip.
Kirihata et al. [90] also published a book chapter, in which they also discuss a DRAM PUF implementation based on the retention of its cells, which is lowered by using higher VWLs.The scheme being employed is again very similar to the ones used by Rosenblatt et al. [80] and Rosenblatt et al. [81], and is used for anti-counterfeiting purposes.This scheme has the advantage of being based on an intrinsic element, the DRAM, thus not requiring additional hardware for its implementation, and therefore being highly cost-efficient.
In general, we must note that the publications by Fainstein et al. [18], Rosenblatt et al. [80], Rosenblatt et al. [81], Kumar et al. [89] and Kirihata et al. [90] form a family of publications investigating the potential of eDRAM for the implementation of a DRAM PUF based on the retention characteristic of its cells, which is artificially lowered by using higher VWLs.To this end, these publications examine in detail the applications and security of such a primitive, in order to determine its suitability to serve as the basis of lightweight cryptographic protocols.
Schaller et al. [5] presented a paper regarding the potential of the row hammer effect to be used in order to enhance the uniqueness and randomness of a DRAM PUF, if it is used in conjunction to the decay characteristic of the DRAM cells that is exhibited when the refresh operation of the DRAM is paused.Their implementation on COTS evaluation boards proved that generation times can be significantly decreased in this way, leading to a PUF that is accessible at run-time and can be used in a quick manner.Additionally, this was the first positive application of the DRAM row hammer effect.
In 2018, Kim et al. [21] presented an implementation of a DRAM PUF based on the latency of the write operation of the DRAM, and proved that it has a significantly lower generation time in comparison to the DRAM decay PUF.For this purpose, they implemented both DRAM decay-based and DRAM write latency-based PUFs on a large number of Double-Data-Rate type four (DDR4) DRAM modules connected to an evaluation board.Their implementation of the DRAM write latency PUF requires no additional hardware for measurements, in contrast to the implementation of the same type of PUF by Hashemian et al. [20], as they use memory controllers that allow them to change the time parameters of the write operation of the DRAM through software means.Their implementation is accessible at run-time and the effects of temperature on it have been investigated, proving a significant decrease of generation times for the DRAM write latency PUF in comparison to the DRAM decay PUF at all temperatures.
Finally, also in 2018, Sutar et al. [19] extended the previous paper by Sutar et al. [86] regarding a reconfigurable DRAM decay PUF, by also presenting a TRNG based on the DRAM decay PUF and the VRT phenomenon.Their implementation was based on several COTS DDR3 DRAM modules being connected to an FPGA board and was proven to be around five times faster than other prior DRAM PUFs.Their PUF implementation was also proven to be resilient and robust against temperature variations and aging effects, while the potential of the proposed TRNG design was verified using the NIST statistical test suite.

Applications of DRAM-Based Security Primitives
As the previous section shows, DRAM-based security primitives have been employed in a number of different applications, while both PUF and TRNG implementations have been constructed with equally good results.In this section, therefore, we will investigate the different primitives proposed by each work and their applications.In order, however, to do this, we first need to discuss what are the potential applications of PUFs and TRNGs and the way in which these applications work.
In particular, as already mentioned, the main difference between a PUF and a TRNG is the stability of their outputs.While a good PUF will provide pretty much the same output for the same input, a good TRNG will provide different outputs each time the same input is fed into it.This property of a good TRNG is also shown on Figure 5, where, for the same input A, the TRNG provides a different output, each time it is queried.Therefore, while TRNGs can be used for the construction of ephemeral keys and nonces, which are very useful in cryptography, they are not ideal for identification or authentication purposes.Nevertheless, ephemeral keys can provide information-theoretic security and perfect secrecy when used in a one-time pad scheme and nonces are widely used in order to protect against replay attacks.Additionally, a key produced by a TRNG can also be stored and used for identification and authentication.However, a key generated from a TRNG cannot be directly traced back to it and, therefore, has a weak connection to the device itself.On the contrary, if a key is generated by a PUF, it can be linked to it (and, therefore, also to the relevant device), as a PUF will always generate the same output when provided the same input under the same conditions, and, therefore, also the same key.Moreover, a key generated from a PUF does not need to remain stored after being used, as it can be easily regenerated every time it is needed.Therefore, PUFs have three main applications, namely key agreement, identification and authentication.
Regarding secure key agreement, usually a fuzzy extractor scheme needs to be applied, as a PUF often provides slightly noisy responses, which could otherwise affect its reliability [94,95].This means that, for a particular challenge, the PUF may not always generate exactly the same response, but may often generate similar responses, which, however, contain some amount of noise.For this reason, we employ a fuzzy extractor scheme, which incorporates some Error Correction Code (ECC) [14], in order to stabilise the PUF response [96].PUF-based key agreement consists of two phases, which are shown in Figure 6.
In the first phase, the enrollment phase, which is executed entirely on the server's side, the PUF response is combined with the desired key, in order to produce some redundancy bits, called helper data.The server then saves the challenge, the response and the key used, as well as the helper data produced, and an ID regarding the CRP and the key used.As Figure 6 shows, the same CRP can be used with a different key, which will result in different helper data.If the fuzzy extraction scheme is constructed in a secure way, such that the helper data do not leak information about the CRP and the key, then the helper data can also be made public.
In the second phase, the reconstruction phase, the PUF has been transferred securely from the server to the client and a reverse procedure is employed in order for the server and the client to agree on a key.The server sends a challenge to the client and the relevant helper data for a specific key.The client uses the PUF to produce the (noisy) response corresponding to the sent challenge, which is then combined with the helper data and corrected, using the same ECC as in the enrollment, in order to produce the key.As the server already has the relevant key from the enrollment phase, the server and the client have agreed to a key, without revealing or transferring a CRP or the key.

652
Regarding secure key agreement, usually a fuzzy extractor scheme needs to be applied, as a

653
PUF often provides slightly noisy responses.This means that for a particular challenge, the PUF 654 may not always generate exactly the same response, but may often generate similar responses, which, 655 however, contain some amount of noise.For this reason, we employ a fuzzy extractor scheme, which 656 incorporates some Error Correction Code (ECC) [13], in order to stabilise the PUF response [92].

657
PUF-based key agreement consists of two phases, which are shown in Figure 6.In the first phase, the enrollment phase, which is executed entirely on the server's side, the PUF 659 response is combined with the desired key, in order to produce some redundancy bits, called helper 660 data.The server then saves the challenge, the response and the key used, as well as the helper data 661 produced, and an ID regarding the CRP and the key used.As Figure 6 shows, the same CRP can be 662 used with a different key, which will result in different helper data.If the fuzzy extraction scheme is 663 constructed in a secure way, such that the helper data do not leak information about the CRP and the 664 key, then the helper data can also be made public.Regarding the fuzzy extraction scheme and its related ECC, a number of schemes have been proposed for DRAM-based PUFs, including fuzzy extractor schemes using helper data [4,19,75,[82][83][84]86], fuzzy match schemes with or without hashing [81,89,90] and fuzzy vault schemes that also use helper data [13].Additionally, using a universal hash implementation based on the Toeplitz matrix [83,84], which can be represented by a Linear-Feedback Shift Register (LFSR), is another way of stabilising the DRAM PUF responses.All of these schemes need to be combined with an ECC, which can potentially be based on either Hamming [16,19,86], BCH [82][83][84] or Reed-Solomon [13] error correction code.
However, instead of error correction, one can also employ the use of only the most stable cells [3,11,12,54,88], in order to create stable responses.This approach is quite efficient, especially in applications that do not require perfect stability, such as identification and authentication.In this case, applying an acceptance threshold for stability can be sufficient, as then only the most unstable cells need to be excluded from the response, with no further operation required.
PUF-based identification works in a similar way, in the sense that a server queries multiple PUFs in order to create a database of (some of) their CRPs, which are stored according to the PUF from which they came from.Then, at any point in time, this server can identify any of these PUFs, without explicitly revealing the stored CRPs, by sending challenges to it and observing if the responses produced correspond to the relevant responses stored in its database.In this way, a PUF can be identified if CRPs from it exist on the server's database.Figure 7 demonstrates how PUF-based identification works.However, in the case of successful identification, a CRP of the identified PUF may have been completely revealed, and therefore should not be used again.In order to avoid this, a hashing scheme may be employed, so that the CRPs are not transmitted in the clear, or a key can be used for implicit identification, through encryption and decryption of a nonce, a signature, an identifier, etc.Finally, also error correction may again be required, if the PUF responses are noisy.Finally, PUF-based authentication is very similar to PUF-based identification, as once again a server creates a database of (some of) the CRPs of a PUF.However, this time, the PUF, and its related device, go through untrusted environments, where they can be substituted by counterfeits.Therefore, if a client wants to ensure the authenticity of such a device, it can do so by sending a request for authentication of the relevant PUF to the server.Then, the server responds with a challenge for the PUF to be identified.If the produced response matches the relevant response saved on the server's database, then the device is authenticated, otherwise not, as shown in Figure 8.In this case, authentication is achieved without explicitly revealing any of the stored CRPs.Again, however, in the case of successful authentication, a CRP of the authenticated PUF may be completely revealed, and therefore should not be used again.In order to avoid this, a hashing scheme may be employed, so that the CRPs are not transmitted in the clear, or a key can be used for implicit authentication, etc.Finally, error correction may also again be required, if the PUF responses are noisy.In order to provide a clear and thorough overview of the applications of DRAM-based security primitives, we classify the relevant literature, first, in Table 3, based on the security primitive it and, then, in Table 4, based on the applications these primitives have been suggested for.We should mention here that, in Table 3, we also include the category "Attack PUF", in order to describe a case where the PUF characteristic is used in order to actually facilitate an attack, rather than provide security.Additionally, in Table 4, we group together the "Authentication" and "Anti-Counterfeiting" categories, as they are highly related, one serving to validate the authenticity of the primitive and the other to invalidate counterfeit instances.The same principle is applied to "Identification" and "De-Anonymisation", where one category implies the identification of a primitive for security purposes and the other also its identification, but in order to facilitate an attack.Finally, of course, some additional factors that need to be taken into account, regarding the application for which a DRAM-based security primitive is more suitable for, are the ability of such a primitive to be used at run-time or not and the amount of CRPs it can generate.We discuss these factors in more detail in the other sections of this paper.

Security Evaluation of DRAM-Based Security Primitives
Another important aspect that we need to examine is the actual level of security provided by DRAM-based primitives, as well as the different ways in which this can be assessed.In order to do this, we need to first examine the factors that may affect the security of DRAM-based primitives.Apart from conventional attack vectors, there are also other factors that affect the security of such primitives.These factors include the time needed for the generation of primitives, the number of unique outputs the primitive can generate, whether the DRAM module being used is removable or not, whether the primitive can generate outputs at run-time, whether it is affected by changes in the environmental conditions, or in the voltage being supplied and, finally, whether it is affected by aging.
In particular, if the generation time is high, then, obviously, there is a higher probability for an attack to be successful, without being detected.Additionally, if the DRAM module is removable, then an attacker can easily replace it, or steal it and connect it to a different device.Furthermore, a security primitive that can generate a lot of unique outputs provides a higher level of security than one that can only generate a single output, and is much more resistant, for example, to a de-anonymisation attack.Moreover, a security primitive that is accessible at run-time has a much higher potential to be used in practical security applications than one that is only accessible at boot-time.On the other hand, a primitive that is only accessible at boot-time can probably also only be attacked at boot-time and, therefore, has a smaller attack surface.Finally, obviously, a primitive that is significantly affected by factors that can easily be controlled by third-party entities, such as temperature, voltage, or whose outputs are significantly altered by aging, can offer a lower level of security than another primitive that remains unaffected.

Attacks and Defences
For this reason, we need to note here that security is a relative term, which is highly dependent on the manufacturing cost, the cost of performing an attack and the potential gains/damages of such an attack [97].For example, and as invasive attacks have been proposed against DRAM-based security primitives [19,[82][83][84]86,87], one could point out that a complex mesh shield of detectors around the DRAM could potentially prevent such attacks almost completely.However, if the manufacturing cost of such a mesh shield is much higher than the inclusion of another primitive that is invulnerable to such attacks, then DRAM-based security primitives may fail as security primitives.Additionally, however, if the costs of a successful invasive attack outweigh the potential gains for the attacker, then such attacks will inevitably not be used in such a scale as to render the security primitive insecure.Finally, we also need to distinguish between different implementations, as, for example, attacks based on the replacement of the DRAM module [3,14,54,87], have a different cost when removable DRAMs are employed than when on-board DRAM modules are used.
Keeping, therefore, in mind that there is no perfect security, and that security is highly relevant [97], we observe that a number of potential attacks have been proposed against DRAM-based security primitives, and we note possible defences and countermeasures.Invasive attacks [19,[82][83][84]86,87] can be prevented if the DRAM module is tamper-proof or tamper-evident, meaning that it stops working after being physically tampered with or its behaviour is noticeably altered.Non-invasive probing, such as memory readouts [3,4,54,75,87], can be prevented if the DRAM can only be accessed by privileged code or is a dedicated security module to which access is limited.Attacks taking advantage of the collection of a large number of CRPs, such as machine learning attacks [19,86], as well as row hammer attacks [4], can also be prevented in the same way as memory readouts.Fault injections [3] can be detected through software or hardware means and appropriate action be taken.
Brute force attacks [3,81], as well as dictionary attacks, can be prevented if the entropy of the output of the DRAM security primitive is adequate.The entropy of the output is dependent on the probability that each bit of it, which corresponds to a memory cell, has a logical value of zero or one, on whether there are correlations among the values of the different memory cells and on the size of the output.Guessing attacks [4,19,86] are also highly unlikely to be successful if the DRAM-based security primitive produces outputs with high enough entropy, even when such attacks are based on expert manufacturing knowledge [19,54,55,86], which can also be prevented by keeping such knowledge only available to trustworthy parties.
In order for the entropy of the output of the DRAM-based security primitive to be high enough to prevent brute force, dictionary and guessing attacks, its possible values must be so many that an attacker is highly unlikely to find the correct one, either by luck (in the case of guessing attacks) or by an exhaustive (in the case of brute force attacks) or selective search (in the case of dictionary attacks).Therefore, if the bits of the output are highly unpredictable, having an almost equal probability to have a logical value of zero or one, are not correlated and the output has a large size, the attacker will be highly unlikely to be successful as the possible values of the output will be 2 N , where N is the size of the output.
Even if the output of the DRAM-based security primitive is biased towards one of the two logical values, if the size of the output is large enough and the bias is not extremely strong, the entropy of the output may still be adequate enough to prevent brute force, dictionary and guessing attacks, as the number of the possible values of the output is equal to the number of possible combinations , where N is the size of the output and U the number of bits having the opposite value from the one towards which the output is biased.However, again, this only holds if the bits of the output are not correlated.Finally, the attacker must be prevented from acquiring knowledge regarding the DRAM-based security primitive that can be used to render the relevant conditional entropy of its output low.For example, if an attacker can use expert manufacturing knowledge to correctly predict a large part of the output, the entropy of the output conditioned on this knowledge may become low enough to allow an otherwise infeasible attack to be successful.
Additionally, when inherent error correction hinders the PUF or the TRNG behaviour [5,21], it can be simply disabled or DRAMs without this feature can be used.Additionally, the TRNG behaviour of a DRAM-based implementation can be enhanced by combining multiple outputs and using de-biasing schemes, such as a von Neumann corrector [54,55].
Finally, we also need to examine the "attack" PUF scheme proposed by Rahmati et al. [85].Attacks against this implementation constitute countermeasures against the de-anonymisation attack it is being used for.Its attack model is based on supply-chain and eavesdropping attacks [85], and countermeasures against it, which constitute attacks against the PUF's de-anonymisation application, are data segregation, noise and data scrambling.Noise can be countered through error correction schemes, while data segregation and scrambling can be potentially disabled.
Additionally, these metrics may have a different meaning, depending on the DRAM-based security primitive they are used for.For example, the Hamming weight of a DRAM decay PUF refers to the number of bit flips that have occured, while the Hamming weight of a DRAM PUF based on the startup values of the DRAM refers to the number of cells whose startup value is equal to logical one.Moreover, a number of other metrics, such as the number of stable cells [3,11,12,19,54,81,[88][89][90], the probability of uniqueness [18,80,81,89,90], the chance of mismatch [85], the bit error rate [21,75] and the number of CRPs or keys being produced [3][4][5]11,14,15,19,21,54,75,80,81,[85][86][87]89,90], have also been employed in order to assess the security that a DRAM-based primitive can provide.
Finally, we also need to mention the NIST statistical suite of tests, which serves as a sui generis suite of metrics for DRAM-based TRNG implementations [12,16,17,19,54,55], as well as the generation time as a metric to assess security [4,19,21,86].It is therefore clear that it is currently not easy to compare different DRAM-based security primitives and their implementations, as a common single set of metrics is not currently being used in the relevant literature.

Discussion
In this section, we briefly compare DRAM-based security primitives to other hardware-based security primitives, discuss the potential of DRAM-based security primitives to be commercially adopted and, finally, present and discuss the different classification criteria employed in this publication.

A Short Comparison of DRAM-Based Security Primitives to Other Hardware-Based Security Primitives
As already mentioned, DRAMs have a number of advantages over other similar hardware-based security primitives.In particular, while a large variety of hardware-based security implementations have been proposed, memory-based primitives are attractive security mechanisms due to the ubiquitous presence of memory in virtually every computer system.Moreover, these memory-based security primitives do not require any additional circuitry for their operation, giving them a distinct advantage over other implementations.Additionally, unlike SRAM, standalone DRAM has a large size in most contemporary computer systems and most DRAM-based security primitives can also be accessed as a security primitive at run-time and not only at boot-time.Finally, most DRAM-based PUFs can provide multiple CRPs, in contrast to SRAM-based PUFs, which usually only allow for a single CRP.
However, DRAM-based security primitives may sometimes require a long generation time, especially when they are based on the retention times of DRAM cells.Nevertheless, recent research has significantly improved the output generation times, even for DRAM decay-based PUFs, as the relevant literature shows.Furthermore, if the DRAM module being used is removable, it provides more flexibility, but, at the same, it introduces the risk of being stolen or replaced.This issue can, however, be resolved if an on-board DRAM module is used.Finally, the characteristics of DRAM modules being used for the implementation of security primitives are quite often particularly susceptible to temperature changes.This is an issue that can, however, be resolved by the introduction of a temperature sensor.
We can therefore conclude that the intrinsic nature of DRAM-based primitives, their large size and their inclusion in most contemporary computer systems make them appealing for security applications, as they are highly cost-efficient, lightweight and can act as sources of significant entropy.However, a number of open issues still remains to be addressed by future research.

The Potential of DRAM-Based Security Primitives for Commercial Adoption
As we have already discussed in the previous sections, DRAMs are already widely available and in mass production, forming an intrinsic part of most contemporary computer systems.Additionally, they can also provide run-time access to characteristics that can be used for the implementation of security primitives, and have, most often, a significantly large size, which can ensure that DRAM-based security primitives can provide enough entropy.Therefore, and as DRAM-based security primitives have a number of advantages over other hardware-based security primitives, we need to assess their potential to be adopted as widely used commercially available security implementations.
However, in order to do this, we first need to examine the implementations proposed in the relevant literature and their characteristics.For this purpose, Table 5 presents the various implementations described in the different works concerning DRAM-based security primitives.Based on this table, it is obvious that DRAM-based security primitives have been tested using both simulations and practical implementations.Regarding practical implementations of such security primitives, these range from external DIP, removable DIMM and on-board DRAM modules connected to FPGA and evaluation COTS boards to widely used commercial devices.It should, therefore, be evident that DRAM-based security primitives can easily become commercially available and be used in a large scale.As already noted in the previous sections, existing barriers against the commercial adoption of DRAM-based security primitives can be overcome in various different ways, towards which existing research is already moving.This is evident in recent publications, some of which consider the generation times of these primitives and how they can be improved [4,19,21,86] or the implementation of such security primitives using the latest commercially available DRAM modules, such as Low-Power Double-Data-Rate type 4 (LPDDR4) DRAM modules [21], or widely used commercial devices [78].To this end, research has considered DRAM-based security primitives based on the startup values of cells, which can most often only provide a single input-output pair, but has also focused on DRAM-based security primitives that provide multiple input-output pairs, such as DRAM decay-based and DRAM write latency-based primitives, as it can clearly been seen on Table 2.
Finally, as DRAM-based security primitives are already present in most contemporary computer systems, including IoT hardware, which is usually resource-constrained, they provide the ideal basis for the implementation of intrinsic highly cost-efficient security mechanisms in IoT devices.As IoT devices quite often cannot inherently support additional security mechanisms, such as Trusted Platform Modules (TPMs) and other security primitives that require hardware additions, DRAM modules can allow for the implementation of security primitives in such devices, which can then be utilised in a number of different security applications, such as cryptographic protocols.This is further supported by the ability of DRAM modules to serve as a basis for the creation of both TRNGs and PUFs, which are also accessible at run-time.We can, therefore, conclude that DRAM-based security primitives exhibit significant potential for commercial adoption, especially in IoT devices.This is of particular importance, as a constant rise has been noted in the use of IoT devices for a multitude of different applications, which include user and customer authentication, weather prediction, traffic monitoring and health applications that range from monitoring general health indicators to tracking specific heart signals [98].This constant expansion of IoT devices into everyday life significantly increases the need for adequate security solutions that are compatible with the constrained resources of IoT hardware, such as DRAM-based security primitives [7].Therefore, there are increased incentives for the commercial adoption of DRAM-based security primitives.

Classification Criteria
In this section, we provide a quick overview of the classification criteria used in this paper to classify DRAM-based security primitives and the relevant literature and discuss their significance.
In particular, we note that we have provided a comprehensive overview of works concerning such primitives, and have used the following criteria in order to produce a thorough classification of them: • Year of publication, in order to demonstrate the significance of the topic of DRAM-based security primitives and provide insights into the future development of the relevant scientific field.
• DRAM characteristic being exploited for the implementation of a security primitive, in order to demonstrate the diversity of characteristics being used and highlight the number of works about them.
• Security primitive being implemented, in order to demonstrate that works concerning both PUF and TRNG implementations exist and that both primitive types can be generated, with equally good results, using DRAMs.
• Applications used, in order to demonstrate that all DRAM-based primitives can be employed in a wide range of security applications, serving as the basis for the implementation of relevant cryptographic protocols.
• Security considerations, regarding both attacks against the implemented security primitives and countermeasures against such attacks, as well as an overview of the employed security metrics, in order to provide detailed insights into the security of DRAM-based primitives.
• Implementation setup, in order to discuss whether they can be commercially adopted and how practical are the implementations discussed in the relevant literature.
Finally, we also note that we have additionally provided a comparison of DRAM-based security primitives to other hardware-based security primitives, in order to provide a clear and thorough view of their advantages and disadvantages, in comparison to other hardware-based security primitives.

Conclusions
In this work, we have presented a comprehensive overview and an extended classification of DRAM-based security primitives.We have examined the characteristics that are being exploited for the implementation of such primitives, and also provided extended insights into the way a DRAM works.We have also discussed in detail PUFs and TRNGs as the security primitives being implemented.Additionally, we have provided insights into the development of the relevant scientific field, the applications of DRAM-based security primitives and their evaluation as security mechanisms.
Moreover, we have also compared them to other hardware-based security primitives, noting their advantages and disadvantages, discussed their potential for commercial adoption and, finally, presented our classification methodology and the significance of the criteria employed in our classification.
Based on our extensive survey of the relevant literature, we can conclude that DRAM-based security primitives can be easily adopted for commercial use and can provide significant advantages when employed as a basis for security in resource-constrained devices, such as IoT hardware.Although current implementations exhibit a number of potential shortcomings, current research is already trying to address them.We can, therefore, conclude that DRAM-based security primitives could easily be employed in commercial applications in the future, and that the relevant scientific field may potentially thrive in the future.
To this end, some related issues that still remain to be addressed in future works include the establishment of commonly accepted security metrics, in order to enable an easier evaluation of the implemented DRAM-based security primitives, a thorough assessment of ways to mitigate their dependence on temperature and voltage variations and the effects of aging, as well as a review and analysis of ways to secure removable DRAM modules, which could allow for more flexibility.Additionally, another topic that is still under investigation concerns further ways in which the time required for the generation of the outputs of DRAM-based security primitives could be reduced even further.Finally, a future study could also examine whether the Integrated Circuit (IC) design parameters relevant to the design of DRAM modules can affect these outputs.The quick growth and the recent advances in this scientific field, as they have been demonstrated in this paper, lead us to believe that all the open research topics discussed in this section may be thoroughly investigated in the near future.

Figure 2 .
Figure 2. Timing diagram of a read operation of a previously untouched DRAM cell, for cells biased to Vdd (a) or Vss (b) at startup due to process variations.In this case, Vdd signifies the supply voltage and Vss the ground voltage.

Figure 4 .
Figure 4. Some of the potential leakage paths for a single cell's capacitor.Charge can leak to components in the same row (red lines), or even in other rows (blue lines), especially in the case of row hammering.

Figure 5 .
Figure 5. Principle of operation of a True Random Number Generator.

Figure 5 .
Figure 5. Principle of operation of a True Random Number Generator

Table 2 .
History of the development of DRAM-based security primitives.The publications examined are colour-coded according to the DRAM characteristic being exploited for the implementation of the security primitives discussed in them.

Table 3 .
Classification of publications according to the security primitive they concern.The publications are colour-coded according to the DRAM characteristic being exploited for the implementation of the security primitives examined in them.
DRAM natural decay effect DRAM intensified decay effect due to VWL DRAM startup values DRAM data remanence effect DRAM row hammer effect DRAM write access latency

Table 4 .
Classification of publications according to their applications.The publications presented are colour-coded according to the DRAM characteristic being exploited for the implementation of security primitives examined in them.